Create a gist now

Instantly share code, notes, and snippets.

@ghedo /Makefile
Last active Sep 12, 2017

What would you like to do?
Kernel module to disable the ptrace() system call (http://blog.ghedini.me/post/10240771002/kernel-module-to-disable-ptrace)
# Copyright (C) 2011 Alessandro Ghedini <alessandro@ghedini.me>
# Updated 2012 by Mike Perry to extract syscall table addresses
# Updated 2014 by Francis Brosnan Blázquez to check for ia32 support
obj-m += noptrace2.o
KERNEL_VER=$(shell uname -r)
SCT := $(shell grep " sys_call_table" /boot/System.map-$(KERNEL_VER) | awk '{ print $$1; }')
SCT32 := $(shell grep "ia32_sys_call_table" /boot/System.map-$(KERNEL_VER) | awk '{ print $$1; }')
EXTRA_CFLAGS += -Dsys_call_table_addr="((void**)0x$(SCT))"
ifdef SCT32
EXTRA_CFLAGS += -Dia32_sys_call_table_addr="((void**)0x$(SCT32))" -D__enable_32bits_support
endif
all:
@echo "Building with " . $(EXTRA_CFLAGS)
make -C /lib/modules/$(KERNEL_VER)/build M=$(PWD)
clean:
make -C /lib/modules/$(KERNEL_VER)/build M=$(PWD) clean
/*
* Kernel module to disable the ptrace() system call.
* Updated to disable ia32 ptrace by Mike Perry <mikeperry torproject org>
* Updated to check for ia32 support by Francis Brosnan Blázquez <francis aspl es>
*
* Compile:
* $ make
*
* Usage:
* # insmod noptrace2.ko
* # rmmod noptrace2
*
* Copyright (C) 2011 Alessandro Ghedini <alessandro@ghedini.me>
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation, either version 2 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
#include <linux/init.h>
#include <linux/module.h>
#include <linux/kernel.h>
#include <linux/syscalls.h>
#include <linux/sched.h>
MODULE_LICENSE("GPL");
MODULE_AUTHOR("Alessandro Ghedini and Mike Perry");
MODULE_DESCRIPTION("disable the ptrace() system call");
/* ia32 entry */
#define __NR_compat_ptrace 26
static asmlinkage long (*o_ptr)(long request, long pid, unsigned long addr, unsigned long data);
#if defined(__enable_32bits_support)
static asmlinkage long (*o_ptr32)(long request, long pid, unsigned long addr, unsigned long data);
#endif
asmlinkage long noptrace(long request, long pid, unsigned long addr, unsigned long data) {
printk("[noptrace2] ptrace() invoked against process %ld by process %i\n",
pid, current->pid);
return EPERM;
}
static void sys_call_table_make_rw(void **addr);
static void sys_call_table_make_ro(void **addr);
static int __init init_noptrace(void) {
void **sys_call_tbl = sys_call_table_addr;
#if defined(__enable_32bits_support)
void **ia32_sys_call_tbl = ia32_sys_call_table_addr;
#endif
sys_call_table_make_rw(sys_call_tbl);
o_ptr = sys_call_tbl[__NR_ptrace];
sys_call_tbl[__NR_ptrace] = noptrace;
sys_call_table_make_ro(sys_call_tbl);
#if defined(__enable_32bits_support)
sys_call_table_make_rw(ia32_sys_call_tbl);
o_ptr32 = ia32_sys_call_tbl[__NR_compat_ptrace];
ia32_sys_call_tbl[__NR_compat_ptrace] = noptrace;
sys_call_table_make_ro(ia32_sys_call_tbl);
#endif
printk("[noptrace2] ptrace syscall disabled\n");
return 0;
}
static void __exit exit_noptrace(void) {
void **sys_call_tbl = sys_call_table_addr;
#if defined(__enable_32bits_support)
void **ia32_sys_call_tbl = ia32_sys_call_table_addr;
#endif
sys_call_table_make_rw(sys_call_tbl);
sys_call_tbl[__NR_ptrace] = o_ptr;
sys_call_table_make_ro(sys_call_tbl);
#if defined(__enable_32bits_support)
sys_call_table_make_rw(ia32_sys_call_tbl);
ia32_sys_call_tbl[__NR_compat_ptrace] = o_ptr32;
sys_call_table_make_ro(ia32_sys_call_tbl);
#endif
printk("[noptrace2] ptrace syscall restored\n");
}
module_init(init_noptrace);
module_exit(exit_noptrace);
static void sys_call_table_make_rw(void **addr) {
unsigned int lvl;
pte_t *pte = lookup_address((unsigned long) addr, &lvl);
if (pte -> pte &~ _PAGE_RW)
pte -> pte |= _PAGE_RW;
write_cr0(read_cr0() & (~ 0x10000));
}
static void sys_call_table_make_ro(void **addr) {
unsigned int lvl;
pte_t *pte = lookup_address((unsigned long) addr, &lvl);
pte -> pte = pte -> pte &~_PAGE_RW;
write_cr0(read_cr0() | 0x10000);
}

Line 59 , wrong function
should be sys_call_table_make_rw

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment