Skåne Sjælland Linux User Group - http://www.sslug.dk
 

Kernel module - finding the system call table



Hi all

I'm playing around a bit with kernel programming and think a rootkit could be fun and would take me all around the kernel, so I'm looking a bit at sebek and trying to get its functionality to work in my own kernel module. But I can't find the system call table. Sebek's code for finding the SCT is:

u32** get_sct(void){

 unsigned long ptr;
 extern int loops_per_jiffy;

 for (ptr = (unsigned long)&loops_per_jiffy;
      ptr < (unsigned long)&boot_cpu_data; ptr += sizeof(void *)){

   unsigned long *p;
   p = (unsigned long *)ptr;
   //---- orig ver that looked for sys_exit didnt work on stock
   //---- kerns.
   if (p[__NR_close] == (u32) sys_close){
      return  (u32 **)p;
   }

 }

 return 0;
}

And I then used that to insert a hook on a couple of function calls... but it didn't work. I changed the code a bit to run through all of memory and print out every address where the SCT could be:

void print_sct(void) {
   unsigned long ptr;
   extern int loops_per_jiffy;

   for (ptr = (unsigned long)&loops_per_jiffy;
           ptr < (unsigned long)&boot_cpu_data; ptr += sizeof(void *)) {

       unsigned long *p;
       p = (unsigned long *)ptr;
       //---- orig ver that looked for sys_exit didnt work on stock
       //---- kerns.
       if (p[__NR_close] == (u32) sys_close) {
           printk(KERN_INFO "Possible call table: %p\n", (u32 **)p);
       }

   }
}

That gives me:
Possible call table: c03287bc
Possible call table: c03474f4

So two possible ones. I then extended get_sct with an extra check:
       if (p[__NR_close] == (u32) sys_close &&
           p[__NR_open] == (u32) sys_open) {
           return  (u32 **)p;
       }

...but then I can't insert the module:
robert-debian:~/code/kernel_module $ sudo insmod mymodule.ko
insmod: error inserting 'mymodule.ko': -1 Unknown symbol in module

dmesg says:
mymodule: Unknown symbol sys_open

But sys_open is in /proc/kallsyms:
robert-debian:~/code/kernel_module $ grep sys_open /proc/kallsyms
c0166470 T do_sys_open
c0166570 T sys_open

Do you know what I'm doing wrong?

Best regards
Robert


Questions about the web-pages to <www_admin>. Last modified 2006-10-01, 02:01 CEST
This page is maintained by MHonArc