403WebShell

h( )($6;EbBLkfu�_l� ''8;DUFKV3Dd#,?ANk&5G$/(5M\^�ms��Sb�,;R''6c2I�!\��kx�Ve�[i��Me�IYO7:nOL~�Kr�qrv�I:�BM�y��s}r��K��x)1�6@r*2�89ma��&��'ti��{~#��t)1�2<�0:^5�W.uFzQ/u}�v��vv�u��U37yDJeEJo(/�5Ds'1�:Jlu�iy�iy�hw�1;:S`^BMLOQQn,4�7C�8C�>Lfe�]k�[i�Zg��IW�LZ�EP;,.��Tc�q(0) G,/]/1��w�r��l&-t*3�<<�u��#��j&.u��J68\8?"#$%&'()*+,-./0 !
Notice: Undefined index: dl in /var/www/html/web/simple.mini.php on line 1
403WebShell403Webshell
Server IP : 10.254.12.21 / Your IP : 10.254.12.21
Web Server : Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/5.6.40
System : Linux arit.skru.ac.th 3.10.0-1160.76.1.el7.x86_64 #1 SMP Wed Aug 10 16:21:17 UTC 2022 x86_64
User : apache ( 48)
PHP Version : 5.6.40
Disable Function : NONE
MySQL : ON | cURL : ON | WGET : OFF | Perl : ON | Python : ON | Sudo : ON | Pkexec : ON
Directory : /var/opt/eset/efs/eventd/eset_rtp/
Upload File :
[ Back ]
Current File : /var/opt/eset/efs/eventd/eset_rtp/ertp.h
/*
 * eset_rtp (ESET Real-time file system protection module)
 * Copyright (C) 1992-2021 ESET, spol. s r.o.
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation, either version 3 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program.  If not, see <https://www.gnu.org/licenses/>.
 *
 * In case of any questions, you can contact us at ESET, spol. s r.o., Einsteinova 24, 851 01 Bratislava, Slovakia.
 */

#ifndef _ERTP_H
#define _ERTP_H

#include <linux/delay.h>
#include <linux/device.h>
#include <linux/cred.h>
#include <linux/err.h>
#include <linux/file.h>
#include <linux/fdtable.h>
#include <linux/fs.h>
#include <linux/kallsyms.h>
#include <linux/kdev_t.h>
#include <linux/kprobes.h>
#include <linux/mm_types.h>
#include <linux/module.h>
#include <linux/mount.h>
#include <linux/namei.h>
#include <linux/poll.h>
#include <linux/sched.h>
#include <linux/slab.h>
#include <linux/rcupdate.h>
#include <linux/version.h>
#include <linux/uaccess.h>
#include <linux/unistd.h>

#include "eset_rtp.h"
#include "ertp_cache.h"

/*---------------------- HANDLERS - ertp_handlers.c ---------------------------*/
int ertp_handlers_init(uintptr_t k32, uintptr_t k64);
void ertp_handlers_deinit(void);

/*---------------------- HOOKS - ertp_hooks.c ---------------------------------*/

/* register hooks on open, close syscalls */
int ertp_hooks_init(uintptr_t t32, uintptr_t t64);

/* unregister eset hooks from syscalls */
void ertp_hooks_exit(void);

/* possible return values from antivirus filter */
enum ertp_flt_rv {
	ERTP_CONTINUE,
	ERTP_DENIED
};

/**
 * @brief call to antivirus filter to scan open file
 * @param struct file - open file
 * @return ERTP_CONTINUE when file is ok, ERTP_DENIED when operation was denied by filer
 */
enum ertp_flt_rv ertp_check_open(const struct file *file);

/**
 * @brief call to antivirus filter to scan closed file
 * @param struct file - closed file
 * @return ERTP_CONTINUE when file is ok, ERTP_DENIED when operation was denied by filer
 */
enum ertp_flt_rv ertp_check_close(const struct file *file);

/**
 * @brief call to antivirus filter to scan executed file
 * @param struct file - executed file
 * @return ERTP_CONTINUE when file is ok, ERTP_DENIED when operation was denied by filer
 */
enum ertp_flt_rv ertp_check_exec(const struct file *file);

/*------------------------ CONTROL DEVICE - ertp_dev.c ------------------------*/

/* create control device /dev/eset_hook */
int ertp_dev_init(void);

/* unregister and destroy /dev/eset_hook */
void ertp_dev_exit(void);

/*------------------------ EVENTS & REQUESTS - ertp_event.c -------------------*/

#define ERTP_OPEN         1
#define ERTP_CLOSE        2
#define ERTP_EXEC         4
#define ERTP_BASIC_EVENTS_FLAG 0xF
#define ERTP_REMOVE       0x10 // only file_id and device_number are set and eset_rtp_response is not required

#define ERTP_UNKNOWN      0
#define ERTP_ALLOW        1
#define ERTP_DENY         2
#define ERTP_DO_NOT_CACHE      0x00010000 /* use when you don't want to cache result, e.g. because of excludes */
#define ERTP_MODIFIED          0x00020000 /* we had cached this file, but it has changed */
#define ERTP_SCAN_IN_PROGRESS  0x00040000 /* scan we need is already in progress, so let's wait for its result */
#define ERTP_FLAGS_MASK        0xFFFF0000

