写入系统调用表函数地址时内核模块崩溃

时间:2019-10-25 14:51:58

标签: c linux-kernel kernel-module rootkit

我知道,由于 KASLR,该模块无法直接使用 /boot/System.map-$(uname -r) 中的系统调用表地址;以 nokaslr 引导后,该模块就能正常工作。解决了这个问题之后,我继续尝试挂钩 kill 系统调用,但没有成功:insmod 在加载模块时再次返回“已杀死”,而 dmesg 现在记录了一个写访问权限错误,出错位置就是下面代码中用 /* Error */ 标出的那几行。

我原以为清除控制寄存器中写保护位的作用就是“取消写保护”。除此之外(或者是我的代码本身有问题),还有什么别的机制会阻止内核模块覆盖系统调用表?

代码

#include <linux/module.h>
#include <linux/kernel.h>

/* Call signature of the sys_kill handler read out of the system call table. */
typedef asmlinkage int (*sys_kill_ptr_t)(pid_t, int);

/* Original sys_kill entry, saved in lkm_init() and written back in lkm_exit(). */
static sys_kill_ptr_t sys_kill_ptr;
/* Base of the system call table; a hard-coded address assigned in lkm_init(). */
static unsigned long *syscall_table;

/*
 * Writes CR0 back with bit 0x1000 masked off.  Per its name this is meant to
 * clear the write-protect (WP) bit, but note the naming is inverted relative
 * to the effect: this function *clears* a bit, unset_cr0_wp_bit() *sets* it.
 * NOTE(review): 0x1000 is a bare magic number; the kernel exposes the CR0 bits
 * as named X86_CR0_* constants and one of those should be used instead of a
 * literal — confirm against the header which bit this literal actually selects.
 */
static inline void set_cr0_wp_bit(void)   { write_cr0(read_cr0() & ~0x1000); }
/*
 * Writes CR0 back with bit 0x1000 set.  Intended as the inverse of
 * set_cr0_wp_bit() (restore write protection); same magic-number caveat —
 * use the kernel's named X86_CR0_* constant rather than a literal.
 */
static inline void unset_cr0_wp_bit(void) { write_cr0(read_cr0() |  0x1000); }

/*
 * Replacement entry for sys_kill: emits one KERN_INFO line, then forwards
 * pid and sig unchanged to the saved original handler and returns its result.
 */
asmlinkage int hooked_kill(pid_t pid, int sig)
{
    sys_kill_ptr_t original = sys_kill_ptr;

    printk(KERN_INFO "[+] LKM: hooked_kill called\n");

    return original(pid, sig);
}

/*
 * Module init: read the current sys_kill entry from the hard-coded table
 * address, save it, and overwrite the entry with hooked_kill.  Always returns 0.
 */
static int __init lkm_init(void)
{
    printk("[+] LKM: init\n");

    // System call table address in /boot/System.map-$(uname -r)
    // Hard-coded, so it is only meaningful with KASLR disabled (the question
    // says the machine was booted with nokaslr).
    syscall_table = (unsigned long *)0xffffffff81c002a0;

    printk(KERN_EMERG "[+] LKM: syscall_table @ 0x%lx\n",
           (unsigned long)syscall_table);

    // Save the original handler so lkm_exit() can write it back.
    sys_kill_ptr = (sys_kill_ptr_t)syscall_table[__NR_kill];
    printk(KERN_EMERG "[+] LKM: syscall_table[__NR_kill] @ 0x%lx\n",
           (unsigned long)sys_kill_ptr);

    // Intended to make the read-only table page writable before the store.
    // NOTE(review): the dmesg on this page faults at ffffffff81c00490, which is
    // exactly &syscall_table[__NR_kill] (0x...02a0 + 62*8, __NR_kill being 62
    // on x86_64), with "supervisor write access ... permissions violation" —
    // i.e. the page was still write-protected when the store below ran.
    // Recent x86 kernels pin CR0.WP inside write_cr0() so that a module cannot
    // lift write protection this way at all; if this kernel does so, the fault
    // is expected regardless of the mask used in set_cr0_wp_bit() — confirm
    // against the running kernel's write_cr0().
    set_cr0_wp_bit();

    /* Error */
    syscall_table[__NR_kill] = (unsigned long)hooked_kill;
    /* Error */

    unset_cr0_wp_bit();
    printk(KERN_EMERG "[+] LKM: syscall_table[__NR_kill] hooked @ %lx\n",
           (unsigned long)hooked_kill);

    return 0;
}

/*
 * Module exit: write the handler saved in lkm_init() back into the table.
 * Only reached if lkm_init() completed; the dmesg on this page shows the
 * module being killed inside lkm_init(), so this path was never run there.
 */
static void __exit lkm_exit(void)
{
    // Same write-protection handling as lkm_init(); subject to the same
    // CR0.WP pinning caveat — a pinned kernel will fault on the store below.
    set_cr0_wp_bit();

    /* Error */
    syscall_table[__NR_kill] = (unsigned long)sys_kill_ptr;
    /* Error */

    unset_cr0_wp_bit();

    printk("[-] LKM: exit\n");
}

/*
 * Entry/exit registration.
 * NOTE(review): this listing declares no MODULE_LICENSE(); without it the
 * kernel is marked tainted when the module loads.
 */
module_init(lkm_init);
module_exit(lkm_exit);

dmesg

[ 4218.114119] [+] LKM: init
[ 4218.115931] [+] LKM: syscall_table @ 0xffffffff81c002a0
[ 4218.117025] [+] LKM: syscall_table[__NR_kill] @ 0xffffffff81092fa0
[ 4218.118087] BUG: unable to handle page fault for address: ffffffff81c00490
[ 4218.119159] #PF: supervisor write access in kernel mode
[ 4218.120267] #PF: error_code(0x0003) - permissions violation
