我正在尝试开发一个挂接read()系统调用的内核模块。由于某种原因,CCD_ 2函数似乎不起作用。
我看到了另一个这样的问题,但我真的不明白该怎么办。
我正在使用树莓派4 的Kali 4.19.93
我的代码:
#include <linux/module.h>
#include <linux/kernel.h>
#include <linux/init.h>
#include <linux/moduleparam.h>
#include <linux/syscalls.h>
#include <linux/kallsyms.h>
#include <linux/slab.h>
#include <linux/kern_levels.h>
#include <asm/unistd.h>
#include <asm/cacheflush.h>
#include <linux/semaphore.h>
#include <asm/set_memory.h>
MODULE_LICENSE("GPL");
MODULE_AUTHOR("Omri Ben David");
MODULE_DESCRIPTION("Hooking Linux System calls");
MODULE_VERSION("1.0");
unsigned long** SYS_CALL_TABLE = (unsigned long**) 0xc02011c4;
asmlinkage ssize_t (*original_read) (int fd, char *buf, size_t count);
asmlinkage ssize_t HookRead(unsigned int fd, char * buf, size_t count)
{
printk(KERN_INFO "Rootkit_Debug: Yay you entered my function!!n Now you can readn");
return (*original_read)(fd,buf,count);
}
void (*seek)(unsigned long, int);
void (*hide)(unsigned long, int);
static int __init SetHooks(void)
{
printk(KERN_INFO "Hooks Will now be set, hold on tightn");
printk(KERN_INFO "System calls table is at address %pn",SYS_CALL_TABLE);
original_read = (void*) SYS_CALL_TABLE[__NR_read];
seek = (void*) kallsyms_lookup_name("set_memory_rw");
hide = (void*) kallsyms_lookup_name("set_memory_ro");
(*seek)((unsigned long)SYS_CALL_TABLE, 1);
SYS_CALL_TABLE[__NR_read] = (unsigned long*)HookRead;
(*hide)((unsigned long)SYS_CALL_TABLE, 1);
printk(KERN_INFO "System calls hooked successfullyn");
return 0;
}
static void __exit HookCleanup(void)
{
printk(KERN_INFO "System calls restore initiatedn");
(*seek)((unsigned long)SYS_CALL_TABLE, 1);
SYS_CALL_TABLE[__NR_read] = (unsigned long*) original_read;
(*hide)((unsigned long)SYS_CALL_TABLE, 1);
printk(KERN_INFO "System successfully restored. hope you had fun");
}
module_init(SetHooks);
module_exit(HookCleanup);
如何使set_memory_rw()函数工作以覆盖系统调用表?或者我应该使用另一种方法?
因此,正如我在上面的评论中所说,函数change_memory_common()(由set_memory_ro/rw()使用(似乎在应用请求的权限之前进行了检查。这一点有一条注释:
/*
* Kernel VA mappings are always live, and splitting live section
* mappings into page mappings may cause TLB conflicts. This means
* we have to ensure that changing the permission bits of the range
* we are operating on does not result in such splitting.
*
* Let's restrict ourselves to mappings created by vmalloc (or vmap).
* Those are guaranteed to consist entirely of page mappings, and
* splitting is never needed.
*
* So check whether the [addr, addr + size) interval is entirely
* covered by precisely one VM area that has the VM_ALLOC flag set.
*/
area = find_vm_area((void *)addr);
if (!area ||
end > (unsigned long)area->addr + area->size ||
!(area->flags & VM_ALLOC))
return -EINVAL;
该函数似乎只适用于通过vmalloc()或vmap()创建的映射,而sys_call_table不存在于此类映射中。
人们关注的似乎是TLB冲突。这可能是因为该函数不拆分巨大的页面,因此无法设置具有单个(非巨大(页面粒度的权限。您需要对此进行测试,它对您的特定情况有效或无效。
在任何情况下,为了练习系统调用劫持,您可以重新编写自己版本的set_memory_common()和set_memory_rw/ro(),从而避免此检查。一个更简单的方法是为所需地址获取适当的PTE,然后更改权限,但我没有查看所有无数的宏。
最后,但同样重要的是,由于sys_call_table最终可能会跨越页面边界,因此在对页面应用更改时,最好使用syscall_table + __NR_read,而不是仅使用sys_call_table。
下面是一个工作示例:
// SPDX-License-Identifier: GPL-3.0
#include <linux/init.h> // module_{init,exit}()
#include <linux/module.h> // THIS_MODULE, MODULE_VERSION, ...
