#define _GNU_SOURCE
#include<dlfcn.h>
#include<errno.h>
#include<stdio.h>
#include<stdlib.h>
#include<string.h>
#include<sys/types.h>
#include<unistd.h>
#include<openssl/ssl.h>
/* Program name of the hosting process; declared extern here and expected to
 * be supplied by the C library. Used only as a label in log lines. */
extern char * __progname;
/*
 * Pointers to the next definition of each interposed symbol, resolved with
 * dlsym(RTLD_NEXT, ...). Each wrapper in this file forwards to its pointer, and
 * the helpers use hook_open / hook_fopen directly so their own file accesses
 * do not pass through the wrappers again.
 */
static int (*hook_open)(const char *path , int flags, mode_t mode)= NULL;
static int (*hook_open64)(const char *path , int flags, mode_t mode)= NULL;
static FILE *(*hook_fopen)(const char *path, const char *mode) = NULL;
static int (*hook_unlinkat)(int dirfd, const char *path, int flags) = NULL;
static int (*hook_unlink)(const char *path) = NULL;
static int (*hook_SSL_read)(SSL *ssl, void *path, int num) = NULL;
static int (*hook_SSL_write)(SSL *ssl, const void *path, int num) = NULL;
/* Size in bytes of FILTER and of the scratch buffers used by the helpers. */
#define MAX 0x100
/* Filter restored by CheckConfig() when the configured filter is empty. */
#define DEFAULT_FILTER "/tmp/"
/* Substring that a resolved path must contain for PrintLog() to record it.
 * CheckConfig() may overwrite it from /tmp/hook.ini.
 * NOTE(review): both symbols below have external linkage and generic names, so
 * they can collide with same-named symbols in the hosting program. */
char FILTER[MAX] ="/tmp/";
/* Stream for /tmp/hook.ini; non-NULL means the config was already read. */
FILE * cf_file = NULL;
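/*
 * Copy the start of /proc/<pid>/cmdline into pName as a NUL-terminated string.
 *
 * pid   - process whose command line is read.
 * pName - caller buffer of at least MAX bytes; set to "" on any failure.
 *
 * The file is opened through hook_open (the real open) so the lookup does not
 * go through this library's own open() wrapper.
 */
void getNamePID(int pid, char *pName)
{
    char proc_path[MAX] = {0};
    int fd;
    ssize_t got;

    pName[0] = '\0';
    if (hook_open == NULL)
        return;                 /* real open() was never resolved */

    snprintf(proc_path, sizeof(proc_path), "/proc/%d/cmdline", pid);
    fd = hook_open(proc_path, 0, 0);
    if (fd < 0)
        return;                 /* process gone or /proc not readable */

    /* Leave room for the terminator: the caller prints pName with %s, and a
     * full MAX-byte read would otherwise leave the buffer unterminated. */
    got = read(fd, pName, MAX - 1);
    pName[got > 0 ? got : 0] = '\0';
    close(fd);
}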
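/*
 * Load the path filter from /tmp/hook.ini the first time it can be opened.
 *
 * The first whitespace-delimited token of the file replaces FILTER. An empty
 * FILTER falls back to DEFAULT_FILTER. cf_file is deliberately left open: a
 * non-NULL cf_file is the "already loaded" marker checked on later calls.
 *
 * NOTE(review): the config file sits in a world-writable directory, so any
 * local user who creates it first controls its contents. The read below is
 * therefore bounded to the size of FILTER; the original unbounded "%s" let an
 * over-long token overflow the buffer in every process hosting this library.
 */
void CheckConfig()
{
    char fmt[16];

    if (cf_file != NULL)
        return;                 /* config already read */
    if (hook_fopen == NULL)
        return;                 /* real fopen() was never resolved */

    cf_file = hook_fopen("/tmp/hook.ini", "r");
    if (cf_file) {
        /* Build "%<N>s" with N = sizeof(FILTER) - 1 so fscanf cannot write
         * past the end of FILTER, terminator included. */
        snprintf(fmt, sizeof(fmt), "%%%zus", sizeof(FILTER) - 1);
        if (fscanf(cf_file, fmt, FILTER) != 1) {
            /* No token read: FILTER keeps its previous contents. */
        }
    }
    if (strlen(FILTER) < 1)
        snprintf(FILTER, sizeof(FILTER), "%s", DEFAULT_FILTER);
}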
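/*
 * Append one record to /tmp/file_log.txt when real_path contains FILTER.
 *
 * real_path - resolved path to record; NULL is ignored.
 *
 * The record holds this process's name and pid, the parent's command line and
 * pid, and the path. The log is opened through hook_fopen (the real fopen) so
 * writing it does not pass through this library's fopen() wrapper.
 *
 * NOTE(review): the log lives at a fixed name in a world-writable directory and
 * is opened with plain fopen(), which follows symlinks and creates the file
 * with umask-default permissions. A private directory would be safer. Paths
 * are written verbatim, so a path containing a newline can forge extra records.
 */
void PrintLog(char * real_path)
{
    char parent_name[MAX] = {0};
    FILE *log_fp;

    /* strstr() returns a pointer; compare it with NULL rather than with 0
     * using an ordered comparison. */
    if (real_path == NULL || strstr(real_path, FILTER) == NULL)
        return;
    if (hook_fopen == NULL)
        return;                 /* real fopen() was never resolved */

    log_fp = hook_fopen("/tmp/file_log.txt", "a+");
    if (log_fp == NULL)
        return;

    getNamePID(getppid(), parent_name);
    parent_name[MAX - 1] = '\0';    /* guarantee termination before %s */
    fprintf(log_fp, "[-] Caller-> pName:[%s]:[%d],ppName:[%s]:[%d]->%s\n",
            __progname, (int)getpid(), parent_name, (int)getppid(), real_path);
    fclose(log_fp);
}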
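/*
 * Interposed unlinkat(): record the target path, then forward to the real
 * unlinkat and return its result.
 *
 * Returns -1 with errno = ENOSYS if the real symbol cannot be resolved.
 *
 * NOTE(review): realpath() resolves a relative path against the current
 * working directory, not against dirfd, and follows a final symlink. The
 * logged path can therefore differ from the entry that is actually removed.
 */
int unlinkat(int dirfd, const char *path, int flags)
{
    if (hook_unlinkat == NULL)
        hook_unlinkat = dlsym(RTLD_NEXT, "unlinkat");
    if (hook_unlinkat == NULL) {
        errno = ENOSYS;
        return -1;
    }

    /* Resolve before the real call: afterwards the entry no longer exists. */
    char *real_path = realpath(path, NULL);
    if (real_path) {
        CheckConfig();
        PrintLog(real_path);
        free(real_path);        /* realpath() allocated this buffer */
    }
    return hook_unlinkat(dirfd, path, flags);
}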
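/*
 * Interposed unlink(): record the target path, then forward to the real
 * unlink and return its result.
 *
 * Returns -1 with errno = ENOSYS if the real symbol cannot be resolved.
 *
 * NOTE(review): realpath() follows a final symlink, so when a symlink is
 * removed the log shows the link's target rather than the link itself.
 */
int unlink(const char *path)
{
    if (hook_unlink == NULL)
        hook_unlink = dlsym(RTLD_NEXT, "unlink");
    if (hook_unlink == NULL) {
        errno = ENOSYS;
        return -1;
    }

    /* Resolve before the real call: afterwards the entry no longer exists. */
    char *real_path = realpath(path, NULL);
    if (real_path) {
        CheckConfig();
        PrintLog(real_path);
        free(real_path);        /* realpath() allocated this buffer */
    }
    return hook_unlink(path);
}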
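/*
 * Interposed open(): forward to the real open, then record the resolved path.
 *
 * Returns the real open()'s result with its errno preserved, or -1 with
 * errno = ENOSYS if the real symbol cannot be resolved.
 *
 * NOTE(review): libc declares open() as variadic. This fixed three-argument
 * definition reads `mode` even when the caller passed only two arguments, so
 * the forwarded mode is indeterminate unless the caller supplied one.
 * Only paths that realpath() can resolve after the call are logged, so failed
 * opens of non-existent files leave no record.
 */
int open(const char * path, int flags, mode_t mode)
{
    if (hook_open == NULL)
        hook_open = dlsym(RTLD_NEXT, "open");
    if (hook_open == NULL) {
        errno = ENOSYS;
        return -1;
    }

    int hook_ret = hook_open(path, flags, mode);
    int saved_errno = errno;    /* logging below must not change the caller's errno */

    char *real_path = realpath(path, NULL);
    if (real_path) {
        CheckConfig();
        PrintLog(real_path);
        free(real_path);        /* realpath() allocated this buffer */
    }

    errno = saved_errno;
    return hook_ret;
}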
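/*
 * Interposed open64(): forward to the real open64, then record the resolved
 * path.
 *
 * Returns the real open64()'s result with its errno preserved, or -1 with
 * errno = ENOSYS if the real symbol cannot be resolved.
 *
 * NOTE(review): as with open(), the libc prototype is variadic, so `mode` is
 * indeterminate when the caller passed only two arguments.
 */
int open64(const char * path, int flags, mode_t mode)
{
    if (hook_open64 == NULL)
        hook_open64 = dlsym(RTLD_NEXT, "open64");
    if (hook_open64 == NULL) {
        errno = ENOSYS;
        return -1;
    }

    int hook_ret = hook_open64(path, flags, mode);
    int saved_errno = errno;    /* logging below must not change the caller's errno */

    char *real_path = realpath(path, NULL);
    if (real_path) {
        CheckConfig();
        PrintLog(real_path);
        free(real_path);        /* realpath() allocated this buffer */
    }

    errno = saved_errno;
    return hook_ret;
}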
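/*
 * Interposed fopen(): forward to the real fopen, then record the resolved
 * path.
 *
 * Returns the real fopen()'s stream with its errno preserved, or NULL with
 * errno = ENOSYS if the real symbol cannot be resolved.
 */
FILE * fopen(const char *path, const char *mode)
{
    if (hook_fopen == NULL)
        hook_fopen = dlsym(RTLD_NEXT, "fopen");
    if (hook_fopen == NULL) {
        errno = ENOSYS;
        return NULL;
    }

    FILE *hook_ret = hook_fopen(path, mode);
    int saved_errno = errno;    /* logging below must not change the caller's errno */

    char *real_path = realpath(path, NULL);
    if (real_path) {
        CheckConfig();
        PrintLog(real_path);
        free(real_path);        /* realpath() allocated this buffer */
    }

    errno = saved_errno;
    return hook_ret;
}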
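/*
 * Interposed SSL_read(): forward to the real SSL_read, then append the text
 * it returned to /tmp/file_log.txt.
 *
 * ssl  - connection handle, passed through untouched.
 * path - caller's receive buffer (not a path, despite the name).
 * num  - capacity of the receive buffer.
 *
 * Returns the real SSL_read()'s result, or -1 if the symbol cannot be
 * resolved. errno is preserved across the logging.
 *
 * Fixes over the original: the buffer is not NUL-terminated, so fputs() read
 * past the received data; the write is now bounded by the byte count returned.
 * The log stream is NULL-checked. It is opened via hook_fopen, as PrintLog()
 * does, so the log file's own open is not recorded by this library's fopen().
 *
 * NOTE(review): what is logged is decrypted application data. The log is a
 * fixed-name file in a world-writable directory created with umask-default
 * permissions, so other local users may be able to read or pre-create it.
 */
int SSL_read(SSL *ssl, void *path, int num)
{
    if (hook_SSL_read == NULL)
        hook_SSL_read = dlsym(RTLD_NEXT, "SSL_read");
    if (hook_SSL_read == NULL)
        return -1;

    int hook_ret = hook_SSL_read(ssl, path, num);
    int saved_errno = errno;    /* callers may inspect errno after a failed read */

    if (hook_ret > 0) {         /* on failure the buffer holds nothing valid */
        if (hook_fopen == NULL)
            hook_fopen = dlsym(RTLD_NEXT, "fopen");
        FILE *fp = hook_fopen ? hook_fopen("/tmp/file_log.txt", "a+") : NULL;
        if (fp) {
            /* Like fputs(), stop at the first NUL, but never read more than
             * the hook_ret bytes that were actually received. */
            fprintf(fp, "%.*s", hook_ret, (const char *)path);
            fclose(fp);
        }
    }

    errno = saved_errno;
    return hook_ret;
}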
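/*
 * Interposed SSL_write(): forward to the real SSL_write, then append the text
 * that was sent to /tmp/file_log.txt.
 *
 * ssl  - connection handle, passed through untouched.
 * path - caller's send buffer (not a path, despite the name).
 * num  - number of bytes the caller asked to send.
 *
 * Returns the real SSL_write()'s result, or -1 if the symbol cannot be
 * resolved. errno is preserved across the logging.
 *
 * Fixes over the original: the buffer is not NUL-terminated, so fputs() read
 * past the caller's data; the write is now bounded by the byte count returned.
 * The log stream is NULL-checked. It is opened via hook_fopen, as PrintLog()
 * does, so the log file's own open is not recorded by this library's fopen().
 *
 * NOTE(review): what is logged is plaintext application data before it is
 * encrypted. The log is a fixed-name file in a world-writable directory
 * created with umask-default permissions, so other local users may be able to
 * read or pre-create it.
 */
int SSL_write(SSL *ssl, const void *path, int num)
{
    if (hook_SSL_write == NULL)
        hook_SSL_write = dlsym(RTLD_NEXT, "SSL_write");
    if (hook_SSL_write == NULL)
        return -1;

    int hook_ret = hook_SSL_write(ssl, path, num);
    int saved_errno = errno;    /* callers may inspect errno after a failed write */

    if (hook_ret > 0) {         /* nothing was sent otherwise */
        if (hook_fopen == NULL)
            hook_fopen = dlsym(RTLD_NEXT, "fopen");
        FILE *fp = hook_fopen ? hook_fopen("/tmp/file_log.txt", "a+") : NULL;
        if (fp) {
            /* Like fputs(), stop at the first NUL, but never read more than
             * the hook_ret bytes that were actually sent. */
            fprintf(fp, "%.*s", hook_ret, (const char *)path);
            fclose(fp);
        }
    }

    errno = saved_errno;
    return hook_ret;
}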
/* Fill `slot` with the next definition of `symbol` unless already resolved. */
#define RESOLVE_NEXT(slot, symbol)                      \
    do {                                                \
        if ((slot) == NULL)                             \
            (slot) = dlsym(RTLD_NEXT, (symbol));        \
    } while (0)

/*
 * Load-time constructor: resolve the real implementation behind every
 * interposed symbol before any wrapper is called. A symbol that dlsym()
 * cannot find leaves its pointer NULL; no error is reported here.
 * Presumably this object is meant to be preloaded ahead of libc and libssl.
 */
void __attribute__ ((constructor)) before_load(void)
{
    RESOLVE_NEXT(hook_open, "open");
    RESOLVE_NEXT(hook_open64, "open64");
    RESOLVE_NEXT(hook_fopen, "fopen");
    RESOLVE_NEXT(hook_unlink, "unlink");
    RESOLVE_NEXT(hook_unlinkat, "unlinkat");
    RESOLVE_NEXT(hook_SSL_read, "SSL_read");
    RESOLVE_NEXT(hook_SSL_write, "SSL_write");
}

#undef RESOLVE_NEXT