[Fwd: anti-ptrace]

To: Yuan-Chen Cheng <ycheng@oss.sinica.edu.tw>
Cc: KaLUG <kalug@kalug.linux.org.tw>, "Debian Chinese list." <debian-chinese-big5@lists.debian.org>, TLUG-en <tlug_en@linux.org.tw>
Subject: [Fwd: anti-ptrace]
From: Rex Tsai <chihchun@kalug.linux.org.tw>
Date: Sat, 05 Apr 2003 16:01:03 +0800
Message-id: <[🔎] 3E8E8D3F.2030600@kalug.linux.org.tw>

  在 Debian 系統上，舊的核心還有 ptrace 的 bug，以下這個模組可以暫時的防止這
個問題。

-------- Original Message --------
Subject: anti-ptrace
Resent-Date: Tue,  1 Apr 2003 15:10:58 -0600 (CST)
Resent-From: debian-security@lists.debian.org
Date: Tue, 01 Apr 2003 14:53:39 -0600
From: Steve Meyer <steve11523@hotmail.com>
To: debian-security@lists.debian.org

Has anyone else beside me tried this anti-ptrace script?  I downloaded it
from packetstormsecurity.com and ran and loaded the module and it works like
a charm.  If anyone tries to use ptrace besides root it echo's that event to
the root terminal, and denies it.  Well here is a copy of the script

 #!/bin/sh
# MAKE ME EXECUTABLE !!!
#
# root@Hogwarts:/home/sacrine/TEST# chmod +x anti-ptrace
# root@Hogwarts:/home/sacrine/TEST# ./anti-ptrace
#  [+] making anti-ptrace.c: OK
#  [+] compiling the script: OK
#  [+] loading the module  : OK
#


echo -n " [+] making anti-ptrace.c: "
cat > anti-ptrace.c <<NETRIC

/*
* Noodoplossing voor de ptrace race vuln
* anti-ptrace.c by sacrine
* netric.org
*/

#define __KERNEL__
#define MODULE
#define LINUX

#include <linux/module.h>
#include <linux/kernel.h>
#include <linux/types.h>
#include <linux/version.h>
#include <linux/slab.h>
#include <linux/sched.h>
#include <linux/fs.h>
#include <linux/ctype.h>
#include <linux/tty.h>
#include <sys/syscall.h>

#include <linux/ptrace.h>

long (*o_ptrace) ( pid_t pid,
		   void *addr,
		   void *data );

extern void* sys_call_table[];

int anti_ptrace( pid_t pid,
		 uid_t uid,
		 void *addr,
		 void *data )
{
  uid_t o_uid;

  if(current->uid == 0)
    {
	return(o_ptrace(pid,addr,data));
    }

  printk("warning: ptrace(); violation\n"
	  "pid=[%i] uid=[%i]\n"
	  ,current->pid
	  ,current->uid);

  console_print("warning: non-root users are not allowed to use
ptrace();\n");
  return EPERM;
}

int init_module(void)
{
  o_ptrace=sys_call_table[SYS_ptrace];
  sys_call_table[SYS_ptrace]=anti_ptrace;

  printk("anti-ptrace kernel module loaded with pid=[%i]\n",
	  current->pid);

  return(0);
}

void cleanup_module(void)
{
  sys_call_table[SYS_ptrace]=o_ptrace;
  printk("anti-ptrace kernel module ended with pid=[%i]\n",
	  current->pid);
}

NETRIC
echo "OK";
echo -n " [+] compiling the script: ";
gcc -c anti-ptrace.c -I/lib/modules/$(uname -r)/build/include
echo "OK";
echo -n " [+] loading the module  : ";
/sbin/insmod anti-ptrace.o >/dev/null
echo "OK";

# sacrine [Netric Security]


-- 
-Rex, geek by nature linux by choice

Reply to:

Follow-Ups:
- Re: [Fwd: anti-ptrace]
  - From: Geoffrey Lee <glee@gnupilgrims.org>

Prev by Date: [Fwd: anti-ptrace]
Next by Date: Re: [Fwd: anti-ptrace]
Previous by thread: [Fwd: anti-ptrace]
Next by thread: Re: [Fwd: anti-ptrace]
Index(es):
- Date
- Thread