如何用LKM挂断中断门

时间:2018-02-27 19:03:34

标签: c assembly linux-kernel hook interrupt

我正在研究做一个rootkit。

我尝试使用LKM挂接门禁中断4,处理VirtualBox。

但是当我触发门时,VM会冻结。 挂钩和脱钩似乎有效,但我不知道为什么它会被冻结。

这可能是与VirtualBox有关的问题吗?或者我错过了什么/做错了什么? 挂钩门的方式是per-cpu IDT。 我在每个CPU中创建一个内核线程,然后我安装新的门。 在VirtualBox中,每个CPU使用相同的IDTR,因此我必须添加一些检查才能兼容。

任何帮助都将不胜感激。

我粘贴下面的代码。

生成文件 

#include <linux/module.h>

extern int hook_int(void);
extern void unhook_int(void);

int init_module(void) {
        return hook_int();
}

void cleanup_module(void) {
        unhook_int();
}

MODULE_LICENSE("GPL");

的main.c 

#include <asm/desc.h>
#include <linux/uaccess.h>
#include <linux/kthread.h>
#include <linux/mman.h>

#define VECTOR 4

extern void my_int_handler(void);
void for_each_idt(void (*cb)(gate_desc *idt));
void install_hook(gate_desc *idt);
void uninstall_hook(gate_desc *idt);
int kthread_fn(void *arg);
gate_desc *last_idt = NULL;
gate_desc gate_backup;
void *real_int_handler = NULL;
extern int my_memcpy(void *dst, void *src, size_t len);

int kthread_fn(void *arg) {
        void (*cb)(gate_desc *idt) = arg;
        struct desc_ptr idtr;
        gate_desc *idt = NULL;

        store_idt(&idtr);
        idt = (gate_desc *) idtr.address;
        if (last_idt != idt) {
                cb(idt);
                last_idt = idt;
        }

        return 0;
}

void for_each_idt(void (*cb)(gate_desc *idt)) {
        size_t cpus = 0, i = 0;
        struct task_struct *thread = NULL;

        last_idt = NULL;
        cpus = num_present_cpus();
        while (i != cpus) {
                thread = kthread_create(kthread_fn, cb, "kworker/%d:%d", (int) i, (int) cpus);
                kthread_bind(thread, i);
                wake_up_process(thread);
                i++;
        }
}

void install_hook(gate_desc *idt) {
        gate_desc gate;

        my_memcpy(&gate, &idt[VECTOR], sizeof(gate));
        my_memcpy(&gate_backup, &idt[VECTOR], sizeof(gate));
        printk("segment = %x\n", gate.segment);
        printk("bits.ist = %x\n", gate.bits.ist);
        printk("bits.zero = %x\n", gate.bits.zero);
        printk("bits.type = %x\n", gate.bits.type);
        printk("bits.dpl = %x\n", gate.bits.dpl);
        printk("bits.p = %x\n", gate.bits.p);
        printk("reserved = %x\n", gate.reserved);
        printk("offset_low = %x\n", gate.offset_low);
        printk("offset_middle = %x\n", gate.offset_middle);
        printk("offset_high = %x\n", gate.offset_high);
        gate.offset_low    = (u16) my_int_handler;
        gate.offset_middle = (u16) ((long) my_int_handler >> 16);
        gate.offset_high   = (u32) ((long) my_int_handler >> 32);
        real_int_handler = idt[VECTOR].offset_low | ((int) idt[VECTOR].offset_middle << 16) | ((long) idt[VECTOR].offset_high << 32);
        printk("after\n");
        printk("offset_low = %x\n", gate.offset_low);
        printk("offset_middle = %x\n", gate.offset_middle);
        printk("offset_high = %x\n", gate.offset_high);
        printk("my_int_handler = %lx\n", (long)my_int_handler);
        printk("real_int_handler = %lx\n", (long)real_int_handler);
        asm("cli\n\tmov\t%%cr0, %%rax\n\tand\t$0xfffffffffffeffff, %%rax\n\tmov\t%%rax, %%cr0" ::: "rax");
        my_memcpy(&idt[VECTOR], &gate, sizeof(gate));
        asm("mov\t%%cr0, %%rax\n\tor\t$0x10000, %%rax\n\tmov\t%%rax, %%cr0\n\tsti" ::: "rax");
}

void uninstall_hook(gate_desc *idt) {
        asm("cli\n\tmov\t%%cr0, %%rax\n\tand\t$0xfffffffffffeffff, %%rax\n\tmov\t%%rax, %%cr0" ::: "rax");
        my_memcpy(&idt[VECTOR], &gate_backup, sizeof(gate_backup));
        asm("mov\t%%cr0, %%rax\n\tor\t$0x10000, %%rax\n\tmov\t%%rax, %%cr0\n\tsti" ::: "rax");
}

int hook_int(void) {
        for_each_idt(install_hook);
        return 0;
}

void unhook_int(void) {
        for_each_idt(uninstall_hook);
}

core.c 

        .extern real_int_handler
        .text
        .globl my_memcpy
        .type my_memcpy, @function
my_memcpy:
        mov %rdx, %rcx
        rep movsb
        mov %rcx, %rax
        ret
        .size my_memcpy, .-my_memcpy

        .globl my_int_handler
        .type my_int_handler, @function
my_int_handler:
        jmp *real_int_handler(%rip)
        .size my_int_handler, .-my_int_handler

asmcore.s 

        .globl main
        .type main, @function
main:
        int $4
        ret

        .size main, .-main

trigger.s 

[ 1000.001717] segment = 10
[ 1000.001718] bits.ist = 0
[ 1000.001718] bits.zero = 0
[ 1000.001719] bits.type = e
[ 1000.001719] bits.dpl = 3
[ 1000.001720] bits.p = 1
[ 1000.001720] reserved = 0
[ 1000.001721] offset_low = 1030
[ 1000.001721] offset_middle = 9480
[ 1000.001722] offset_high = ffffffff
[ 1000.001722] after
[ 1000.001723] offset_low = 1513
[ 1000.001723] offset_middle = c052
[ 1000.001724] offset_high = ffffffff
[ 1000.001724] my_int_handler = ffffffffc0521513
[ 1000.001725] real_int_handler = ffffffff94801030
加载

dmesg 

diwou@diwou-VirtualBox:~/arpso2$ ./trigger
Violación de segmento (`core' generado)

执行./trigger而不挂钩 

.mov

1 个答案:

答案 0 :(得分:0)

源代码是正确的。问题出在VirtualBox上。 修改IDT,GDT和MSR可能是它被冻结的原因。

我能够添加一个新的IDT条目,但似乎问题是在更改已写入的值时。例如,更改MSR_LSTAR寄存器,向GDT添加调用门,或修改IDT上的中断处理程序。

相关问题
最新问题