added execwatch
This commit is contained in:
your-favorite-hacker
85
execwatch/execWatch.c
Executable file
85
execwatch/execWatch.c
Executable file
@@ -0,0 +1,85 @@
|
||||
/*
|
||||
execWatch to the arms!
|
||||
hooks syscall execve and logs every access to /var/log/messages
|
||||
written somewhen between 2006-2009
|
||||
ported to freebsd 10.1 should work also on older releases
|
||||
by dash
|
||||
*/
|
||||
#include <sys/param.h>
|
||||
#include <sys/proc.h>
|
||||
#include <sys/module.h>
|
||||
#include <sys/sysent.h>
|
||||
#include <sys/kernel.h>
|
||||
#include <sys/syscall.h>
|
||||
#include <sys/syscallsubr.h>
|
||||
#include <sys/sysproto.h>
|
||||
#include <sys/syslog.h>
|
||||
#include <sys/imgact.h>
|
||||
#include <sys/linker.h>
|
||||
#include <sys/libkern.h>
|
||||
|
||||
#define eVersion "0.1"
|
||||
|
||||
static int execve_hook(struct thread *td, void *syscall_args)
|
||||
{
|
||||
|
||||
struct execve_args *uap;
|
||||
uap = (struct execve_args *)syscall_args;
|
||||
|
||||
int error;
|
||||
struct image_args args;
|
||||
|
||||
error = exec_copyin_args(&args, uap->fname, UIO_USERSPACE,
|
||||
uap->argv, uap->envv);
|
||||
|
||||
log(LOG_DEBUG,"execWatch: fname: %s (%s) %d uid: %d\n",uap->fname,*uap->argv,args.argc,td->td_ucred->cr_uid);
|
||||
if (error == 0)
|
||||
error = kern_execve(td, &args, NULL);
|
||||
return (error);
|
||||
|
||||
|
||||
}
|
||||
struct eWatch_function_args {
|
||||
int op;
|
||||
};
|
||||
|
||||
static int eWatch_function(struct thread *td, void *syscall_args)
|
||||
{
|
||||
return(0);
|
||||
}
|
||||
static struct sysent eWatch_function_sysent = {
|
||||
0,
|
||||
eWatch_function
|
||||
};
|
||||
|
||||
static int offset = NO_SYSCALL;
|
||||
|
||||
static int load(struct module *module, int cmd, void *args)
|
||||
{
|
||||
int error;
|
||||
error=0;
|
||||
|
||||
|
||||
switch(cmd) {
|
||||
case MOD_LOAD:
|
||||
uprintf("[+] Loaded execWatch %s\n",eVersion);
|
||||
uprintf("[+] Call at %d\n",offset);
|
||||
sysent[SYS_execve].sy_call = (sy_call_t *)execve_hook;
|
||||
|
||||
break;
|
||||
|
||||
case MOD_UNLOAD:
|
||||
|
||||
sysent[SYS_execve].sy_call = (sy_call_t *)sys_execve;
|
||||
uprintf("[+] Unloaded execWatch %s\n",eVersion);
|
||||
uprintf("[+] Unload at %d\n",offset);
|
||||
break;
|
||||
default:
|
||||
error = EOPNOTSUPP;
|
||||
break;
|
||||
}
|
||||
|
||||
return(error);
|
||||
}
|
||||
|
||||
SYSCALL_MODULE(eWatch_function, &offset, &eWatch_function_sysent,load,NULL);
|
||||
Reference in New Issue
Block a user