Has anyone else besides me tried this anti-ptrace script? I downloaded it
from packetstormsecurity.com, ran it, and loaded the module, and it works like
a charm. If anyone other than root tries to use ptrace, it echoes that event to
the root terminal and denies it. Well, here is a copy of the script:
#!/bin/sh
# MAKE ME EXECUTABLE !!!
#
# [EMAIL PROTECTED]:/home/sacrine/TEST# chmod +x anti-ptrace
# [EMAIL PROTECTED]:/home/sacrine/TEST# ./anti-ptrace
# [+] making anti-ptrace.c: OK
# [+] compiling the script: OK
# [+] loading the module : OK
#
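# Write the kernel module source to anti-ptrace.c.
# The here-document delimiter is quoted so the shell copies the C text
# verbatim instead of performing parameter or command substitution on it.
# NOTE(review): the file is created in the current directory; when this is run
# as root, run it from a directory that other users cannot write to.
printf ' [+] making anti-ptrace.c: '
cat > anti-ptrace.c <<'NETRIC'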
/*
* Noodoplossing voor de ptrace race vuln
* anti-ptrace.c by sacrine
* netric.org
*/
#define __KERNEL__
#define MODULE
#define LINUX
#include <linux/module.h>
#include <linux/kernel.h>
#include <linux/types.h>
#include <linux/version.h>
#include <linux/slab.h>
#include <linux/sched.h>
#include <linux/fs.h>
#include <linux/ctype.h>
#include <linux/tty.h>
#include <sys/syscall.h>
#include <linux/ptrace.h>
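/*
 * Saved pointer to the handler that occupied the SYS_ptrace slot before this
 * module was loaded; init_module() fills it in. The prototype follows the
 * (request, pid, addr, data) argument order of the ptrace system call so the
 * pass-through below forwards every argument unchanged.
 */
long (*o_ptrace)(long request, long pid, long addr, long data);

/* System call dispatch table; assumed to be exported by the running kernel. */
extern void *sys_call_table[];

/*
 * Replacement handler stored in sys_call_table[SYS_ptrace].
 *
 * Callers whose real uid is 0 are handed to the saved original handler with
 * all four arguments intact. Every other caller is logged (pid and uid) via
 * printk and console_print, and the call fails with -EPERM.
 *
 * Returns the original handler's result for uid 0, otherwise -EPERM. System
 * call handlers report errors as negative errno values; a positive EPERM
 * would reach user space as a successful return value of 1.
 *
 * NOTE(review): only the real uid is compared; effective uid and capabilities
 * are not consulted. The denial is unconditional, so debuggers and tracers
 * run by ordinary users stop working while the module is loaded.
 * NOTE(review): on kernels built with a register-based calling convention the
 * handler and the saved pointer would also need the asmlinkage qualifier;
 * confirm against the target kernel.
 */
long anti_ptrace(long request, long pid, long addr, long data)
{
    if (current->uid == 0) {
        return o_ptrace(request, pid, addr, data);
    }

    printk("warning: ptrace(); violation\n"
           "pid=[%i] uid=[%i]\n",
           current->pid,
           current->uid);
    console_print("warning: non-root users are not allowed to use ptrace();\n");

    return -EPERM;
}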
/*
 * Module entry point.
 *
 * Saves the handler currently stored in sys_call_table[SYS_ptrace] into
 * o_ptrace, then stores anti_ptrace in that slot and logs the loader's pid.
 * Always returns 0.
 *
 * NOTE(review): the two stores are plain assignments with no locking, so
 * they are not synchronised with other CPUs or with any other module that
 * patches the same slot.
 */
int init_module(void)
{
    /* Save before swapping: anti_ptrace() calls through o_ptrace. */
    o_ptrace = sys_call_table[SYS_ptrace];
    sys_call_table[SYS_ptrace] = anti_ptrace;

    printk("anti-ptrace kernel module loaded with pid=[%i]\n", current->pid);

    return 0;
}
/*
 * Module exit point.
 *
 * Writes the handler saved in o_ptrace back into sys_call_table[SYS_ptrace]
 * and logs the unloader's pid.
 *
 * NOTE(review): the restore is unconditional. If something else replaced the
 * slot after this module was loaded, that later handler is overwritten here.
 */
void cleanup_module(void)
{
    sys_call_table[SYS_ptrace] = o_ptrace;

    printk("anti-ptrace kernel module ended with pid=[%i]\n", current->pid);
}
NETRIC
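# Report the real outcome of each step and stop at the first failure, so a
# failed compile can never lead to loading a stale anti-ptrace.o left over
# from an earlier run.

# Exit status of the cat that wrote anti-ptrace.c (the command just above).
if [ $? -eq 0 ]; then
    echo "OK"
else
    echo "FAILED"
    exit 1
fi

printf ' [+] compiling the script: '
if gcc -c anti-ptrace.c -I"/lib/modules/$(uname -r)/build/include"; then
    echo "OK"
else
    echo "FAILED"
    exit 1
fi

printf ' [+] loading the module : '
if /sbin/insmod anti-ptrace.o >/dev/null; then
    echo "OK"
else
    echo "FAILED"
    exit 1
fi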
# sacrine [Netric Security]