Sindbad~EG File Manager
# remap_file_pages ___________________________________________
#
# long sys_remap_file_pages(unsigned long start,
# unsigned long size,
# unsigned long __prot,
# unsigned long pgoff,
# unsigned long flags)
#
@define _SYSCALL_REMAP_FILE_PAGES_NAME
%(
name = "remap_file_pages"
%)
@define _SYSCALL_REMAP_FILE_PAGES_ARGSTR
%(
argstr = sprintf("%p, %p, %s, %p, %s", start, size, prot_str, pgoff, flags_str)
%)
@define _SYSCALL_REMAP_FILE_PAGES_REGARGS
%(
start = ulong_arg(1)
size = ulong_arg(2)
prot = ulong_arg(3)
prot_str = _mprotect_prot_str(prot)
pgoff = ulong_arg(4)
flags = ulong_arg(5)
flags_str = _mmap_flags(flags)
%)
@define _SYSCALL_REMAP_FILE_PAGES_REGARGS_STORE
%(
if (@probewrite(start))
set_ulong_arg(1, start)
if (@probewrite(size))
set_ulong_arg(2, size)
if (@probewrite(prot))
set_ulong_arg(3, prot)
if (@probewrite(pgoff))
set_ulong_arg(4, pgoff)
if (@probewrite(flags))
set_ulong_arg(5, flags)
%)
probe syscall.remap_file_pages = dw_syscall.remap_file_pages !,
nd_syscall.remap_file_pages ? {}
probe syscall.remap_file_pages.return = dw_syscall.remap_file_pages.return !,
nd_syscall.remap_file_pages.return ? {}
# dw_remap_file_pages _____________________________________________________
probe dw_syscall.remap_file_pages = kernel.function("sys_remap_file_pages").call ?
{
@_SYSCALL_REMAP_FILE_PAGES_NAME
start = __ulong($start)
size = __ulong($size)
prot = __ulong(@choose_defined($prot, $__prot))
prot_str = _mprotect_prot_str(prot)
pgoff = __ulong($pgoff)
flags = __ulong($flags)
flags_str = _mmap_flags(flags)
@_SYSCALL_REMAP_FILE_PAGES_ARGSTR
}
probe dw_syscall.remap_file_pages.return = kernel.function("sys_remap_file_pages").return ?
{
@_SYSCALL_REMAP_FILE_PAGES_NAME
@SYSC_RETVALSTR($return)
}
# nd_remap_file_pages _____________________________________________________
probe nd_syscall.remap_file_pages = nd1_syscall.remap_file_pages!, nd2_syscall.remap_file_pages!, tp_syscall.remap_file_pages
{ }
probe nd1_syscall.remap_file_pages = kprobe.function("sys_remap_file_pages") ?
{
@_SYSCALL_REMAP_FILE_PAGES_NAME
asmlinkage()
@_SYSCALL_REMAP_FILE_PAGES_REGARGS
@_SYSCALL_REMAP_FILE_PAGES_ARGSTR
}
/* kernel 4.17+ */
probe nd2_syscall.remap_file_pages = kprobe.function(@arch_syscall_prefix "sys_remap_file_pages") ?
{
__set_syscall_pt_regs(pointer_arg(1))
@_SYSCALL_REMAP_FILE_PAGES_NAME
@_SYSCALL_REMAP_FILE_PAGES_REGARGS
@_SYSCALL_REMAP_FILE_PAGES_ARGSTR
},
{
%( @_IS_SREG_KERNEL %? @_SYSCALL_REMAP_FILE_PAGES_REGARGS_STORE %)
}
/* kernel 3.5+, but undesirable because it affects all syscalls */
probe tp_syscall.remap_file_pages = kernel.trace("sys_enter")
{
__set_syscall_pt_regs($regs)
@__syscall_compat_gate(@const("__NR_remap_file_pages"), @const("__NR_compat_remap_file_pages"))
@_SYSCALL_REMAP_FILE_PAGES_NAME
@_SYSCALL_REMAP_FILE_PAGES_REGARGS
@_SYSCALL_REMAP_FILE_PAGES_ARGSTR
},
{
%( @_IS_SREG_KERNEL %? @_SYSCALL_REMAP_FILE_PAGES_REGARGS_STORE %)
}
probe nd_syscall.remap_file_pages.return = nd1_syscall.remap_file_pages.return!, nd2_syscall.remap_file_pages.return!, tp_syscall.remap_file_pages.return
{ }
probe nd1_syscall.remap_file_pages.return = kprobe.function("sys_remap_file_pages").return ?
{
@_SYSCALL_REMAP_FILE_PAGES_NAME
@SYSC_RETVALSTR(returnval())
}
/* kernel 4.17+ */
probe nd2_syscall.remap_file_pages.return = kprobe.function(@arch_syscall_prefix "sys_remap_file_pages").return ?
{
@_SYSCALL_REMAP_FILE_PAGES_NAME
@SYSC_RETVALSTR(returnval())
}
/* kernel 3.5+, but undesirable because it affects all syscalls */
probe tp_syscall.remap_file_pages.return = kernel.trace("sys_exit")
{
__set_syscall_pt_regs($regs)
@__syscall_compat_gate(@const("__NR_remap_file_pages"), @const("__NR_compat_remap_file_pages"))
@_SYSCALL_REMAP_FILE_PAGES_NAME
@SYSC_RETVALSTR($ret)
}
Sindbad File Manager Version 1.0, Coded By Sindbad EG ~ The Terrorists