#include <signal.h>
#include <syscall.h>
#include <sys/ptrace.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>
#include <stdlib.h>
#include <errno.h>
#include <sys/user.h>
#include <sys/reg.h>
#include <sys/syscall.h>
#include <stdio.h>
#include <string.h>
#include <stdbool.h>
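/* Allowlist of syscall numbers the traced program is permitted to make.
 *
 * NOTE(review): these values match the i386 (32-bit) syscall numbering
 * (3=read, 4=write, 5=open, 6=close, 11=execve, 33=access, 45=brk,
 * 91=munmap, 125=mprotect, 192=mmap2, 197=fstat64, 243=set_thread_area,
 * 252=exit_group). main() reads the number from ORIG_RAX, the x86-64
 * register; the two only agree when the tracee is a 32-bit binary running
 * under an x86-64 kernel. Confirm that is the intended target, because
 * under the 64-bit ABI the same numbers name different syscalls. */
static const long auth_syscall[] =
{
    3,
    4,
    5,
    6,
    11,
    33,
    45,
    91,
    125,
    192,
    197,
    243,
    252
};

/* Number of entries in auth_syscall (an actual array, so sizeof is valid). */
#define TAB_SIZE (sizeof(auth_syscall) / sizeof(*auth_syscall))

/*
 * Decide whether a syscall number must be blocked.
 *
 * @param syscall  syscall number as read from the tracee's ORIG_RAX.
 * @return true  when the number is NOT in auth_syscall (caller kills the
 *               tracee), false when it is allowed. A diagnostic line is
 *               printed for allowed syscalls.
 *
 * The loop index is size_t so the comparison with TAB_SIZE (a size_t) is
 * not a signed/unsigned mix, which the original int index triggered.
 */
static bool syscall_check(long syscall)
{
    for (size_t i = 0; i < TAB_SIZE; ++i)
    {
        if (auth_syscall[i] == syscall)
        {
            printf("syscall %ld is ok \n", syscall);
            return false;
        }
    }
    return true;
}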
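/*
 * Run argv[1] under ptrace and stop at every syscall entry/exit; the tracee
 * is killed on the first syscall number that syscall_check() rejects.
 *
 * Fixes over the original:
 *  - argv[1] is checked before use (argc < 2 dereferenced NULL);
 *  - a failed execl in the child no longer falls through to `return 0`,
 *    which made a failed exec look like a clean run; the child reports the
 *    error and _exit()s instead;
 *  - fork/ptrace/waitpid results are checked; waitpid(child) replaces the
 *    unqualified wait();
 *  - PTRACE_PEEKUSER returns -1 both for an error and for a genuine value
 *    of -1, so errno is cleared before the call and checked after it;
 *  - PTRACE_O_TRACESYSGOOD is requested so a syscall-stop (SIGTRAP|0x80)
 *    cannot be confused with an ordinary signal-delivery stop, whose
 *    ORIG_RAX is not a syscall the tracee is about to make;
 *  - signals delivered to the tracee are re-injected on resume instead of
 *    being silently swallowed by resuming with data == NULL.
 *
 * Any error while tracing is treated as fail-closed: the tracee is killed.
 *
 * @return 0 once the child has exited or been killed, 1 on a usage or setup
 *         error.
 */
int main(int argc, char **argv)
{
    if (argc < 2 || argv[1] == NULL)
    {
        fprintf(stderr, "usage: %s <program>\n", argv[0]);
        return 1;
    }

    pid_t child = fork();
    if (child == -1)
    {
        perror("fork");
        return 1;
    }

    if (child == 0)
    {
        /* Child: ask to be traced, then exec the target. execl() only
         * returns on failure, so everything after it is the error path. */
        if (ptrace(PTRACE_TRACEME, 0, NULL, NULL) == -1)
        {
            perror("ptrace(PTRACE_TRACEME)");
            _exit(127);
        }
        execl(argv[1], argv[1], (char *)NULL);
        perror("execl");
        _exit(127);
    }

    /* The first stop is the SIGTRAP the kernel delivers on exec. Use it to
     * enable TRACESYSGOOD before any syscall-stop is reported. */
    int status = 0;
    if (waitpid(child, &status, 0) == -1)
    {
        perror("waitpid");
        return 1;
    }
    if (WIFEXITED(status) || WIFSIGNALED(status))
        return 0;
    if (ptrace(PTRACE_SETOPTIONS, child, NULL,
               (void *)(long)PTRACE_O_TRACESYSGOOD) == -1)
    {
        /* Without TRACESYSGOOD the syscall-stop test below never matches
         * and nothing would be checked — fail closed instead. */
        perror("ptrace(PTRACE_SETOPTIONS)");
        kill(child, SIGKILL);
        waitpid(child, &status, 0);
        return 1;
    }

    int count = 0;   /* number of syscall-stops seen, for the trace output */
    int sig = 0;     /* signal to re-inject on the next resume */
    for (;;)
    {
        if (ptrace(PTRACE_SYSCALL, child, NULL, (void *)(long)sig) == -1)
        {
            perror("ptrace(PTRACE_SYSCALL)");
            kill(child, SIGKILL);
            waitpid(child, &status, 0);
            break;
        }
        if (waitpid(child, &status, 0) == -1)
        {
            perror("waitpid");
            kill(child, SIGKILL);
            break;
        }
        if (WIFEXITED(status) || WIFSIGNALED(status))
            break;
        sig = 0;
        if (!WIFSTOPPED(status))
            continue;

        if (WSTOPSIG(status) == (SIGTRAP | 0x80))
        {
            /* Syscall entry or exit stop: ORIG_RAX holds the syscall number. */
            errno = 0;
            long orig_eax = ptrace(PTRACE_PEEKUSER, child, 8 * ORIG_RAX, NULL);
            if (orig_eax == -1 && errno != 0)
            {
                perror("ptrace(PTRACE_PEEKUSER)");
                printf("program killed %d\n", child);
                kill(child, SIGKILL);
                waitpid(child, &status, 0);
                break;
            }
            if (syscall_check(orig_eax))
            {
                printf("program killed %d\n", child);
                kill(child, SIGKILL);
                waitpid(child, &status, 0);   /* reap the killed tracee */
                break;
            }
            printf("%d time, system call %ld\n", count++, orig_eax);
        }
        else if (WSTOPSIG(status) != SIGTRAP)
        {
            /* Ordinary signal-delivery stop: hand the signal back to the
             * tracee on resume rather than discarding it. */
            sig = WSTOPSIG(status);
        }
    }
    return 0;
}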