/*
 * Name: LKM DETECT0R
 * Date: Tue Apr 18 12:00:16 2000
 * Author: pIGpEN [ pigpen@s0ftpj.org, deadhead@sikurezza.org ]
 *
 * SoftProject 2000 - Digital Sekurity for Y2k
 * Sikurezza.org - Italian Security MailingList
 * FreeBSD Abuser - Current does it better ! ;)
 *
 * COFFEE-WARE LICENSE - This source code is like "THE BEER-WARE LICENSE" by
 * Poul-Henning Kamp <phk@FreeBSD.ORG> but you can give me in return a coffee.
 *
 * Tested on: FreeBSD 3.4-RELEASE FreeBSD 3.4-RELEASE #5: Mon Mar i386
 *
 * This module compares each syscall table entry with its kernel function,
 * so you can detect an LKM which modifies your system...
 *
 * Note: This code is only a way to demonstrate this ... you can also modify
 * this for the other *sw structures (ex. protosw, devsw and so on...)
 *
 * Compile with: make
 *
 * Use: make load
 * 	make unload
 */

#include <sys/types.h>
#include <sys/param.h>
#include <sys/kernel.h>
#include <sys/systm.h>
#include <sys/module.h>
#include <sys/sysent.h>
#include <sys/sysproto.h>
#include <sys/syscall.h>

/* Module event handler, defined below; only MOD_LOAD does any work. */
static int	module_handler		__P((module_t, int, void *));

/*
 * Module descriptor handed to DECLARE_MODULE: the module name, the
 * event handler, and a third member that is left NULL here.
 */
static moduledata_t S_Check = {
	"scheck",
	module_handler,
	NULL
};

/*
 * Register the module at the SI_SUB_EXEC / SI_ORDER_MIDDLE stage.  The
 * sysent[] comparison is done once, in module_handler on MOD_LOAD, so
 * this module reports the state of the table at load time only.
 */
DECLARE_MODULE(scheck, S_Check, SI_SUB_EXEC, SI_ORDER_MIDDLE);

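/*
 * c(x, y, n): print a report line if syscall slot x of sysent[] no longer
 * points at kernel function y.  n is the name printed in the report.
 *
 * Only a replaced table pointer is detected: a modification that leaves
 * sysent[x].sy_call == y (e.g. a change to the body of y itself) is not
 * reported.  The expansion is wrapped in do { } while (0) so it is one
 * statement and cannot capture a following `else`; the call sites
 * already end with `;`, which now terminates the do/while.
 */
#define	c(x, y, n) do { \
	if (sysent[(x)].sy_call != (sy_call_t *)(y)) \
		printf("%s: altered! [function] at %p, [syscall] at %p\n", \
		    (n), (y), sysent[(x)].sy_call); \
} while (0)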

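/*
 * Module event handler.
 *
 * On MOD_LOAD, compare a fixed list of sysent[] entries against the kernel
 * functions they are expected to point at (macro c() above) and printf one
 * line for every entry that differs.  The reference address for each entry
 * is whatever the function symbol resolves to when this module is linked,
 * so the check catches a redirected table entry but does not verify the
 * code behind a pointer that still matches.
 *
 * Every other event is ignored.  Always returns 0, so the module loads and
 * unloads normally whether or not an alteration was reported; the report
 * is only visible through the printf() output.
 *
 * mod and arg are unused.
 */
static int
module_handler(module_t mod, int cmd, void *arg)
{
	switch(cmd) {
	case MOD_LOAD:
		c(SYS_exit,		exit,		"exit");
		c(SYS_fork,		fork,		"fork");
		c(SYS_read,		read,		"read");
		c(SYS_write,		write,		"write");
		c(SYS_open,		open,		"open");
		c(SYS_close,		close,		"close");
		/* label was "wait"; the slot checked is SYS_wait4 */
		c(SYS_wait4,		wait4,		"wait4");
		c(SYS_link,		link,		"link");
		c(SYS_unlink,		unlink,		"unlink");
		c(SYS_chdir,		chdir,		"chdir");
		c(SYS_fchdir,		fchdir,		"fchdir");
		c(SYS_mknod,		mknod,		"mknod");
		c(SYS_chmod,		chmod,		"chmod");
		c(SYS_chown,		chown,		"chown");
		c(SYS_getfsstat,	getfsstat,	"getfsstat");
		c(SYS_getpid,		getpid,		"getpid");
		/*
		 * mount, unmount, setuid and getuid were listed twice, which
		 * only duplicated the report line; each is checked once.
		 */
		c(SYS_mount,		mount,		"mount");
		c(SYS_unmount,		unmount,	"unmount");
		c(SYS_setuid,		setuid,		"setuid");
		c(SYS_getuid,		getuid,		"getuid");
		c(SYS_geteuid,		geteuid,	"geteuid");
		c(SYS_ptrace,		ptrace,		"ptrace");
		c(SYS_recvmsg,		recvmsg,	"recvmsg");
		c(SYS_sendmsg,		sendmsg,	"sendmsg");
		c(SYS_recvfrom,		recvfrom,	"recvfrom");

		/*
		 * ..... put here other syscalls ....
		 */

		c(SYS_ioctl,		ioctl,		"ioctl");
		c(SYS_setsockopt,	setsockopt,	"setsockopt");
		c(SYS___sysctl,		__sysctl,	"sysctl");
		break;
	default:
		/* MOD_UNLOAD and any other event: nothing to do */
		break;
	}

	return 0;
}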
	
/*			

# SoftProject 2000 - Digital Sekurity for Y2k
# Sikurezza.org - Italian Security MailingList
#
# COFFEE-WARE LICENSE - This source code is like "THE BEER-WARE LICENSE" by
# Poul-Henning Kamp <phk@FreeBSD.ORG> but you can give me in return a coffee.
#
# Tested on: FreeBSD 3.4-RELEASE FreeBSD 3.4-RELEASE #3: Thu Mar i386
# < pigpen@s0ftpj.org > 

.PATH: /sys/kern
SRCS	= sec_lkm.c 
CFLAGS+= -I/sys
KMOD	= seclkm 
NOMAN	= t
KLDMOD	= t

KLDLOAD		= /sbin/kldload
KLDUNLOAD	= /sbin/kldunload

CLEANFILES+= ${KMOD}

load:
	${KLDLOAD} -v ./${KMOD}

unload:
	${KLDUNLOAD} -v -n ${KMOD}

.include <bsd.kmod.mk>

*/
