LKM Detector - This module lets you compare a syscall table entry with its kernel function, so you can detect any LKM which modifies your system. More documentation available here.
4dd86712125cd0e0aa3f86be78658c7384fc49ad18e49214d42677ca2d36a51b
/*
* Name: LKM DETECT0R
* Date: Tue Apr 18 12:00:16 2000
* Author: pIGpEN [ pigpen@s0ftpj.org, deadhead@sikurezza.org ]
*
* SoftProject 2000 - Digital Sekurity for Y2k
* Sikurezza.org - Italian Security MailingList
* FreeBSD Abuser - Current does it better ! ;)
*
* COFFEE-WARE LICENSE - This source code is like "THE BEER-WARE LICENSE" by
* Poul-Henning Kamp <phk@FreeBSD.ORG> but you can give me in return a coffee.
*
* Tested on: FreeBSD 3.4-RELEASE FreeBSD 3.4-RELEASE #5: Mon Mar i386
*
* This module compares each syscall table entry with its kernel function...
* So you can detect an LKM which modifies your system...
*
* Note: This code is only a way to demonstrate this ... you can also modify
* this for *sw structure (ex. protosw, devsw and so on...)
*
* Compile with: make
*
* Use: make load
* make unload
*/
#include <sys/types.h>
#include <sys/param.h>
#include <sys/kernel.h>
#include <sys/systm.h>
#include <sys/module.h>
#include <sys/sysent.h>
#include <sys/sysproto.h>
#include <sys/syscall.h>
/*
 * Module event handler, defined below. The kernel linker calls it with the
 * module event (MOD_LOAD on kldload) in cmd.
 */
static int module_handler(module_t mod, int cmd, void *arg);

/*
 * Module descriptor passed to DECLARE_MODULE: the module is registered as
 * "scheck", dispatches events to module_handler and carries no private data.
 */
static moduledata_t S_Check = {
	"scheck",		/* module name */
	module_handler,		/* event handler */
	NULL			/* private data: none */
};

/* Register the module; it is initialised at SI_SUB_EXEC / SI_ORDER_MIDDLE. */
DECLARE_MODULE(scheck, S_Check, SI_SUB_EXEC, SI_ORDER_MIDDLE);
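/*
 * c(x, y, n): compare the sy_call pointer stored in sysent[] for syscall
 * number x against the kernel's own implementation y, and print one line
 * under the label n when they differ.
 *
 * Only the table pointer is compared: a module that leaves sysent[] intact
 * and patches the function body, or that hooks another dispatch table, is
 * not reported by this check.
 *
 * Wrapped in do { } while (0) so that `c(...);` is exactly one statement
 * and is safe as the body of an unbraced if/else; every argument is
 * parenthesised so expression arguments expand as intended.
 */
#define c(x, y, n) do { \
	if (sysent[(x)].sy_call != (sy_call_t *)(y)) \
		printf("%s: altered! [function] at %p, [syscall] at %p\n", \
		    (n), (y), sysent[(x)].sy_call); \
} while (0)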
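/*
 * Module event handler.
 *
 * On MOD_LOAD, compare a fixed list of sysent[] entries against the
 * addresses of the kernel functions the kernel itself links in, and print
 * one line per mismatch (see the c() macro above). The comparison runs
 * exactly once, at load time, and looks only at the sy_call pointers: a
 * module loaded after this one, or one that patches a function body rather
 * than the table, is not reported. Every other module event is ignored.
 *
 * mod and arg are unused. Always returns 0, so the module loads and
 * unloads regardless of what the comparison finds; the only output is
 * what printf() writes to the console / message buffer.
 */
static int
module_handler(module_t mod, int cmd, void *arg)
{
	(void)mod;
	(void)arg;

	switch (cmd) {
	case MOD_LOAD:
		/* process and file system calls */
		c(SYS_exit, exit, "exit");
		c(SYS_fork, fork, "fork");
		c(SYS_read, read, "read");
		c(SYS_write, write, "write");
		c(SYS_open, open, "open");
		c(SYS_close, close, "close");
		c(SYS_wait4, wait4, "wait4");	/* label matches the syscall checked */
		c(SYS_link, link, "link");
		c(SYS_unlink, unlink, "unlink");
		c(SYS_chdir, chdir, "chdir");
		c(SYS_fchdir, fchdir, "fchdir");
		c(SYS_mknod, mknod, "mknod");
		c(SYS_chmod, chmod, "chmod");
		c(SYS_chown, chown, "chown");
		c(SYS_getfsstat, getfsstat, "getfsstat");
		c(SYS_getpid, getpid, "getpid");
		/*
		 * Each entry is listed once; mount/unmount/setuid/getuid used to
		 * be checked twice, which only produced duplicate report lines.
		 */
		c(SYS_mount, mount, "mount");
		c(SYS_unmount, unmount, "unmount");
		c(SYS_setuid, setuid, "setuid");
		c(SYS_getuid, getuid, "getuid");
		c(SYS_geteuid, geteuid, "geteuid");
		c(SYS_ptrace, ptrace, "ptrace");
		/* socket calls */
		c(SYS_recvmsg, recvmsg, "recvmsg");
		c(SYS_sendmsg, sendmsg, "sendmsg");
		c(SYS_recvfrom, recvfrom, "recvfrom");
		/*
		 * ..... put here other syscalls ....
		 */
		c(SYS_ioctl, ioctl, "ioctl");
		c(SYS_setsockopt, setsockopt, "setsockopt");
		c(SYS___sysctl, __sysctl, "sysctl");
		break;
	default:
		/* MOD_UNLOAD and any other event: nothing was installed, nothing to undo */
		break;
	}
	return 0;
}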
/*
# SoftProject 2000 - Digital Sekurity for Y2k
# Sikurezza.org - Italian Security MailingList
#
# COFFEE-WARE LICENSE - This source code is like "THE BEER-WARE LICENSE" by
# Poul-Henning Kamp <phk@FreeBSD.ORG> but you can give me in return a coffee.
#
# Tested on: FreeBSD 3.4-RELEASE FreeBSD 3.4-RELEASE #3: Thu Mar i386
# < pigpen@s0ftpj.org >
.PATH: /sys/kern
SRCS = sec_lkm.c
CFLAGS+= -I/sys
KMOD = seclkm
NOMAN = t
KLDMOD = t
KLDLOAD = /sbin/kldload
KLDUNLOAD = /sbin/kldunload
CLEANFILES+= ${KMOD}
load:
${KLDLOAD} -v ./${KMOD}
unload:
${KLDUNLOAD} -v -n ${KMOD}
.include <bsd.kmod.mk>
*/