Known issues with the current example code: If you are using a newer kernel (e.g. Linux 5.11.x) to compile the example code, you may encounter the following errors: 1. syscall.c:83:50: error: ‘ksys_close’ undeclared; 2. cryptosk.c:17:24: error: field ‘sg’ has incomplete type 3. cryptosk.c:143:9: error: implicit declaration of function ‘get_random_bytes’ 4. error: macro "DECLARE_TASKLET" passed 3 arguments, but takes just 2 Solutions/workarounds: 1. In syscall.c, replace #include <linux/syscalls.h> with #include <linux/fdtable.h> and replace ksys_close with close_fd if the kernel version is >= 5.11. [1][2] 2. Add #include <linux/scatterlist.h> to cryptosk.c 3. Add #include <linux/random.h> to cryptosk.c 4. In bottomhalf.c and example_tasklet.c, replace DECLARE_TASKLET with DECLARE_TASKLET_OLD and drop the third argument (0L). [3] [1] - https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=1572bfdf21d4d50e51941498ffe0b56c2289f783 [2] - https://www.mail-archive.com/meta-arago@arago-project.org//msg11939.html [3] - https://patchwork.kernel.org/project/kernel-hardening/patch/20200716030847.1564131-3-keescook@chromium.org/
/*
 * syscall.c
 *
 * System call "stealing" sample.
 *
 * Disables page protection at the processor level by changing bit 16
 * (the write-protect bit) of the cr0 register (could be Intel specific).
 *
 * Based on an example by Peter Jay Salzman and
 * https://bbs.archlinux.org/viewtopic.php?id=139406
 */
#include <linux/delay.h>
#include <linux/kernel.h>
#include <linux/module.h>
#include <linux/moduleparam.h> /* which will have params */
#include <linux/unistd.h> /* The list of system calls */
#include <linux/version.h>
/* For the current (process) structure: we need this to know who the
 * current user is.
 */
#include <linux/sched.h>
#include <linux/uaccess.h>
/* The in-kernel ksys_close() wrapper was removed in Linux v5.11; later
 * kernels provide close_fd() from <linux/fdtable.h> instead, so the name
 * is aliased below to keep one spelling in the code.
 */
#if (LINUX_VERSION_CODE < KERNEL_VERSION(5, 11, 0))
#include <linux/syscalls.h> /* ksys_close() wrapper for backward compatibility */
#define close_fd ksys_close
#else
#include <linux/fdtable.h> /* For close_fd */
#endif
/* Resolved address of the kernel's system call table. Stays NULL until
 * syscall_start() locates it; syscall_end() checks for NULL so that a
 * failed load does not try to undo a patch that never happened.
 */
unsigned long **sys_call_table;

/* CR0 as read at load time; written back after each edit of the table. */
unsigned long original_cr0;

/* UID we want to spy on - will be filled from the command line.
 * NOTE(review): in this version it is only echoed in the log line;
 * our_sys_open() never compares it with the calling task's uid, so every
 * open() on the system is reported.
 */
static int uid;
module_param(uid, int, 0644);

/* A pointer to the original system call. The reason we keep this, rather
 * than call the original function (sys_open), is because somebody else
 * might have replaced the system call before us. Note that this is not
 * 100% safe, because if another module replaced sys_open before us,
 * then when we are inserted, we will call the function in that module -
 * and it might be removed before we are.
 *
 * Another reason for this is that we can not get sys_open.
 * It is a static variable, so it is not exported.
 */
asmlinkage int (*original_call)(const char *, int, int);
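/* The function we will replace sys_open (the function called when you
 * call the open system call) with. To find the exact prototype, with
 * the number and type of arguments, we find the original function first
 * (it is at fs/open.c).
 *
 * In theory, this means that we are tied to the current version of the
 * kernel. In practice, the system calls almost never change (it would
 * wreak havoc and require programs to be recompiled, since the system
 * calls are the interface between the kernel and the processes).
 *
 * NOTE(review): on x86-64 kernels from v4.17 on the table entries take a
 * single `struct pt_regs *` rather than the arguments directly, so this
 * three-argument prototype would not see `filename` correctly there --
 * confirm against the target kernel before trusting the log output.
 *
 * NOTE(review): `uid` is the module parameter, not the caller's uid; this
 * hook logs every open() on the system. Compare against current_uid() if
 * the filtering the parameter name suggests is wanted.
 *
 * @filename: user-space pointer to the path being opened. It is never
 *            dereferenced directly, only copied byte by byte via get_user().
 * @flags:    open(2) flags, passed through untouched.
 * @mode:     open(2) mode, passed through untouched.
 *
 * Returns whatever the original sys_open returns; this hook only logs.
 */
asmlinkage int our_sys_open(const char *filename, int flags, int mode)
{
    /* Upper bound on the bytes copied from user space for the log line.
     * The original loop walked until it found a NUL, which for an
     * unterminated string means reading until a fault.
     */
    enum { REPORT_MAX = 127 };
    char buf[REPORT_MAX + 1];
    int i;

    for (i = 0; i < REPORT_MAX; i++) {
        char ch;

        /* get_user() returns non-zero when the address is not readable
         * user memory; stop reporting instead of logging garbage.
         */
        if (get_user(ch, filename + i))
            break;
        if (ch == 0)
            break;
        buf[i] = ch;
    }
    buf[i] = '\0';

    /* One record per open, instead of one printk per character (each
     * pr_info() without KERN_CONT starts a new log line).
     */
    pr_info("Opened file by %d: %s\n", uid, buf);

    /* Call the original sys_open - otherwise, we lose the ability to
     * open files.
     */
    return original_call(filename, flags, mode);
}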
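/* Locate the system call table by scanning kernel memory for the entry
 * of __NR_close, which is expected to hold the address of close_fd()
 * (ksys_close() before v5.11). The scan starts at PAGE_OFFSET and walks
 * upwards one pointer at a time.
 *
 * NOTE(review): this is a heuristic, not a supported interface. Every
 * candidate address is dereferenced, so reaching an unmapped page will
 * oops, and on kernels whose table holds per-architecture wrapper stubs
 * rather than the bare function the comparison never matches -- confirm
 * against the target kernel. A NULL result is the expected outcome on
 * such kernels and is handled by the caller.
 *
 * Returns the table address, or NULL when the scan reaches the end of
 * the address space without a match.
 */
static unsigned long **aquire_sys_call_table(void)
{
    unsigned long offset = PAGE_OFFSET;

    /* Stop before `offset += sizeof(void *)` could wrap. The original
     * compared an unsigned long against ULLONG_MAX, which it can never
     * reach on a 32-bit kernel, so there the loop would wrap around and
     * carry on scanning from address zero.
     */
    while (offset <= ULONG_MAX - sizeof(void *)) {
        unsigned long **sct = (unsigned long **) offset;

        if (sct[__NR_close] == (unsigned long *) close_fd)
            return sct;

        offset += sizeof(void *);
    }

    return NULL;
}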
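/* Module entry point: find the table, lift write protection, swap the
 * open entry for our hook and put write protection back.
 *
 * Clearing bit 16 of CR0 (CR0.WP) lets ring 0 write to read-only pages,
 * which is how the read-only syscall table gets patched. NOTE(review):
 * since v5.3 x86 pins CR0.WP, so write_cr0() on a current kernel warns
 * and keeps the bit set; this sample is not expected to work there --
 * confirm against the target kernel. The same table-patching pattern is
 * what rootkits use, which is why integrity checks compare table entries
 * against kallsyms and why the kernel resists the write.
 *
 * Returns 0 on success, -ENOENT when the table could not be located
 * (the original returned a bare -1, which insmod reports as EPERM and
 * says nothing about what actually failed).
 */
static int __init syscall_start(void)
{
    sys_call_table = aquire_sys_call_table();
    if (!sys_call_table)
        return -ENOENT;

    original_cr0 = read_cr0();

    /* 0x00010000 is CR0.WP (bit 16): clear it so the table is writable */
    write_cr0(original_cr0 & ~0x00010000);

    /* keep track of the original open function */
    original_call = (void *) sys_call_table[__NR_open];

    /* use our open function instead */
    sys_call_table[__NR_open] = (unsigned long *) our_sys_open;

    write_cr0(original_cr0);

    pr_info("Spying on UID:%d\n", uid);

    return 0;
}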
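/* Module exit: put the original open entry back, then wait a while so
 * any call that is still running inside our_sys_open() can return
 * before the module text disappears.
 *
 * NOTE(review): the 2 s msleep() is a best-effort guess, not a
 * guarantee; a task preempted inside the hook for longer than that
 * would return into unloaded code. The sample accepts that risk.
 */
static void __exit syscall_end(void)
{
    /* syscall_start() failed before patching anything; nothing to undo */
    if (!sys_call_table)
        return;

    /* Return the system call back to normal. If the entry is no longer
     * ours, something hooked it after us; restoring original_call now
     * silently unhooks that too, hence the alert. Each message is a
     * single pr_alert() call: a printk without a trailing newline is its
     * own log record, so the original four fragments came out as four
     * separate lines.
     */
    if (sys_call_table[__NR_open] != (unsigned long *) our_sys_open) {
        pr_alert("Somebody else also played with the open system call\n");
        pr_alert("The system may be left in an unstable state.\n");
    }

    /* clear CR0.WP (bit 16) so the table is writable, as in syscall_start() */
    write_cr0(original_cr0 & ~0x00010000);
    sys_call_table[__NR_open] = (unsigned long *) original_call;
    write_cr0(original_cr0);

    msleep(2000);
}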
/* syscall_start() patches the table on load, syscall_end() restores it on
 * unload; both are guarded by sys_call_table being non-NULL.
 */
module_init(syscall_start);
module_exit(syscall_end);

MODULE_LICENSE("GPL");