c - Generalizing system call hijacking to any kernel symbol -

-

i know how hijack system calls in modern linux kernels enough engineer simple replacements them. code use hijack system call looks like:

static unsigned long *sys_call_table = (unsigned long*)<address of system call table>; … int make_rw(unsigned long address) {     unsigned int level;     pte_t *pte = lookup_address(address, &level);     if (pte->pte &~ _page_rw) {         pte->pte |= _page_rw;     }     return 0; } int make_ro(unsigned long address) {     unsigned int level;     pte_t *pte = lookup_address(address, &level);     pte->pte = pte->pte &~ _page_rw;     return 0; } … asmlinkage long (*real_<system call name>)(<system call arguments>);  asmlinkage long hijacked_<system call name>(<hijacked system call arguments>) {     // replacement code goes here } … void hack(void) {     make_rw((unsigned long)sys_call_table);     real_<system call name> = (void*)*(sys_call_table + __nr_<system call name>);     *(sys_call_table + __nr_<system call name>) = (unsigned long)hijacked_<system call name>;     make_ro((unsigned long)sys_call_table); } void restore(void) {     make_rw((unsigned long)sys_call_table);     *(sys_call_table + __nr_<system call name>) = (unsigned long)real_<system call name>;     make_ro((unsigned long)sys_call_table); }

linux exports other functions (i think called "symbols") used internally kernel. 1 such symbol capable, defined in linux/capability.c as:

bool capable(int cap) {     return ns_capable(&init_user_ns, cap); }

my theory can use same code use hijacking system calls, without bits sys_call_table , __nr_<system call name>. suspect might case system calls, since hijacking them involves replacing pointers addresses. work other symbols? if not, how can hijack them in simple way?

the short answer: method won't work generic functions , want @ kprobes.

the long answer below:

the reason easy hijack system calls because replacing memory address of original system call own function when system call table looked function there instead of original function. system call functions called indirectly via system call table. if code directly called system call function hijack not work.

for hijacking function not have simple method generic function can called various ways. example, can't scan text , replace call instructions calls function function address might stored in data (think c function pointer).

the typical way done replace beginning of function wish hijack call function. if not care every returning original function isn't difficult, placing trampoline whenever intended function called first thing , thing intended function call function. if want return intended function, i.e. want have function called every time target function called , go target function, things little more difficult. because replaced machine code @ beginning of function need. can handled generating machine code replaced machine code , jumps rest of original function code. kprobes doing except kprobes puts debug instruction (int 3 x86) @ beginning of function , debug handler calls probe function opposed placing call instruction.

note high level explanation details architecture specific. example, when replace intended instructions if instructions instruction pointer relative instructions things complicated instruction pointer not typically be. suggest looking @ kprobes of architecture specific details.


Comments

Post a Comment

Popular posts from this blog

python - No exponential form of the z-axis in matplotlib-3D-plots -

-
Image
i have similar problem described in how prevent numbers being changed exponential form in python matplotlib figure : i don't want (in special case) weird scientific formatting of axis. problem different have problem @ z -axis. 2-d plots can use ax.get_yaxis().get_major_formatter().set_useoffset(false) . , there no function ax.get_zaxis() what use format z -axis same way? edit: example: from mpl_toolkits.mplot3d import axes3d import numpy np import sys import matplotlib import matplotlib.pyplot pyplot def func(xi, ti): res = 10e3 + np.cos(ti) * np.sin(xi) return res if __name__ == '__main__': timespacing = 20 timestart = 0 timeend = 1 time = np.linspace(timestart, timeend, timespacing) widthspacing = 50 widthstart = 0 widthend = 3 width = np.linspace(widthstart, widthend, widthspacing) reslist = [] matplotlib.rcparams['legend.fontsize'] = 10 fig = pyplot.figure() ax = fig.gca(projection = '3d...
Read more

php - Best Light server (Linux + Web server + Database) for Raspberry Pi -

-
i install web server database on raspberry pi (little computer). computer has 1gb ram. i want know best combination: linux distribution , web server , dbms run local server multiple users minimal latency, use php on server. , best settings performance , not have bugs (memory usage, disable plugin, disable service, etc)? i thought light debian , lighttpd server , sqlite database. solution? i think lighttpd + sqlite great choice. linux distro, debian @ centos or tiny core linux , although i'm not sure of compatibility pi. obviously, can't go wrong raspbian if want use in production , more stable performance, few more pi's , set them in cluster .
Read more

c# - "Newtonsoft.Json.JsonSerializationException unable to find constructor to use for types" error when deserializing class -

-
i developing app in xamarin android. have splash screen serialize class , pass mainactivity using intent . when try deserialize in mainactivity error message : "serializationexception unable find constructor use types" serialization : void loaddata() { currency currency = new currency(this); intent = new intent(this, typeof(mainactivity)); intent.putextra("currency", newtonsoft.json.jsonconvert.serializeobject(currency)); startactivity(intent); } deserialization : cur = newtonsoft.json.jsonconvert.deserializeobject<currency> (intent.getstringextra("currency")); // error here class constructor : public currency(context context) { thiscontext = context; } i began experiencing problem after added parameter context context constructor. has caused this? how can solve it? possible serialize/deserialize class has parameters? you need have empty constructor in currency class in order deserialize it. ...
Read more