我试图创建一个内核模块,通过跟踪URB结构中的指针来定位键盘缓冲区。这是学术研究,基于哥伦比亚大学创建的概念验证。
http://www.cs.columbia.edu/mikepo/论文/gpukeylogger.eurosec13.pdf
*复制/粘贴到浏览器:链接不工作,如果你点击它。
<操作系统版本/strong>: Ubuntu 20.04.2 LTS
内核版本:5.8.0-43-generic
架构:x86_64
这是我的模块。如果成功,它定位键盘缓冲区并简单地向内核日志打印一条消息。然而,内核杀死模块。
#include <linux/usb.h>
#include <linux/module.h
#include <linux/kernel.h>
#include <linux/init.h>
#define MAX 0xFFFFFF
#define x(y) ((void *)((uint64_t)(y)+PAGE_OFFSET))
static int __init scan_start(void){
unsigned long long i;
for(i = 0; i < MAX; i += 0x10){
struct urb *urbp = (struct urb *)x(i);
if(((urbp->transfer_dma % 0x20) == 0) &&
(urbp->transfer_buffer_length == 8) &&
(urbp->transfer_buffer != NULL) &&
strncmp(urbp->dev->product, "usb", 32) &&
strncmp(urbp->dev->product, "keyboard", 32)){
// found possible keyboard buffer
printk(KERN_INFO "possible buffer");
return 0;
}
}
return 0;
}
static void __exit scan_end(void){
printk(KERN_INFO "End scann");
}
module_init(scan_start);
module_exit(scan_end);
obj-m = module.o
all:
make -C /lib/modules/$(shell uname -r)/build/ M=$(PWD) modules
clean:
make -C /lib/modules/$(shell uname -r)/build M=$(PWD) clean
下面是这个进程的内核日志副本:
Feb 26 08:55:28 blackleopard kernel: [ 852.823948] ********This marks the log of the failed module********
Feb 26 08:55:55 blackleopard kernel: [ 879.653640] module: module license 'unspecified' taints kernel.
Feb 26 08:55:55 blackleopard kernel: [ 879.653642] Disabling lock debugging due to kernel taint
Feb 26 08:55:55 blackleopard kernel: [ 879.653911] module: module is already loaded
Feb 26 08:57:40 blackleopard kernel: [ 984.501842] Loading seperate module to mark start of kernel log...
Feb 26 08:57:49 blackleopard kernel: [ 993.703292] BUG: kernel NULL pointer dereference, address: 00000000000004d0
Feb 26 08:57:49 blackleopard kernel: [ 993.703297] #PF: supervisor read access in kernel mode
Feb 26 08:57:49 blackleopard kernel: [ 993.703300] #PF: error_code(0x0000) - not-present page
Feb 26 08:57:49 blackleopard kernel: [ 993.703302] PGD 0 P4D 0
Feb 26 08:57:49 blackleopard kernel: [ 993.703307] Oops: 0000 [#1] SMP PTI
Feb 26 08:57:49 blackleopard kernel: [ 993.703312] CPU: 3 PID: 16488 Comm: insmod Tainted: P OE 5.8.0-43-generic #49~20.04.1-Ubuntu
Feb 26 08:57:49 blackleopard kernel: [ 993.703315] Hardware name: To Be Filled By O.E.M. To Be Filled By O.E.M./Z87 Extreme3, BIOS P2.40 01/21/2014
Feb 26 08:57:49 blackleopard kernel: [ 993.703321] RIP: 0010:scan_start+0x3d/0x1000 [module2]
Feb 26 08:57:49 blackleopard kernel: [ 993.703325] Code: 54 53 31 db 49 8d 44 1d 00 f6 40 68 1f 75 4f 83 b8 80 00 00 00 08 75 46 48 83 78 60 00 74 3f 48 8b 40 40 48 c7 c6 3c 20 11 c1 <4c> 8b a0 d0 04 00 00 4c 89 e7 e8 d4 85 da c9 85 c0 74 21 48 c7 c6
Feb 26 08:57:49 blackleopard kernel: [ 993.703328] RSP: 0018:ffffa6758818fc38 EFLAGS: 00010206
Feb 26 08:57:49 blackleopard kernel: [ 993.703331] RAX: 0000000000000000 RBX: 0000000000096fa0 RCX: 0000000000000000
