在64位的Linux内核4.15中获取sys调用表

时间:2018-05-02 00:44:11

标签: c linux-kernel linux-device-driver

所以我一直试图通过暴力搜索内核地址范围来获取 sys 调用表，但模块总是在地址“ffffffff81000018”处出错。以下是我使用的代码：

#include<linux/kernel.h>
#include<linux/module.h>
#include<linux/dirent.h>
#include<linux/syscalls.h>
#include<linux/sysfs.h>
#include<linux/list.h>
#include<linux/proc_fs.h>
#include<linux/string.h>
#include<linux/uaccess.h>
#include<linux/fs.h>
#include<linux/unistd.h>
#include<linux/cred.h>


#if defined __x86_64__
    /*
     * Window that find_syscall_table() walks, one pointer slot at a time.
     * Only defined for x86_64; there is no #else, so on any other
     * architecture the scan below does not compile.
     */
    #define START_ADDRESS 0xffffffff81000000
    #define END_ADDRESS 0xffffffffa2000000
#endif

MODULE_LICENSE("GPL");

/* Set by init_module() from find_syscall_table(); NULL when no slot matched. */
void **syscall_table;

/*
 * Linear scan of [START_ADDRESS, END_ADDRESS), advancing one pointer slot
 * per iteration, for a slot whose __NR_close entry equals sys_close.
 *
 * Return: the matching candidate pointer, or NULL once the window is
 * exhausted.
 *
 * Every iteration reads sctable[__NR_close] without checking that the
 * address is mapped. As answer 1 below points out, with __NR_close == 3
 * the very first read is START_ADDRESS + 3 * sizeof(void *) ==
 * 0xffffffff81000018, which is exactly CR2 in the oops; the kernel does
 * not guarantee that every page in this window is mapped, so the loop
 * oopses on the first unmapped slot rather than ever returning.
 */
void **find_syscall_table(void)
{

    void **sctable;
    void *i = (void *) START_ADDRESS;

    while ( i < (void *) END_ADDRESS )
    {
        sctable = (void *)i;

        /* Unchecked dereference of an arbitrary kernel address. */
        if (sctable[__NR_close] == (void *)sys_close)
        {
            return sctable;
        }

        /* Arithmetic on void * is a GCC extension (sizeof(void) == 1). */
        i += sizeof(void *);
    }

    return NULL;

}

/*
 * Module entry point: runs the scan and logs the result.
 *
 * Return: always 0, so the module stays loaded even when the scan found
 * nothing (syscall_table == NULL) — a negative errno would be the usual
 * way to refuse to load in that case.
 *
 * The oops reports IP as init_module+0x1b rather than find_syscall_table,
 * presumably because the scan was inlined here — confirm with objdump.
 * NOTE(review): on this kernel (4.15) "%p" prints a hashed value, not the
 * raw address, so the logged pointer is not the real table address.
 */
int init_module(void)
{
    syscall_table = (void *)find_syscall_table();

    if (syscall_table != NULL)
        pr_info("Found sys_call_table at %p\n", syscall_table);
    return 0;
}

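/*
 * Module exit: only logs a farewell message.
 *
 * The message now ends in '\n'; a printk without a trailing newline may
 * be held back or merged with the next message instead of being flushed
 * to the log on its own.
 */
void cleanup_module(void)
{
    pr_info("Good bye kernel!!!!\n");
}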

我遇到的问题如下：

[ 1376.153652] BUG: unable to handle kernel paging request at ffffffff81000018
[ 1376.153660] IP: init_module+0x1b/0x50 [hide_file]
[ 1376.153662] PGD 1bc0e067 P4D 1bc0e067 PUD 1bc0f063 PMD 0 
[ 1376.153666] Oops: 0000 [#1] SMP PTI
[ 1376.153668] Modules linked in: hide_file(O+) fuse bnep pci_stub vboxpci(O) vboxnetadp(O) vboxnetflt(O) vboxdrv(O) binfmt_misc nls_ascii nls_cp437 vfat fat uvcvideo videobuf2_vmalloc videobuf2_memops videobuf2_v4l2 videobuf2_core snd_soc_skl videodev snd_hda_codec_hdmi media intel_rapl snd_soc_skl_ipc snd_hda_ext_core x86_pkg_temp_thermal btusb intel_powerclamp snd_soc_sst_dsp coretemp snd_soc_sst_ipc btrtl btbcm snd_soc_acpi btintel snd_hda_codec_realtek snd_hda_codec_generic snd_soc_core bluetooth snd_compress kvm drbg ansi_cprng snd_hda_intel ecdh_generic i915 irqbypass snd_hda_codec snd_hda_core arc4 wmi_bmof rtsx_pci_ms intel_cstate snd_hwdep iwlmvm snd_pcm mac80211 iwlwifi intel_uncore thinkpad_acpi drm_kms_helper mei_me snd_timer memstick nvram cfg80211 efi_pstore intel_rapl_perf snd evdev
[ 1376.153706]  efivars sg drm soundcore mei joydev pcspkr serio_raw rfkill wmi shpchp intel_pch_thermal iTCO_wdt iTCO_vendor_support battery ac video i2c_algo_bit button tpm_crb efivarfs ip_tables x_tables autofs4 ext4 crc16 mbcache jbd2 crc32c_generic fscrypto ecb hid_generic usbhid hid sd_mod crct10dif_pclmul crc32_pclmul crc32c_intel ghash_clmulni_intel pcbc rtsx_pci_sdmmc mmc_core aesni_intel aes_x86_64 crypto_simd glue_helper cryptd rtsx_pci ahci mfd_core e1000e libahci xhci_pci ptp psmouse pps_core libata xhci_hcd i2c_i801 scsi_mod usbcore usb_common thermal
[ 1376.153737] CPU: 0 PID: 2244 Comm: insmod Tainted: G           O     4.15.0-kali2-amd64 #1 Debian 4.15.11-1kali1
[ 1376.153742] RIP: 0010:init_module+0x1b/0x50 [hide_file]
[ 1376.153743] RSP: 0018:ffffc0adc85cfcc8 EFLAGS: 00010246
[ 1376.153745] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
[ 1376.153747] RDX: 000000000004e55a RSI: ffffffff81000000 RDI: ffffffffc0eea030
[ 1376.153749] RBP: ffffffffc0eea030 R08: ffff9965a2424b60 R09: ffffffffbcb0b288
[ 1376.153750] R10: ffffea3746bc08c0 R11: 0000000000000000 R12: ffff9965521f7a60
[ 1376.153752] R13: ffffffffc0eec018 R14: 0000000000000001 R15: ffff9964ff2474e0
[ 1376.153754] FS:  00007f2e082e8b80(0000) GS:ffff9965a2400000(0000) knlGS:0000000000000000
[ 1376.153755] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 1376.153757] CR2: ffffffff81000018 CR3: 0000000154c84002 CR4: 00000000003606f0
[ 1376.153758] Call Trace:
[ 1376.153763]  do_one_initcall+0x4e/0x18d
[ 1376.153768]  ? free_unref_page_commit+0x95/0x110
[ 1376.153770]  ? _cond_resched+0x15/0x40
[ 1376.153773]  ? kmem_cache_alloc_trace+0x14b/0x1a0
[ 1376.153777]  ? do_init_module+0x22/0x201
[ 1376.153779]  do_init_module+0x5b/0x201
[ 1376.153783]  load_module.constprop.54+0x2725/0x2c70
[ 1376.153786]  ? vfs_read+0x113/0x130
[ 1376.153789]  ? SYSC_finit_module+0xe9/0x110
[ 1376.153792]  SYSC_finit_module+0xe9/0x110
[ 1376.153795]  do_syscall_64+0x6e/0x130
[ 1376.153798]  entry_SYSCALL_64_after_hwframe+0x3d/0xa2
[ 1376.153801] RIP: 0033:0x7f2e07c178f9
[ 1376.153802] RSP: 002b:00007ffd4e622498 EFLAGS: 00000246 ORIG_RAX: 0000000000000139
[ 1376.153804] RAX: ffffffffffffffda RBX: 00005629814157b0 RCX: 00007f2e07c178f9
[ 1376.153806] RDX: 0000000000000000 RSI: 000056297fbc9a78 RDI: 0000000000000003
[ 1376.153807] RBP: 000056297fbc9a78 R08: 0000000000000000 R09: 00007f2e07edd000
[ 1376.153809] R10: 0000000000000003 R11: 0000000000000246 R12: 0000000000000000
[ 1376.153810] R13: 0000562981415760 R14: 0000000000000000 R15: 0000000000000000
[ 1376.153812] Code: c2 bc 75 ea f3 c3 31 c0 c3 0f 1f 80 00 00 00 00 0f 1f 44 00 00 48 c7 c6 00 00 00 81 eb 0d 48 83 c6 08 48 81 fe 00 00 00 a2 74 19 <48> 81 7e 18 d0 c5 c2 bc 75 e9 48 85 f6 48 89 35 e1 22 00 00 75 
[ 1376.153844] RIP: init_module+0x1b/0x50 [hide_file] RSP: ffffc0adc85cfcc8
[ 1376.153845] CR2: ffffffff81000018
[ 1376.153847] ---[ end trace ec4600bb069abdd2 ]---

有人可以指导我如何解决这个问题,以便能够劫持系统调用。 感谢。

2 个答案:

答案 0 :(得分:1)

只需使用 "linux/kallsyms.h" 中的内核函数 kallsyms_lookup_name("sys_call_table")。它返回的地址就是 /proc/kallsyms 文件中给出的系统调用表地址。不用担心

/boot/System.map-`uname -r`

中的地址与之不同；你找到的仍然是 sys_call_table。

答案 1 :(得分:0)

这不是“某个地址”。close 的系统调用号是 3，因此你测试的第一个地址是 START_ADDRESS + 3 * sizeof(void *)，它与故障地址完全相同。

这说明你在这里使用的参数从一开始就是错误的。

真正的问题是你为什么要寻找系统调用表，更不用说以这种方式寻找了。在绝大多数情况下，想要覆盖任何系统调用条目本身就是错误的做法。