Use BPF programs as seccomp filters. The one in the example blocks every write syscall once it is loaded, so anything the program needs to print must happen before the filter is installed; a seccomp filter cannot be removed again once it is in place, and it is inherited by child processes.
Compile it with just
gcc main.c
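/*
 * Mask selecting the byte offset inside a page: the low PAGE_SHIFT bits set,
 * everything above cleared. PAGE_SHIFT is expected from the kernel headers.
 * (The stray "| |" that trailed this line made the macro expand to an
 * invalid expression; it has been removed.)
 */
#define PAGE_OFFSET_MASK (~(~0UL << PAGE_SHIFT))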
unsigned long page_table_walk(unsigned long addr, struct mm_struct *mm_str) | |
{ | |
pgd_t *pgd; | |
p4d_t *p4d; | |
pud_t *pud; | |
pmd_t *pmd; | |
pte_t *pte; | |
unsigned long pfn, phys_page_addr, page_offset, phys_addr; |
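#!/bin/bash
# Dump every private, writable mapping (heap, stack, .data/.bss, anonymous
# memory) of a running process into files named <pid>-<start>-<end>.dump in
# the current directory, attaching gdb once per region.
#
# Usage: dump-rw.sh <pid>
#
# Requires ptrace permission on the target (root, or the same uid when
# /proc/sys/kernel/yama/ptrace_scope allows it). The dumps can contain
# credentials, keys and session tokens, so they are created with a
# restrictive umask; delete them when you are done.
set -u

if [[ $# -ne 1 || ! $1 =~ ^[0-9]+$ ]]; then
    echo "usage: $0 <pid>" >&2
    exit 1
fi
pid=$1

if [[ ! -r /proc/$pid/maps ]]; then
    echo "$0: cannot read /proc/$pid/maps (no such process, or no permission)" >&2
    exit 1
fi

# Dump files are readable only by the invoking user.
umask 077

# Match the permission field (second column) explicitly instead of "rw-p"
# anywhere on the line, and emit "start end" in hex for each such region.
# Shared writable mappings (rw-s) are deliberately not included, as before.
sed -n 's/^\([0-9a-f]*\)-\([0-9a-f]*\) rw-p .*$/\1 \2/p' "/proc/$pid/maps" \
| while read -r start stop; do
    # Best effort: a region gdb cannot read is reported and skipped, the
    # remaining regions are still dumped.
    gdb --batch --pid "$pid" \
        -ex "dump memory $pid-$start-$stop.dump 0x$start 0x$stop" \
        || echo "$0: warning: failed to dump $start-$stop" >&2
done
# use strings on file after.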
#include <stdint.h> //for int8_t | |
#include <string.h> //for memcmp | |
#include <wmmintrin.h> //for intrinsics for AES-NI | |
// Compile with: gcc -g -O0 -Wall -msse2 -msse -march=native -maes
// The AES-NI intrinsics from <wmmintrin.h> need -maes; the resulting binary
// only runs on a CPU that supports AES-NI, so check for it at runtime (cpuid)
// if the program must also work on hosts without it.
//internal stuff | |
//macros | |
#define DO_ENC_BLOCK(m,k) \ | |
do{\ |