/*
* eset_rtp (ESET Real-time file system protection module)
* Copyright (C) 1992-2025 ESET, spol. s r.o.
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program. If not, see <https://www.gnu.org/licenses/>.
*
* In case of any questions, you can contact us at ESET, spol. s r.o., Einsteinova 24, 851 01 Bratislava, Slovakia.
*/
#include "ertp_event_check.h"
#include <linux/fdtable.h>
#include <linux/magic.h>
#include <linux/stat.h>
#include "ertp.h"
#include "ertp_cache.h"
#include "ertp_excludes.h"
#include "ertp_qos.h"
/**
 * ertp_check_interrupted_by_signal - classify a check result as "interrupted".
 * @rv: zero or a negative errno-style value returned by an ertp_check_* entry.
 *
 * Distinguishes a syscall that must be restarted after signal delivery from a
 * genuine failure or a successful check.
 *
 * Return: true for -ERESTARTSYS and -ERESTARTNOINTR, false for every other value.
 */
bool ertp_check_interrupted_by_signal(int rv) {
	if (rv == -ERESTARTSYS) return true;
	return rv == -ERESTARTNOINTR;
}
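/**
 * ertp_convert_errno_to_syscall_exit_code - filter which internal errors may
 * surface as the result of the hooked syscall.
 * @err: zero or a negative errno-style value produced by a check.
 *
 * Only -EPERM (event denied), -ENOMEM and the two signal-restart codes are
 * passed through. Any other value, including every other negative errno, is
 * mapped to 0, i.e. the syscall proceeds as if the check had succeeded. This
 * is a deliberate fail-open for unexpected internal errors; a caller that
 * needs a record of a swallowed failure has to log it before calling this.
 *
 * The parameter used to be called "errno", a name reserved for the C library
 * macro; "err" avoids shadowing it in any translation unit that sees <errno.h>.
 *
 * Return: @err when it is one of the pass-through codes, otherwise 0.
 */
static inline int ertp_convert_errno_to_syscall_exit_code(int err) {
	switch (err) {
	case -EPERM:
	case -ENOMEM:
	case -ERESTARTSYS:
	case -ERESTARTNOINTR:
		return err;
	default:
		return 0;
	}
}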
/*
 * Outcome of the pre-scan policy checks (ertp_check_file_info and
 * ertp_check_memory_info). The dispatch switch in ertp_check_file /
 * ertp_check_memory turns each value into a syscall result.
 */
enum ertp_check_event_info_result {
	ERTP_CHECK_CONTINUE,   /* nothing to scan: let the syscall proceed (rv = 0) */
	ERTP_CHECK_DENY,       /* a lookup the policy needs failed: reject with -EPERM */
	ERTP_CHECK_SCAN,       /* consult the result cache first, scan on a miss */
	ERTP_CHECK_FORCE_SCAN  /* drop any cache entry for the file and scan unconditionally */
};
/*
 * Gate shared by every check below. The scanner is consulted only when QoS is
 * enabled and the caller is not the scanner's own check thread (presumably so
 * the scanner's file accesses do not recurse into another check — confirm in
 * ertp_qos). A false result means the event passes through unscanned.
 */
static bool ertp_scanner_ready(void) {
	bool on_scanner_thread = unlikely(ertp_qos_scanner_check_thread());
	return !on_scanner_thread && ertp_qos_enabled();
}
/*
 * Run the policy checks for a file event (open/close/exec) and fill in the
 * parts of @info the scanner needs: process path, inode attributes, file path.
 *
 * The order of the checks is part of the policy. The process exclusion list is
 * consulted before any file metadata is read, and the cheap rejections
 * (non-regular file, empty file, read-only close) come before the file path
 * lookup. Every CONTINUE means "do not scan, let the syscall proceed". DENY is
 * returned only when a lookup the policy depends on fails, so the event is
 * rejected rather than allowed unchecked; a scanner that is not ready, by
 * contrast, lets the event through.
 *
 * Paths stored into @info (which may be ERR_PTR values on the DENY paths) are
 * owned by the caller, which releases them with ertp_path_unref on every
 * return.
 */
static enum ertp_check_event_info_result ertp_check_file_info(
    struct ertp_event_generic_info *info) {
	int ret;
	/* Scanner disabled or running on its own thread: pass through unscanned. */
	if (!ertp_scanner_ready()) return ERTP_CHECK_CONTINUE;
	info->process_path = ertp_path_process_new();
	if (unlikely(IS_ERR(info->process_path))) {
		/* No process identity means no exclusion decision: fail closed. */
		ertp_pr_edlog(
		    "check file info failed: cannot obtain process path: (errno: %ld)",
		    PTR_ERR(info->process_path));
		return ERTP_CHECK_DENY;
	}
	if (ertp_proc_excluded(info->process_path->ptr)) return ERTP_CHECK_CONTINUE;
	/* Only regular files are scanned; anything without an inode, or a
	 * device/pipe/socket/directory inode, passes through. */
	if (!ertp_get_inode(info->file)) return ERTP_CHECK_CONTINUE;
	if (!S_ISREG(ertp_get_inode(info->file)->i_mode)) return ERTP_CHECK_CONTINUE;
	/* The _nosec variant skips the LSM getattr hook: the request comes from
	 * this module, not from the calling task. A failed getattr fails closed. */
	ret = vfs_getattr_nosec(&info->file->f_path, &info->attr_info,
	                        STATX_BASIC_STATS, 0);
	if (unlikely(ret < 0)) {
		ertp_pr_edlog(
		    "check file info failed: getattr failed: (errno: %d, process: %s)", ret,
		    info->process_path->ptr);
		return ERTP_CHECK_DENY;
	}
	/* Nothing to scan in an empty file. */
	if (info->attr_info.size == 0) return ERTP_CHECK_CONTINUE;
	/* Closing a descriptor that was opened read-only cannot have changed the
	 * file, so close events on it are not interesting. */
	if (info->type == ERTP_EVENT_TYPE_CLOSE &&
	    ((info->file->f_flags & O_ACCMODE) == O_RDONLY))
		return ERTP_CHECK_CONTINUE;
#ifdef SECRETMEM_MAGIC
	/* Files on the secretmem filesystem are skipped on kernels that have it
	 * (their contents are presumably not readable by the scanner — confirm). */
	if (ertp_get_sb_magic(info->file) == SECRETMEM_MAGIC)
		return ERTP_CHECK_CONTINUE;
#endif
	info->file_path = ertp_path_file_new(&info->file->f_path);
	if (unlikely(IS_ERR(info->file_path))) {
		/* Without a path the file exclusion list cannot be applied: fail closed. */
		ertp_pr_edlog(
		    "check file info failed: cannot obtain file path: (errno: %ld, "
		    "process: %s)",
		    PTR_ERR(info->file_path), info->process_path->ptr);
		return ERTP_CHECK_DENY;
	}
	if (ertp_file_excluded(info->file_path->ptr)) return ERTP_CHECK_CONTINUE;
	/* A close of a descriptor opened for writing (O_WRONLY or O_RDWR) may have
	 * modified the file: the caller must bypass the cache and rescan. */
	if (info->type == ERTP_EVENT_TYPE_CLOSE &&
	    (((info->file->f_flags & O_ACCMODE) == O_WRONLY) ||
	     ((info->file->f_flags & O_ACCMODE) == O_RDWR)))
		return ERTP_CHECK_FORCE_SCAN;
	return ERTP_CHECK_SCAN;
}
/*
 * Common driver for open/close/exec events on a file.
 *
 * Builds the event record, runs the policy checks, consults the result cache
 * and hands the event to the QoS scanner when a scan is needed. The return
 * value is filtered through ertp_convert_errno_to_syscall_exit_code, so only
 * -EPERM, -ENOMEM and the signal-restart codes reach the hooked syscall;
 * any other scanner error lets the syscall proceed.
 *
 * @context: per-hook context; only its signal_handler is copied here.
 * @file:    the file the event concerns (borrowed; not referenced here).
 * @type:    ERTP_EVENT_TYPE_OPEN / _CLOSE / _EXEC.
 *
 * Return: 0 to let the syscall proceed, -EPERM to deny it, or a pass-through
 * error from the scanner.
 */
static int ertp_check_file(const struct ertp_check_context *context,
                           const struct file *file, enum ertp_event_type type) {
	int rv;
	struct ertp_event_generic_info event_info = {
	    .file = file,
	    .type = type,
	    .modified = false,
	    .file_path = NULL,
	    .process_path = NULL,
	    .signal_handler = context->signal_handler,
	};
	switch (ertp_check_file_info(&event_info)) {
	case ERTP_CHECK_CONTINUE:
		rv = 0;
		goto end;
	case ERTP_CHECK_DENY:
		rv = -EPERM;
		ertp_pr_edlog("event denied (type: GENERIC)");
		goto end;
	case ERTP_CHECK_SCAN:
		break;
	case ERTP_CHECK_FORCE_SCAN: {
		/* The file may have been written: invalidate the cached verdict for
		 * this (inode, device) pair and skip the cache lookup entirely. */
		ertp_cache_remove(event_info.attr_info.ino,
		                  new_encode_dev(event_info.attr_info.dev));
		event_info.modified = true;
		goto scan;
	}
	}
	switch (ertp_cache_check(&event_info)) {
	case ERTP_CACHE_FOUND:
		/* A cached verdict for an unchanged file: no scan, allow. */
		rv = 0;
		goto end;
	case ERTP_CACHE_MODIFIED:
		/* Cached, but the file changed since: scan and flag it as modified. */
		event_info.modified = true;
		break;
	case ERTP_CACHE_NOT_FOUND:
		break;
	}
scan:
	rv = ertp_qos_handle_generic_event(&event_info);
end:
	/* Release whatever ertp_check_file_info stored, on every path. On the
	 * DENY paths these may be NULL or ERR_PTR values, so this relies on
	 * ertp_path_unref accepting both — confirm against ertp_path. */
	ertp_path_unref(event_info.file_path);
	ertp_path_unref(event_info.process_path);
	return ertp_convert_errno_to_syscall_exit_code(rv);
}
/*
 * Policy checks for an in-memory buffer event (e.g. a module image handed to
 * init_module). Only the process exclusion list applies; there is no file to
 * stat or path to match.
 *
 * On return @info->process_path holds the process path obtained here (or an
 * ERR_PTR when the lookup failed and DENY is returned); the caller releases it.
 */
static enum ertp_check_event_info_result ertp_check_memory_info(
    struct ertp_event_memory_info *info) {
	enum ertp_check_event_info_result verdict = ERTP_CHECK_CONTINUE;
	if (ertp_scanner_ready()) {
		info->process_path = ertp_path_process_new();
		if (unlikely(IS_ERR(info->process_path)))
			verdict = ERTP_CHECK_DENY;  /* no process identity: fail closed */
		else if (!ertp_proc_excluded(info->process_path->ptr))
			verdict = ERTP_CHECK_SCAN;
	}
	return verdict;
}
/*
 * Common driver for events whose payload is a memory buffer rather than a
 * file. There is no result cache for these: every SCAN goes to the scanner.
 *
 * @context: per-hook context; only its signal_handler is copied.
 * @memory:  start of the buffer to scan (borrowed).
 * @size:    length of @memory in bytes.
 * @type:    event type recorded in the event.
 *
 * Return: 0 to proceed, -EPERM when the policy check itself failed, or a
 * scanner error that ertp_convert_errno_to_syscall_exit_code lets through.
 */
static int ertp_check_memory(const struct ertp_check_context *context,
                             const unsigned char *memory, size_t size,
                             enum ertp_event_type type) {
	int rv;
	struct ertp_event_memory_info event_info = {
	    .type = type,
	    .process_path = NULL,
	    .memory_to_scan = memory,
	    .size = size,
	    .signal_handler = context->signal_handler,
	};
	enum ertp_check_event_info_result verdict = ertp_check_memory_info(&event_info);
	if (verdict == ERTP_CHECK_DENY) {
		rv = -EPERM;
		ertp_pr_edlog("event denied (type: MEMORY)");
	} else if (verdict == ERTP_CHECK_CONTINUE) {
		rv = 0;
	} else {
		/* SCAN and FORCE_SCAN are treated alike: no cache to bypass. */
		rv = ertp_qos_handle_memory_event(&event_info);
	}
	ertp_path_unref(event_info.process_path);
	return ertp_convert_errno_to_syscall_exit_code(rv);
}
/**
 * ertp_check_open - policy check for a file being opened.
 * @context: per-hook context.
 * @file:    the file being opened.
 *
 * Return: see ertp_check_file.
 */
int ertp_check_open(const struct ertp_check_context *context,
                    const struct file *file) {
	const enum ertp_event_type kind = ERTP_EVENT_TYPE_OPEN;
	return ertp_check_file(context, file, kind);
}
/**
 * ertp_check_close - policy check for a file being closed.
 * @context: per-hook context.
 * @file:    the file being closed; a descriptor opened for writing forces a
 *           rescan, a read-only one is ignored (see ertp_check_file_info).
 *
 * Return: see ertp_check_file.
 */
int ertp_check_close(const struct ertp_check_context *context,
                     const struct file *file) {
	const enum ertp_event_type kind = ERTP_EVENT_TYPE_CLOSE;
	return ertp_check_file(context, file, kind);
}
/**
 * ertp_check_exec - policy check for a file about to be executed.
 * @context: per-hook context.
 * @file:    the executable (or interpreter) file.
 *
 * Return: see ertp_check_file.
 */
int ertp_check_exec(const struct ertp_check_context *context,
                    const struct file *file) {
	const enum ertp_event_type kind = ERTP_EVENT_TYPE_EXEC;
	return ertp_check_file(context, file, kind);
}
/**
 * ertp_check_init_module - policy check for a kernel module image in memory.
 * @context: per-hook context.
 * @memory:  the module image as passed to init_module (borrowed).
 * @size:    length of @memory in bytes.
 *
 * The image is classified as an EXEC event, the same type used for file
 * execution.
 *
 * Return: see ertp_check_memory.
 */
int ertp_check_init_module(const struct ertp_check_context *context,
                           const unsigned char *memory, size_t size) {
	const enum ertp_event_type kind = ERTP_EVENT_TYPE_EXEC;
	return ertp_check_memory(context, memory, size, kind);
}
/**
 * ertp_check_all_open_files - run @file_check_fn on every open fd of current.
 * @context:       per-hook context passed through to @file_check_fn.
 * @file_check_fn: one of the ertp_check_* file entry points.
 *
 * The fd table size is sampled once under RCU and the table is then walked
 * without the lock; fget() returns NULL for a slot that is not (or no longer)
 * open, and those slots are skipped. A non-zero result does not stop the walk
 * unless it is a signal-restart code: the walk continues and the LAST
 * failure seen is the one returned, earlier ones are overwritten.
 *
 * Return: 0, or the (last) failure after ertp_convert_errno_to_syscall_exit_code
 * filtering.
 */
int ertp_check_all_open_files(
    const struct ertp_check_context *context,
    int (*file_check_fn)(const struct ertp_check_context *context,
                         const struct file *)) {
	unsigned fd, max_fds;
	int rv = 0;
	rcu_read_lock();
	max_fds = files_fdtable(current->files)->max_fds;
	rcu_read_unlock();
	for (fd = 0; fd < max_fds; fd++) {
		struct file *file = fget(fd);
		int result;
		if (unlikely(!file)) continue;
		result = file_check_fn(context, file);
		fput(file);  /* drop the reference before looking at the verdict */
		if (result == 0) continue;
		rv = result;
		if (ertp_check_interrupted_by_signal(rv)) break;
	}
	return ertp_convert_errno_to_syscall_exit_code(rv);
}
/*
 * Notify the scanner that @path is being removed (unlink / rename target).
 * Unlike the file events this never denies anything: a scanner that is not
 * ready, an excluded file or process, or a failed process-path lookup simply
 * drops the notification.
 *
 * Remove events use the *_excluded_by_default lists rather than the ones the
 * open/close/exec checks consult. @file_path may be an ERR_PTR; then the file
 * exclusion list is not consulted and the error value reaches
 * ertp_qos_handle_remove_event unchanged (presumably handled there — confirm).
 *
 * @file_path and @path are borrowed from the caller; only the process path
 * obtained here is released before returning.
 */
void ertp_check_remove(const struct ertp_check_context *context,
                       const struct ertp_path *file_path, struct path *path) {
	struct ertp_event_remove_info event_info = {
	    .path = path,
	    .process_path = NULL,
	    .file_path = file_path,
	    .signal_handler = context->signal_handler,
	};
	if (ertp_scanner_ready()) {
		bool skip_file = likely(!IS_ERR(file_path)) &&
		                 ertp_file_excluded_by_default(file_path->ptr);
		if (!skip_file) {
			event_info.process_path = ertp_path_process_new();
			if (likely(!IS_ERR(event_info.process_path)) &&
			    !ertp_proc_excluded_by_default(event_info.process_path->ptr))
				ertp_qos_handle_remove_event(&event_info);
		}
	}
	ertp_path_unref(event_info.process_path);
}