#define ERTP_WITHOUT_FLAGS(result) (result & ~ERTP_FLAGS_MASK) /* get pure ERTP_ALLOW or ERTP_ALLOW status */

/* max timeout for scanner response in ms */
#define ERTP_MAX_TIMEOUT 10000

/* struct ertp_event - holds info for scanned event */
struct ertp_event {
	struct list_head req_list;            /* entry to request list */
	struct list_head scan_list;           /* entry to scanner list */
	struct list_head cache_waiting_list;  /* entry to cache, which the event is waiting for to be updated */
	struct completion wait;               /* wait for completion handler */
	atomic_t count;                       /* refcount */

	#ifndef f_dentry
		#define f_dentry f_path.dentry /* needed for kernel backward compatibility */
	#endif
	#define f_path_dentry f_path.dentry
	struct path f_path;               /* holding file path */
	unsigned int flags;               /* file->f_flags */
	struct file *file;                /* file for scan */
	char *process_path;               /* path of parent process */

	int was_removed_from_req_list;    /* 1 if event was remove from request list, 0 otherwise */

	/* user copyable fields from type till end of struct*/
	int type;                          /* event type: ERTP_OPEN, ERTP_CLOSE, ERTP_EXEC or ERTP_REMOVE */
	int id;                            /* unique id number */
	int result;                        /* result from scanner; ERTP_ALLOW or ERTP_DENY */
	uint32_t scan_mask;               /* bit mask of applied scan settings */
	pid_t tgid;                       /* event's pid */
	kuid_t uid;                       /* event's uid */
	kgid_t gid;                       /* event's gid */
	int fd;                           /* file descriptor */
	unsigned long fs_magic;           /* file system magic number from include/linux/magic.h */
	uint64_t ino;                     /* inode number */
	uint64_t dev;                     /* device number */
	loff_t file_size;                 /* file size in bytes */
	time64_t ctime;                   /* tv_sec value of change time */
	time64_t mtime;                   /* tv_sec value of modified time */
	uint16_t mode;                    /* kstat mode */
};

/* increase/decrease refcount of @event */
struct ertp_event *ertp_event_get(struct ertp_event *event);
void ertp_event_put(struct ertp_event *event);

/* pop request from queue */
struct ertp_event *ertp_pop_request(void);

/* append request back to queue */
void ertp_append_request(struct ertp_event *event);

/* process scan request for @event_type operation for @file done by @process_path */
int ertp_process_request(const struct file *file, int event_type, char *process_path);

/* send notification message about removing file with @path and remove it from our internal cache*/
void ertp_remove_notify(struct path *path);

/* mark event as done */
void ertp_event_done(struct ertp_event *event);

/* open/close file in @event - needed to send it to scanner */
int ertp_open_event_file(struct ertp_event *event);
void ertp_close_event_file(struct ertp_event *event);

/* allow event which was already prepared for sending to user space */
void ertp_event_allow_prepared_event(struct ertp_event *event);

/* tags/indexes of var data items */
enum ertp_event_var_item {
	ERTP_VAR_FILE_PATH = 0,
	ERTP_VAR_PROCESS_PATH,

	N_ERTP_VAR_ITEMS
};

/* variable data list item. */
struct ertp_event_var_data {
	const char *ptr;
	size_t      size;
	void       *buf;
};

/* convert event data to eset_rtp_event structure @buf for user space */
int ertp_event_serialize(struct ertp_event *event, struct eset_rtp_event *buf, struct ertp_event_var_data *var_data);

/* assign @event to be handled by current process */
int ertp_add_reply(struct ertp_event *event);
int ertp_request_queue_empty(void);

/* enable/disable sending event to antivirus filter */
void ertp_start_accept(void);
void ertp_stop_accept(void);
/* test whether any antivirus is registred to module */
int ertp_is_stopped(void);

/* remove all request from cache */
void ertp_rem_requests(void);

/* get ertp_event for user space @response */
struct ertp_event *ertp_get_reply(struct eset_rtp_set_av_status *response);

/**
 * ertp_get_full_path - get full file path of @event
 *
 * use buffer @buf with size @size to store the path
 * return pointer to path string
 */
static inline const char *ertp_get_full_path(const struct ertp_event *event, char *buf, size_t size) {
	return d_path(&event->f_path, buf, size);
}

/* create/destroy event cache */
int ertp_events_init(void);
void ertp_events_exit(void);

extern wait_queue_head_t ertp_request_available;

/*------------------------- PATHS - ertp_path.c -------------------------------*/

struct ertp_path {
	struct list_head list; /* list of paths */
	char *path_name;       /* null-terminated path */
	size_t path_len;       /* len of path */
	atomic_t count;        /* refcount */
};

/* alloc new ertp_path */
struct ertp_path *ertp_path_alloc(const char *path_name);

