My best guess is that you've mixed up the legacy and "64" versions of the getdents syscall. Even on 64-bit systems, there seems to be a legacy version (without the 64) that writes a structure lacking the d_type member (so the first character of the name would get misinterpreted as the d_type member if you're using the modern "64" version of the structure), in addition to the (correct) getdents64 syscall.
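The layout mismatch described in this answer, as an added example that is not part of the original question or answer: it builds one legacy getdents(2) record into a buffer (a constructed sample, laid out as the legacy syscall does on x86-64, where the kernel's unsigned long is 8 bytes, which is assumed here) and then reads the same bytes through both structure layouts. The struct and function names are my own.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Record layouts on x86-64 (assumption: kernel "unsigned long" is 8 bytes). */
struct legacy_dirent {            /* written by getdents(2) */
    uint64_t d_ino;
    uint64_t d_off;
    uint16_t d_reclen;            /* offset 16 */
    char     d_name[];            /* offset 18; d_type sits in the LAST byte */
};
struct dirent64_layout {          /* written by getdents64(2) */
    uint64_t d_ino;
    uint64_t d_off;
    uint16_t d_reclen;
    unsigned char d_type;         /* offset 18 */
    char     d_name[];            /* offset 19 */
};

/* Kernel rounding for a legacy record: header + name + NUL + pad + d_type, to 8 bytes. */
static size_t legacy_reclen(size_t namelen)
{
    size_t raw = offsetof(struct legacy_dirent, d_name) + namelen + 2;
    return (raw + 7) & ~(size_t)7;
}

/* Write one legacy record into buf (constructed sample). Returns d_reclen, 0 if it does not fit. */
static size_t build_legacy_record(unsigned char *buf, size_t bufsz, uint64_t ino,
                                  const char *name, unsigned char type)
{
    size_t namelen = strlen(name), reclen = legacy_reclen(namelen);
    struct legacy_dirent *d = (struct legacy_dirent *)buf;
    if (reclen > bufsz) return 0;
    memset(buf, 0, reclen);
    d->d_ino = ino;
    d->d_off = reclen;
    d->d_reclen = (uint16_t)reclen;
    memcpy(d->d_name, name, namelen + 1);
    buf[reclen - 1] = type;       /* d_type trails the padded name */
    return reclen;
}

/* Correct: read the bytes with the struct the syscall actually used. */
static const char *legacy_name(const unsigned char *b) { return ((const struct legacy_dirent *)b)->d_name; }
/* The bug in the question: the same bytes viewed through the 64 layout, so byte 18
 * (the first character of the name) is taken as d_type and the name starts at byte 19. */
static const char *misread_name(const unsigned char *b) { return ((const struct dirent64_layout *)b)->d_name; }
static unsigned char misread_type(const unsigned char *b) { return ((const struct dirent64_layout *)b)->d_type; }

/* Sample record for the file name from the question (constructed: inode 1234, DT_REG = 8). */
_Alignas(8) static unsigned char sample[64];
static size_t sample_record(void) { return build_legacy_record(sample, sizeof sample, 1234, "rootkit.c", 8); }
```

Reading the sample through the legacy struct yields "rootkit.c"; reading it through the 64 layout yields "ootkit.c" with d_type equal to 'r'.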
Question
I am trying to write a getdents() system call to list all the directory entries returned by a call to getdents(), but I am having a small problem that I cannot seem to solve. I am not sure if this is a C error (since I am still learning it) or something with the call itself. When I print d_name of each struct, I am always missing the first letter of the directory/file.
Feb 13 11:39:04 node35 kernel: [ 911.353033] entry: ootkit.c
Feb 13 11:39:04 node35 kernel: [ 911.353035] entry: ootkit.mod.c
Feb 13 11:39:04 node35 kernel: [ 911.353036] entry: ootkit.ko
The names of the files are rootkit.*
My code:

asmlinkage int new_getdents(unsigned int fd, struct linux_dirent64 *dirp, unsigned int count)
{
    int nread;
    int bpos;
    struct linux_dirent64 *d;
    int (*orig_func)(unsigned int fd, struct linux_dirent64 *dirp, unsigned int count);
    t_syscall_hook *open_hook;

    /* Look up the saved original handler for the legacy getdents syscall number. */
    open_hook = find_syscall_hook(__NR_getdents);
    orig_func = (void *) open_hook->orig_func;

    /* Call the original syscall, then walk the records it wrote into dirp. */
    nread = (*orig_func)(fd, dirp, count);
    d = dirp;
    for (bpos = 0; bpos < nread;) {
        d = (struct linux_dirent64 *) ((char *)dirp + bpos);
        printk(KERN_INFO "%s\n", d->d_name);
        bpos += d->d_reclen;
    }
    return nread;
}
Solution
Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow