Linux kernel monitoring module: system call table address acquisition (Linux kernel version 3.13)

Source: Internet
Author: User
Tags: system log

Since Linux kernel 2.6, the kernel no longer exports the sys_call_table symbol, so a module that wants to intercept system calls has to locate the address of the system call table itself.

The working code comes first; the explanation follows.

modu.c

#include <linux/init.h>
#include <linux/module.h>
#include <linux/moduleparam.h>
#include <linux/unistd.h>
#include <linux/sched.h>
#include <linux/syscalls.h>
#include <linux/string.h>
#include <linux/fs.h>
#include <linux/fdtable.h>
#include <linux/uaccess.h>
#include <linux/rtc.h>

MODULE_LICENSE("Dual BSD/GPL");

#define _DEBUG
#ifdef _DEBUG
#define kprintk(fmt, args...) printk(KERN_ALERT fmt, ##args)
#else
#define kprintk(fmt, args...)
#endif

/* Number of bytes of system_call to scan for the dispatch instruction.
 * The value used by the original post was lost in this copy; 100 is assumed. */
#define SCAN_LEN 100

/* Function declaration */
long *get_sys_call_table(void);

long *g_sys_call_table = NULL;   /* saved address of sys_call_table */

/* Contents of the IDTR register on 32-bit x86: 16-bit limit, 32-bit base */
struct _idtr {
    unsigned short limit;
    unsigned int base;
} __attribute__((packed));

/* One 8-byte gate descriptor of the 32-bit IDT */
struct _idt_descriptor {
    unsigned short offset_low;
    unsigned short sel;
    unsigned char none, flags;
    unsigned short offset_high;
} __attribute__((packed));

/* Get the address of sys_call_table */
long *get_sys_call_table(void)
{
    struct _idt_descriptor *idt;
    struct _idtr idtr;
    unsigned int sys_call_off;
    int sys_call_table = 0;
    unsigned char *p;
    int i;

    /* read the IDTR register, which holds the base address of the IDT */
    asm("sidt %0" : "=m"(idtr));
    kprintk("address of idtr: 0x%x\n", (unsigned int)&idtr);

    /* the gate for int 0x80 is entry 0x80; every entry is 8 bytes */
    idt = (struct _idt_descriptor *)(idtr.base + 8 * 0x80);
    /* reassemble the handler address (system_call) from its two 16-bit halves */
    sys_call_off = ((unsigned int)(idt->offset_high << 16) |
                    (unsigned int)idt->offset_low);
    kprintk("address of IDT 0x80: 0x%x\n", sys_call_off);

    /* scan the start of system_call for "call *sys_call_table(,%eax,4)",
     * encoded as ff 14 85 followed by the 32-bit address of the table */
    p = (unsigned char *)sys_call_off;
    for (i = 0; i < SCAN_LEN; i++) {
        if (p[i] == 0xff && p[i + 1] == 0x14 && p[i + 2] == 0x85) {
            sys_call_table = *(int *)((int)p + i + 3);
            kprintk("address of sys_call_table: 0x%x\n", sys_call_table);
            return (long *)sys_call_table;
        }
    }
    return 0;
}

int monitor_init(void)
{
    kprintk("monitor init\n");
    g_sys_call_table = get_sys_call_table();
    return 0;
}

void monitor_exit(void)
{
    kprintk("monitor exit\n");
}

module_init(monitor_init);
module_exit(monitor_exit);

Makefile

obj-m := modu.o
# <N> stands for the exact 3.13.0-<N>-generic release; the number was lost in this copy,
# so take it from "uname -r" on the build machine
KERNELDIR := /lib/modules/3.13.0-<N>-generic/build
PWD := $(shell pwd)

modules:
	$(MAKE) -C $(KERNELDIR) M=$(PWD) modules

modules_install:
	$(MAKE) -C $(KERNELDIR) M=$(PWD) modules_install

Put modu.c and the Makefile in the same directory and run "make"; this compiles the module and produces modu.ko.

Run "sudo insmod modu.ko" to load the module into the kernel.

Run "dmesg" to view the kernel log, where the addresses printed by kprintk appear.

Now the rationale.

On 32-bit Linux a system call is triggered from user space by the software interrupt int 0x80. Once int 0x80 executes, the CPU hands control to the kernel, which enters the system_call routine; system_call dispatches to the handler by indexing sys_call_table with the system call number. In other words, sys_call_table is referenced from system_call.

system_call is the handler of the int 0x80 soft interrupt, that is, the handler address recorded for int 0x80 is the address of the system_call function. All interrupt handlers in Linux are recorded in the interrupt descriptor table (IDT), and the address of that table is held in the IDTR register, so the whole lookup chain is as follows.

Read the address of idt_table from the IDTR register, take entry 0x80 of idt_table to obtain the address of the system_call function, and finally obtain the address of sys_call_table from the code of system_call. That last step is the byte scan in get_sys_call_table: the dispatch instruction call *sys_call_table(,%eax,4) is encoded as the three bytes ff 14 85 followed by the 32-bit address of the table, so the first occurrence of that pattern in system_call yields the address. Everything here is specific to 32-bit x86: the module keeps addresses in unsigned int, relies on int 0x80 entering through an IDT gate, and matches the 32-bit encoding of the call; a 64-bit kernel enters system calls through the syscall instruction and a different entry routine, so this module will not find the table there.
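The two decoding steps above, run in user space on constructed bytes, as an added example that is not part of the original post: a made-up 32-bit IDT image whose gate 0x80 points at a fictitious handler address, and a few constructed bytes standing in for the start of system_call that contain the ff 14 85 encoding. The struct names (gate32), the helper functions and the sample addresses are mine; nothing is read from a live kernel. It goes slightly beyond the module in one respect: the scan is bounds-checked, so a pattern near the end of the buffer cannot make it read past the window.

```c
/* Added example: decode an IDT gate and locate the "call *disp32(,%eax,4)"
 * operand on constructed data.  Layouts are those of 32-bit x86. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* 8-byte gate descriptor as laid out in a 32-bit IDT */
struct gate32 {
    uint16_t offset_low;
    uint16_t sel;
    uint8_t  none;
    uint8_t  flags;
    uint16_t offset_high;
} __attribute__((packed));

/* Reassemble the handler address from the split offset fields */
uint32_t gate_offset(const struct gate32 *g)
{
    return ((uint32_t)g->offset_high << 16) | g->offset_low;
}

/* Decode the gate for `vector` out of a raw IDT image (8 bytes per entry) */
uint32_t idt_handler(const uint8_t *idt, size_t idt_len, unsigned vector)
{
    struct gate32 g;
    size_t off = (size_t)vector * sizeof g;
    if (off + sizeof g > idt_len)
        return 0;
    memcpy(&g, idt + off, sizeof g);        /* memcpy avoids unaligned access */
    return gate_offset(&g);
}

/* Scan `len` bytes of code for ff 14 85 imm32 and store the imm32 in *out.
 * Returns the byte position of the match, or -1.  All 7 bytes of the
 * instruction must lie inside the buffer. */
int find_table_operand(const uint8_t *code, size_t len, uint32_t *out)
{
    size_t i;
    for (i = 0; i + 7 <= len; i++) {
        if (code[i] == 0xff && code[i + 1] == 0x14 && code[i + 2] == 0x85) {
            memcpy(out, code + i + 3, 4);   /* little-endian imm32 */
            return (int)i;
        }
    }
    return -1;
}

/* ---- constructed sample data, not captured from any real kernel ---- */

/* IDT image with 0x81 gates; only gate 0x80 is filled in, pointing the
 * int 0x80 vector at the fictitious handler address 0xc15a1b00 */
static uint8_t sample_idt[8 * 0x81];

static void build_sample_idt(void)
{
    struct gate32 g = { .offset_low = 0x1b00, .sel = 0x0060,
                        .none = 0, .flags = 0xef,   /* present, DPL 3, 32-bit trap gate */
                        .offset_high = 0xc15a };
    memset(sample_idt, 0, sizeof sample_idt);
    memcpy(sample_idt + 8 * 0x80, &g, sizeof g);
}

/* Three pushes standing in for the start of system_call, then the dispatch
 * instruction with the fictitious table address 0xc16d2000, then padding */
static const uint8_t sample_code[] = {
    0x50, 0x51, 0x52,                           /* push %eax; push %ecx; push %edx */
    0xff, 0x14, 0x85, 0x00, 0x20, 0x6d, 0xc1,   /* call *0xc16d2000(,%eax,4) */
    0x90, 0x90                                  /* nop; nop */
};

/* Handler address recorded for vector 0x80 in the sample IDT */
uint32_t demo_handler(void)
{
    build_sample_idt();
    return idt_handler(sample_idt, sizeof sample_idt, 0x80);
}

/* Byte position of the dispatch instruction in the sample code */
int demo_table_pos(void)
{
    uint32_t t = 0;
    return find_table_operand(sample_code, sizeof sample_code, &t);
}

/* Table address extracted from the sample code */
uint32_t demo_table_value(void)
{
    uint32_t t = 0;
    find_table_operand(sample_code, sizeof sample_code, &t);
    return t;
}

int main(void)
{
    printf("int 0x80 handler: 0x%08x\n", demo_handler());
    printf("dispatch at byte %d, table operand 0x%08x\n",
           demo_table_pos(), demo_table_value());
    return 0;
}
```

Compile with gcc and run; the printed handler and table values are the constructed ones placed into the sample data, which is the point: the bytes the module reads on a live kernel have exactly this layout, so the same decoding can also be used to check that the gate and the dispatch target have not been tampered with.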