#include <linux/kernel.h> // printk(), pr_*()
#include <linux/kallsyms.h> // kallsyms_lookup_name()
#include <asm/syscall.h> // syscall_fn_t, __NR_*
#include <asm/ptrace.h> // struct pt_regs
#include <asm/tlbflush.h> // flush_tlb_kernel_range()
#include <asm/pgtable.h> // {clear,set}_pte_bit(), set_pte()
#include <linux/vmalloc.h> // vm_unmap_aliases()
#include <linux/mm.h> // struct mm_struct, apply_to_page_range()
#include <linux/kconfig.h> // IS_ENABLED()
#ifdef pr_fmt
#undef pr_fmt
#endif
#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
static struct mm_struct *init_mm_ptr;
static syscall_fn_t *syscall_table;
static syscall_fn_t original_read;
/********** HELPERS **********/
// From arch/arm64/mm/pageattr.c.
struct page_change_data {
pgprot_t set_mask;
pgprot_t clear_mask;
};
// From arch/arm64/mm/pageattr.c.
static int change_page_range(pte_t *ptep, unsigned long addr, void *data)
{
struct page_change_data *cdata = data;
pte_t pte = READ_ONCE(*ptep);
pte = clear_pte_bit(pte, cdata->clear_mask);
pte = set_pte_bit(pte, cdata->set_mask);
set_pte(ptep, pte);
return 0;
}
// From arch/arm64/mm/pageattr.c.
static int __change_memory_common(unsigned long start, unsigned long size,
pgprot_t set_mask, pgprot_t clear_mask)
{
struct page_change_data data;
int ret;
data.set_mask = set_mask;
data.clear_mask = clear_mask;
ret = apply_to_page_range(init_mm_ptr, start, size, change_page_range, &data);
flush_tlb_kernel_range(start, start + size);
return ret;
}
// Simplified set_memory_rw() from arch/arm64/mm/pageattr.c.
static int set_page_rw(unsigned long addr)
{
vm_unmap_aliases();
return __change_memory_common(addr, PAGE_SIZE, __pgprot(PTE_WRITE), __pgprot(PTE_RDONLY));
}
// Simplified set_memory_ro() from arch/arm64/mm/pageattr.c.
static int set_page_ro(unsigned long addr)
{
vm_unmap_aliases();
return __change_memory_common(addr, PAGE_SIZE, __pgprot(PTE_RDONLY), __pgprot(PTE_WRITE));
}
/********** ACTUAL MODULE **********/
static long myread(const struct pt_regs *regs)
{
pr_info("read() calledn");
return original_read(regs);
}
static int __init modinit(void)
{
int res;
pr_info("initn");
// Shouldn't fail.
init_mm_ptr = (struct mm_struct *)kallsyms_lookup_name("init_mm");
syscall_table = (syscall_fn_t *)kallsyms_lookup_name("sys_call_table");
original_read = syscall_table[__NR_read];
res = set_page_rw((unsigned long)(syscall_table + __NR_read) & PAGE_MASK);
if (res != 0) {
pr_err("set_page_rw() failed: %dn", res);
return res;
}
syscall_table[__NR_read] = myread;
res = set_page_ro((unsigned long)(syscall_table + __NR_read) & PAGE_MASK);
if (res != 0) {
pr_err("set_page_ro() failed: %dn", res);
return res;
}
pr_info("init donen");
return 0;
}
static void __exit modexit(void)
{
int res;
pr_info("exitn");
res = set_page_rw((unsigned long)(syscall_table + __NR_read) & PAGE_MASK);
if (res != 0) {
pr_err("set_page_rw() failed: %dn", res);
return;
}
syscall_table[__NR_read] = original_read;
res = set_page_ro((unsigned long)(syscall_table + __NR_read) & PAGE_MASK);
if (res != 0)
pr_err("set_page_ro() failed: %dn", res);
pr_info("goodbyen");
}
module_init(modinit);
module_exit(modexit);
MODULE_VERSION("0.1");
MODULE_DESCRIPTION("Syscall hijack on arm64.");
MODULE_AUTHOR("Marco Bonelli");
MODULE_LICENSE("GPL");