Feb 26 08:57:49 blackleopard kernel: [ 993.703334] RDX: 0000000000000010 RSI: ffffffffc111203c RDI: ffffffffc0e29000
Feb 26 08:57:49 blackleopard kernel: [ 993.703336] RBP: ffffa6758818fc50 R08: ffff97200ecf1060 R09: ffff97200d0079c0
Feb 26 08:57:49 blackleopard kernel: [ 993.703338] R10: 0000000000000000 R11: ffff97200ed6c7f0 R12: ffffffffc0e29000
Feb 26 08:57:49 blackleopard kernel: [ 993.703341] R13: ffff971c00000000 R14: 0000000000000000 R15: ffffffffc1113000
Feb 26 08:57:49 blackleopard kernel: [ 993.703344] FS: 00007f026887f540(0000) GS:ffff97200ecc0000(0000) knlGS:0000000000000000
Feb 26 08:57:49 blackleopard kernel: [ 993.703346] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
Feb 26 08:57:49 blackleopard kernel: [ 993.703348] CR2: 00000000000004d0 CR3: 00000003d72bc002 CR4: 00000000001606e0
Feb 26 08:57:49 blackleopard kernel: [ 993.703351] Call Trace:
Feb 26 08:57:49 blackleopard kernel: [ 993.703358] ? 0xffffffffc0e29000
Feb 26 08:57:49 blackleopard kernel: [ 993.703365] do_one_initcall+0x4a/0x200
Feb 26 08:57:49 blackleopard kernel: [ 993.703373] ? _cond_resched+0x19/0x30
Feb 26 08:57:49 blackleopard kernel: [ 993.703379] ? kmem_cache_alloc_trace+0x16c/0x240
Feb 26 08:57:49 blackleopard kernel: [ 993.703385] do_init_module+0x62/0x240
Feb 26 08:57:49 blackleopard kernel: [ 993.703390] load_module+0xfbb/0x11d0
Feb 26 08:57:49 blackleopard kernel: [ 993.703398] __do_sys_finit_module+0xbe/0x120
Feb 26 08:57:49 blackleopard kernel: [ 993.703402] ? __do_sys_finit_module+0xbe/0x120
Feb 26 08:57:49 blackleopard kernel: [ 993.703408] __x64_sys_finit_module+0x1a/0x20
Feb 26 08:57:49 blackleopard kernel: [ 993.703414] do_syscall_64+0x49/0xc0
Feb 26 08:57:49 blackleopard kernel: [ 993.703418] entry_SYSCALL_64_after_hwframe+0x44/0xa9
Feb 26 08:57:49 blackleopard kernel: [ 993.703421] RIP: 0033:0x7f02689c489d
Feb 26 08:57:49 blackleopard kernel: [ 993.703425] Code: 00 c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d c3 f5 0c 00 f7 d8 64 89 01 48
Feb 26 08:57:49 blackleopard kernel: [ 993.703427] RSP: 002b:00007ffc2a1906f8 EFLAGS: 00000246 ORIG_RAX: 0000000000000139
Feb 26 08:57:49 blackleopard kernel: [ 993.703431] RAX: ffffffffffffffda RBX: 000055db93e9b7c0 RCX: 00007f02689c489d
Feb 26 08:57:49 blackleopard kernel: [ 993.703433] RDX: 0000000000000000 RSI: 000055db92bfc358 RDI: 0000000000000003
Feb 26 08:57:49 blackleopard kernel: [ 993.703435] RBP: 0000000000000000 R08: 0000000000000000 R09: 00007f0268a98260
Feb 26 08:57:49 blackleopard kernel: [ 993.703437] R10: 0000000000000003 R11: 0000000000000246 R12: 000055db92bfc358
Feb 26 08:57:49 blackleopard kernel: [ 993.703439] R13: 0000000000000000 R14: 000055db93e9b780 R15: 0000000000000000
