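/*
 * Name: LKM DETECT0R
 * Date: Tue Apr 18 12:00:16 2000
 * Author: pIGpEN [ pigpen@s0ftpj.org, deadhead@sikurezza.org ]
 *
 * SoftProject 2000 - Digital Sekurity for Y2k
 * Sikurezza.org - Italian Security MailingList
 * FreeBSD Abuser - Current does it better ! ;)
 *
 * COFFEE-WARE LICENSE - This source code is like "THE BEER-WARE LICENSE" by
 * Poul-Henning Kamp but you can give me in return a coffee.
 *
 * Tested on: FreeBSD 3.4-RELEASE FreeBSD 3.4-RELEASE #5: Mon Mar i386
 *
 * What this module does
 * ---------------------
 * At MOD_LOAD it walks a fixed list of system calls and compares the
 * handler pointer currently installed in sysent[] with the address of the
 * kernel's own implementation of that call (the symbol this module was
 * linked against).  Every mismatch is printed on the console together with
 * both addresses.  This is the classic way to spot an LKM rootkit that
 * hooks the system-call table.
 *
 * Limitations to keep in mind
 * ---------------------------
 *  - Only the table entry is compared.  A rootkit that patches the body of
 *    the handler in place (inline hook) or hooks a lower layer (VFS ops,
 *    devsw, protosw, ...) leaves sysent[] untouched and is not detected.
 *    The same comparison can be applied to those other sw structures.
 *  - The "expected" address is whatever the in-kernel linker resolved the
 *    symbol to when this module was loaded.  On a kernel that is already
 *    compromised that reference can be as wrong as the table itself, so a
 *    clean run is a sanity check, not proof of integrity.  An out-of-band
 *    baseline (addresses taken from a known-good kernel image) is needed
 *    for a stronger statement.
 *  - The check runs exactly once, at load time; nothing here runs
 *    periodically.  Unload and reload the module to repeat it.
 *  - The list of calls is a sample.  Extend scheck_table[] for the calls
 *    you care about.
 *
 * Compile with: make
 *
 * Use: make load
 *      make unload
 */

/*
 * NOTE(review): the header names were stripped from the archived copy of
 * this file (eight bare "#include" lines survived).  The set below is what
 * the identifiers used here require on FreeBSD 3.x; confirm against the
 * original before building.
 */
#include <sys/param.h>
#include <sys/systm.h>		/* printf() */
#include <sys/kernel.h>		/* DECLARE_MODULE(), SI_SUB_..., SI_ORDER_... */
#include <sys/module.h>		/* module_t, moduledata_t, MOD_LOAD */
#include <sys/proc.h>		/* struct proc, used by the sysproto.h prototypes */
#include <sys/sysent.h>		/* sysent[], sy_call_t */
#include <sys/sysproto.h>	/* prototypes of the kernel's syscall handlers */
#include <sys/syscall.h>	/* SYS_... numbers */

/*
 * One entry of the expectation table: which sysent[] slot to look at, the
 * handler the kernel was built with, and the label used in the report.
 */
struct scheck_entry {
	int		 sc_num;	/* index into sysent[] (a SYS_... constant) */
	sy_call_t	*sc_func;	/* address of the kernel's own handler */
	const char	*sc_name;	/* name printed when the entry differs */
};

#define	SCHECK(num, func, name)	{ (num), (sy_call_t *)(func), (name) }

/*
 * System calls compared at load time.  These are the calls an LKM rootkit
 * typically hooks to hide processes, files and sockets or to grant
 * privileges.  (The original list carried mount/unmount/setuid/getuid
 * twice, which only produced duplicate report lines; the duplicates are
 * gone.)
 */
static const struct scheck_entry scheck_table[] = {
	SCHECK(SYS_exit,	exit,		"exit"),
	SCHECK(SYS_fork,	fork,		"fork"),
	SCHECK(SYS_read,	read,		"read"),
	SCHECK(SYS_write,	write,		"write"),
	SCHECK(SYS_open,	open,		"open"),
	SCHECK(SYS_close,	close,		"close"),
	SCHECK(SYS_wait4,	wait4,		"wait"),
	SCHECK(SYS_link,	link,		"link"),
	SCHECK(SYS_unlink,	unlink,		"unlink"),
	SCHECK(SYS_chdir,	chdir,		"chdir"),
	SCHECK(SYS_fchdir,	fchdir,		"fchdir"),
	SCHECK(SYS_mknod,	mknod,		"mknod"),
	SCHECK(SYS_chmod,	chmod,		"chmod"),
	SCHECK(SYS_chown,	chown,		"chown"),
	SCHECK(SYS_getfsstat,	getfsstat,	"getfsstat"),
	SCHECK(SYS_getpid,	getpid,		"getpid"),
	SCHECK(SYS_mount,	mount,		"mount"),
	SCHECK(SYS_unmount,	unmount,	"unmount"),
	SCHECK(SYS_setuid,	setuid,		"setuid"),
	SCHECK(SYS_getuid,	getuid,		"getuid"),
	SCHECK(SYS_geteuid,	geteuid,	"geteuid"),
	SCHECK(SYS_ptrace,	ptrace,		"ptrace"),
	SCHECK(SYS_recvmsg,	recvmsg,	"recvmsg"),
	SCHECK(SYS_sendmsg,	sendmsg,	"sendmsg"),
	SCHECK(SYS_recvfrom,	recvfrom,	"recvfrom"),
	/*
	 * ..... put other syscalls here .....
	 */
	SCHECK(SYS_ioctl,	ioctl,		"ioctl"),
	SCHECK(SYS_setsockopt,	setsockopt,	"setsockopt"),
	SCHECK(SYS___sysctl,	__sysctl,	"sysctl"),
};

#define	SCHECK_NENTRIES	(sizeof(scheck_table) / sizeof(scheck_table[0]))

static int scheck_run __P((void));
static int module_handler __P((module_t, int, void *));

static moduledata_t S_Check = {
	"scheck",
	module_handler,
	NULL
};

DECLARE_MODULE(scheck, S_Check, SI_SUB_EXEC, SI_ORDER_MIDDLE);

/*
 * Compare every entry of scheck_table[] against sysent[] and print one
 * line per mismatch: "[function]" is the address the kernel was built
 * with, "[syscall]" is what is installed in the table right now.
 *
 * Returns the number of altered entries.
 */
static int
scheck_run(void)
{
	const struct scheck_entry *e;
	unsigned int i;
	int altered;

	altered = 0;
	for (i = 0; i < SCHECK_NENTRIES; i++) {
		e = &scheck_table[i];
		if (sysent[e->sc_num].sy_call == e->sc_func)
			continue;
		altered++;
		printf("%s: altered! [function] at %p, [syscall] at %p\n",
		    e->sc_name, (void *)e->sc_func,
		    (void *)sysent[e->sc_num].sy_call);
	}
	return (altered);
}

/*
 * Module event handler.
 *
 * MOD_LOAD runs the comparison and then prints a one-line summary, so a
 * clean run is visible on the console as well (the original printed
 * nothing at all when no entry differed, which is indistinguishable from
 * the check not having run).  Every other event, MOD_UNLOAD included, is
 * accepted without action so the module can always be unloaded and
 * reloaded to repeat the check.
 *
 * Always returns 0: a detected hook is reported, not turned into a load
 * failure, so the report is not lost behind a kldload error.
 */
static int
module_handler(module_t mod, int cmd, void *arg)
{
	int altered;

	switch (cmd) {
	case MOD_LOAD:
		altered = scheck_run();
		printf("scheck: %d of %d syscall entries altered\n",
		    altered, (int)SCHECK_NENTRIES);
		break;
	default:
		break;
	}
	return (0);
}

/*
 * Makefile
 * --------
 * # SoftProject 2000 - Digital Sekurity for Y2k
 * # Sikurezza.org - Italian Security MailingList
 * #
 * # COFFEE-WARE LICENSE - This source code is like "THE BEER-WARE LICENSE" by
 * # Poul-Henning Kamp but you can give me in return a coffee.
 * #
 * # Tested on: FreeBSD 3.4-RELEASE FreeBSD 3.4-RELEASE #3: Thu Mar i386
 * # < pigpen@s0ftpj.org >
 *
 * .PATH: /sys/kern
 * SRCS = sec_lkm.c
 * CFLAGS+= -I/sys
 * KMOD = seclkm
 * NOMAN = t
 * KLDMOD = t
 * KLDLOAD = /sbin/kldload
 * KLDUNLOAD = /sbin/kldunload
 * CLEANFILES+= ${KMOD}
 *
 * load:
 * 	${KLDLOAD} -v ./${KMOD}
 *
 * unload:
 * 	${KLDUNLOAD} -v -n ${KMOD}
 *
 * .include <bsd.kmod.mk>
 *
 * NOTE(review): the argument of ".include" was lost in the archived copy;
 * bsd.kmod.mk is the file that consumes KMOD/KLDMOD, so it is the likely
 * value -- confirm.  The Makefile builds "seclkm" from sec_lkm.c while the
 * module registers itself as "scheck"; the kld file name and the
 * moduledata name need not match, but keep both in mind when reading
 * kldstat output.
 */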