s0xxu/hook-mod

kernel module for 6.8.0-31-generic, using kprobe to get syscall addresses, and passing them to ftrace for patching
Learning the Linux kernel:
This is a kernel module I wrote to intercept the openat syscall, using a kprobe to resolve syscall addresses in memory via kallsyms_lookup_name.
Once the address is resolved, ftrace intercepts it and redirects execution to our ftrace_handler function by patching a 5-byte call instruction at the beginning of the syscall function.
In the ftrace handler we build our own function and extract the CPU registers via the ftrace API; these registers are used in our function to print the userspace values.
__x64_sys_openat expects a pointer to pt_regs in RDI. This is subtle and I found it tough: at the moment we enter our ftrace handler, rdi is expected to be a pointer to the user arguments, but on entering __x64_sys_openat rdi is expected to be a pointer to pt_regs. This caused a lot of crashes and I spent a lot of time figuring it out.

Below are some of the results I got after a long time working on this. They were captured while the device was running as it normally would, except with our syscall intercept running in the background.
Building this gave me an introduction to ftrace: using kprobe to resolve addresses in the kernel, and ftrace to intercept functions in the kernel.
I'd also like to think this made me stronger at debugging and gave me a bit more understanding of the kernel domain, after a large number of kernel panics.

It's very unstable if you decide to run it; for example, you cannot unload the module without crashing the kernel.
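Added example (userspace C, not code from the hook-mod repository) modelling the register hand-off described above. The frame ftrace hands the handler belongs to __x64_sys_openat, whose only argument (rdi) is a pointer to the syscall's own pt_regs, so dfd, path and flags must be read from di/si/dx of that inner frame rather than from the outer one. The struct names model_pt_regs and openat_args and all function names are this example's own; the sample frames are constructed from the first HOOKED line of the dmesg output below, and the flag decoder translates the numeric flags values the log prints (524288, 2752512) into names using the Linux asm-generic bit values.

```c
#include <stdio.h>
#include <string.h>

/* Subset of x86-64 struct pt_regs fields this model needs (names as in the kernel). */
struct model_pt_regs {
    unsigned long di;   /* rdi: first argument */
    unsigned long si;   /* rsi: second argument */
    unsigned long dx;   /* rdx: third argument */
    unsigned long ip;   /* rip */
};

struct openat_args {
    int  dfd;
    char path[256];
    int  flags;
};

/* The mistake the README warns about: treating the frame ftrace handed us as if
 * it held the user arguments. outer->di is really a kernel pointer to the syscall
 * frame and outer->si/dx are leftovers; dereferencing si as a string would crash. */
int decode_openat_naive(const struct model_pt_regs *outer, struct openat_args *out)
{
    out->dfd   = (int)outer->di;   /* low 32 bits of a kernel pointer, not AT_FDCWD */
    out->flags = (int)outer->dx;
    out->path[0] = '\0';           /* outer->si is deliberately left alone */
    return 0;
}

/* Correct decode: follow outer->di to the syscall pt_regs, then read the
 * openat(dfd, path, flags) arguments from di, si, dx of that inner frame. */
int decode_openat_from_ftrace_regs(const struct model_pt_regs *outer, struct openat_args *out)
{
    const struct model_pt_regs *sys = (const struct model_pt_regs *)outer->di;
    if (!sys)
        return -1;
    const char *upath = (const char *)sys->si;
    if (!upath)
        return -1;
    out->dfd   = (int)sys->di;
    out->flags = (int)sys->dx;
    /* In the kernel sys->si is a user pointer and must be read with
     * strncpy_from_user(); a bounded copy stands in for that here. */
    strncpy(out->path, upath, sizeof out->path - 1);
    out->path[sizeof out->path - 1] = '\0';
    return 0;
}

/* Linux asm-generic open(2) flag bits, hardcoded so the decoder does not
 * depend on the host libc (O_PATH is Linux-only). */
static const struct { unsigned long bit; const char *name; } open_flag_names[] = {
    { 0x40, "O_CREAT" },       { 0x80, "O_EXCL" },        { 0x200, "O_TRUNC" },
    { 0x400, "O_APPEND" },     { 0x800, "O_NONBLOCK" },   { 0x10000, "O_DIRECTORY" },
    { 0x20000, "O_NOFOLLOW" }, { 0x80000, "O_CLOEXEC" },  { 0x200000, "O_PATH" },
};

/* Render a flags word as names, e.g. 2752512 -> "O_RDONLY|O_NOFOLLOW|O_CLOEXEC|O_PATH".
 * The access mode (low two bits) comes first; unknown bits are kept as hex. */
void format_open_flags(unsigned long flags, char *buf, size_t n)
{
    static const char *const modes[] = { "O_RDONLY", "O_WRONLY", "O_RDWR", "O_ACCMODE" };
    unsigned long seen = flags & 3;
    size_t len = (size_t)snprintf(buf, n, "%s", modes[flags & 3]);
    for (size_t i = 0; i < sizeof open_flag_names / sizeof open_flag_names[0] && len < n; i++) {
        if (flags & open_flag_names[i].bit) {
            len += (size_t)snprintf(buf + len, n - len, "|%s", open_flag_names[i].name);
            seen |= open_flag_names[i].bit;
        }
    }
    if ((flags & ~seen) && len < n)
        snprintf(buf + len, n - len, "|0x%lx", flags & ~seen);
}

/* Constructed sample frames mirroring the first HOOKED line of the README's
 * dmesg output; user_path is a constant standing in for a userspace buffer. */
int run_sample_decode(struct openat_args *out)
{
    static const char user_path[] = "/proc/661/cgroup";
    struct model_pt_regs sys_frame = {        /* saved by the syscall entry code */
        .di = (unsigned long)(long)-100,      /* AT_FDCWD */
        .si = (unsigned long)user_path,
        .dx = 524288,                         /* O_CLOEXEC, as in the log */
        .ip = 0,
    };
    struct model_pt_regs ftrace_frame = {     /* what the ftrace handler is handed */
        .di = (unsigned long)&sys_frame,      /* __x64_sys_openat's only argument */
        .si = 0xdeadbeefUL,                   /* stale value, not an argument */
        .dx = 0,
        .ip = 0xffffffffa74dc755UL,           /* rip after the 5-byte call, from the log */
    };
    return decode_openat_from_ftrace_regs(&ftrace_frame, out);
}

int main(void)
{
    struct openat_args a;
    char names[128];
    if (run_sample_decode(&a) != 0)
        return 1;
    format_open_flags((unsigned long)a.flags, names, sizeof names);
    printf("HOOKED dfd: %d%s path: %s flags: %d (%s)\n",
           a.dfd, a.dfd == -100 ? " (AT_FDCWD)" : "", a.path, a.flags, names);
    return 0;
}
```

Build with `gcc -std=c99 -Wall` and run; it prints the same HOOKED line the module logs, with dfd and flags decoded. The naive decoder is kept beside the correct one to show why the outer frame cannot be read as arguments: its di is a kernel stack address (compare the rdi values in the log), so the dfd it yields is never AT_FDCWD. In a real handler the inner si remains a user pointer and has to be copied with strncpy_from_user(), not dereferenced.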

[  +0.000994] parent_ip: ffffffffa7005ee8
[  +0.000284] parent_ip: ffffffffa7005ee8
[  +0.000005] rsi string 
[  +0.000001] ip ffffffffa74dc750 hook at ffffffffc0b2e190
[  +0.000001] HOOKED dfd: -100 path: /proc/661/cgroup flags: 524288
[  +0.000002] HOOK sys_openat ffffffffa74dc755
[  +0.004083] rsi string 
[  +0.000645] ip ffffffffa74dc750 hook at ffffffffc0b2e190
[  +0.001284] HOOKED dfd: -100 path: /var/lib/systemd/timesync/clock flags: 2752512
[  +0.001097] HOOK sys_openat ffffffffa74dc755
[Dec25 19:28] rip: ffffffffa74dc755 rax: ffff8fbcc03c8000 rdx: 0 rdi: ffffa09e40013f58
[  +0.001638] PID: 1 
[  +0.000358] parent_ip: ffffffffa7005ee8
[  +0.000566] rsi string 
[  +0.000001] ip ffffffffa74dc750 hook at ffffffffc0b2e190
[  +0.001101] HOOKED dfd: -100 path: /proc/803/cgroup flags: 524288
[  +0.000783] HOOK sys_openat ffffffffa74dc755
[  +0.000168] rip: ffffffffa74dc755 rax: ffff8fbcc03c8000 rdx: 0 rdi: ffffa09e40013f58
[  +0.001568] PID: 1 
[  +0.000372] parent_ip: ffffffffa7005ee8
[  +0.000543] rsi string 
[  +0.000001] ip ffffffffa74dc750 hook at ffffffffc0b2e190
[  +0.001110] HOOKED dfd: -100 path: /proc/654/cgroup flags: 524288
[  +0.000805] HOOK sys_openat ffffffffa74dc755
[  +0.000072] rip: ffffffffa74dc755 rax: ffff8fbcc03c8000 rdx: 0 rdi: ffffa09e40013f58
[  +0.001595] PID: 1 
[  +0.000336] parent_ip: ffffffffa7005ee8
[  +0.000539] rsi string 
[  +0.000001] ip ffffffffa74dc750 hook at ffffffffc0b2e190
[  +0.001070] HOOKED dfd: -100 path: /proc/442/cgroup flags: 524288
[  +0.000781] HOOK sys_openat ffffffffa74dc755
[  +0.000071] rip: ffffffffa74dc755 rax: ffff8fbcc03c8000 rdx: 0 rdi: ffffa09e40013f58
[  +0.001550] PID: 1 
[  +0.000342] parent_ip: ffffffffa7005ee8
[  +0.000546] rsi string 
[  +0.000001] ip ffffffffa74dc750 hook at ffffffffc0b2e190
[  +0.001071] HOOKED dfd: -100 path: /proc/862/cgroup flags: 524288
