Anti-Ptrace Linux LKM

Summary
Credit:

The information has been provided by sacrine.


Details

The following Linux LKM allows an administrator to disable the ptrace() system call for non-root users under 2.4.x kernels.

Tool source:
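#!/bin/sh
# MAKE ME EXECUTABLE !!!
#
# root@Hogwarts:/home/sacrine/TEST# chmod +x anti-ptrace
# root@Hogwarts:/home/sacrine/TEST# ./anti-ptrace
# [+] making anti-ptrace.c: OK
# [+] compiling the script: OK
# [+] loading the module : OK
#
# Abort at the first failing step rather than printing "OK" after a failure.
set -e

printf ' [+] making anti-ptrace.c: '
# Quoted delimiter: the C source below is written out verbatim, with no
# $-expansion or backslash processing inside the here-document.
cat > anti-ptrace.c <<'NETRIC'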

/*
 * Emergency workaround for the ptrace race vulnerability
 * anti-ptrace.c by sacrine
 * netric.org
 */

#define __KERNEL__
#define MODULE
#define LINUX

#include <linux/module.h>
#include <linux/kernel.h>
#include <linux/types.h>
#include <linux/version.h>
#include <linux/slab.h>
#include <linux/sched.h>
#include <linux/fs.h>
#include <linux/ctype.h>
#include <linux/tty.h>
#include <sys/syscall.h>

#include <linux/ptrace.h>

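/*
 * Saved pointer to the kernel's own ptrace() entry.  It is called through
 * for privileged callers and written back into sys_call_table at unload.
 *
 * Declared with the four arguments of sys_ptrace(request, pid, addr, data);
 * a three-parameter prototype here silently drops one argument when the
 * four-argument hook below forwards the call.
 */
long (*o_ptrace)(long request, long pid, long addr, long data);

/* Syscall dispatch table (exported by 2.4.x kernels), indexed by syscall number. */
extern void *sys_call_table[];

/*
 * Replacement ptrace() system call.
 *
 * request, pid, addr, data: the four ptrace(2) arguments in the order the
 *   kernel hands them to sys_ptrace.  The second slot carries the target pid
 *   (the earlier version of this hook named it "uid", which it is not).
 *
 * Returns the original handler's result when the caller's real uid is 0,
 * and -EPERM otherwise.  Syscalls report errors as negative errno values;
 * returning a positive EPERM would reach userspace as a successful result of 1.
 *
 * NOTE(review): the policy is "real uid 0".  The effective uid, or
 * capable(CAP_SYS_PTRACE), may be what is intended for set-uid programs --
 * confirm before relying on this check.
 */
asmlinkage int anti_ptrace(long request, long pid, long addr, long data)
{
   if (current->uid == 0) {
      return (int)o_ptrace(request, pid, addr, data);
   }

   /* Log the refused call together with the caller's identity. */
   printk(KERN_WARNING "warning: ptrace(); violation\n"
          "pid=[%i] uid=[%i]\n",
          (int)current->pid, (int)current->uid);
   console_print("warning: non-root users are not allowed to use ptrace();\n");

   return -EPERM;
}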

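/*
 * Module entry point: saves the kernel's ptrace() handler and installs
 * anti_ptrace in its place.
 *
 * Returns 0 so insmod reports success.
 *
 * The table entry is swapped with a plain store, as before.  NOTE(review):
 * there is no lock or barrier around the swap, so on SMP a ptrace() call
 * racing with insmod may see either handler -- confirm this is acceptable.
 *
 * SYS_ptrace is taken from <sys/syscall.h>, a userspace header; __NR_ptrace
 * from <asm/unistd.h> is the in-kernel spelling of the same number.
 */
int init_module(void)
{
   o_ptrace = sys_call_table[SYS_ptrace];
   sys_call_table[SYS_ptrace] = anti_ptrace;

   printk(KERN_INFO "anti-ptrace kernel module loaded with pid=[%i]\n",
          (int)current->pid);

   return 0;
}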

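/*
 * Module exit point: puts the saved ptrace() handler back.
 *
 * The restore is unconditional: if another module replaced the entry after
 * this one loaded, its hook is overwritten with o_ptrace.  Unloading in
 * reverse load order avoids that.
 */
void cleanup_module(void)
{
   sys_call_table[SYS_ptrace] = o_ptrace;

   printk(KERN_INFO "anti-ptrace kernel module ended with pid=[%i]\n",
          (int)current->pid);
}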

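NETRIC
echo 'OK'

printf ' [+] compiling the script: '
# Build against the headers of the running kernel.  The step used to print
# "OK" regardless of the compiler's exit status; report a failure instead.
# NOTE(review): 2.4 kernel headers generally expect -O2 so that their inline
# helpers are inlined -- confirm on the target if the link reports
# unresolved symbols.
if ! gcc -c anti-ptrace.c -I/lib/modules/"$(uname -r)"/build/include; then
   echo 'FAILED'
   exit 1
fi
echo 'OK'

printf ' [+] loading the module : '
# insmod's stdout is discarded; its stderr and exit status are kept so a
# refused load is visible rather than masked by "OK".
if ! /sbin/insmod anti-ptrace.o >/dev/null; then
   echo 'FAILED'
   exit 1
fi
echo 'OK'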

# sacrine [Netric Security]
