Fix commit: c049fa5

lkrg-org · Dec 30, 2020 · 1299583 · 1299583
1 parent 58b9ec0
commit 1299583
Show file tree

Hide file tree

Showing 16 changed files with 19 additions and 992 deletions.
diff --git a/Makefile b/Makefile
@@ -45,8 +45,7 @@ $(TARGET)-objs += src/modules/ksyms/p_resolve_ksym.o \
                   src/modules/self-defense/hiding/p_hiding.o \
                   src/modules/exploit_detection/p_rb_ed_trees/p_rb_ed_pids/p_rb_ed_pids_tree.o \
                   src/modules/exploit_detection/syscalls/p_install.o \
-                  src/modules/exploit_detection/syscalls/p_sys_execve/p_sys_execve.o \
-                  src/modules/exploit_detection/syscalls/p_sys_execveat/p_sys_execveat.o \
+                  src/modules/exploit_detection/syscalls/p_search_binary_handler/p_search_binary_handler.o \
                   src/modules/exploit_detection/syscalls/p_call_usermodehelper/p_call_usermodehelper.o \
                   src/modules/exploit_detection/syscalls/p_call_usermodehelper_exec/p_call_usermodehelper_exec.o \
                   src/modules/exploit_detection/syscalls/p_do_exit/p_do_exit.o \
@@ -72,14 +71,10 @@ $(TARGET)-objs += src/modules/ksyms/p_resolve_ksym.o \
                   src/modules/exploit_detection/syscalls/keyring/p_sys_request_key/p_sys_request_key.o \
                   src/modules/exploit_detection/syscalls/keyring/p_sys_keyctl/p_sys_keyctl.o \
                   src/modules/exploit_detection/syscalls/p_security_ptrace_access/p_security_ptrace_access.o \
-                  src/modules/exploit_detection/syscalls/compat/p_compat_sys_execve/p_compat_sys_execve.o \
-                  src/modules/exploit_detection/syscalls/compat/p_compat_sys_execveat/p_compat_sys_execveat.o \
                   src/modules/exploit_detection/syscalls/compat/p_compat_sys_keyctl/p_compat_sys_keyctl.o \
                   src/modules/exploit_detection/syscalls/compat/p_compat_sys_capset/p_compat_sys_capset.o \
                   src/modules/exploit_detection/syscalls/compat/p_compat_sys_add_key/p_compat_sys_add_key.o \
                   src/modules/exploit_detection/syscalls/compat/p_compat_sys_request_key/p_compat_sys_request_key.o \
-                  src/modules/exploit_detection/syscalls/__x32/p_x32_sys_execve/p_x32_sys_execve.o \
-                  src/modules/exploit_detection/syscalls/__x32/p_x32_sys_execveat/p_x32_sys_execveat.o \
                   src/modules/exploit_detection/syscalls/__x32/p_x32_sys_keyctl/p_x32_sys_keyctl.o \
                   src/modules/exploit_detection/syscalls/override/p_override_creds/p_override_creds.o \
                   src/modules/exploit_detection/syscalls/override/p_revert_creds/p_revert_creds.o \

diff --git a/src/modules/exploit_detection/p_exploit_detection.c b/src/modules/exploit_detection/p_exploit_detection.c
@@ -41,22 +41,13 @@ static const struct p_functions_hooks {
    int is_isra_safe;
 
 } p_functions_hooks_array[] = {
-   { "sys_execve",
-     p_install_sys_execve_hook,
-     p_uninstall_sys_execve_hook,
+   { "search_binary_handler",
+     p_install_search_binary_handler_hook,
+     p_uninstall_search_binary_handler_hook,
      1,
      NULL,
-     0
-   },
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(3,19,0)
-   { "sys_execveat",
-     p_install_sys_execveat_hook,
-     p_uninstall_sys_execveat_hook,
-     1,
-     NULL,
-     0
+     1
    },
-#endif
    { "call_usermodehelper",
      p_install_call_usermodehelper_hook,
      p_uninstall_call_usermodehelper_hook,
@@ -230,22 +221,6 @@ static const struct p_functions_hooks {
      0
    },
 #ifdef CONFIG_COMPAT
-   { "compat_sys_execve",
-     p_install_compat_sys_execve_hook,
-     p_uninstall_compat_sys_execve_hook,
-     1,
-     NULL,
-     0
-   },
-  #if LINUX_VERSION_CODE >= KERNEL_VERSION(3,19,0)
-   { "compat_sys_execveat",
-     p_install_compat_sys_execveat_hook,
-     p_uninstall_compat_sys_execveat_hook,
-     1,
-     NULL,
-     0
-   },
-  #endif
    { "compat_sys_keyctl",
      p_install_compat_sys_keyctl_hook,
      p_uninstall_compat_sys_keyctl_hook,
@@ -281,20 +256,6 @@ static const struct p_functions_hooks {
 #endif /* CONFIG_COMPAT */
 #ifdef CONFIG_X86_X32
  #ifdef P_SYSCALL_LAYOUT_4_17
-   { "x32_sys_execve",
-     p_install_x32_sys_execve_hook,
-     p_uninstall_x32_sys_execve_hook,
-     1,
-     NULL,
-     0
-   },
-   { "x32_sys_execveat",
-     p_install_x32_sys_execveat_hook,
-     p_uninstall_x32_sys_execveat_hook,
-     1,
-     NULL,
-     0
-   },
    { "x32_sys_keyctl",
      p_install_x32_sys_keyctl_hook,
      p_uninstall_x32_sys_keyctl_hook,
@@ -588,10 +549,10 @@ struct p_lkrg_debug_off_flag_callers {
 
