Intercept ELF loader in linux kernel: fs/binfmt_elf.c file via loadable kernel module


Question

I am new to kernel coding and at present I am working with ELF files which have been modified a little bit for security purposes, for which I need to look at some of its custom section headers and extract the unique code encryption key from it for the CPU to decrypt the contents of the modified ELF.

At present the above logic has been implemented within the load_elf_binary function in the fs/binfmt_elf.c file in the kernel source tree. However, it is only about 250 lines of code change, for which I need to recompile the whole kernel, so I am looking to improvise this functionality by implementing it as a loadable kernel module (LKM), so that every time an ELF is loaded it checks whether it is the modified ELF or not and, if it is, extracts the key from the corresponding section.

Edit: To summarize, I am looking at making a loadable kernel module to read through the sections of an ELF, fetch the contents of a custom section that contains the encryption key and related metadata, and set those values in CPU registers.
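The section lookup the question describes (walk the ELF section headers, find a custom section by name, pull a key record out of it), written as an added user-space C example; this is not the asker's kernel patch and not kernel-module code. It assumes a hypothetical section name `.keyinfo` and a hypothetical record layout (4-byte magic, 16-bit algorithm id, 16-bit key length, key bytes), builds a constructed 384-byte ELF64 image in memory as its input, and assumes a little-endian host. The point a binfmt hook cannot skip is that every offset and size in the headers is attacker-controlled at exec time, so each one is range-checked against the image length before it is dereferenced; the example also shows two malformed images being rejected. Setting CPU registers from the extracted key is outside what user space can demonstrate and is left out.

```c
/* Locate a custom section in an ELF64 image and pull a key record out of it. Every
 * offset/size comes from file data (attacker-controlled), so each is bounds-checked
 * before use. Assumes a little-endian host. Added example, not the asker's code. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Minimal ELF64 header layouts, identical to <elf.h>, so this builds anywhere. */
typedef struct {
    unsigned char e_ident[16]; uint16_t e_type, e_machine; uint32_t e_version;
    uint64_t e_entry, e_phoff, e_shoff; uint32_t e_flags;
    uint16_t e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx;
} elf64_ehdr_t;
typedef struct {
    uint32_t sh_name, sh_type; uint64_t sh_flags, sh_addr, sh_offset, sh_size;
    uint32_t sh_link, sh_info; uint64_t sh_addralign, sh_entsize;
} elf64_shdr_t;
#define KEY_SECTION ".keyinfo"  /* hypothetical section name (assumption, not from the page) */
enum { SHSTR_OFF = 64, KEY_OFF = 96, SHT_OFF = 128, NSEC = 4 };  /* constructed sample layout */

/* Pointer to the bytes of section `name` (size in *out_size), or NULL if the image is not a
 * little-endian ELF64 or any header field points outside the image. */
const uint8_t *elf_find_section(const uint8_t *img, size_t len, const char *name, size_t *out_size)
{
    elf64_ehdr_t eh;
    if (len < sizeof eh) return NULL;
    memcpy(&eh, img, sizeof eh);                                  /* img may be unaligned */
    if (memcmp(eh.e_ident, "\x7f" "ELF", 4) != 0) return NULL;
    if (eh.e_ident[4] != 2 || eh.e_ident[5] != 1) return NULL;   /* ELFCLASS64, ELFDATA2LSB only */
    if (eh.e_shentsize != sizeof(elf64_shdr_t) || eh.e_shnum == 0 || eh.e_shstrndx >= eh.e_shnum) return NULL;
    if (eh.e_shoff > len || (uint64_t)eh.e_shnum * sizeof(elf64_shdr_t) > len - eh.e_shoff) return NULL;
    elf64_shdr_t strtab;                                          /* section-name string table */
    memcpy(&strtab, img + eh.e_shoff + (size_t)eh.e_shstrndx * sizeof strtab, sizeof strtab);
    if (strtab.sh_offset > len || strtab.sh_size > len - strtab.sh_offset) return NULL;
    const char *names = (const char *)img + strtab.sh_offset;
    size_t want = strlen(name) + 1;                               /* match the NUL too: ".key" != ".keyinfo" */
    for (uint16_t i = 0; i < eh.e_shnum; i++) {
        elf64_shdr_t sh; memcpy(&sh, img + eh.e_shoff + (size_t)i * sizeof sh, sizeof sh);
        if (sh.sh_name >= strtab.sh_size || strtab.sh_size - sh.sh_name < want) continue;
        if (memcmp(names + sh.sh_name, name, want) != 0) continue;
        if (sh.sh_offset > len || sh.sh_size > len - sh.sh_offset) return NULL; /* found, but it lies */
        *out_size = (size_t)sh.sh_size; return img + sh.sh_offset;
    }
    return NULL;
}

/* Hypothetical record in KEY_SECTION: "KEY1" | uint16 alg | uint16 key_len | key[key_len].
 * Copies the key into `key` and returns its length, or -1 if absent or malformed. */
int elf_extract_key(const uint8_t *img, size_t len, uint8_t *key, size_t cap)
{
    size_t sz;
    const uint8_t *sec = elf_find_section(img, len, KEY_SECTION, &sz);
    if (!sec || sz < 8 || memcmp(sec, "KEY1", 4) != 0) return -1;
    uint16_t klen;
    memcpy(&klen, sec + 6, sizeof klen);
    if (klen == 0 || klen > sz - 8 || klen > cap) return -1;       /* key_len must fit section and buffer */
    memcpy(key, sec + 8, klen);
    return klen;
}

/* Constructed sample: 384-byte ELF64 with sections (null, .text, .keyinfo, .shstrtab) and a
 * 16-byte key 0xA0..0xAF inside .keyinfo. Returns the image length. */
size_t build_sample_image(uint8_t *buf, size_t cap)
{
    static const char shstr[] = "\0.text\0.keyinfo\0.shstrtab";     /* 26 bytes incl. final NUL */
    size_t total = SHT_OFF + NSEC * sizeof(elf64_shdr_t);
    if (cap < total) return 0;
    memset(buf, 0, total);
    elf64_ehdr_t eh; memset(&eh, 0, sizeof eh);
    memcpy(eh.e_ident, "\x7f" "ELF", 4);
    eh.e_ident[4] = 2; eh.e_ident[5] = 1; eh.e_ident[6] = 1;     /* 64-bit, LSB, EV_CURRENT */
    eh.e_type = 2; eh.e_machine = 62; eh.e_version = 1;           /* ET_EXEC, EM_X86_64 */
    eh.e_ehsize = sizeof eh; eh.e_shoff = SHT_OFF; eh.e_shentsize = sizeof(elf64_shdr_t);
    eh.e_shnum = NSEC; eh.e_shstrndx = 3;
    memcpy(buf, &eh, sizeof eh); memcpy(buf + SHSTR_OFF, shstr, sizeof shstr);
    uint8_t payload[8 + 16] = "KEY1";                             /* alg = 1, key_len = 16 (LE) */
    payload[4] = 1; payload[6] = 16;
    for (int i = 0; i < 16; i++) payload[8 + i] = (uint8_t)(0xA0 + i);
    memcpy(buf + KEY_OFF, payload, sizeof payload);
    elf64_shdr_t sh[NSEC]; memset(sh, 0, sizeof sh);
    sh[1].sh_name = 1;  sh[1].sh_type = 1;                        /* .text: empty PROGBITS */
    sh[2].sh_name = 7;  sh[2].sh_type = 1; sh[2].sh_offset = KEY_OFF;   sh[2].sh_size = sizeof payload;
    sh[3].sh_name = 16; sh[3].sh_type = 3; sh[3].sh_offset = SHSTR_OFF; sh[3].sh_size = sizeof shstr;
    memcpy(buf + SHT_OFF, sh, sizeof sh);
    return total;
}

/* scenario 0: intact image; 1: image cut off before its section header table;
 * 2: key_len claiming more bytes than the section holds. 1 and 2 must return -1. */
int demo(int scenario, uint8_t *key, size_t cap)
{
    uint8_t img[512];
    size_t len = build_sample_image(img, sizeof img);
    if (scenario == 1) len = 200;
    if (scenario == 2) img[KEY_OFF + 6] = 200;                    /* tamper with key_len */
    return elf_extract_key(img, len, key, cap);
}

int main(void)
{
    uint8_t key[64];
    int n = demo(0, key, sizeof key);
    printf("%s: %d-byte key:", KEY_SECTION, n);
    for (int i = 0; i < n; i++) printf(" %02x", key[i]);
    printf("\ntruncated -> %d, oversized key_len -> %d\n", demo(1, key, sizeof key), demo(2, key, sizeof key));
    return n == 16 ? 0 : 1;
}
```

A caveat worth keeping in mind when moving this into a binfmt hook: load_elf_binary itself works from program headers, and a binary can legitimately arrive stripped of its section header table, or with one that is deliberately inconsistent, so a lookup by section name must treat a missing or out-of-range table as "not a modified ELF" rather than as an error to trust.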

Answer

Yes, it's possible, but definitely not easy. There is even a supported kernel facility, "kprobes", that allows you to insert calls to your own code from specified locations (see Documentation/kprobes.txt). If inserting calls to your own code is insufficient, I think you would need to use the same sort of mechanisms as kprobes: patching the desired location by overwriting instructions with jmp or call instructions into your own code.

I once worked at a company whose security product installed its hooks by runtime-patching the Windows kernel. This is pretty much the same thing, though at least with Windows at the time there were a finite number of versions that had to be supported.

So, it's definitely possible, but I wouldn't want to try it. It will be very brittle; you'll in effect be trying to hit a moving target. Every kernel security patch or version upgrade is likely to break your code.

