Arguments in syscall intercept using loadable kernel module seem to be broken


Problem description

First post so I apologize for the possibly low quality explanation.

I was trying to write a loadable kernel module that does nothing but intercept syscalls to SYS_open, print the arguments to KERN_INFO and then forward the arguments to the real syscall. The forwarding part seems to be working just fine, but I'm having issues with the printing, arguments seem to be broken, from the syscall interceptor function's perspective.

Following are the pointer to the real open syscall as well as the interceptor definition.

asmlinkage int (*real_open) (const char __user *, int, umode_t);

asmlinkage int fake_open(const char __user *filename, int flags, umode_t mode)
{
    printk(KERN_INFO "interceptor: open() with flags = %d\n", flags);

    return real_open(filename, flags, mode);
}

This is the syscall I'm testing:

syscall(SYS_open, argv[1], 3187236);

Which leads to the following call, according to strace:

open("test", O_RDONLY|O_TRUNC|__O_SYNC|O_LARGEFILE|O_PATH|FASYNC|0x24) = -1 ENOENT (No such file or directory)

What the interceptor printed:

[18191.407899] interceptor: open() with flags = 0

As you can see, the flags argument is equal to 0, even though I passed 3187236 as flags. What's even weirder, the real open syscall seems to have no issue in dealing with the arguments.

Any kind of help is appreciated since I'm pretty much stuck here.

Here's the full module code in case it's of any help:

#include <linux/kernel.h>
#include <linux/module.h>
#include <linux/futex.h>

#include <linux/highmem.h>
#include <asm/unistd.h>
#include <linux/slab.h>

/*

SYSCALL_DEFINE3(open, const char __user *, filename, int, flags, umode_t, mode)

*/

unsigned long long *sys_call_table = (unsigned long long*) 0xffffffffaf800260;    //sudo cat /proc/kallsyms | grep sys_call_table         (/boot/System.map)

asmlinkage int (*real_open) (const char __user *, int, umode_t);

asmlinkage int fake_open(const char __user *filename, int flags, umode_t mode)
{
    //log at KERN_INFO like the rest of the module, then hand off to the real syscall
    printk(KERN_INFO "interceptor: open() with flags = %d\n", flags);

    return real_open(filename, flags, mode);
}


//make the memory page writable
int make_rw(unsigned long long address)
{
    unsigned int level;
    pte_t *pte = lookup_address(address, &level);

    //set the RW bit only if it is currently clear
    if(!(pte->pte & _PAGE_RW))
        pte->pte |= _PAGE_RW;

    return 0;
}

//make the memory page read only
int make_ro(unsigned long long address)
{
    unsigned int level;
    pte_t *pte = lookup_address(address, &level);

    pte->pte &= ~_PAGE_RW;

    return 0;
}


static int __init init(void)
{
    printk(KERN_INFO "Attempting to install hook.\n");

    make_rw((unsigned long long) sys_call_table);

    real_open = (void*) sys_call_table[__NR_open];
    sys_call_table[__NR_open] = (unsigned long long) fake_open;

    make_ro((unsigned long long) sys_call_table);

    return 0;   //no error
}

static void __exit clean(void)
{
    printk(KERN_INFO "Uninstalling hook.\n");

    make_rw((unsigned long long) sys_call_table);

    sys_call_table[__NR_open] = (unsigned long long) real_open;

    make_ro((unsigned long long) sys_call_table);
}

module_init(init);
module_exit(clean);
MODULE_LICENSE("GPL");

Recommended answer

Update: kernel versions 4.17 and later require the arguments to be passed through the pt_regs struct. The earlier code works up to 4.16.

asmlinkage long (*real_open) (const struct pt_regs *);

asmlinkage long fake_open(const struct pt_regs *regs)
{
    //on x86_64 the second syscall argument (flags) arrives in rsi; it is an unsigned long
    printk(KERN_INFO "interceptor: open() with flags = %lu\n", regs->si);

    return real_open(regs);
}

More info: https://github.com/milabs/khook/issues/3

Thanks for everyone who contributed in the comments!
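As an added example (not code from the question, the answer, or the khook project), here is a user-space C program that shows the two things the thread turns on: why a hook on a 4.17+ x86_64 kernel has to read the flags from regs->si rather than from a plain int parameter, and what the value 3187236 that strace reported actually contains. The struct pt_regs below is a cut-down mock of the kernel's x86_64 layout (only the three argument registers are modelled, with the kernel's field names), the flag table holds the kernel uapi values for x86_64, and the names open_args_from_regs and describe_open_flags are this example's own.

```c
#include <stdio.h>
#include <stddef.h>
#include <string.h>

/* Cut-down mock of the kernel's x86_64 struct pt_regs: only the registers
 * that carry syscall arguments 1-3 (rdi, rsi, rdx) are modelled. */
struct pt_regs {
    unsigned long di;   /* arg 1: const char __user *filename */
    unsigned long si;   /* arg 2: int flags */
    unsigned long dx;   /* arg 3: umode_t mode */
};

/* The open() arguments as the pre-4.17 prototype received them. */
struct open_args {
    unsigned long filename;   /* user pointer, kept as an integer here */
    int flags;
    unsigned short mode;      /* umode_t */
};

/* What a pt_regs-based hook must do on 4.17+: read each argument from the
 * register the x86_64 syscall ABI assigns to it (hence regs->si for flags). */
struct open_args open_args_from_regs(const struct pt_regs *regs)
{
    struct open_args a;
    a.filename = regs->di;
    a.flags = (int)regs->si;
    a.mode = (unsigned short)regs->dx;
    return a;
}

/* Kernel ABI values of the open() flag bits on x86_64 (uapi asm-generic/fcntl.h),
 * in octal as in the kernel source. Listed here rather than taken from <fcntl.h>
 * because glibc's O_SYNC is two bits (__O_SYNC|O_DSYNC) while the kernel and
 * strace name the single 04000000 bit __O_SYNC. */
static const struct { unsigned long bit; const char *name; } open_flag_names[] = {
    { 0100, "O_CREAT" },         { 0200, "O_EXCL" },
    { 0400, "O_NOCTTY" },        { 01000, "O_TRUNC" },
    { 02000, "O_APPEND" },       { 04000, "O_NONBLOCK" },
    { 010000, "O_DSYNC" },       { 020000, "FASYNC" },
    { 040000, "O_DIRECT" },      { 0100000, "O_LARGEFILE" },
    { 0200000, "O_DIRECTORY" },  { 0400000, "O_NOFOLLOW" },
    { 01000000, "O_NOATIME" },   { 02000000, "O_CLOEXEC" },
    { 04000000, "__O_SYNC" },    { 010000000, "O_PATH" },
    { 020000000, "__O_TMPFILE" },
};

static const char *access_mode_name(unsigned long flags)
{
    switch (flags & 03) {
    case 0:  return "O_RDONLY";
    case 1:  return "O_WRONLY";
    case 2:  return "O_RDWR";
    default: return "O_WRONLY|O_RDWR";   /* invalid combination */
    }
}

/* Render a flags value the way strace does: access mode, each recognised bit
 * (in ascending bit order here), then any unknown remainder in hex. Returns the
 * length of the full description; the output is truncated at outsz. */
size_t describe_open_flags(unsigned long flags, char *out, size_t outsz)
{
    unsigned long rest = flags & ~03UL;
    size_t n = (size_t)snprintf(out, outsz, "%s", access_mode_name(flags));
    size_t i;
    for (i = 0; i < sizeof open_flag_names / sizeof open_flag_names[0]; i++) {
        if (!(rest & open_flag_names[i].bit))
            continue;
        if (n < outsz)
            n += (size_t)snprintf(out + n, outsz - n, "|%s", open_flag_names[i].name);
        rest &= ~open_flag_names[i].bit;
    }
    if (rest && n < outsz)
        n += (size_t)snprintf(out + n, outsz - n, "|%#lx", rest);
    return n;
}

int main(void)
{
    /* Constructed register frame for the question's syscall(SYS_open, argv[1], 3187236);
     * the filename pointer and mode are left at 0 since only the flags matter here. */
    struct pt_regs regs = { .di = 0, .si = 3187236UL, .dx = 0 };
    struct open_args a = open_args_from_regs(&regs);
    char buf[160];
    describe_open_flags((unsigned long)a.flags, buf, sizeof buf);
    printf("interceptor: open() with flags = %d (%s)\n", a.flags, buf);
    return 0;
}
```

Run as-is it prints the flags value alongside the same set of names strace showed (O_RDONLY, O_TRUNC, __O_SYNC, O_LARGEFILE, O_PATH, FASYNC and the leftover 0x24); only the ordering differs, because this decoder walks the bits in ascending order rather than strace's table order. The leftover 0x24 is the two undefined bits in the test value that no O_* name covers, which is exactly why strace printed it in hex.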
