绿盟安全月刊->第52期->安全文摘 finding hidden modules on 2.6 kernel_module_hunter

作者：madsys madsys<at>ercist.iscas.ac.cn
出处：http://www.linuxforum.net/forum/showflat.php?Cat=&Board=security&Number=
日期：2004-10-10

/*     name: module hunter     2.6 ver 1.0 9.6.04
    author: madsys
    usage: cat /proc/showmodules
*/

#undef KBUILD_MODNAME
#define KBUILD_MODNAME mh26

#include <linux/config.h>

#ifdef CONFIG_SMP
#define __SMP__
#endif

#if CONFIG_MODVERSIONS == 1
#define MODVERSIONS
//#include <linux/modversions.h>
#endif

#include <linux/module.h>
#include <linux/kernel.h>
#include <linux/version.h>

#include <linux/unistd.h>
#include <linux/string.h>
#include <linux/mm.h>

#include <linux/proc_fs.h>        //must need

#include <linux/errno.h>
#include <asm/uaccess.h>


#include <asm/pgtable.h>
#include <asm/fixmap.h>
#include <asm/page.h>

//static int errno;
#define HARDCORE 0xc041f000
#define STEPPING (PAGE_SIZE/32)


int valid_addr(unsigned long address)
{
    unsigned long page;

    if (!address)
        return 0;

    page = ((unsigned long *)HARDCORE)[address >> 22];        //pde
    if (page & 1)
    {
        page &= PAGE_MASK;
        address &= 0x003ff000;
        page = ((unsigned long *) __va(page))[address >> PAGE_SHIFT];    //pte
        if (page)
            return 1;
    }
    
    return 0;
}

ssize_t showmodule_read(struct file *unused_file, char *buffer, size_t len, loff_t*off)
{
    struct module *p;

    printk("\naddress                 name     size      core_addr     flags  \n\n");
    for (p=(struct module *)VMALLOC_START; p<=(structmodule*)(VMALLOC_START+VMALLOC_RESERVE-PAGE_SIZE); p=(struct module *)((unsignedlong)p+STEPPING))
    {
        if (valid_addr((unsigned long)p+ (unsigned long)&((struct module*)NULL)->name)  )

            if (((p->name[0]>=0x30 && p->name[0]<=0x39) ||(p->name[0]> 0x41 && p->name[0]<=0x7a )) &&(p->core_size < 1 <<20) && (p->core_size> 128) &&p->state <3 && (int)p->init >0xc6800000) //never seen module over1M
                printk("0x%p%18s   %6lu     0x%4p     %3d\n", p, p->name, p->core_size,p->module_core, p->state);
    }

    return 0;
}

static struct file_operations showmodules_ops = {
    read:    showmodule_read,
};

int init_module(void)
{
    struct proc_dir_entry *entry;

    entry = create_proc_entry("showmodules", S_IRUSR, &proc_root);
    entry->proc_fops = &showmodules_ops;

    return 0;
}

void cleanup_module()
{
    remove_proc_entry("showmodules", &proc_root);
}

MODULE_LICENSE("GPL");
MODULE_AUTHOR("madsys madsys<at>ercist.iscas.ac.cn");