Topsy FreeBSD kernel module (1)

1. Introduce

First, the concept of kernel module, as well as the concept of system call, the point is FreeBSD security level issues, usually at level 2 can not load modules

You can adjust the settings with Sysctl or add the following entries to the/etc/rc.conf to adjust at startup:

Kern_securelevel_enable= "YES"

Kern_securelevel= "2"

This article is for educational purposes only: all the code involved can be found in Curiousyellow (CY).

1.2. Kernel module

Refer to the kernel link mechanism (KLD) Programming Guide for Scz@nsfocus's predecessors, which is well understood if you understand Linux lkm. There are simple examples in/usr/share/examples/kld/.

1.2 Some useful functions

Here are some useful functions, which are usually used in system calls using the COPYIN/COPYOUT/COPYINSTR/COPYOUTSTR function to get a continuous chunk of data from user space, Manpagecopy (9) can get more understanding, You can find it in kldtutorial.

Here is a small example to show the usage of copyin, we construct a system call with a string pointer as parameter, and move the string from user space to kernel space by copyin

structexample_call_args{
　　 char*buffer;
};
int
example_call(structproc*p,structexample_call_args*uap)
{
　　 interror;
　　 charkernel_buffer_copy[BUFSIZE];
　　 /*copyintheuserdata*/
　　 error=copyin(uap->buffer,&kernel_buffer_copy,BUFSIZE);
　　 [...]
}
fetch/store

These two functions are used to get smaller chunks of data, small to byte or word length.

Spl..

This function is used to adjust interrupt precedence, which can be used to prevent the execution of some interrupt handlers, in the following example when the interrupt handler function pointer Icmp_input modified, because it usually takes some time, so we want to prevent the processing of this interrupt.

2. Methods

This section lists some of the common methods that will be used in later specific techniques, such as hidden processes, network connections. Of course, these methods can also be used to achieve the other.

2.1. Modify function pointer

The oldest and most frequently used method, modify the function pointer to point to your function, or rewrite/dev/kmem to achieve the same purpose. Following

Note that when you modify the function pointer, your new function has the same invocation parameters as the original function. Here are some of the kernel functions that are typically used to hook

2.1.1 System call

The classic hook method, FreeBSD, maintains a series of system calls through a global array of sysent structures, see/SYS/KERN/INIT_SYSENT.C

structsysentsysent[]={
　　　　 {0,(sy_call_t*)nosys},　　　　　　　　　　　/*0=syscall*/
　　　　 {AS(rexit_args),(sy_call_t*)exit},　　　　　/*1=exit*/
　　　　 {0,(sy_call_t*)fork},　　　　　　　　　　　/*2=fork*/
　　　　 {AS(read_args),(sy_call_t*)read},　　　　　/*3=read*/
　　　　 {AS(write_args),(sy_call_t*)write},　　　　/*4=write*/
　　　　 {AS(open_args),(sy_call_t*)open},　　　　　/*5=open*/
　　　　 {AS(close_args),(sy_call_t*)close},　　　　/*6=close*/
　　　　 [...]

The structure sysent is defined in/sys/sys/syscall.h, and the system call number is also defined in this file. For example, you want to replace the open system call, which is done in the Mod_load section of your module's load function

sysent[sys_open]= (sy_call_t*) Your_new_open

Then fix the original system call in your module uninstall section

Sysent[sys_open].sy_call= (sy_call_t*) Open;