
Errors when replacing a Linux kernel function

#include <linux/module.h>
#include <linux/kernel.h>
#include <linux/fs.h>
#include <linux/types.h>
#include <linux/string.h>   /* memcpy */

#define CODESIZE 7

static unsigned char original_code[CODESIZE];

/* 32-bit x86 absolute jump: movl $imm32, %eax ; jmp *%eax */
static unsigned char jump_code[CODESIZE] =
    "\xb8\x00\x00\x00\x00"  /* movl $0, %eax (immediate patched in below) */
    "\xff\xe0";             /* jmp *%eax */

/* Address of the target function, taken from /proc/kallsyms on this kernel. */
void (*sync_readahead)(struct address_space *mapping, struct file_ra_state *ra,
                       struct file *filp, pgoff_t offset, unsigned long req_size)
    = (void (*)(struct address_space *, struct file_ra_state *, struct file *,
                pgoff_t, unsigned long))0xc0197100;

int hijack_start(void);
void hijack_stop(void);
void intercept_init(void);
void intercept_stop(void);
void fake_printk(struct address_space *mapping, struct file_ra_state *ra,
                 struct file *filp, pgoff_t offset, unsigned long req_size);

int hijack_start(void)
{
    printk(KERN_INFO "I can haz hijack?\n");
    intercept_init();
    return 0;
}

void hijack_stop(void)
{
    intercept_stop();
}

void intercept_init(void)
{
    printk(KERN_INFO "in the intercept_init\n");

    /* save the first CODESIZE bytes of the target so they can be restored */
    memcpy(original_code, sync_readahead, CODESIZE);

    /* patch the movl immediate with the address of the replacement
     * (32-bit kernel: unsigned long is 4 bytes, the size of the immediate) */
    *(unsigned long *)&jump_code[1] = (unsigned long)fake_printk;

    printk(KERN_INFO "begin the hijack?\n");
    /* this is the write that faults */
    memcpy(sync_readahead, jump_code, CODESIZE);
    printk(KERN_INFO "hijack installed\n");
}

void intercept_stop(void)
{
    /* put the saved prologue bytes back */
    memcpy(sync_readahead, original_code, CODESIZE);
}

void fake_printk(struct address_space *mapping, struct file_ra_state *ra,
                 struct file *filp, pgoff_t offset, unsigned long req_size)
{
    printk(KERN_INFO "in the fake printk\n");
}

MODULE_LICENSE("GPL");

module_init(hijack_start);
module_exit(hijack_stop);

I want to replace a Linux kernel function by address (taken from /proc/kallsyms), but when I memcpy the new function to that address (Linux kernel):

memcpy( sync_readahead, jump_code, CODESIZE );

there are errors (segmentation fault). I have seen some examples that replace Linux kernel functions in the same way. Would you please help me solve the problem? Thank you very much.

Information as follows:

ubuntu kernel: [  574.826458] *pde = 0087d067 *pte = 00197161 
ubuntu kernel: [  574.826468] Modules linked in: hijack(+) test(+) binfmt_misc bridge stp bnep input_polldev video output vmblock vsock vmmemctl vmhgfs pvscsi acpiphp lp ppdev pcspkr psmouse serio_raw snd_ens1371 gameport snd_ac97_codec ac97_bus snd_pcm_oss snd_mixer_oss snd_pcm snd_seq_dummy snd_seq_oss snd_seq_midi snd_rawmidi snd_seq_midi_event snd_seq snd_timer snd_seq_device snd soundcore snd_page_alloc vmci i2c_piix4 parport_pc parport intel_agp agpgart shpchp mptspi mptscsih mptbase scsi_transport_spi floppy fbcon tileblit font bitblit softcursor vmxnet
ubuntu kernel: [  574.826491] 
ubuntu kernel: [  574.826493] Pid: 4694, comm: insmod Tainted: G      D    (2.6.28-11-generic #42-Ubuntu) VMware Virtual Platform
ubuntu kernel: [  574.826496] EIP: 0060:[<f7c92101>] EFLAGS: 00010246 CPU: 0
ubuntu kernel: [  574.826498] EIP is at intercept_init+0x41/0x70 [hijack]
ubuntu kernel: [  574.826499] EAX: f5ec4b60 EBX: 00000000 ECX: ffffffff EDX: 00004c4c
ubuntu kernel: [  574.826501] ESI: f7c9252c EDI: c0197100 EBP: f5edbe18 ESP: f5edbe0c
ubuntu kernel: [  574.826502]  DS: 007b ES: 007b FS: 00d8 GS: 0033 SS: 0068
ubuntu kernel: [  574.826506]  f7c921a6 f7c92130 00000000 f5edbe24 f7c92147 f7c921d5 f5edbf8c c010111e
ubuntu kernel: [  574.826618] ---[ end trace ccc07e4b4d814976 ]---

Kernel function hijacking is very tricky business, and it needs to be exactly right in order not to run into all kinds of issues.

I am currently working on a module that does this, and it (at the time of this writing) works for 2.6.18+ kernels:

https://github.com/cormander/tpe-lkm

You'll be most interested in the hijacks.c file.

Many portions of this process are architecture dependent, kernel version dependent, and CPU feature dependent as well.

UPDATE

The module now uses the 0xE9 jump opcode and should work for you. The nitty-gritty details are in hijacks.c, and the "high level" logic you'll be most interested in is in the hijack_syscalls() function in security.c.
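The following is an added example, not code from the question or from tpe-lkm. It models the question's inline hook in user space so it can be run and stepped through. Two points it demonstrates: first, the page holding the target must be writable before memcpy() into it. The pte value printed in the oops above (00197161) has bit 1, the R/W bit, clear, which is consistent with sync_readahead living in a read-only text page and the memcpy faulting on the write. In user space the page is made writable with mprotect(); the kernel-side equivalent (clearing CR0.WP, or on later kernels set_memory_rw()/text_poke()) is exactly the version- and CPU-dependent part the answer refers to. Second, the 5-byte jmp rel32 (opcode 0xE9) that the answer's update switches to hooks without clobbering %eax, unlike the 7-byte movl/jmp trampoline in the question, at the cost of needing the target within a signed 32-bit displacement. The names target_fn, hook_fn, install_hook, remove_hook and encode_jmp_rel32 are mine; the example is x86/x86-64 only because the opcode bytes are architecture specific.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

#if !defined(__x86_64__) && !defined(__i386__)
#error "this example encodes x86 opcodes; build it on x86 or x86-64"
#endif

#define JMP_LEN 5                  /* E9 <rel32> */

static unsigned char saved[JMP_LEN];   /* original prologue bytes */
static void *patched_fn;               /* address currently patched, or NULL */

/* Victim function: deliberately non-trivial so it is longer than JMP_LEN bytes. */
__attribute__((noinline)) int target_fn(int x)
{
    int acc = 0;
    for (int i = 0; i < x; i++)
        acc += i * 3 + 1;
    return acc;
}

/* Replacement with the same ABI as target_fn (the role of fake_printk above). */
__attribute__((noinline)) int hook_fn(int x)
{
    return -x;
}

/* Encode "jmp rel32" from `from` to `to`.  Returns 0 if the displacement does
 * not fit in a signed 32-bit field (possible on x86-64 when the patching code
 * sits far from the text it patches); a register-based jump is needed then. */
int encode_jmp_rel32(unsigned char out[JMP_LEN], uintptr_t from, uintptr_t to)
{
    intptr_t disp = (intptr_t)to - (intptr_t)(from + JMP_LEN);
    if (disp > INT32_MAX || disp < INT32_MIN)
        return 0;
    int32_t rel = (int32_t)disp;
    out[0] = 0xE9;
    memcpy(out + 1, &rel, sizeof rel);    /* little-endian immediate */
    return 1;
}

/* Make every page spanning [addr, addr+len) writable while keeping it executable.
 * This is the step the question's module skips; in the kernel it is done with
 * CR0.WP / set_memory_rw() / text_poke() depending on version. */
static int make_writable(void *addr, size_t len)
{
    uintptr_t pg = (uintptr_t)sysconf(_SC_PAGESIZE);
    uintptr_t start = (uintptr_t)addr & ~(pg - 1);
    uintptr_t end = ((uintptr_t)addr + len + pg - 1) & ~(pg - 1);
    return mprotect((void *)start, end - start,
                    PROT_READ | PROT_WRITE | PROT_EXEC) == 0;
}

/* Install: save the original prologue, then overwrite it with the jump. */
int install_hook(void *fn, void *replacement)
{
    unsigned char jmp[JMP_LEN];
    if (!encode_jmp_rel32(jmp, (uintptr_t)fn, (uintptr_t)replacement))
        return 0;
    if (!make_writable(fn, JMP_LEN))
        return 0;
    memcpy(saved, fn, JMP_LEN);
    memcpy(fn, jmp, JMP_LEN);
    patched_fn = fn;
    return 1;
}

/* Uninstall: put the saved bytes back (intercept_stop() in the question). */
int remove_hook(void)
{
    if (!patched_fn)
        return 0;
    memcpy(patched_fn, saved, JMP_LEN);
    patched_fn = NULL;
    return 1;
}

/* Call target_fn through a volatile pointer so the compiler cannot inline or
 * constant-fold the call and must execute whatever bytes are at the address. */
int call_target(int x)
{
    int (*volatile fp)(int) = target_fn;
    return fp(x);
}

int main(void)
{
    printf("before:   %d\n", call_target(4));     /* 1+4+7+10 = 22 */
    if (!install_hook((void *)target_fn, (void *)hook_fn)) {
        perror("install_hook");
        return 1;
    }
    printf("hooked:   %d\n", call_target(4));     /* -4 */
    remove_hook();
    printf("restored: %d\n", call_target(4));     /* 22 */
    return 0;
}
```

Dropping the mprotect() call reproduces the question's failure in user space (a SIGSEGV on the first memcpy into the function), which is the cheapest way to confirm that the write, not the jump encoding, is what faults. The displacement check in encode_jmp_rel32 is the reason a register-based trampoline is sometimes still needed on x86-64, so both forms have a place.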
