linux-l: module

Steffen Dettmer steffen at dett.de
Wed Nov 22 09:25:52 CET 2000


* Jan-Benedict Glaw wrote on Tue, Nov 21, 2000 at 12:28 +0100:
> On Tue, Nov 21, 2000 at 12:40:46AM +0100, Ulrich Wiederhold wrote:
> > > ...and you should look for the broken binary ;)
> > How would I do that?

Simply log all exec calls? It will be an awful lot, but if you only
let it run at night... It should be findable with a search. I'll
attach a module that logs exec calls.
Just "make", then "modprobe exec.o".

> Watch which programs have just been started when this message
> appears. Alternatively you can write a small program that mimics
> the detection of a binary. Tip: ./linux/fs/exec.c:

Well, I didn't understand what you meant by that.

oki,

Steffen

-- 
This letter was generated by machine,
so it bears neither signature nor seal.
-------------- next part --------------
# Build the module as a plain object file (Linux 2.2 style); -O2 is needed
# so that the kernel's inline helpers (get_user and friends) are inlined.
default: exec.o

exec.o: exec.c
	gcc -O2 -c exec.c -o exec.o

# SMP kernels need the module compiled with __SMP__ defined.
exec-smp.o: exec.c
	gcc -O2 -c exec.c -D__SMP__ -o exec-smp.o

clean:
	rm -f exec.o exec-smp.o
-------------- next part --------------
/* exec.c 1.0.4 by Pat Szuta <perly at xnet.com>
 *
 * exec.c is a kernel module which allows administrators to log all the
 * commands executed by users.  Although many have done this sort of
 * thing,  I haven't seen any public releases, so here it is.  
 * The basic output looks like this:
Nov 15 00:42:27 perly kernel: EXECVE(0)[4837]: /bin/ps uax
 * The EXECVE()[] format is: EXECVE(UID)[PID].
 * I suggest redirecting kern.info to your own file, because that's where 
 * exec.c will log its stuff. You can do this by adding this line to
 * your /etc/syslog.conf, and restarting syslogd:
kern.info	/path/to/myfile
 * Applaud gersh for catching a nasty little syslog thingy that caused
 * the output to be printed twice. 
 * Do whatever you want with this code, just leave my name on it.  If you 
 * have any comments/questions/mods,  send them to perly at xnet.com
 * Oh, and if you do use this module, drop me an email, so that if I
 * update it, you'll be the first one to know.  Good luck :)
 * To compile and execute:
gcc exec.c -c OR gcc exec.c -D__SMP__ if you have SMP (thanks cafuego at creativecontingencies.com)
insmod exec.o
 * Changelog:
 dec 6, 99
  I have just received an email from Pavel Urban (<urbanp at mlp.cz>) with
  code to fix a major bug!! Thanks Pavel!!!!!!
  He says that the actual person who found the bug is Belgarat
  (svatopluk.dedic at netbeans.cz). Thanks a lot to him too!
 nov 18, 99
  Receiving not too many complaints,  I have decided to make this into
  a stable version.
  I have noticed that if a user does 'ls *' in a big directory,  the shell
  will expand the * to all the files in the directory and pass them as
  arguments.  Thus I have limited the number of arguments logged to 10.
  This should be enough for everyone,  and enough to keep syslog from
  bugging you about long prints :) (You can change the define if you want
  to).
 nov 18, 99
  After a bug report,  I have improved the pointer error checking routine. 
  Before it would not log any arguments, now it should.  Note that this is 
  the beta version.
 nov 15, 99
  Gersh caught a rather nasty bug.  If a user wrote a program which did
  execl("some", "stuff"); without a NULL at the end, the kernel would
  oops.  So, I added a little pointer checking.
*/

#define MODULE
#define __KERNEL__
#include <linux/module.h>
#include <linux/kernel.h>	/* printk */
#include <linux/fs.h>		/* getname/putname, IS_ERR/PTR_ERR */
#include <linux/sched.h>	/* current, do_execve */
#include <linux/unistd.h>	/* __NR_execve */
#include <linux/mm.h>
#include <linux/smp_lock.h>
#include <linux/errno.h>
#include <asm/ptrace.h>		/* struct pt_regs */
#include <asm/uaccess.h>	/* get_user */

#define ARGS_LOGGED 	10	/* Max number of arguments logged */

asmlinkage int (*orig_execve)(struct pt_regs);
void execve_log(char *, char **);

extern void *sys_call_table[];

/* Replacement for sys_execve(): log the call, then do exactly what the
 * original Linux 2.2 sys_execve() does. */
asmlinkage int hacked_execve(struct pt_regs regs)
{
   int error;
   char * filename;

   lock_kernel();

   /* Copy the path name from user space; ebx holds the first argument. */
   filename = getname((char *) regs.ebx);

   error = PTR_ERR(filename);

   if (IS_ERR(filename))
      goto out;

   execve_log(filename, (char **) regs.ecx);

   error = do_execve(filename, (char **) regs.ecx, (char **) regs.edx, &regs);

   if (error == 0)
      current->flags &= ~PF_DTRACE;

   putname(filename);

out:
   unlock_kernel();
   return error;
}

/* Print "EXECVE(uid)[pid]: file arg1 arg2 ..." to the kernel log.
 * argv is a user-space array, so each pointer is fetched with get_user()
 * and each string copied with getname() before it is touched. */
void execve_log(char *file, char **argv)
{
   int args_logged = ARGS_LOGGED;
   char *uptr;	/* user-space pointer read out of argv[] */
   char *tmp; 	/* kernel copy of one argument (pavel/belgarat's fix) */

   printk(KERN_INFO "EXECVE(%d)[%d]: %s ", current->uid, current->pid,
          file);

   /* argv[0] is the program name and already covered by 'file', so start
    * at argv[1]; stop at the terminating NULL, after ARGS_LOGGED arguments,
    * or as soon as a pointer or string cannot be read from user space
    * (an execl() without the trailing NULL used to oops the kernel). */
   for (argv++; args_logged-- > 0; argv++)
   {
      if (get_user(uptr, argv) || uptr == NULL)
         break;
      if (IS_ERR(tmp = getname(uptr)))	/* Pointer checking, changed dec 6, 99 */
         break;
      printk("%s ", tmp);
      putname(tmp);	/* frees what getname allocated */
   }

   printk("\n");
}

int init_module(void)
{
   /* Swap our handler into the system call table (exported by Linux 2.2). */
   orig_execve = sys_call_table[__NR_execve];
   sys_call_table[__NR_execve] = hacked_execve;
   printk(KERN_INFO "execve() backdoor version 1.0.4 by Perly loaded.\n");

   return(0);
}

void cleanup_module(void)
{
   sys_call_table[__NR_execve] = orig_execve;
   printk(KERN_INFO "execve() backdoor version 1.0.4 by Perly unloaded.\n");
}
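Once the module is loaded, the remaining job is the search through the log that the message above proposes. The following Python script is an added example, not part of this mail or of exec.c: it parses the "EXECVE(UID)[PID]: path args" lines the module writes to kern.info and lists the programs started just before a given kernel message, which is how a misbehaving binary can be located. The log lines and the marker message are constructed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Line format written by exec.c, behind the usual syslog prefix
# "Mon DD HH:MM:SS host kernel: ". Note that exec.c prints at most
# ARGS_LOGGED (10) arguments, so long command lines appear truncated.
EXEC_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
    r"EXECVE\((?P<uid>\d+)\)\[(?P<pid>\d+)\]: (?P<path>\S+) ?(?P<args>.*)$"
)

@dataclass
class ExecRecord:
    ts: str
    uid: int
    pid: int
    path: str
    args: List[str]

def parse_exec_line(line: str) -> Optional[ExecRecord]:
    """Return an ExecRecord for an exec.c log line, or None for any other line."""
    m = EXEC_RE.match(line.rstrip("\n"))
    if not m:
        return None
    return ExecRecord(m.group("ts"), int(m.group("uid")), int(m.group("pid")),
                      m.group("path"), m.group("args").split())

def execs_before_marker(lines, marker: str, window: int = 3) -> List[ExecRecord]:
    """Collect the last `window` execs logged before each line containing `marker`."""
    recent: List[ExecRecord] = []
    suspects: List[ExecRecord] = []
    for line in lines:
        rec = parse_exec_line(line)
        if rec is not None:
            recent = (recent + [rec])[-window:]
        elif marker in line:
            suspects.extend(r for r in recent if r not in suspects)
    return suspects

# Constructed sample of kern.info; the marker line is a made-up kernel message.
SAMPLE_LOG = """\
Nov 15 00:42:27 perly kernel: EXECVE(0)[4837]: /bin/ps uax
Nov 15 00:42:28 perly kernel: EXECVE(1000)[4838]: /usr/bin/less
Nov 15 00:42:29 perly kernel: EXECVE(1000)[4839]: /usr/local/bin/oldtool -v
Nov 15 00:42:29 perly kernel: CONSTRUCTED-MARKER: message being chased
Nov 15 00:42:31 perly kernel: EXECVE(1000)[4840]: /bin/ls -l
""".splitlines()

if __name__ == "__main__":
    for r in execs_before_marker(SAMPLE_LOG, "CONSTRUCTED-MARKER", window=2):
        print(f"{r.ts} uid={r.uid} pid={r.pid} {r.path} {' '.join(r.args)}")
```

Feed it the real kern.info file and the text of the kernel message you are seeing; the execs reported for each hit are the candidates for the broken binary.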

