首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
finding hidden modules on 2.6 kernel_module_hunter
来源:www.linuxforum.net 作者:madsys 发布时间:2004-09-21  

finding hidden modules on 2.6 kernel_module_hunter

文摘出处:http://www.linuxforum.net/forum/showflat.php?Cat=&Board=security&Number=512152&page=0&view=collapsed&sb=5&o=31&fpart=

/* name: module hunter 2.6 ver 1.0 9.6.04
author: madsys
usage: cat /proc/showmodules
*/

#undef KBUILD_MODNAME
#define KBUILD_MODNAME mh26

#include <linux/config.h>

#ifdef CONFIG_SMP
#define __SMP__
#endif

#if CONFIG_MODVERSIONS == 1
#define MODVERSIONS
//#include <linux/modversions.h>
#endif

#include <linux/module.h>
#include <linux/kernel.h>
#include <linux/version.h>

#include <linux/unistd.h>
#include <linux/string.h>
#include <linux/mm.h>

#include <linux/proc_fs.h> //must need

#include <linux/errno.h>
#include <asm/uaccess.h>


#include <asm/pgtable.h>
#include <asm/fixmap.h>
#include <asm/page.h>

//static int errno;
#define HARDCORE 0xc041f000
#define STEPPING (PAGE_SIZE/32)


int valid_addr(unsigned long address)
{
unsigned long page;

if (!address)
return 0;

page = ((unsigned long *)HARDCORE)[address >> 22]; //pde
if (page & 1)
{
page &= PAGE_MASK;
address &= 0x003ff000;
page = ((unsigned long *) __va(page))[address >> PAGE_SHIFT]; //pte
if (page)
return 1;
}

return 0;
}

ssize_t showmodule_read(struct file *unused_file, char *buffer, size_t len, loff_t*off)
{
struct module *p;

printk("\naddress name size core_addr flags \n\n");
for (p=(struct module *)VMALLOC_START; p<=(structmodule*)(VMALLOC_START+VMALLOC_RESERVE-PAGE_SIZE); p=(struct module *)((unsignedlong)p+STEPPING))
{
if (valid_addr((unsigned long)p+ (unsigned long)&((struct module*)NULL)->name) )

if (((p->name[0]>=0x30 && p->name[0]<=0x39) ||(p->name[0]> 0x41 && p->name[0]<=0x7a )) &&(p->core_size < 1 <<20) && (p->core_size> 128) &&p->state <3 && (int)p->init >0xc6800000) //never seen module over1M
printk("0x%p%18s %6lu 0x%4p %3d\n", p, p->name, p->core_size,p->module_core, p->state);
}

return 0;
}

static struct file_operations showmodules_ops = {
read: showmodule_read,
};

int init_module(void)
{
struct proc_dir_entry *entry;

entry = create_proc_entry("showmodules", S_IRUSR, &proc_root);
entry->proc_fops = &showmodules_ops;

return 0;
}

void cleanup_module()
{
remove_proc_entry("showmodules", &proc_root);
}

MODULE_LICENSE("GPL");
MODULE_AUTHOR("madsys madsys<at>ercist.iscas.ac.cn");



 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Cdrecord Local Exploit (SUID S
·Proof Of Concept exploit for h
·BlackJumboDog FTP Server Buffe
·Pigeon Server DoS Exploit
·Cdrecord Local Root Exploit
·Sudo Local Exploit
·Citadel/UX<= 6.23 Remote US
·Windows JPEG Processing Buffer
·Trillian 0.74i Remote Buffer O
·Windows JPEG GDI+ Overflow She
·PHP-Nuke 7.4 SQL Injection Exp
·Windows JPEG GDI+ Overflow Adm
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved