c - Linux Kernel: System call hooking example -

-

i'm trying write simple test code demonstration of hooking system call table.

"sys_call_table" no longer exported in 2.6, i'm grabbing address system.map file, , can see correct (looking through memory @ address found, can see pointers system calls).

however, when try modify table, kernel gives "oops" "unable handle kernel paging request @ virtual address c061e4f4" , machine reboots.

this centos 5.4 running 2.6.18-164.10.1.el5. there sort of protection or have bug? know comes selinux, , i've tried putting in permissive mode, doesn't make difference

here's code:

#include <linux/kernel.h> #include <linux/module.h> #include <linux/moduleparam.h> #include <linux/unistd.h>  void **sys_call_table;  asmlinkage int (*original_call) (const char*, int, int);  asmlinkage int our_sys_open(const char* file, int flags, int mode) {    printk("a file opened\n");    return original_call(file, flags, mode); }  int init_module() {     // sys_call_table address in system.map     sys_call_table = (void*)0xc061e4e0;     original_call = sys_call_table[__nr_open];      // hook: crashes here     sys_call_table[__nr_open] = our_sys_open; }  void cleanup_module() {    // restore original call    sys_call_table[__nr_open] = original_call; }

i found answer myself.

http://www.linuxforums.org/forum/linux-kernel/133982-cannot-modify-sys_call_table.html

the kernel changed @ point system call table read only.

cypherpunk:

even if late solution may interest others too: in entry.s file find: code:

.section .rodata,"a" #include "syscall_table_32.s"

sys_call_table -> readonly have compile kernel new if want "hack" around sys_call_table...

the link has example of changing memory writable.

nasekomoe:

hi everybody. replies. solved problem long ago modifying access memory pages. have implemented 2 functions upper level code:

#include <asm/cacheflush.h> #ifdef kern_2_6_24 #include <asm/semaphore.h> int set_page_rw(long unsigned int _addr) {     struct page *pg;     pgprot_t prot;     pg = virt_to_page(_addr);     prot.pgprot = vm_read | vm_write;     return change_page_attr(pg, 1, prot); }  int set_page_ro(long unsigned int _addr) {     struct page *pg;     pgprot_t prot;     pg = virt_to_page(_addr);     prot.pgprot = vm_read;     return change_page_attr(pg, 1, prot); }  #else #include <linux/semaphore.h> int set_page_rw(long unsigned int _addr) {     return set_memory_rw(_addr, 1); }  int set_page_ro(long unsigned int _addr) {     return set_memory_ro(_addr, 1); }  #endif // kern_2_6_24

here's modified version of original code works me.

#include <linux/kernel.h> #include <linux/module.h> #include <linux/moduleparam.h> #include <linux/unistd.h> #include <asm/semaphore.h> #include <asm/cacheflush.h>  void **sys_call_table;  asmlinkage int (*original_call) (const char*, int, int);  asmlinkage int our_sys_open(const char* file, int flags, int mode) {    printk("a file opened\n");    return original_call(file, flags, mode); }  int set_page_rw(long unsigned int _addr) {    struct page *pg;    pgprot_t prot;    pg = virt_to_page(_addr);    prot.pgprot = vm_read | vm_write;    return change_page_attr(pg, 1, prot); }  int init_module() {     // sys_call_table address in system.map     sys_call_table = (void*)0xc061e4e0;     original_call = sys_call_table[__nr_open];      set_page_rw(sys_call_table);     sys_call_table[__nr_open] = our_sys_open; }  void cleanup_module() {    // restore original call    sys_call_table[__nr_open] = original_call; }

Comments

Post a Comment

Popular posts from this blog

ruby - When to use an ORM (Sequel, Datamapper, AR, etc.) vs. pure SQL for querying -

-
a colleague of mine designing sql queries 1 below produce reports, displayed in excel files through external data query. @ present, reporting processes on db required (no crud operations). i trying convince him better use ruby orm in order able display data in rails/sinatra app. despite obvious advantages in displaying data, advantages there him in learning use orm sequel or datamapper? the sql queries writing quite complex, , being relatively new sql, complains time-consuming , confusing. possible write extremely complex queries orm? , if so, suitable(i have heard sequel legacy dbs)? , advantages of learning ruby , using orm versus sticking plain sql, in making complex database queries? i'm datamapper maintainer, , think complex reporting should use sql. while think someday we'll have dsl provides power , conciseness of sql, i've seen far requires write more ruby code sql complex queries. rather maintain 5 line sql query 10-15 lines of ruby code desc...
Read more

php - PHPDoc: @return void necessary? -

-
is necessary this: /** * ... * * @return void */ i have quite few methods don't have return value, , seems redundant put in comment. considered bad form leave out? if makes clear documentation, leave in, isn't strictly necessary. it's entirely subjective decision. personally, leave out. edit stand corrected. after little googling, wikipedia page says: @return [type description] tag should not used constructors or methods defined void return type. the phpdoc.org website says: @return datatype description @return datatype1|datatype2 description the @return tag used document return value of functions or methods. @returns alias @return support tag formats of other automatic documentors the datatype should valid php type (int, string, bool, etc), class name type of object returned, or "mixed". if want explicitly show multiple possible return types, list them pipe-delimited without spaces (e.g. "@retur...
Read more

c++ - Convert big endian to little endian when reading from a binary file -

-
this question has answer here: how convert between big-endian , little-endian values in c++? 28 answers i've been looking around how convert big-endian little-endians. didn't find solve problem. seem there's many way can conversion. anyway following code works ok in big-endian system. how should write conversion function work on little-endian system well? this homework, since systems @ school running big-endian system. it's got curious , wanted make work on home computer also #include <iostream> #include <fstream> using namespace std; int main() { ifstream file; file.open("file.bin", ios::in | ios::binary); if(!file) cerr << "not able read" << endl; else { cout << "opened" << endl; int i_var; double d_var; while(!file.eof()) {...
Read more