finding hidden modules on 2.6 kernel_module_hunter文摘出处:http://www.linuxforum.net/forum/showflat.php?Cat=&Board=security&Number=512152&page=0&view=collapsed&sb=5&o=31&fpart=
/* name: module hunter 2.6 ver 1.0 9.6.04
author: madsys
usage: cat /proc/showmodules
*/
#undef KBUILD_MODNAME
#define KBUILD_MODNAME mh26
#include <linux/config.h>
#ifdef CONFIG_SMP
#define __SMP__
#endif
#if CONFIG_MODVERSIONS == 1
#define MODVERSIONS
//#include <linux/modversions.h>
#endif
#include <linux/module.h>
#include <linux/kernel.h>
#include <linux/version.h>
#include <linux/unistd.h>
#include <linux/string.h>
#include <linux/mm.h>
#include <linux/proc_fs.h> //must need
#include <linux/errno.h>
#include <asm/uaccess.h>
#include <asm/pgtable.h>
#include <asm/fixmap.h>
#include <asm/page.h>
//static int errno;
#define HARDCORE 0xc041f000
#define STEPPING (PAGE_SIZE/32)
int valid_addr(unsigned long address)
{
unsigned long page;
if (!address)
return 0;
page = ((unsigned long *)HARDCORE)[address >> 22]; //pde
if (page & 1)
{
page &= PAGE_MASK;
address &= 0x003ff000;
page = ((unsigned long *) __va(page))[address >> PAGE_SHIFT]; //pte
if (page)
return 1;
}
return 0;
}
ssize_t showmodule_read(struct file *unused_file, char *buffer, size_t len, loff_t*off)
{
struct module *p;
printk("\naddress name size core_addr flags \n\n");
for (p=(struct module *)VMALLOC_START; p<=(structmodule*)(VMALLOC_START+VMALLOC_RESERVE-PAGE_SIZE); p=(struct module *)((unsignedlong)p+STEPPING))
{
if (valid_addr((unsigned long)p+ (unsigned long)&((struct module*)NULL)->name) )
if (((p->name[0]>=0x30 && p->name[0]<=0x39) ||(p->name[0]> 0x41 && p->name[0]<=0x7a )) &&(p->core_size < 1 <<20) && (p->core_size> 128) &&p->state <3 && (int)p->init >0xc6800000) //never seen module over1M
printk("0x%p%18s %6lu 0x%4p %3d\n", p, p->name, p->core_size,p->module_core, p->state);
}
return 0;
}
static struct file_operations showmodules_ops = {
read: showmodule_read,
};
int init_module(void)
{
struct proc_dir_entry *entry;
entry = create_proc_entry("showmodules", S_IRUSR, &proc_root);
entry->proc_fops = &showmodules_ops;
return 0;
}
void cleanup_module()
{
remove_proc_entry("showmodules", &proc_root);
}
MODULE_LICENSE("GPL");
MODULE_AUTHOR("madsys madsys<at>ercist.iscas.ac.cn");
推荐
评论(0条)