 } p_debug_off_flag_callers[] = {
 
-   { 0, "p_x32_sys_execve_entry" },
-   { 1, "p_x32_sys_execve_ret" },
-   { 2, "p_x32_sys_execveat_entry" },
-   { 3, "p_x32_sys_execveat_ret" },
+   { 0, "RESERVED" },
+   { 1, "RESERVED" },
+   { 2, "RESERVED" },
+   { 3, "RESERVED" },
    { 4, "p_x32_sys_keyctl_entry" },
    { 5, "p_x32_sys_keyctl_ret" },
    { 6, "p_cap_task_prctl_entry" },
@@ -602,10 +563,10 @@ struct p_lkrg_debug_off_flag_callers {
    { 11, "p_compat_sys_add_key_ret" },
    { 12, "p_compat_sys_capset_entry" },
    { 13, "p_compat_sys_capset_ret" },
-   { 14, "p_compat_sys_execve_entry" },
-   { 15, "p_compat_sys_execve_ret" },
-   { 16, "p_compat_sys_execveat_entry" },
-   { 17, "p_compat_sys_execveat_ret" },
+   { 14, "RESERVED" },
+   { 15, "RESERVED" },
+   { 16, "RESERVED" },
+   { 17, "RESERVED" },
    { 18, "p_compat_sys_keyctl_entry" },
    { 19, "p_compat_sys_keyctl_ret" },
    { 20, "p_compat_sys_request_key_entry" },
@@ -625,10 +586,10 @@ struct p_lkrg_debug_off_flag_callers {
    { 34, "p_seccomp_ret" },
    { 35, "p_set_current_groups_entry" },
    { 36, "p_set_current_groups_ret" },
-   { 37, "p_sys_execve_entry" },
-   { 38, "p_sys_execve_ret" },
-   { 39, "p_sys_execveat_entry" },
-   { 40, "p_sys_execveat_ret" },
+   { 37, "p_search_binary_handler_entry" },
+   { 38, "p_search_binary_handler_ret" },
+   { 39, "RESERVED" },
+   { 40, "RESERVED" },
    { 41, "p_sys_setfsgid_entry" },
    { 42, "p_sys_setfsgid_ret" },
    { 43, "p_sys_setfsuid_entry" },

diff --git a/src/modules/exploit_detection/p_exploit_detection.h b/src/modules/exploit_detection/p_exploit_detection.h
@@ -268,8 +268,7 @@ struct p_ed_global_variables {
 
 #include "p_rb_ed_trees/p_rb_ed_pids/p_rb_ed_pids_tree.h"
 #include "syscalls/p_install.h"
-#include "syscalls/p_sys_execve/p_sys_execve.h"
-#include "syscalls/p_sys_execveat/p_sys_execveat.h"
+#include "syscalls/p_search_binary_handler/p_search_binary_handler.h"
 #include "syscalls/p_call_usermodehelper/p_usermode_kernel_dep.h"
 #include "syscalls/p_call_usermodehelper/p_call_usermodehelper.h"
 #include "syscalls/p_call_usermodehelper_exec/p_call_usermodehelper_exec.h"
@@ -295,14 +294,10 @@ struct p_ed_global_variables {
 #include "syscalls/keyring/p_sys_request_key/p_sys_request_key.h"
 #include "syscalls/keyring/p_sys_keyctl/p_sys_keyctl.h"
 #include "syscalls/p_security_ptrace_access/p_security_ptrace_access.h"
-#include "syscalls/compat/p_compat_sys_execve/p_compat_sys_execve.h"
-#include "syscalls/compat/p_compat_sys_execveat/p_compat_sys_execveat.h"
 #include "syscalls/compat/p_compat_sys_keyctl/p_compat_sys_keyctl.h"
 #include "syscalls/compat/p_compat_sys_capset/p_compat_sys_capset.h"
 #include "syscalls/compat/p_compat_sys_add_key/p_compat_sys_add_key.h"
 #include "syscalls/compat/p_compat_sys_request_key/p_compat_sys_request_key.h"
-#include "syscalls/__x32/p_x32_sys_execve/p_x32_sys_execve.h"
-#include "syscalls/__x32/p_x32_sys_execveat/p_x32_sys_execveat.h"
 #include "syscalls/__x32/p_x32_sys_keyctl/p_x32_sys_keyctl.h"
 /* Override creds */
 #include "syscalls/override/p_override_creds/p_override_creds.h"

diff --git a/src/modules/exploit_detection/syscalls/__x32/p_x32_sys_execve/p_x32_sys_execve.c b/src/modules/exploit_detection/syscalls/__x32/p_x32_sys_execve/p_x32_sys_execve.c
diff --git a/src/modules/exploit_detection/syscalls/__x32/p_x32_sys_execve/p_x32_sys_execve.h b/src/modules/exploit_detection/syscalls/__x32/p_x32_sys_execve/p_x32_sys_execve.h