Hacking Linux Exposed

About
Authors
Contents
Reviews
Foreword
Purchase

Articles
Books
Sourcecode
Tools
Errata

Home

 


(view this code in a separate window)

/*
 * noptrace kernel module.
 *
 * Copyright Bri Hatch, 2001. Released under the GPL.
 *
 * Disable the ptrace system call entirely.  Used
 * to help prevent attacks against setuserid binaries
 * on pre 2.2.19/2.4.9 kernels, which have a massive security
 * problem.
 *
 * NOTE: This defends against only one avenue of
 * attack for the vulnerable kernels, however most
 * script-kiddie exploits are using the ptrace
 * vulnerability, so this is a good first step.
 *
 * Install this at your own risk.  We suggest you
 * read chapter 10 of Hacking Linux Exposed for
 * discussion about how loadable kernel modules work
 * where we discuss some in detail.
 *
 * To compile:
 *    gcc -o noptrace.o -c noptrace.c
 *
 * Then copy noptrace.o into one of the default
 * insmod directories, such as /lib/modules/misc.
 *
 * Load it into the running kernel with 'modprobe noptrace'.
 *
 */

#define __KERNEL__
#define MODULE

#include <linux/config.h>
#include <linux/module.h>
#include <linux/version.h>
#include <sys/syscall.h>

#include <linux/sched.h>
#include <linux/types.h>




int (*real_ptrace) (int, int, int, int);
int new_ptrace  (int, int, int, int);
extern void *sys_call_table[];

int init_module() {

      /* Save a pointer to the old ptrace function */
      real_ptrace   = sys_call_table[ __NR_ptrace ];

      /* point to our new ptrace function in sys_call_table */
      sys_call_table[ __NR_ptrace ]   =  (void *)new_ptrace;

      printk(KERN_INFO "noptrace module installed\n");
      return 0;
}

int cleanup_module() {

      /* reset the pointer back to the actual function */
      sys_call_table[ __NR_ptrace ]   = (void *)real_ptrace;

      printk(KERN_INFO "noptrace module uninstalled\n");
        return 0;
}


/* The replacement function */

int new_ptrace(int request, int pid, int addr, int data) {
      return -1;
}