Feb 26 08:57:49 blackleopard kernel: [ 993.703443] Modules linked in: module2(POE+) hello(OE) btrfs blake2b_generic xor raid6_pq ufs qnx4 hfsplus hfs minix ntfs msdos jfs xfs libcrc32c cpuid rfcomm joydev input_leds cmac algif_hash algif_skcipher af_alg bnep nls_iso8859_1 snd_hda_codec_realtek snd_hda_codec_generic ledtrig_audio nouveau snd_hda_codec_hdmi snd_hda_intel snd_intel_dspcfg snd_hda_codec snd_hda_core snd_hwdep snd_pcm snd_seq_midi snd_seq_midi_event iwlmvm ttm mac80211 drm_kms_helper libarc4 intel_rapl_msr intel_rapl_common cec rc_core snd_rawmidi snd_seq i2c_algo_bit x86_pkg_temp_thermal btusb fb_sys_fops syscopyarea sysfillrect sysimgblt btrtl intel_powerclamp snd_seq_device snd_timer snd soundcore btbcm btintel coretemp iwlwifi bluetooth kvm_intel ecdh_generic ecc kvm crct10dif_pclmul ghash_clmulni_intel aesni_intel crypto_simd mei_hdcp mei_me cryptd mei cfg80211 glue_helper at24 rapl intel_cstate mac_hid efi_pstore mxm_wmi intel_smartconnect sch_fq_codel parport_pc ppdev lp parport drm ip_tables x_tables autofs4
Feb 26 08:57:49 blackleopard kernel: [ 993.703490] hid_generic uas usbhid usb_storage hid crc32_pclmul ahci e1000e i2c_i801 libahci i2c_smbus xhci_pci lpc_ich xhci_pci_renesas video wmi [last unloaded: hello]
Feb 26 08:57:49 blackleopard kernel: [ 993.703503] CR2: 00000000000004d0
Feb 26 08:57:49 blackleopard kernel: [ 993.703506] ---[ end trace 5e61b9c07c62037a ]---
Feb 26 08:57:50 blackleopard kernel: [ 994.243861] RIP: 0010:scan_start+0x3d/0x1000 [module2]
Feb 26 08:57:50 blackleopard kernel: [ 994.243864] Code: 54 53 31 db 49 8d 44 1d 00 f6 40 68 1f 75 4f 83 b8 80 00 00 00 08 75 46 48 83 78 60 00 74 3f 48 8b 40 40 48 c7 c6 3c 20 11 c1 <4c> 8b a0 d0 04 00 00 4c 89 e7 e8 d4 85 da c9 85 c0 74 21 48 c7 c6
Feb 26 08:57:50 blackleopard kernel: [ 994.243865] RSP: 0018:ffffa6758818fc38 EFLAGS: 00010206
Feb 26 08:57:50 blackleopard kernel: [ 994.243867] RAX: 0000000000000000 RBX: 0000000000096fa0 RCX: 0000000000000000
Feb 26 08:57:50 blackleopard kernel: [ 994.243868] RDX: 0000000000000010 RSI: ffffffffc111203c RDI: ffffffffc0e29000
Feb 26 08:57:50 blackleopard kernel: [ 994.243869] RBP: ffffa6758818fc50 R08: ffff97200ecf1060 R09: ffff97200d0079c0
Feb 26 08:57:50 blackleopard kernel: [ 994.243870] R10: 0000000000000000 R11: ffff97200ed6c7f0 R12: ffffffffc0e29000
Feb 26 08:57:50 blackleopard kernel: [ 994.243871] R13: ffff971c00000000 R14: 0000000000000000 R15: ffffffffc1113000
Feb 26 08:57:50 blackleopard kernel: [ 994.243873] FS: 00007f026887f540(0000) GS:ffff97200ecc0000(0000) knlGS:0000000000000000
Feb 26 08:57:50 blackleopard kernel: [ 994.243874] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
Feb 26 08:57:50 blackleopard kernel: [ 994.243875] CR2: 00000000000004d0 CR3: 00000003d72bc002 CR4: 00000000001606e0
当我试图加载模块insmod module.ko时,它立即被杀死。有谁知道哪里出了问题,对如何修改代码有什么建议吗?
链接到的PDF文件如下:
(我强调)扫描低内存地址的伪代码32位x86系统如图3所示。这种方法是否足够使用kmalloc()分配内存总是返回具有物理映射的内核虚拟地址(逻辑地址).
你没有指定编译到哪个体系结构,但我有一种强烈的感觉(unsigned long被uint32_t,unsigned long long i取代),这是一个64位的目标,而不是32位的。