Hijacking sys calls


Problem description

I'm writing a kernel module and I need to hijack/wrap some sys calls. I'm brute-forcing the sys_call_table address and I'm using cr0 to disable/enable page protection. So far so good (I'll make public the entire code once it's done, so I can update this question if somebody wants).

Anyways, I have noticed that if I hijack __NR_sys_read I get a kernel oops when I unload the kernel module, and also all konsoles (KDE) crash. Note that this doesn't happen with __NR_sys_open or __NR_sys_write.

I'm wondering why this is happening. Any ideas?

PS: Please don't go the KProbes way, I already know about it and it's not possible for me to use it as the final product should be usable without having to recompile the entire kernel.

Edit (added information):

I restore the original function before unloading. Also, I have created two test-cases, one with _write only and one with _read. The one with _write unloads fine, but the one with _read unloads and then crashes the kernel.

Edit (source code):

I'm currently at home so I can't post the source code right now, but if somebody wants, I can post an example code as soon as I get to work. (~5 hours)

Recommended answer

This may be because a kernel thread is currently inside read - if calling your read-hook doesn't lock the module, it can't be unloaded safely.

This would explain the "konsoles" (?) crashing as they are probably currently performing the read syscall, waiting for data. When they return from the actual syscall, they'll be jumping into the place where your function used to be, causing the problem.

Unloading will be messy, but you need to first remove the hook, then wait for all callers to exit the hook function, then unload the module.

I've been playing with linux syscall hooking recently, but I'm by no means a kernel guru, so I apologise if this is off-base.

PS: This technique might prove more reliable than brute-forcing the sys_call_table. The brute-force techniques I've seen tend to kernel panic if sys_close is already hooked.
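The teardown ordering the answer describes (restore the table entry, wait for every caller to leave the hook, only then free the module), as an added userspace model that is not the asker's module or the answerer's code: the function-pointer table, the in-flight counter and the names `hook_read`, `remove_hook` and `try_unload` are all constructed for this illustration, and a caller "blocked in read" is modelled by calling the entry bookkeeping without the exit.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <string.h>

typedef long (*sys_fn)(int fd, char *buf, size_t len);

/* Constructed stand-in for sys_call_table with one "read" slot. */
static long orig_read(int fd, char *buf, size_t len)
{
    (void)fd;
    memset(buf, 'A', len);                 /* pretend data arrived */
    return (long)len;
}
static sys_fn sys_table[1] = { orig_read };
#define NR_READ 0

static sys_fn saved_read;       /* original entry, put back on unhook */
static atomic_int inflight;     /* callers currently inside hook_read */
static bool hook_text_freed;    /* models the module's code being unloaded */

/* Entry/exit bookkeeping: the "lock the module" the answer asks for. */
static void hook_enter(void) { atomic_fetch_add(&inflight, 1); }
static void hook_leave(void) { atomic_fetch_sub(&inflight, 1); }

static long hook_read(int fd, char *buf, size_t len)
{
    hook_enter();
    long ret = saved_read(fd, buf, len);   /* a konsole may block here */
    hook_leave();
    return ret;
}

static void install_hook(void)
{
    saved_read = sys_table[NR_READ];
    sys_table[NR_READ] = hook_read;        /* in-kernel: the cr0.WP dance */
}

/* Step 1: restore the entry so no new caller can enter the hook. */
static void remove_hook(void) { sys_table[NR_READ] = saved_read; }

/* Steps 2-3: unload only once the hook is gone and nobody is inside it.
 * Caveat: a caller that loaded the old pointer but has not yet run
 * hook_enter() is invisible here; in-kernel a grace period after
 * remove_hook() (e.g. synchronize_rcu) is what closes that window. */
static bool try_unload(void)
{
    if (sys_table[NR_READ] == hook_read) return false;   /* hook still live */
    if (atomic_load(&inflight) != 0) return false;        /* reader blocked */
    hook_text_freed = true;
    return true;
}
```

Freeing the module while `try_unload()` still returns false is exactly the situation in the question: the blocked reader returns into memory that no longer holds the hook.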
