Last active
January 13, 2022 13:22
-
-
Save ghedo/1216637 to your computer and use it in GitHub Desktop.
Kernel module to disable the ptrace() system call (http://blog.ghedini.me/post/10240771002/kernel-module-to-disable-ptrace)
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Copyright (C) 2011 Alessandro Ghedini <[email protected]> | |
| # Updated 2012 by Mike Perry to extract syscall table addresses | |
| # Updated 2014 by Francis Brosnan Blázquez to check for ia32 support | |
| obj-m += noptrace2.o | |
| KERNEL_VER=$(shell uname -r) | |
| SCT := $(shell grep " sys_call_table" /boot/System.map-$(KERNEL_VER) | awk '{ print $$1; }') | |
| SCT32 := $(shell grep "ia32_sys_call_table" /boot/System.map-$(KERNEL_VER) | awk '{ print $$1; }') | |
| EXTRA_CFLAGS += -Dsys_call_table_addr="((void**)0x$(SCT))" | |
| ifdef SCT32 | |
| EXTRA_CFLAGS += -Dia32_sys_call_table_addr="((void**)0x$(SCT32))" -D__enable_32bits_support | |
| endif | |
| all: | |
| @echo "Building with " . $(EXTRA_CFLAGS) | |
| make -C /lib/modules/$(KERNEL_VER)/build M=$(PWD) | |
| clean: | |
| make -C /lib/modules/$(KERNEL_VER)/build M=$(PWD) clean |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| /* | |
| * Kernel module to disable the ptrace() system call. | |
| * Updated to disable ia32 ptrace by Mike Perry <mikeperry torproject org> | |
| * Updated to check for ia32 support by Francis Brosnan Blázquez <francis aspl es> | |
| * | |
| * Compile: | |
| * $ make | |
| * | |
| * Usage: | |
| * # insmod noptrace2.ko | |
| * # rmmod noptrace2 | |
| * | |
| * Copyright (C) 2011 Alessandro Ghedini <[email protected]> | |
| * | |
| * This program is free software: you can redistribute it and/or modify | |
| * it under the terms of the GNU General Public License as published by | |
| * the Free Software Foundation, either version 2 of the License, or | |
| * (at your option) any later version. | |
| * | |
| * This program is distributed in the hope that it will be useful, | |
| * but WITHOUT ANY WARRANTY; without even the implied warranty of | |
| * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | |
| * GNU General Public License for more details. | |
| * | |
| * You should have received a copy of the GNU General Public License | |
| * along with this program. If not, see <http://www.gnu.org/licenses/>. | |
| */ | |
| #include <linux/init.h> | |
| #include <linux/module.h> | |
| #include <linux/kernel.h> | |
| #include <linux/syscalls.h> | |
| #include <linux/sched.h> | |
| MODULE_LICENSE("GPL"); | |
| MODULE_AUTHOR("Alessandro Ghedini and Mike Perry"); | |
| MODULE_DESCRIPTION("disable the ptrace() system call"); | |
| /* ia32 entry */ | |
| #define __NR_compat_ptrace 26 | |
| static asmlinkage long (*o_ptr)(long request, long pid, unsigned long addr, unsigned long data); | |
| #if defined(__enable_32bits_support) | |
| static asmlinkage long (*o_ptr32)(long request, long pid, unsigned long addr, unsigned long data); | |
| #endif | |
| asmlinkage long noptrace(long request, long pid, unsigned long addr, unsigned long data) { | |
| printk("[noptrace2] ptrace() invoked against process %ld by process %i\n", | |
| pid, current->pid); | |
| return EPERM; | |
| } | |
| static void sys_call_table_make_rw(void **addr); | |
| static void sys_call_table_make_ro(void **addr); | |
| static int __init init_noptrace(void) { | |
| void **sys_call_tbl = sys_call_table_addr; | |
| #if defined(__enable_32bits_support) | |
| void **ia32_sys_call_tbl = ia32_sys_call_table_addr; | |
| #endif | |
| sys_call_table_make_rw(sys_call_tbl); | |
| o_ptr = sys_call_tbl[__NR_ptrace]; | |
| sys_call_tbl[__NR_ptrace] = noptrace; | |
| sys_call_table_make_ro(sys_call_tbl); | |
| #if defined(__enable_32bits_support) | |
| sys_call_table_make_rw(ia32_sys_call_tbl); | |
| o_ptr32 = ia32_sys_call_tbl[__NR_compat_ptrace]; | |
| ia32_sys_call_tbl[__NR_compat_ptrace] = noptrace; | |
| sys_call_table_make_ro(ia32_sys_call_tbl); | |
| #endif | |
| printk("[noptrace2] ptrace syscall disabled\n"); | |
| return 0; | |
| } | |
| static void __exit exit_noptrace(void) { | |
| void **sys_call_tbl = sys_call_table_addr; | |
| #if defined(__enable_32bits_support) | |
| void **ia32_sys_call_tbl = ia32_sys_call_table_addr; | |
| #endif | |
| sys_call_table_make_rw(sys_call_tbl); | |
| sys_call_tbl[__NR_ptrace] = o_ptr; | |
| sys_call_table_make_ro(sys_call_tbl); | |
| #if defined(__enable_32bits_support) | |
| sys_call_table_make_rw(ia32_sys_call_tbl); | |
| ia32_sys_call_tbl[__NR_compat_ptrace] = o_ptr32; | |
| sys_call_table_make_ro(ia32_sys_call_tbl); | |
| #endif | |
| printk("[noptrace2] ptrace syscall restored\n"); | |
| } | |
| module_init(init_noptrace); | |
| module_exit(exit_noptrace); | |
| static void sys_call_table_make_rw(void **addr) { | |
| unsigned int lvl; | |
| pte_t *pte = lookup_address((unsigned long) addr, &lvl); | |
| if (pte -> pte &~ _PAGE_RW) | |
| pte -> pte |= _PAGE_RW; | |
| write_cr0(read_cr0() & (~ 0x10000)); | |
| } | |
| static void sys_call_table_make_ro(void **addr) { | |
| unsigned int lvl; | |
| pte_t *pte = lookup_address((unsigned long) addr, &lvl); | |
| pte -> pte = pte -> pte &~_PAGE_RW; | |
| write_cr0(read_cr0() | 0x10000); | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Line 59 , wrong function
should be sys_call_table_make_rw