added execwatch

execwatch/Makefile

@@ -0,0 +1,8 @@
+# Makefile for building the sample lala module
+# $FreeBSD: src/share/examples/kld/lala/module/Makefile,v 1.2 2001/09/18 12:03:42 ru Exp $
+
+KMOD=	execWatch
+SRCS=	execWatch.c
+	
+
+.include <bsd.kmod.mk>

execwatch/execWatch.c

@@ -0,0 +1,85 @@
+/* 	
+	execWatch to the arms!
+ 	hooks syscall execve and logs every access to /var/log/messages
+   	written somewhen between 2006-2009
+	ported to freebsd 10.1 should work also on older releases
+	by dash
+*/
+#include <sys/param.h>
+#include <sys/proc.h>
+#include <sys/module.h>
+#include <sys/sysent.h>
+#include <sys/kernel.h>
+#include <sys/syscall.h>
+#include <sys/syscallsubr.h>
+#include <sys/sysproto.h>
+#include <sys/syslog.h>
+#include <sys/imgact.h>
+#include <sys/linker.h>
+#include <sys/libkern.h>
+
+#define eVersion "0.1"
+
+static int execve_hook(struct thread *td, void *syscall_args)
+{
+	
+	struct execve_args *uap;	
+	uap = (struct execve_args *)syscall_args;
+	
+        int error;
+        struct image_args args;
+
+        error = exec_copyin_args(&args, uap->fname, UIO_USERSPACE,
+            uap->argv, uap->envv);
+
+	log(LOG_DEBUG,"execWatch: fname: %s (%s) %d uid: %d\n",uap->fname,*uap->argv,args.argc,td->td_ucred->cr_uid);
+        if (error == 0)
+                error = kern_execve(td, &args, NULL);
+        return (error);
+
+		
+}
+struct eWatch_function_args {
+	int op;
+	};
+
+static int eWatch_function(struct thread *td, void *syscall_args)
+{
+	return(0);
+}
+static struct sysent eWatch_function_sysent = {
+        0,
+        eWatch_function
+};
+
+static int offset = NO_SYSCALL;
+
+static int load(struct module *module, int cmd, void *args)
+{
+        int error;
+	error=0;
+
+
+        switch(cmd) {
+        case MOD_LOAD:
+		uprintf("[+] Loaded execWatch %s\n",eVersion);
+                uprintf("[+] Call at %d\n",offset);
+                sysent[SYS_execve].sy_call = (sy_call_t *)execve_hook;
+		
+                break;
+
+        case MOD_UNLOAD:
+
+                sysent[SYS_execve].sy_call = (sy_call_t *)sys_execve;
+		uprintf("[+] Unloaded execWatch %s\n",eVersion);
+                uprintf("[+] Unload at %d\n",offset);
+                break;
+        default:
+                error = EOPNOTSUPP;
+                break;
+        }
+
+        return(error);
+}
+
+SYSCALL_MODULE(eWatch_function, &offset, &eWatch_function_sysent,load,NULL);

execwatch/readme.txt

@@ -0,0 +1,47 @@
+execWatch
+=========
+module for logging every execution of tools on freebsd. logs will go directly to /var/log/messages.
+
+usage
+=====
+
+root@crashb0x:~/execWatch # make
+Warning: Object directory not changed from original /root/execWatch
+cc -O2 -pipe  -fno-strict-aliasing -Werror -D_KERNEL -DKLD_MODULE -nostdinc   -I. -I@ -I@/contrib/altq -fno-common  -fno-omit-frame-pointer -mno-omit-leaf-frame-pointer  -mno-aes -mno-avx -mcmodel=kernel -mno-red-zone -mno-mmx -mno-sse -msoft-float  -fno-asynchronous-unwind-tables -ffreestanding -fstack-protector -std=iso9899:1999 -Qunused-arguments  -fstack-protector -Wall -Wredundant-decls -Wnested-externs -Wstrict-prototypes  -Wmissing-prototypes -Wpointer-arith -Winline -Wcast-qual  -Wundef -Wno-pointer-sign -fformat-extensions  -Wmissing-include-dirs -fdiagnostics-show-option  -Wno-error-tautological-compare -Wno-error-empty-body  -Wno-error-parentheses-equality -Wno-error-unused-function   -c execWatch.c
+ld  -d -warn-common -r -d -o execWatch.ko execWatch.o
+:> export_syms
+awk -f /sys/conf/kmod_syms.awk execWatch.ko  export_syms | xargs -J% objcopy % execWatch.ko
+objcopy --strip-debug execWatch.ko
+
+root@crashb0x:~/execWatch # kldload ./execWatch.ko
+[+] Loaded execWatch 0.1
+[+] Call at 210
+
+root@crashb0x:~/execWatch # kldstat
+Id Refs Address            Size     Name
+ 1    3 0xffffffff80200000 1755658  kernel
+ 2    1 0xffffffff81a11000 326      execWatch.ko
+
+root@crashb0x:~/execWatch # /usr/bin/id
+uid=0(root) gid=0(wheel) groups=0(wheel),5(operator)
+
+root@crashb0x:~/execWatch # tail -20 /var/log/messages
+[...]
+May 31 12:09:41 crashb0x kernel: execWatch: fname: /sbin/kldload (kldload) 2 uid: 0
+May 31 12:09:47 crashb0x kernel: execWatch: fname: /sbin/kldunload (kldunload) 2 uid: 0
+May 31 12:10:00 crashb0x kernel: execWatch: fname: /bin/sh (/bin/sh) 3 uid: 0
+May 31 12:10:00 crashb0x kernel: execWatch: fname: /usr/libexec/atrun (/usr/libexec/atrun) 1 uid: 0
+May 31 12:10:52 crashb0x kernel: execWatch: fname: /usr/bin/id (/usr/bin/id) 1 uid: 0
+May 31 12:10:59 crashb0x kernel: execWatch: fname: /sbin/kldstat (kldstat) 1 uid: 0
+May 31 12:11:00 crashb0x kernel: execWatch: fname: /bin/sh (/bin/sh) 3 uid: 2
+May 31 12:11:00 crashb0x kernel: execWatch: fname: /usr/libexec/save-entropy (/usr/libexec/save-entropy) 1 uid: 2
+May 31 12:11:00 crashb0x kernel: execWatch: fname: /sbin/sysctl (/sbin/sysctl) 3 uid: 2
+May 31 12:11:00 crashb0x kernel: execWatch: fname: /bin/dd (dd) 5 uid: 2
+
+ps
+==
+btw. it has its own syscall, which is obsolete, just ignore it. check the code if in doubt ;)
+
+author
+======
+dash