![]() | 作者: sjs800729 [sjs800729]
这段是捕获Linux下运行命令的系统调用及进程的补丁 请帮忙解释一下具体的意思,劳烦了! 其文件包名为immsec-990628.patch,是可以下载的。 diff -u --recursive --new-file linux.orig/arch/i386/config.in linux/arch/i386/config.in --- linux.orig/arch/i386/config.in Mon Jun 28 08:16:45 1999 +++ linux/arch/i386/config.in Thu Jun 24 23:06:55 1999 @@ -141,4 +141,5 @@ if [ "$CONFIG_PROFILE" = "y" ]; then int ' Profile shift count' CONFIG_PROFILE_SHIFT 2 fi +bool 'IMMSEC tracing' CONFIG_IMMSEC endmenu diff -u --recursive --new-file linux.orig/arch/i386/kernel/entry.S linux/arch/i386/kernel/entry.S --- linux.orig/arch/i386/kernel/entry.S Sun Nov 22 16:14:58 1998 +++ linux/arch/i386/kernel/entry.S Sun Jun 6 22:41:32 1999 @@ -46,6 +46,8 @@ #define ASSEMBLY #include <asm/smp.h> +#include <linux/config.h> + EBX = 0x00 ECX = 0x04 EDX = 0x08 @@ -303,6 +305,15 @@ #ifdef __SMP__ ENTER_KERNEL #endif + +#ifdef CONFIG_IMMSEC + /* + * IMMSEC: use a global variable for current syscall + * we probably should pass this on the stack + */ + movl %eax,SYMBOL_NAME(immsec_current_syscall) +#endif /* CONFIG_IMMSEC */ + movl $-ENOSYS,EAX(%esp) cmpl $(NR_syscalls),%eax jae ret_from_sys_call @@ -320,6 +331,17 @@ movl %edx,dbgreg6(%ebx) # save current hardware debugging status testb $0x20,flags(%ebx) # PF_TRACESYS jne 1f + + +#ifdef CONFIG_IMMSEC + /* + *IMMSEC: process (for now, log) the current system call + */ + pushl %eax + call SYMBOL_NAME(immsec_process_syscall) + popl %eax +#endif /* CONFIG_IMMSEC */ + call *%eax movl %eax,EAX(%esp) # save the return value jmp ret_from_sys_call diff -u --recursive --new-file linux.orig/arch/i386/kernel/process.c linux/arch/i386/kernel/process.c --- linux.orig/arch/i386/kernel/process.c Mon Jun 28 08:16:46 1999 +++ linux/arch/i386/kernel/process.c Thu Jun 24 23:06:56 1999 
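Review bot: In the entry.S @@ -320 hunk the IMMSEC hook is placed after `testb $0x20,flags(%ebx)` / `jne 1f`, so a task with PF_TRACESYS set (one being ptraced) jumps to label 1 and its system calls never reach `immsec_process_syscall`; if the trace is meant to be complete, the `pushl %eax` / `call SYMBOL_NAME(immsec_process_syscall)` / `popl %eax` sequence also has to sit on the path taken at label 1, which is outside this hunk. The push/pop pair preserves only %eax across the C call; whether the handler reached by `call *%eax` needs any other register intact cannot be told from here, though handlers that read their arguments from the saved stack frame would presumably be unaffected. This hunk also depends on the store to `immsec_current_syscall` added in the @@ -303 hunk, and the author's own comment there ("we probably should pass this on the stack") notes that a single global for the current syscall number is fragile; a short comment at the call site saying the two hunks must be enabled together would help the next reader.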
@@ -33,6 +33,11 @@ #include <asm/io.h> #include <linux/smp.h> +#ifdef CONFIG_IMMSEC +#include <linux/string.h> +#include <linux/immsec.h> +#endif /* CONFIG_IMMSEC */ + asmlinkage void ret_from_sys_call(void) __asm__("ret_from_sys_call"); #ifdef CONFIG_APM @@ -611,6 +616,23 @@ error = getname((char *) regs.ebx, &filename); if (error) return error; + +#ifdef CONFIG_IMMSEC + /* IMMSEC: Anil, 3/15/98 + * Check if we are tracing. If not, check if we should. + * If so, set the flag. + * Note: if we couldn't get the filename, we don't start tracing! + */ + + current->immsec_trace = 0; + if (strcmp(filename + (strlen(filename) - 6), "/stide") == 0) { + current->immsec_trace = 1; + printk("<7> IMMSEC: Starting tracing %s in %d at %d\n", + filename, current->pid, immsec_syscall_count); + } + +#endif /* CONFIG_IMMSEC */ + error = do_execve(filename, (char **) regs.ecx, (char **) regs.edx, ®s); putname(filename); return error; diff -u --recursive --new-file linux.orig/include/linux/immsec.h linux/include/linux/immsec.h --- linux.orig/include/linux/immsec.h Wed Dec 31 17:00:00 1969 +++ linux/include/linux/immsec.h Sun Jun 6 22:41:32 1999 @@ -0,0 +1,14 @@ +/* + IMMSEC header file + + barely needed +*/ + +#ifndef _LINUX_IMMSEC_H +#define _LINUX_IMMSEC_H + +extern int immsec_syscall_count; +extern int immsec_current_syscall; +extern asmlinkage void immsec_process_syscall(void); + +#endif /* IMMSEC_INCLUDE */ diff -u --recursive --new-file linux.orig/include/linux/sched.h linux/include/linux/sched.h --- linux.orig/include/linux/sched.h Sat Aug 8 00:20:58 1998 +++ linux/include/linux/sched.h Sun Jun 27 23:56:26 1999 @@ -26,6 +26,8 @@ #include <linux/tty.h> #include <linux/sem.h> +#include <linux/config.h> + /* * cloning flags: */ 
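Review bot: In the process.c @@ -611 hunk, `strcmp(filename + (strlen(filename) - 6), "/stide")` reads before the start of `filename` whenever the path is shorter than six characters, which is undefined behaviour on a user-supplied string; compute the length once and guard it: `size_t len = strlen(filename);` `if (len >= 6 && strcmp(filename + len - 6, "/stide") == 0) {`. The trigger is the basename of whatever the caller executes, so tracing is effectively opt-in by any local user for their own process, and `current->immsec_trace` stays set even when `do_execve` fails on the next line, so the original program is then traced; clearing the flag on the error return of `do_execve` would avoid that. A comment such as `/* tracing is enabled by executable name; not a privilege check */` at the hunk would make the intent explicit. sys_execve continues outside the hunk.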
@@ -248,7 +250,14 @@ int processor; int last_processor; int lock_depth; /* Lock depth. We can context switch in and out of holding a syscall kernel lock... */ -#endif +#endif + + /* IMMSEC addition - Anil, 3/15/98 */ + /* immsec_trace: boolean whether task is being traced */ +#ifdef CONFIG_IMMSEC + int immsec_trace; +#endif /* CONFIG_IMMSEC */ + }; /* diff -u --recursive --new-file linux.orig/kernel/Makefile linux/kernel/Makefile --- linux.orig/kernel/Makefile Wed Jan 10 00:27:39 1996 +++ linux/kernel/Makefile Sun Jun 6 22:41:32 1999 @@ -13,7 +13,7 @@ O_TARGET := kernel.o O_OBJS = sched.o dma.o fork.o exec_domain.o panic.o printk.o sys.o \ module.o exit.o signal.o itimer.o info.o time.o softirq.o \ - resource.o sysctl.o + resource.o sysctl.o immsec.o ifeq ($(CONFIG_MODULES),y) OX_OBJS = ksyms.o diff -u --recursive --new-file linux.orig/kernel/fork.c linux/kernel/fork.c --- linux.orig/kernel/fork.c Sat Jul 11 13:16:56 1998 +++ linux/kernel/fork.c Sun Jun 6 22:41:32 1999 @@ -26,6 +26,8 @@ #include <asm/system.h> #include <asm/pgtable.h> +#include <linux/config.h> + int nr_tasks=1; int nr_running=1; unsigned long int total_forks=0; /* Handle normal Linux uptimes. */ @@ -300,6 +302,13 @@ p->counter = (current->counter >>= 1); wake_up_process(p); /* do this last, just in case */ ++total_forks; + +#ifdef CONFIG_IMMSEC + if (current->immsec_trace) { + printk("<7> IMMSEC F: parent %d, child %d\n",current->pid, p->pid); + } +#endif /* CONFIG_IMMSEC */ + return p->pid; bad_fork_cleanup_sighand: diff -u --recursive --new-file linux.orig/kernel/immsec.c linux/kernel/immsec.c --- linux.orig/kernel/immsec.c Wed Dec 31 17:00:00 1969 +++ linux/kernel/immsec.c Mon Jun 28 08:26:21 1999 
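Review bot: In the kernel/Makefile hunk, `immsec.o` is appended to `O_OBJS` unconditionally, so the object is compiled and linked even when CONFIG_IMMSEC is off and immsec.c reduces to nothing behind its `#ifdef CONFIG_IMMSEC`; the conventional form is a config test, `ifeq ($(CONFIG_IMMSEC),y)` / `O_OBJS += immsec.o` / `endif`, which keeps the file out of non-IMMSEC builds entirely.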
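Review bot: In the fork.c @@ -300 hunk the fork event is recorded with `printk("<7> IMMSEC F: parent %d, child %d\n", ...)`, i.e. through the kernel log, whereas `immsec_process_syscall` in kernel/immsec.c writes its records to the binary log file; a consumer of /var/log/immsec.raw therefore sees the child's pid appear with no record linking it to its parent, and the two streams have to be merged by hand. If the binary log is the intended output, the parent/child pair belongs in a record there as well, or the hunk should carry a comment stating that fork events are deliberately sent only to the kernel log. Whether the child inherits `immsec_trace` depends on the task copy earlier in do_fork, which is outside the hunk.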
@@ -0,0 +1,143 @@ +/* + immsec.c: routines for logging system calls directly from the kernel + + * original version by Anil Somayaji (soma@cs.unm.edu), June 1997 + * modifications for writing data directly to a binary log file + (instead of via klogd) by William C. Shutters <wcs@tycho.ncsc.mil>, + June 1998, with help from linux/kernel/sys.c. + * Shutters's patch adapted for UNM use by Geoff Hunsicker + (geoff@cs.unm.edu), 11/30/98. +*/ + +#include <linux/config.h> + +#ifdef CONFIG_IMMSEC + +#include <linux/kernel.h> +#include <asm/unistd.h> +#include <linux/sched.h> + +int immsec_syscall_count = 0; +int immsec_current_syscall = 0; + +static struct file immsec_logfile; +static int immsec_logfile_open = 0; /* 1=open, 0=not open yet, -1=can't open */ +int open_immsec_logfile(void); + +asmlinkage void immsec_process_syscall(void) +{ + int error = 0; + unsigned short fs; + + if (current->immsec_trace) { + if (immsec_logfile_open < 0) { /* there was an error opening the file */ + return; + } + immsec_syscall_count++; + if (!immsec_logfile_open) { /* not yet open */ + immsec_logfile_open = open_immsec_logfile(); + if (immsec_logfile_open < 0) { /* open failed */ + return; + } + } + + fs = get_fs(); + set_fs(KERNEL_DS); + + error = immsec_logfile.f_op->write(immsec_logfile.f_inode, &immsec_logfile, + (char *)&immsec_syscall_count, sizeof(int)); + if (error < 0) + goto errors; + + error = immsec_logfile.f_op->write(immsec_logfile.f_inode, &immsec_logfile, + (char *)¤t->pid, sizeof(pid_t)); + if (error < 0) + goto errors; + + error = immsec_logfile.f_op->write(immsec_logfile.f_inode, &immsec_logfile, + (char *)&immsec_current_syscall, sizeof(int)); + if (error < 0) + goto errors; + + set_fs(fs); + + } + + return; + +errors: + set_fs(fs); + printk("<7> IMMSEC: Error writing logfile, errno %d\n", error); +} + +int open_immsec_logfile(void) +{ + unsigned short fs; + struct inode *inode = (struct inode *)0; + char *tmp; + int error = 0; + int old_fsuid = current->fsuid; + + fs 
= get_fs(); + set_fs(KERNEL_DS); + + current->fsuid = 0; + + error = getname("/var/log/immsec.raw", &tmp); + if (error) + goto errors; + + error = open_namei(tmp, O_RDWR | O_CREAT, 0666, &inode, 0); + putname(tmp); + if (error) + goto errors; + + current->fsuid = old_fsuid; + + if (!S_ISREG(inode->i_mode)) { + iput(inode); + error = -EACCES; + goto errors; + } + + if (!inode->i_op || + !inode->i_op->default_file_ops || + !inode->i_op->default_file_ops->write) { + iput(inode); + error = -EIO; + goto errors; + } + + immsec_logfile.f_mode = 3; + immsec_logfile.f_flags = 0; + immsec_logfile.f_count = 1; + immsec_logfile.f_inode = inode; + immsec_logfile.f_pos = inode->i_size; + immsec_logfile.f_reada = 0; + immsec_logfile.f_op = inode->i_op->default_file_ops; + +if (immsec_logfile.f_op->open) { + error = immsec_logfile.f_op->open(immsec_logfile.f_inode, &immsec_logfile); + if (error < 0) { + iput(inode); + error = -EIO; + goto errors; + } +} else { /* There is no special open needed for this type of filesystem. */ + /* NOP */ +} + + set_fs(fs); + printk("<7> IMMSEC: syscall logging started; output file is /var/log/immsec.raw\n"); + + return 1; + +errors: + current->fsuid = old_fsuid; + set_fs(fs); + printk("<7> IMMSEC: Unable to open logfile, errno %d\n", error); + return -1; +} + + +#endif /* CONFIG_IMMSEC */ diff -u --recursive --new-file linux.orig/kernel/printk.c linux/kernel/printk.c --- linux.orig/kernel/printk.c Fri Jun 7 02:54:06 1996 +++ linux/kernel/printk.c Sun Jun 6 22:41:32 1999 
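Review bot: In `open_immsec_logfile`, `open_namei(tmp, O_RDWR | O_CREAT, 0666, &inode, 0)` creates the trace log world-readable and world-writable (as far as the umask of the traced process allows) while `current->fsuid` has just been forced to 0 so that the create succeeds for an unprivileged traced process; since the file holds per-pid system-call records that the detector consumes, creating it `0600` would stop other local users from reading or corrupting it. In `immsec_process_syscall` each `f_op->write` result is tested only with `if (error < 0)`, so a short write (a non-negative count smaller than the requested size) silently breaks the fixed-size record framing that raw2int.c relies on; compare against the requested length instead, e.g. `if (error != sizeof(int)) goto errors;` for the two `int` fields and `sizeof(pid_t)` for the pid. `immsec_logfile.f_mode = 3;` is a magic number for the read/write mode bits and deserves the symbolic constants or a comment. The `if (immsec_logfile.f_op->open)` block is indented at column 0, out of step with the rest of the function.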
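@@ -23,7 +23,13 @@ #include <linux/tty.h> #include <linux/tty_driver.h> +#include <linux/config.h> + +#ifdef CONFIG_IMMSEC +#define LOG_BUF_LEN 1024*1024 +#else #define LOG_BUF_LEN 8192 +#endif /* CONFIG_IMMSEC */ static char buf[1024];
这一段是raw2int.c部分
/*
 * raw2int.c: convert the binary IMMSEC trace on stdin into text.
 *
 * Each input record is three fields written back to back by the kernel
 * logger: a running record count (int), the pid of the traced task
 * (pid_t) and the system call number (int).  For every record one line
 * "<pid> <syscall>" is printed; a gap in the record count is reported on
 * stderr.  Exit status is 1 if the input ends in the middle of a record
 * or a read error occurs, 0 otherwise.
 */
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

#define STDIN 0
#define STDOUT 1
#define STDERR 2

/*
 * Read exactly `size` bytes from `fd` into `buf`, looping over short reads
 * (a pipe may deliver a record in several pieces).
 *
 * Returns `size` when a full record was read, 0 on a clean end of input
 * before the first byte of a record, the number of bytes obtained when the
 * input ends inside a record, or -1 on a read error.
 */
static ssize_t read_full(int fd, char *buf, size_t size)
{
    size_t got = 0;

    while (got < size) {
        ssize_t r = read(fd, buf + got, size - got);
        if (r < 0) {
            return -1;
        }
        if (r == 0) {
            break;              /* end of input */
        }
        got += (size_t)r;
    }
    return (ssize_t)got;
}

int main(void)
{
    /* Record layout: count, pid, syscall -- must match the kernel writer. */
    char buf[sizeof(int) + sizeof(pid_t) + sizeof(int)];
    const size_t record_size = sizeof buf;
    ssize_t result;
    int total_count = 0;
    int first = 1;              /* no previous count to compare against yet */

    /* (result = read(...) == record_size) in the original bound the
     * comparison before the assignment, leaving `result` as 0/1 and
     * making the premature-end check below unreachable. */
    while ((result = read_full(STDIN, buf, record_size)) == (ssize_t)record_size) {
        int count, syscall;
        pid_t pid;

        /* memcpy rather than casting buf: avoids misaligned/aliased access. */
        memcpy(&count, buf, sizeof count);
        memcpy(&pid, buf + sizeof count, sizeof pid);
        memcpy(&syscall, buf + sizeof count + sizeof pid, sizeof syscall);

        if (!first && count != total_count + 1) {
            fprintf(stderr, "Count jumped from %d to %d\n", total_count, count);
        }
        first = 0;
        total_count = count;
        printf("%d %d\n", pid, syscall);
    }

    /* 0 here means a clean end of input on a record boundary; anything
     * else is a truncated trailing record or a read error. */
    if (result != 0) {
        fprintf(stderr, "File ended prematurely\n");
        return 1;
    }
    return 0;
}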
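Review bot: In the printk.c hunk, `#define LOG_BUF_LEN 1024*1024` is an unparenthesised expression macro; a use such as `x % LOG_BUF_LEN` or `LOG_BUF_LEN - 1` inside a wider expression binds differently from what the author expects, so it should read `#define LOG_BUF_LEN (1024*1024)`. How printk.c indexes its buffer is outside the hunk, but the parenthesised form is safe regardless. Raising the buffer from 8 KiB to 1 MiB also keeps a megabyte of static kernel memory resident whenever CONFIG_IMMSEC is selected, even before any tracing starts; a one-line comment giving the reason would help, e.g. `/* IMMSEC: the exec/fork trace messages go through printk; keep more backlog */`.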
地主 发表时间: 04-04-04 19:19 |