- /*
- * Name: LKM DETECT0R
- * Date: Tue Apr 18 12:00:16 2000
- * Author: pIGpEN [ pigpen@s0ftpj.org, deadhead@sikurezza.org ]
- *
- * SoftProject 2000 - Digital Sekurity for Y2k
- * Sikurezza.org - Italian Security MailingList
- * FreeBSD Abuser - Current does it better ! ;)
- *
- * COFFEE-WARE LICENSE - This source code is like "THE BEER-WARE LICENSE" by
- * Poul-Henning Kamp <phk@FreeBSD.ORG> but you can give me in return a coffee.
- *
- * Tested on: FreeBSD 3.4-RELEASE FreeBSD 3.4-RELEASE #5: Mon Mar i386
- *
- * This module compares each syscall table entry with its kernel function...
- * So you can detect an LKM which modifies your system...
- *
- * Note: This code is only a way to demonstrate this ... you can also modify
- * this for *sw structures (ex. protosw, devsw and so on...)
- *
- * Compile with: make
- *
- * Use: make load
- * make unload
- */
-
- #include <sys/types.h>
- #include <sys/param.h>
- #include <sys/kernel.h>
- #include <sys/systm.h>
- #include <sys/module.h>
- #include <sys/sysent.h>
- #include <sys/sysproto.h>
- #include <sys/syscall.h>
-
/* Module event handler (defined below); referenced by the S_Check descriptor. */
static int module_handler(module_t, int, void *);

/*
 * Module descriptor passed to DECLARE_MODULE: the kld is named "scheck",
 * events are delivered to module_handler, and it carries no private data.
 */
static moduledata_t S_Check = {
	"scheck",	/* name */
	module_handler,	/* evhand */
	NULL		/* priv */
};

/* Register the module with the kernel at SI_SUB_EXEC / SI_ORDER_MIDDLE. */
DECLARE_MODULE(scheck, S_Check, SI_SUB_EXEC, SI_ORDER_MIDDLE);
-
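/*
 * c(x, y, n): report syscall number x as altered when its sysent[] entry no
 * longer points at kernel function y; n is the label printed in the message.
 *
 * Wrapped in do { ... } while (0) so the macro expands to exactly one
 * statement: it is safe in an unbraced if/else and the ';' at the use site
 * terminates it instead of leaving an empty statement behind.  Arguments are
 * parenthesised so expressions passed in cannot rebind.  Both addresses are
 * cast to void * because that is the only type %p is defined for.
 */
#define c(x, y, n) do { \
	if (sysent[(x)].sy_call != (sy_call_t *)(y)) \
		printf("%s: altered! [function] at %p, [syscall] at %p\n", \
		    (n), (void *)(y), (void *)sysent[(x)].sy_call); \
} while (0)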
-
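/*
 * Module event handler.
 *
 * On MOD_LOAD, compare each listed sysent[] entry against the address of the
 * kernel function that is supposed to service that syscall and report every
 * mismatch on the console through c().  The comparison runs exactly once, at
 * load time, and the module does nothing afterwards, so redirection that
 * happens later goes unnoticed.  Because only the table entry's address is
 * compared, a handler whose body was modified in place still compares equal.
 *
 * mod and arg are unused.  Every event returns 0, so the module can be both
 * loaded and unloaded; MOD_UNLOAD has nothing to undo because MOD_LOAD only
 * reads sysent[] and prints.
 */
static int
module_handler(module_t mod, int cmd, void *arg)
{
	(void)mod;
	(void)arg;

	switch (cmd) {
	case MOD_LOAD:
		c(SYS_exit, exit, "exit");
		c(SYS_fork, fork, "fork");
		c(SYS_read, read, "read");
		c(SYS_write, write, "write");
		c(SYS_open, open, "open");
		c(SYS_close, close, "close");
		c(SYS_wait4, wait4, "wait");
		c(SYS_link, link, "link");
		c(SYS_unlink, unlink, "unlink");
		c(SYS_chdir, chdir, "chdir");
		c(SYS_fchdir, fchdir, "fchdir");
		c(SYS_mknod, mknod, "mknod");
		c(SYS_chmod, chmod, "chmod");
		c(SYS_chown, chown, "chown");
		c(SYS_getfsstat, getfsstat, "getfsstat");
		c(SYS_getpid, getpid, "getpid");
		/* mount/unmount/setuid/getuid were listed twice; checked once here */
		c(SYS_mount, mount, "mount");
		c(SYS_unmount, unmount, "unmount");
		c(SYS_setuid, setuid, "setuid");
		c(SYS_getuid, getuid, "getuid");
		c(SYS_geteuid, geteuid, "geteuid");
		c(SYS_ptrace, ptrace, "ptrace");
		c(SYS_recvmsg, recvmsg, "recvmsg");
		c(SYS_sendmsg, sendmsg, "sendmsg");
		c(SYS_recvfrom, recvfrom, "recvfrom");

		/*
		 * ..... put here other syscalls ....
		 */

		c(SYS_ioctl, ioctl, "ioctl");
		c(SYS_setsockopt, setsockopt, "setsockopt");
		c(SYS___sysctl, __sysctl, "sysctl");
		break;
	case MOD_UNLOAD:
		/* nothing to release: the load step only compared and printed */
		break;
	default:
		break;
	}

	return 0;
}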
-
- /*
-
- # SoftProject 2000 - Digital Sekurity for Y2k
- # Sikurezza.org - Italian Security MailingList
- #
- # COFFEE-WARE LICENSE - This source code is like "THE BEER-WARE LICENSE" by
- # Poul-Henning Kamp <phk@FreeBSD.ORG> but you can give me in return a coffee.
- #
- # Tested on: FreeBSD 3.4-RELEASE FreeBSD 3.4-RELEASE #3: Thu Mar i386
- # < pigpen@s0ftpj.org >
-
- .PATH: /sys/kern
- SRCS = sec_lkm.c
- CFLAGS+= -I/sys
- KMOD = seclkm
- NOMAN = t
- KLDMOD = t
-
- KLDLOAD = /sbin/kldload
- KLDUNLOAD = /sbin/kldunload
-
- CLEANFILES+= ${KMOD}
-
- load:
- ${KLDLOAD} -v ./${KMOD}
-
- unload:
- ${KLDUNLOAD} -v -n ${KMOD}
-
- .include <bsd.kmod.mk>
-
- */
-