doxygen/html/deploy_8c_source.html

 /*
  * Copyright (c) 2020 Bitdefender
  * SPDX-License-Identifier: Apache-2.0
  */
 #include "../common.h"

 typedef void * (filp_open_fn)(const char *filename, int flags, unsigned short mode);
 typedef int (filp_close_fn)(void *filp, void *id);
 typedef void * (vmalloc_fn)(unsigned long size);
 typedef unsigned int (__kernel_write_fn)(void *file, const void *buf, unsigned int count, long long *pos);
 typedef int (kernel_write_fn)(void *file, const char *buf, size_t count, unsigned long pos);
 typedef void (vfree_fn)(void *ptr);
 typedef char ** (argv_split_fn)(unsigned int gfp, const char *str, int *argcp);
 typedef void (argv_free_fn)(char **argv);
 typedef void *(call_usermodehelper_setup_fn)(const char *path, char **argv, char **envp, unsigned long gfp_mask,
         int (*init)(void *info, void *new), void (*cleanup)(void *info), void *data);
 typedef int (call_usermodehelper_exec_fn)(void *sub_info, int wait);
 typedef void (do_exit_fn)(long code);
 typedef int (printk_fn)(const char *fmt, ...);

 #pragma pack(push, 1)
 struct  data {
     struct {
         unsigned long hypercall;
         unsigned long completion;
         unsigned long error;
     } token;

     struct {
         filp_open_fn *filp_open;
         filp_close_fn *filp_close;
         kernel_write_fn *kernel_write;
         __kernel_write_fn *__kernel_write;
         vmalloc_fn *vmalloc;
         vfree_fn *vfree;
         argv_split_fn *argv_split;
         argv_free_fn *argv_free;
         call_usermodehelper_setup_fn *call_usermodehelper_setup;
         call_usermodehelper_exec_fn *call_usermodehelper_exec;
         do_exit_fn *do_exit;
         printk_fn *printk;
     } func;

     struct {
         unsigned long kernel_version;

         unsigned long vmalloc_size;
         char root[1];
         char name[128];

         struct {
             unsigned long wait_proc;
             unsigned long wait_exec;
         } umh;
     } args;
 };

 #pragma pack(pop)

 struct data _data __section(".adata") __aligned(1) = { 0 };

 extern void *__address;

 __default_fn_attr
 int call_usermodehelper(const char *path, char **argv, char **envp, unsigned int wait)
 {
     unsigned long gfp_mask = GFP_KERNEL;
     void *info = _data.func.call_usermodehelper_setup(path, argv, envp, gfp_mask, NULL, NULL, NULL);
     if (!info)
     {
         breakpoint_2(_data.token.error, _data.func.call_usermodehelper_setup, info);
         return -1;
     }

     return _data.func.call_usermodehelper_exec(info, wait);
 }


 __default_fn_attr
 void deploy(void)
 {
     int ret = 0;
     void *file = _data.func.filp_open(_data.args.root, O_CREAT | O_RDWR | O_TRUNC, 0400);
     if (IS_ERR_VALUE(file))
     {
         breakpoint_1(_data.token.error, _data.func.filp_open);
         return;
     }

     void *ptr = _data.func.vmalloc(_data.args.vmalloc_size);
     if (!ptr)
     {
         breakpoint_1(_data.token.error, _data.func.vmalloc);
         goto _exit;
     }

     unsigned int count = 0;
     long long pos = 0;
     do
     {
         count = breakpoint_1(_data.token.hypercall, ptr);
         if (count == 0)
         {
             break;
         }

         if (_data.args.kernel_version <= KERNEL_VERSION(2, 6, 72))
         {
             ret = _data.func.kernel_write(file, ptr, count, pos);
             if (ret < 0)
             {
                 breakpoint_1(_data.token.error, _data.func.__kernel_write);
                 goto _exit;
             }

             pos += ret;
         }
         else
         {
             ret = _data.func.__kernel_write(file, ptr, count, &pos);
             if (ret < 0)
             {
                 breakpoint_1(_data.token.error, _data.func.__kernel_write);
                 goto _exit;
             }
         }
     } while (count);

     breakpoint(_data.token.completion);

 _exit:
     if (file)
     {
         _data.func.filp_close(file, 0);
     }

     if (ptr)
     {
         _data.func.vfree(ptr);
     }

     if (ret < 0)
     {
         char *argv_remove[4];
         argv_remove[0] = "/bin/rm";
         argv_remove[1] = "-f";
         argv_remove[2] = _data.args.root;
         argv_remove[3] = NULL;

         char *envp[4];
         envp[0] = "HOME=/";
         envp[1] = "TERM=linux";
         envp[2] = "PATH=/sbin:/bin:/usr/sbin:/usr/bin";
         envp[3] = NULL;

         call_usermodehelper(argv_remove[0], argv_remove, envp, _data.args.umh.wait_exec);
     }
 }


 __fn_naked __section(".start")
 void trampoline(void)
 {
     deploy();

     __exit;
     __do_exit(__address, _data.func.do_exit, _data.func.vfree);
 }
O_CREAT
#define O_CREAT
Definition: common.h:20

call_usermodehelper
__default_fn_attr int call_usermodehelper(const char *path, char **argv, char **envp, unsigned int wait)
Definition: deploy.c:69

data::args
struct data::@2 args
The arguments of the agent.

