Loadable Kernel Module Programming and System Call Interception


Problem description


Assume that we want to intercept the exit system call and print a message on the console when any process invokes it. In order to do this, we have to write our own fake exit system call, then make the kernel call our fake exit function instead of the original exit call. At the end of our fake exit call, we can invoke the original exit call. In order to do this, we must manipulate the system call table array (sys_call_table). Armed with the sys_call_table array, we can manipulate it to make the sys_exit entry point to our new fake exit call. We must store a pointer to the original sys_exit call and call it when we are done printing our message to the console.

Source code:

    #include <linux/kernel.h>
    #include <linux/module.h>
    #include <linux/unistd.h>   /* __NR_exit (kernel header, not <sys/syscall.h>) */

    /* Declared extern here; the kernel must actually export this symbol
     * for the module to link, which is what the warning below is about. */
    extern void *sys_call_table[];

    /* sys_exit has the prototype asmlinkage long sys_exit(int) */
    asmlinkage long (*original_sys_exit)(int);

    asmlinkage long our_fake_exit_function(int error_code)
    {
        /* print a message on the console every time we are called */
        printk(KERN_INFO "HEY! sys_exit called with error_code=%d\n", error_code);

        /* call the original sys_exit */
        return original_sys_exit(error_code);
    }

    /* this function is called when the module is loaded (initialization) */
    int init_module(void)
    {
        /* store a reference to the original sys_exit */
        original_sys_exit = sys_call_table[__NR_exit];

        /* manipulate sys_call_table to call our fake exit function
         * instead of sys_exit */
        sys_call_table[__NR_exit] = our_fake_exit_function;
        return 0;
    }

    /* this function is called when the module is unloaded */
    void cleanup_module(void)
    {
        /* make __NR_exit point to the original sys_exit again
         * when our module is unloaded */
        sys_call_table[__NR_exit] = original_sys_exit;
    }

    MODULE_LICENSE("GPL");


When I compile this program, I get this warning:


WARNING: "sys_call_table" [/home/roiht/driver/one.ko] undefined!


When I searched, I found that kernel versions after 2.5 changed the concept of the sys_call table. So, my question is: what is the alternative method to do this in new kernel versions?

Recommended answer


Any kernel variable can be used in a module if it has been explicitly exported in the kernel using EXPORT_SYMBOL(). Since kernel version 2.6, the export for sys_call_table has been removed. So if you want to use this approach, explicitly export the variable. As a convention, this export is done right after the variable declaration, but I guess exporting from any file where this variable is defined will also do. To check if the approach worked, simply look in the output of "cat /proc/kallsyms".


Another approach to capturing the exit syscall would be to put a hook in the sysenter part of syscall execution. Look here for more details: http://articles.manugarg.com/systemcallinlinux2_6.html
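An added example (not code from the question or the answer) that turns the answer's "look in /proc/kallsyms" check into a script: it parses kallsyms-style lines to see whether sys_call_table is exported (EXPORT_SYMBOL emits a `__ksymtab_<name>` symbol), and it flags syscall table slots whose target lies outside the core kernel text between `_stext` and `_etext`, which is the footprint a table hook like the one above leaves. The kallsyms lines, addresses and the table dump are constructed sample data; reading the live table contents would need a trusted kernel-side reader, which is assumed and not shown.

```python
from typing import Dict, List, Tuple

# Constructed sample of /proc/kallsyms output; addresses are invented.
SAMPLE_KALLSYMS = """\
ffffffff81000000 T _stext
ffffffff810a5c40 T sys_exit
ffffffff810a5d10 T sys_getpid
ffffffff81c00000 T _etext
ffffffff81e00a80 R sys_call_table
ffffffff81f12340 r __ksymtab_sys_call_table
ffffffffc0a1e000 t our_fake_exit_function\t[one]
"""


def parse_kallsyms(text: str) -> Dict[str, Tuple[int, str]]:
    """Map symbol name -> (address, type letter); the optional [module] column is ignored."""
    symbols: Dict[str, Tuple[int, str]] = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        symbols[parts[2]] = (int(parts[0], 16), parts[1])
    return symbols


def sys_call_table_exported(symbols: Dict[str, Tuple[int, str]]) -> bool:
    """EXPORT_SYMBOL(sys_call_table) produces a __ksymtab_sys_call_table symbol."""
    return "sys_call_table" in symbols and "__ksymtab_sys_call_table" in symbols


def find_hooked_entries(table: Dict[str, int],
                        symbols: Dict[str, Tuple[int, str]]) -> List[str]:
    """Return the table slots whose target is outside [_stext, _etext), i.e. not core kernel code."""
    stext, etext = symbols["_stext"][0], symbols["_etext"][0]
    return [nr for nr, target in table.items() if not (stext <= target < etext)]


# Constructed dump of two table slots: __NR_exit points into module "one".
SAMPLE_TABLE = {"__NR_exit": 0xffffffffc0a1e000, "__NR_getpid": 0xffffffff810a5d10}

if __name__ == "__main__":
    syms = parse_kallsyms(SAMPLE_KALLSYMS)
    print("sys_call_table exported:", sys_call_table_exported(syms))
    print("slots pointing outside kernel text:", find_hooked_entries(SAMPLE_TABLE, syms))
```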

