Linux kernel module to check memory integrity


Problem description

I'm writing a kernel module that checks the integrity of code segments for running tasks by controlling checksums. I ran into a few hurdles:

  1. How can I get the module_list variable if it isn't exported by the kernel (there is no such symbol in ksyms)? I can see all modules by calling the lsmod command, so how can I get it in my module?
  2. While my module is running it shows that some code segments have been changed. It always happens with certain libraries. Why does it happen? I thought that code segments were constant.
  3. Is it feasible to control memory access for process data from a kernel module, and how can it be done?

Solution

Self-modifying code is fully supported. There is nothing wrong with it, and it is used for all kinds of things. Your assumption that code is constant is simply not correct. It may be, but it may not be.

One typical example is in SMP versus UP systems. On Pentium 4 class Xeon machines, for example, an unlocked increment can take 60 cycles fewer than a locked increment. The locked increment is needed only on SMP machines. To make the same code work on both UP and SMP machines without the overhead of a condition at run time, self-modifying code is typically used. In the place of the lock instruction, an illegal opcode such as ud2 is used. The illegal instruction interrupt is caught and the ud2 is replaced by lock on an SMP system and nop on a UP system.

The kernel exports a module interface. Exported are:

__module_text_address __symbol_get symbol_put_addr use_module
module_layout module_put __module_put_and_exit module_refcount 
register_module_notifier __symbol_put unregister_module_notifier module_get 

You could also parse /proc/modules if you really wanted to.
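Added example, not code from the question or the answer, and not kernel code: a userland C program that (1) takes a checksum over a constructed "text segment" the way the asker's module does, then emulates the kernel's lock/nop alternative patching (the x86 `.smp_locks` variant of the SMP-versus-UP rewriting the answer describes: a LOCK prefix byte 0xf0 is overwritten with a 0x90 NOP on a uniprocessor boot) to show why a checksum taken before such patching stops matching, and (2) parses the /proc/modules line format the answer points at. The x86 encodings, the lock offsets and the /proc/modules sample are all constructed here; nothing is read from a live system.

```c
/* Added example (userland, not a kernel module). Demonstrates two things from
 * the answer above: why text checksums change after boot-time alternative
 * patching, and how to parse /proc/modules. All data below is constructed. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* FNV-1a 64-bit over an arbitrary byte range (any checksum would do here). */
uint64_t fnv1a64(const uint8_t *p, size_t n) {
    uint64_t h = 0xcbf29ce484222325ULL;
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 0x100000001b3ULL; }
    return h;
}

/* Constructed "code segment" as it sits in the object file (x86 encoding
 * assumed): two locked read-modify-write instructions and a return. */
static const uint8_t text_as_built[] = {
    0xf0, 0xff, 0x00,   /* lock inc dword ptr [rax] */
    0xf0, 0xff, 0x08,   /* lock dec dword ptr [rax] */
    0xc3                /* ret                      */
};
/* Offsets of the LOCK prefixes, as a .smp_locks table would record them. */
static const size_t smp_locks[] = { 0, 3 };

/* Emulates the UP-boot patch: every recorded 0xf0 becomes a 1-byte NOP.
 * On an SMP system nothing is rewritten. Returns the number of bytes changed. */
size_t smp_unlock_patch(uint8_t *text, size_t n, const size_t *offs,
                        size_t nlocks, int nr_cpus) {
    size_t patched = 0;
    if (nr_cpus > 1) return 0;
    for (size_t i = 0; i < nlocks; i++)
        if (offs[i] < n && text[offs[i]] == 0xf0) { text[offs[i]] = 0x90; patched++; }
    return patched;
}

/* The asker's check: compare the live segment against a stored baseline. */
int code_segment_unchanged(const uint8_t *text, size_t n, uint64_t baseline) {
    return fnv1a64(text, n) == baseline;
}

/* Baseline taken from the unpatched image; SMP boot passes, UP boot fails. */
int smp_patch_changes_checksum(void) {
    uint8_t text[sizeof text_as_built];
    memcpy(text, text_as_built, sizeof text);
    uint64_t baseline = fnv1a64(text, sizeof text);
    if (smp_unlock_patch(text, sizeof text, smp_locks, 2, 4) != 0) return 0;
    if (!code_segment_unchanged(text, sizeof text, baseline)) return 0;
    if (smp_unlock_patch(text, sizeof text, smp_locks, 2, 1) != 2) return 0;
    if (code_segment_unchanged(text, sizeof text, baseline)) return 0;
    return 1;   /* the mismatch is the kernel's own patching, not tampering */
}

/* ---- /proc/modules: "name size refcount deps state [address] [(taint)]" ---- */
struct procmod {
    char name[64];
    unsigned long size;
    int refcount;
    char deps[256];          /* "-" or a comma-terminated list "a,b," */
    char state[16];          /* Live, Loading, Unloading */
    unsigned long long addr; /* 0 when hidden by kptr_restrict or absent */
};

int parse_proc_modules_line(const char *line, struct procmod *m) {
    memset(m, 0, sizeof *m);
    int n = sscanf(line, "%63s %lu %d %255s %15s %llx",
                   m->name, &m->size, &m->refcount, m->deps, m->state, &m->addr);
    return n >= 5;           /* address may be missing; trailing taint flags ignored */
}

int procmod_ndeps(const struct procmod *m) {
    if (strcmp(m->deps, "-") == 0) return 0;
    int c = 0;
    for (const char *p = m->deps; *p; p++) if (*p == ',') c++;
    return c;
}

size_t parse_proc_modules(const char *dump, struct procmod *out, size_t max) {
    size_t k = 0;
    for (const char *p = dump; *p && k < max; ) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        char line[512];
        if (len >= sizeof line) len = sizeof line - 1;
        memcpy(line, p, len); line[len] = '\0';
        if (len && parse_proc_modules_line(line, &out[k])) k++;
        p = nl ? nl + 1 : p + len;
    }
    return k;
}

/* Constructed sample in the /proc/modules format; not captured from a system. */
static const char sample_proc_modules[] =
    "ext4 774144 2 - Live 0xffffffffc0a00000\n"
    "jbd2 139264 1 ext4, Live 0xffffffffc09c0000\n"
    "mbcache 16384 1 ext4, Live 0x0000000000000000\n"
    "nf_tables 286720 0 - Live 0xffffffffc0900000 (OE)\n";

int sample_modules_parse_ok(void) {
    struct procmod mods[8];
    if (parse_proc_modules(sample_proc_modules, mods, 8) != 4) return 0;
    if (strcmp(mods[0].name, "ext4") || mods[0].refcount != 2 || procmod_ndeps(&mods[0]) != 0) return 0;
    if (strcmp(mods[1].name, "jbd2") || mods[1].size != 139264UL || procmod_ndeps(&mods[1]) != 1
        || strcmp(mods[1].state, "Live") || mods[1].addr != 0xffffffffc09c0000ULL) return 0;
    if (mods[2].addr != 0) return 0;                                   /* hidden address */
    if (strcmp(mods[3].name, "nf_tables") || mods[3].refcount != 0) return 0;
    return 1;
}

int main(void) {
    printf("UP patch detected as checksum change: %s\n", smp_patch_changes_checksum() ? "yes" : "no");
    printf("/proc/modules sample parsed correctly: %s\n", sample_modules_parse_ok() ? "yes" : "no");
    return 0;
}
```

For a real in-kernel checker the practical consequences are: take the baseline from the `register_module_notifier()` callback once the module is live, by which point architecture-specific rewriting of its text (alternatives, ftrace call-site NOPs) has already happened, and expect further legitimate writers afterwards (ftrace enable/disable, kprobes, static keys, live patching) that rewrite kernel and module text at run time; a checker that does not account for them reports the kernel's own patching as corruption, which is exactly what the asker saw.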
