Hijacking of system calls in Linux 2.6 kernel

Article title: Hijacking of system calls in Linux 2.6 kernel. Linux is a technology channel of the IT lab in China. Includes basic categories such as desktop applications, Linux system management, kernel research, embedded systems, and open source.
2.6 hijacking of system calls in the kernel
　　
Almost all operations between empty users are implemented through system calls in the system kernel. I also wrote an article about system calls, here we will briefly introduce the process. when a user executes an operation, the program that opens the file will call the open function in the glib Library, in the end, the implementation of the open function in the kernel is called by the open system. when you execute the open function, the user space will switch to the kernel and switch through int 80, enter the kernel space and a sys_call_table symbol will be found. sys_call_table is a pointer to the system call number list, and then find the expected system call number in sys_call_table, find the kernel system call by using the system call number, and then execute the system call.
　　
Hijacking of system calls means we construct a system call by ourselves and find a way to point the system call number of sys_call_table to our own function. In the original 2.2 kernel, sys_call_table can be exported directly, so that we can easily get control of sys_call_table to hijack the system call. However, after 2.4, considering the security issue, it is not allowed to export sys_call_table, which makes it more difficult to control sys_call_table. someone later reads the address of sys_call_table from/dev/kmem, then, the sys_call_table address is used to hijack the system call. later, a better method is found to directly find the address of sys_call_table without/dev/kmem. This method is particularly discussed here.
　　
The principle of this method is relatively simple, but the idea is good. The implementation process is to build a kernel module and export a sys_call_table in this module, because the kernel's sys_call_table cannot be exported, therefore, we can export sys_call_table in the self-compiled kernel module. In the module, we find the reference of int 80 to sys_call_table, find the address of sys_call_table, and point the sys_call_table to this address, in this way, the exported sys_call_table is no different from the actual sys_call_table.
　　
The implementation code is as follows:
　　
Getsyscall. c file
　　
Code ::
　　
# Ifndef _ SYSCALL_INCLUDE __
# Define _ SYSCALL_INCLUDE __
# Endif
# Ifdef MODVERSIONS
# Include
# Endif
# Include
# Include
MODULE_LICENSE ("GPL ");
MODULE_AUTHOR ("xinhe ");
MODULE_DESCRIPTION ("export the sys_call_table ");
# If! Defined (symname)
# Error symname not defined
# Endif
# Define CALLOFF 100
Unsigned symname;/* # define */
Struct {
Unsigned short limit;
Unsigned int base;
} _ Attribute _ (packed) idtr;
　　
Struct {
Unsigned short off1;
Unsigned short sel;
Unsigned char none,
Flags;
Unsigned short off2;
} _ Attribute _ (packed) * idt;
　　
Void set_symbol_addr (unsigned old_value, unsigned new_value)
{
Struct module * mod;
Struct kernel_symbol * s;
Int I;
For (mod = THIS_MODULE, s = mod-> syms, I = 0; I num_syms; ++ I, ++ s)
If (s-> value = old_value)
{
S-> value = new_value;
Return;
}
/* Traverses the symbol table of this module and calls an address of the symbol sys_call_table in this module.
Set it to the actual address of the system sys_call_table. */
}
　　
Char * findoffset (char * start)
{
Char * p;
For (p = start; p off2 off1;
/* Find the entry address of int 80 */
If (p = findoffset (char *) sys_call_off )))
{
Sct = * (unsigned *) (p + 3 );
Set_symbol_addr (unsigned) & symname, sct );
}
EXPORT_SYMBOL (sys_call_table );
Return 0;
}
　　
Static void _ exit fini (void)
{
}
Module_init (init );
Module_exit (fini );
　　
Makefile of getsyscall
Code ::
　　
Obj-m: = getsyscall. o
EXTRA_CFLAGS: =-Dsymname = sys_call_table
KDIR: =/lib/modules/$ (shell uname-r)/build
PWD: = $ (shell pwd)
Default:
$ (MAKE)-C $ (KDIR) SUBDIRS = $ (PWD) modules
Clean:
$ (RM)-rf. *. cmd *. mod. c *. o *. ko. tmp *
　　
To prove that sys_call_table is indeed exported, let's write a system call hijacking module to prove it.
Getmkdir. c file
Code ::
　　
# Ifndef _ GETMKDIR_INCLUDE __
# Define _ GETMKDIR_INCLUDE __
# Endif
# Include
# Include
# Include
# Include
# Include
# Include
# Include
MODULE_LICENSE ("GPL ");
MODULE_AUTHOR ("xinhe ");
MODULE_DESCRIPTION ("export the sys_call_table ");
Extern void * sys_call_table [];
Int (* orig_mkdir) (const char * path);/* points to the system's mkdir */
/* Construct your own mkdir */
Int hacked_mkdir (const char * path)
{
Printk ("this is a test ");
Return 0;
}
Static int _ init (void)
{
Orig_mkdir = sys_call_table [_ NR_mkdir];
Sys_call_table [_ NR_mkdir] = hacked_mkdir;
/* Point the mkdir of sys_call_table to the self-constructed hacked_mkdir */
}
Static void _ exit fini (void)
{
Sys_call_table [_ NR_mkdir] = orig_mkdir;
/* Restore */
}
Module_init (init );
Module_exit (fini );
　　
Corresponding makefile file
Code ::
　　
Obj-m: = getmkdir. o
KDIR: =/lib/modules/$ (shell uname-r)/build
PWD: = $ (shell pwd)
Default:
$ (MAKE)-C $ (KDIR) SUBDIRS = $ (PWD) modules
Clean:
$ (RM)-rf. *. cmd *. mod. c *. o *. ko. tmp *
　　
After the two modules are loaded, use mkdir to create a directory and you will find that you cannot create a directory.
　　
Note: All the above code has passed the test in 2.6.9.
　　
Problems:
　　
Some problems were also found during the test.
　　
When I compile in 2.6.11.4, it is okay to load getsyscall. when I load getmkdir, there is an error and the kernel is abnormal. Many gnome programs have problems, when executing the mkdir command, an error occurs.