data::kernel_version
unsigned long kernel_version
The version of the kernel.
Definition: deploy.c:48

KERNEL_VERSION
#define KERNEL_VERSION(K, Patch, Sublevel)
Definition: common.h:60

data::token
struct data::@0 token
The tokens used to communicate with Intocore.

data::call_usermodehelper_exec
call_usermodehelper_exec_fn * call_usermodehelper_exec
Definition: deploy.c:41

data::hypercall
unsigned long hypercall
Definition: kthread.c:17

data::kernel_write
kernel_write_fn * kernel_write
Definition: deploy.c:34

data::root
char root[1]
The root path; allways &#39;/&#39;.
Definition: deploy.c:51

breakpoint
static __default_fn_attr unsigned long breakpoint(unsigned long token)
Generate INT3 instruction for hypercall.
Definition: common.h:167

kernel_write_fn
int() kernel_write_fn(void *file, const char *buf, size_t count, unsigned long pos)
Definition: deploy.c:11

GFP_KERNEL
#define GFP_KERNEL
Definition: common.h:15

IS_ERR_VALUE
#define IS_ERR_VALUE(x)
Definition: common.h:66

O_RDWR
#define O_RDWR
Definition: common.h:19

vmalloc_fn
void *() vmalloc_fn(unsigned long size)
Definition: deploy.c:9

init
__default_fn_attr void init(void)
Allocates memory for detours and agents.
Definition: init.c:15

filp_close_fn
int() filp_close_fn(void *filp, void *id)
Definition: deploy.c:8

data::call_usermodehelper_setup
call_usermodehelper_setup_fn * call_usermodehelper_setup
Definition: deploy.c:40

__fn_naked
#define __fn_naked
Definition: common.h:79

__exit
#define __exit
Generates the exit asm-code for agents.
Definition: common.h:120

__section
#define __section(S)
Definition: common.h:76

breakpoint_1
#define breakpoint_1(token, p1)
Hypercall using 1 argument.
Definition: common.h:177

data::wait_proc
unsigned long wait_proc
The value of UMH_WAIT_PROC.
Definition: deploy.c:55

data::filp_close
filp_close_fn * filp_close
Definition: deploy.c:33

__default_fn_attr
#define __default_fn_attr
Definition: common.h:78

breakpoint_2
#define breakpoint_2(token, p1, p2)
Hypercall using 2 argument.
Definition: common.h:185

data::name
char name[128]
The name of the deployed file.
Definition: deploy.c:52

O_TRUNC
#define O_TRUNC
Definition: common.h:22

data::filp_open
filp_open_fn * filp_open
Definition: deploy.c:32

__address
void * __address

call_usermodehelper_exec_fn
int() call_usermodehelper_exec_fn(void *sub_info, int wait)
Definition: deploy.c:17

data::wait_exec
unsigned long wait_exec
The value of UMH_WAIT_EXEC.
Definition: deploy.c:56

data::umh
struct data::@5::@6 umh

data::__kernel_write
__kernel_write_fn * __kernel_write
Definition: deploy.c:35

__aligned
struct data _data __aligned(1)
The section used for this agent is .adata&#39;.

data::func
struct data::@1 func
The functions used by this agent.

data::vmalloc_size
unsigned long vmalloc_size
The size of allocation.
Definition: kthread.c:32

__kernel_write_fn
unsigned int() __kernel_write_fn(void *file, const void *buf, unsigned int count, long long *pos)
Definition: deploy.c:10

data::argv_split
argv_split_fn * argv_split
Definition: deploy.c:38

argv_free_fn
void() argv_free_fn(char **argv)
Definition: deploy.c:14

do_exit_fn
void() do_exit_fn(long code)
Definition: deploy.c:18

data::completion
unsigned long completion
Definition: kthread.c:18

call_usermodehelper_setup_fn
void *() call_usermodehelper_setup_fn(const char *path, char **argv, char **envp, unsigned long gfp_mask, int(*init)(void *info, void *new), void(*cleanup)(void *info), void *data)
Definition: deploy.c:15

data::vfree
vfree_fn * vfree
Definition: deploy.c:37

__do_exit
#define __do_exit(address, do_exit_fn, vfree_fn)
Pushes the exit address on the stack and jumps to the &#39;do_exit&#39; function in order to terminate the th...
Definition: common.h:126

deploy
__default_fn_attr void deploy(void)
Creates a file using the provided name and writes the content given by Introcore in the file...
Definition: deploy.c:84

data::do_exit
do_exit_fn * do_exit
Definition: deploy.c:42

data::error
unsigned long error
Definition: kthread.c:19

trampoline
__fn_naked void trampoline(void)
The trampoline of the agent.
Definition: deploy.c:171

data::vmalloc
vmalloc_fn * vmalloc
Definition: deploy.c:36

data::argv_free
argv_free_fn * argv_free
Definition: deploy.c:39

printk_fn
int() printk_fn(const char *fmt,...)
Definition: deploy.c:19

argv_split_fn
char **() argv_split_fn(unsigned int gfp, const char *str, int *argcp)
Definition: deploy.c:13

data
Definition: kthread.c:14

data::printk
printk_fn * printk
Definition: deploy.c:43

filp_open_fn
void *() filp_open_fn(const char *filename, int flags, unsigned short mode)
Definition: deploy.c:7

vfree_fn
void() vfree_fn(void *ptr)
Definition: deploy.c:12