/* increase/decrease refcount of @path */
struct ertp_path *ertp_path_get(struct ertp_path* path);
void ertp_path_put(struct ertp_path* path);

/*----------------------- EXCLUDES - ertp_excludes.c --------------------------*/

/* return true if @process_path is excluded, return false if it is not or in case of error*/
bool ertp_proc_excluded(const char *process_path);
/* return true if @file is excluded, return false if it is not or in case of error*/
bool ertp_file_excluded(const struct file *file);

/* Show or store excluded processes. Called from sysfs. */
int ertp_excluded_proc_show(char *buf, int size);
int ertp_excluded_proc_store(const char *buf, int size);

/* Show or store excluded files. Called from sysfs. */
int ertp_excluded_files_show(char *buf, int size);
int ertp_excluded_files_store(const char *buf, int size);

/* clean cache of excludes*/
void ertp_excluded_proc_clear(void);
void ertp_excluded_files_clear(void);
void ertp_excludes_clear(void);

/*------------------------ SCANNER - escanner.c ---------------------------*/

/* struct ertp_scanner - information about scanner connected to eset_rtp */
/* Note: current implementation supports only one connected scanner */
struct ertp_scanner {
	struct list_head events; /* list of scanned events */
	spinlock_t lock;         /* spin lock */
	atomic_t   tgid;         /* process tgit */
};

extern struct ertp_scanner escanner;

/* return true if there is no registered scanner */
static inline int ertp_no_scanner(void)
{
	return atomic_read(&escanner.tgid) == -1;
}

/* return true if current process is registered scanner */
static inline int ertp_is_scanner(void)
{
	return atomic_read(&escanner.tgid) == current->tgid;
}

/* register process with @tgid as current scanner */
/* there has to be no registered scanner or return -EEXIST */
int ertp_scanner_reg(pid_t tgid);

/* remove registered scanner and clean all its events */
void ertp_scanner_rem(void);

/* add/remove event to/from scanner */
int ertp_scan_add_event(struct ertp_event *event);
void ertp_scan_rem_event(struct ertp_event *event);

/* pop event with @id from scanner list */
struct ertp_event *ertp_scan_pop_event(int id);

/*--------------------- /sys/module control - ertp_sysfs.c ------------------*/

/* init /sys/module/eset_rtp control directory */
int ertp_sysfs_init(void);
/* delete sysfs directories */
void ertp_sysfs_exit(void);

/*------------------------ utilities - ertp_utils.c -------------------------*/

/* lookup address of symbol, return 0 on error */
unsigned long ertp_lookup_address(const char *symbol_name);

static inline struct file *ertp_dentry_open(const struct path *path, int flags) {
#if (LINUX_VERSION_CODE < KERNEL_VERSION(3,6,0))
	return dentry_open(dget(path->dentry), mntget(path->mnt), flags,
			current_cred());
#else
	return dentry_open(path, flags, current_cred());
#endif
}

static inline int ertp_vfs_getattr(const struct path *path, struct kstat *attr_info) {
#if (LINUX_VERSION_CODE < KERNEL_VERSION(3,9,0))
	return vfs_getattr(path->mnt, path->dentry, attr_info);
#elif (LINUX_VERSION_CODE < KERNEL_VERSION(4,11,0))
	return vfs_getattr((struct path *)path, attr_info);
#else
	return vfs_getattr(path, attr_info, 0, 0);
#endif
}

#ifdef ERTP_DEBUG
/* get/release filename from userspace to kernel space */
/* Not very optimal, use only for debug purposes */
char *ertp_getname(const char __user * filename);
static inline void ertp_putname(char * filename) { if (!IS_ERR_OR_NULL(filename)) __putname(filename); }
#	define ERPT_UNKONWN "[unknown]"
#endif

/*----------------------------- LOGS ----------------------------------------*/

#define ertp_pr_error(fmt, ...) \
	printk(KERN_ERR ESET_RTP "(%s): " pr_fmt(fmt) "\n", __PRETTY_FUNCTION__, ##__VA_ARGS__)
#define ertp_pr_warning(fmt, ...) \
	printk(KERN_WARNING ESET_RTP "(%s): " pr_fmt(fmt) "\n", __PRETTY_FUNCTION__, ##__VA_ARGS__)
#define ertp_pr_info(fmt, ...) \
	printk(KERN_INFO ESET_RTP ": " pr_fmt(fmt) "\n", ##__VA_ARGS__)

/*----------------------------- DEBUG ---------------------------------------*/

#ifdef ERTP_DEBUG
#	define DBG_BUG_ON(cond) BUG_ON(cond)
#	define ertp_pr_debug(fmt, ...) \
		printk(KERN_DEBUG ESET_RTP ": %s:%d:%s:" pr_fmt(fmt) "\n", __FILE__, __LINE__, __PRETTY_FUNCTION__, ##__VA_ARGS__)
#else
#	define DBG_BUG_ON(cond)
#	define ertp_pr_debug(fmt, ...)
#endif

#endif /* _ERTP_H */
Youez - 2016 - github.com/yon3zu
LinuXploit