Has anyone else beside me tried this anti-ptrace script? I downloaded it
from packetstormsecurity.com and ran and loaded the module and it works like
a charm. If anyone tries to use ptrace besides root it echo's that event to
the root terminal, and denies it. Well here is a copy of the script
#!/bin/sh
# MAKE ME EXECUTABLE !!!
#
# [EMAIL PROTECTED]:/home/sacrine/TEST# chmod +x anti-ptrace
# [EMAIL PROTECTED]:/home/sacrine/TEST# ./anti-ptrace
# [+] making anti-ptrace.c: OK
# [+] compiling the script: OK
# [+] loading the module : OK
#
echo -n [+] making anti-ptrace.c:
cat anti-ptrace.c NETRIC
/*
* Noodoplossing voor de ptrace race vuln
* anti-ptrace.c by sacrine
* netric.org
*/
#define __KERNEL__
#define MODULE
#define LINUX
#include linux/module.h
#include linux/kernel.h
#include linux/types.h
#include linux/version.h
#include linux/slab.h
#include linux/sched.h
#include linux/fs.h
#include linux/ctype.h
#include linux/tty.h
#include sys/syscall.h
#include linux/ptrace.h
long (*o_ptrace) ( pid_t pid,
void *addr,
void *data );
extern void* sys_call_table[];
int anti_ptrace( pid_t pid,
uid_t uid,
void *addr,
void *data )
{
uid_t o_uid;
if(current-uid == 0)
{
return(o_ptrace(pid,addr,data));
}
printk(warning: ptrace(); violation\n
pid=[%i] uid=[%i]\n
,current-pid
,current-uid);
console_print(warning: non-root users are not allowed to use
ptrace();\n);
return EPERM;
}
int init_module(void)
{
o_ptrace=sys_call_table[SYS_ptrace];
sys_call_table[SYS_ptrace]=anti_ptrace;
printk(anti-ptrace kernel module loaded with pid=[%i]\n,
current-pid);
return(0);
}
void cleanup_module(void)
{
sys_call_table[SYS_ptrace]=o_ptrace;
printk(anti-ptrace kernel module ended with pid=[%i]\n,
current-pid);
}
NETRIC
echo OK;
echo -n [+] compiling the script: ;
gcc -c anti-ptrace.c -I/lib/modules/$(uname -r)/build/include
echo OK;
echo -n [+] loading the module : ;
/sbin/insmod anti-ptrace.o /dev/null
echo OK;
# sacrine [Netric Security]
_
Help STOP SPAM with the new MSN 8 and get 2 months FREE*
http://join.msn.com/?page=features/junkmail
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]