rootkit_helper.c
#include <fcntl.h>
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/ioctl.h>
#include <unistd.h>
#define MAXBUFFER 8192   /* not referenced anywhere in this file */
#define MAGIC_num 0xDF   /* ioctl 'type' byte shared by every SPROOF_* request below */
/* ioctl request codes for /dev/sproof (the device opened in main()).
   Only SPROOF_STATISTICS is issued by this helper; the others are listed
   here but their semantics are not visible in this file. */
#define SPROOF_INIT _IO(MAGIC_num,0)
#define SPROOF_STOP _IO(MAGIC_num,1)
#define SPROOF_START _IO(MAGIC_num,2)
#define SPROOF_SCREENICMP _IO(MAGIC_num,3)
#define SPROOF_SCREENUDP _IO(MAGIC_num,4)
#define SPROOF_SCREENTCP _IOWR(MAGIC_num,5, unsigned int)   /* _IOWR: declared payload is an unsigned int */
#define SPROOF_STATISTICS _IOWR(MAGIC_num,6, unsigned int)  /* the one request main() actually sends */
#define MAXNR 6   /* presumably the highest SPROOF_* nr (6 == SPROOF_STATISTICS); not referenced in this file */
int gfd;   /* descriptor of the scratch file "tmp" that captured command output is redirected into; set in main() */
char* white=" \t\n\r";   /* the characters is_white() treats as token separators */
/* Return 1 when c is an ASCII decimal digit ('0'..'9'), 0 for any other char. */
int is_number( char c ){
    return (c >= '0' && c <= '9') ? 1 : 0;
}
/* Return 1 when c is one of the characters in the global `white` set,
 * 0 otherwise. The terminating NUL of `white` is never a member, so
 * is_white('\0') is 0. */
int is_white( char c ){
    const char *w;
    for (w = white; *w != '\0'; w++) {
        if (*w == c) {
            return 1;
        }
    }
    return 0;
}
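/*
 * Skip the first whitespace-delimited token of p and parse the integer
 * that follows it. main() passes a captured `ps u` line, whose second
 * column is the PID (that layout comes from ps, not from this file).
 *
 * p must be NUL-terminated. Returns the parsed value clamped to int range,
 * or 0 when no digits follow the first token (the same result atoi gave).
 *
 * Fix: the original scan did not stop at the terminator. is_white('\0') is
 * 0, so a buffer that contained no whitespace at all was read past its end.
 */
int processCode( char* p ){
    int i = 0;
    /* eat first token, but never run past the terminator */
    while (p[i] != '\0' && !is_white(p[i])) {
        i++;
    }
    /* strtol skips leading whitespace exactly as atoi did, but reports
       out-of-range input via clamping instead of undefined behaviour */
    long v = strtol(&p[i], NULL, 10);
    if (v > INT_MAX) {
        v = INT_MAX;
    } else if (v < INT_MIN) {
        v = INT_MIN;
    }
    return (int)v;
}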
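/*
 * Run cmd through the shell with its stdout captured in the scratch file
 * behind gfd, then read the captured text back into buf.
 *
 * main() has already dup2()'d gfd onto fd 1, so the child's stdout shares
 * gfd's open file description and therefore its offset. The file is
 * rewound and truncated first: without the truncate, a second command whose
 * output is shorter than the first leaves the tail of the earlier output in
 * the file, and it is read back as if it belonged to this run.
 *
 * Returns the number of bytes captured (buf is always NUL-terminated), or
 * -1 if the shell could not be started or the file could not be
 * rewound/read. A non-zero exit status of the command (e.g. grep matching
 * nothing) is not an error here; the caller then sees an empty buf.
 */
static ssize_t run_capture(const char *cmd, char *buf, size_t cap) {
    if (cap == 0) {
        return -1;
    }
    if (lseek(gfd, 0, SEEK_SET) < 0 || ftruncate(gfd, 0) < 0) {
        return -1;
    }
    if (system(cmd) == -1) {
        return -1;
    }
    if (lseek(gfd, 0, SEEK_SET) < 0) {
        return -1;
    }
    /* leave room for the terminator: the original read the full 1024 bytes
       and then wrote buf[1024] */
    ssize_t n = read(gfd, buf, cap - 1);
    if (n < 0) {
        return -1;
    }
    buf[n] = '\0';
    return n;
}

/*
 * Locate the descriptor number in captured `ls -l /proc/<pid>/fd` output:
 * find the first occurrence of needle in buf, walk back over at most 25
 * non-digit characters (the same window the original used), then back over
 * the digit run, never stepping before buf.
 *
 * Returns a pointer to the first digit of that run, or NULL when needle is
 * absent or no digit precedes it within the window. The original walked
 * back from a NULL strstr() result and could also step before the start of
 * the buffer.
 */
static const char *find_fd_digits(const char *buf, const char *needle) {
    const char *p = strstr(buf, needle);
    if (p == NULL) {
        return NULL;
    }
    int i;
    /* skip the non-digit gap between the number and the match */
    for (i = 0; i < 25 && p > buf && !is_number(*p); i++) {
        p--;
    }
    if (!is_number(*p)) {
        return NULL;
    }
    /* now back to the start of the digit run */
    while (p > buf && is_number(*(p - 1))) {
        p--;
    }
    return p;
}

/*
 * usage : ./helper procname devname
 *
 * Finds the PID of the process named procname (`ps u | grep`), then the
 * descriptor number under /proc/<pid>/fd whose listing line contains
 * devname (`ls -l | grep`), and passes that descriptor number to
 * /dev/sproof via the SPROOF_STATISTICS ioctl.
 *
 * Command output is captured by redirecting this process's stdout into a
 * scratch file named "tmp" in the current directory; diagnostics therefore
 * go to stderr.
 *
 * Returns 0 on success (and after printing usage, as before) and 1 when a
 * step fails. The original pressed on after a failed strstr() or a failed
 * open(), dereferencing NULL or issuing the ioctl on fd -1.
 */
int main(int argc, char *argv[]) {
    if (argc != 3) {
        printf("usage : ./helper procname devname\n");
        return 0;
    }

    /* O_CREAT requires the mode argument; the original omitted it, so the
       file's permission bits came from whatever was in the variadic slot.
       0600 keeps the captured output private to the invoking user. */
    gfd = open("tmp", O_RDWR | O_CREAT | O_TRUNC, 0600);
    if (gfd < 0) {
        perror("open tmp");
        return 1;
    }
    printf("gfd : %d\n", gfd);
    /* flush before fd 1 is pointed at the scratch file, otherwise a
       block-buffered stdout delivers this line into "tmp" at exit */
    fflush(stdout);

    int rc = 1;
    int fd = -1;
    char cmd[1024];
    char buf[1024];

    if (dup2(gfd, fileno(stdout)) < 0) {
        perror("dup2");
        goto out;
    }

    /* argv[1] and argv[2] are interpolated into shell command lines. They
       come from the invoking user's own command line, so they are that
       user's shell input; snprintf only bounds the copy that strcpy/strcat
       used to do unchecked. */
    int len = snprintf(cmd, sizeof cmd, "ps u | grep %s", argv[1]);
    if (len < 0 || (size_t)len >= sizeof cmd) {
        fprintf(stderr, "procname too long\n");
        goto out;
    }
    if (run_capture(cmd, buf, sizeof buf) <= 0) {
        fprintf(stderr, "no ps output for %s\n", argv[1]);
        goto out;
    }
    int id = processCode(buf);
    fprintf(stderr, "pid : %d\n", id);

    len = snprintf(cmd, sizeof cmd, "ls -l /proc/%d/fd | grep %s", id, argv[2]);
    if (len < 0 || (size_t)len >= sizeof cmd) {
        fprintf(stderr, "devname too long\n");
        goto out;
    }
    if (run_capture(cmd, buf, sizeof buf) <= 0) {
        fprintf(stderr, "no fd listing for %s\n", argv[2]);
        goto out;
    }
    fprintf(stderr, "res2:%s\n", buf);

    const char *p = find_fd_digits(buf, argv[2]);
    if (p == NULL) {
        fprintf(stderr, "can't find %s\n", argv[2]);
        goto out;
    }
    id = (int)strtol(p, NULL, 10);
    fprintf(stderr, "%s...\n", p);
    fprintf(stderr, "fd is %d\n", id);

    fd = open("/dev/sproof", O_RDWR);
    if (fd < 0) {
        fprintf(stderr, "can't open /dev/sproof");
        goto out;
    }
    /* The descriptor number itself rides in the ioctl argument slot, as in
       the original `(char*)id` -- not a pointer to it, although _IOWR
       declares an unsigned int payload. Whether the driver reads the slot
       as a value or dereferences it cannot be told from this file; confirm
       against the handler before changing the cast. */
    if (ioctl(fd, SPROOF_STATISTICS, (char *)(intptr_t)id) < 0) {
        perror("ioctl SPROOF_STATISTICS");
        goto out;
    }
    rc = 0;

out:
    if (fd >= 0) {
        close(fd);
    }
    close(gfd);
    return rc;
}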