一、代碼及實現
(一) 劫持open系統調用的代碼
內核態實現劫持系統調用的代碼如下，來自參考鏈接1，即albcamus兄提供的代碼。我這裡屏蔽了一些代碼，僅實現了劫持open系統調用。需要注意的是，這段代碼的做法是先清除 CR0 的 WP 位、再直接改寫系統調用表，與內核 rootkit 使用的是同一種手法；請只在可隨時丟棄的測試虛擬機上加載，不要在生產機器上嘗試。
#include <linux/kernel.h>
#include <linux/init.h>
#include <linux/module.h>
#include <linux/kprobes.h>
#include <linux/kallsyms.h>
#include <linux/sched.h>
#include <linux/ptrace.h>
#include <linux/mm.h>
#include <linux/smp.h>
#include <linux/user.h>
#include <linux/errno.h>
#include <linux/cpu.h>
#include <asm/uaccess.h>
#include <asm/fcntl.h>
#include <asm/unistd.h>
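/*
 * Module metadata (description, authors, licence).
 * The author string as copied from the web page carried the forum's
 * "[email]...[/email]" markup inside the literal; that markup is not part
 * of the original source and is stripped here.
 */
MODULE_DESCRIPTION("Intercept the system call table in Linux");
MODULE_AUTHOR("alert7 (alert7@xfocus.org) \n\t\talbcamus <albcamus@gmail.com>");
MODULE_LICENSE("GPL");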
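/* comment the following line to shut me up */
#define INTERCEPT_DEBUG
/*
 * dbgprint(fmt, ...): debug trace to the kernel log, prefixed with the
 * calling function's name and source line. Expands to nothing useful
 * when INTERCEPT_DEBUG is not defined.
 *
 * Both branches expand to exactly one statement with NO trailing
 * semicolon, so the caller's own ';' terminates it and the macro is safe
 * in an unbraced if/else body. The previous definition carried a ';'
 * inside the expansion, which turned
 *     if (x) dbgprint("..."); else ...
 * into a syntax error (the stray ';' became an empty statement before
 * the 'else').
 *
 * NOTE(review): printk() is used without a KERN_* level, so messages go
 * out at the default level; kept as is to preserve behaviour. Anything a
 * caller passes through "%p" ends up in the kernel log.
 */
#ifdef INTERCEPT_DEBUG
#define dbgprint(format, args...) \
	printk("intercept: function:%s-L%d: " format, __func__, __LINE__, ##args)
#else
#define dbgprint(format, args...) do { } while (0)
#endif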
/**
 * the system call table
 *
 * my_table: location of the kernel's syscall table; presumably the
 * entries for the hooked calls get overwritten with our replacements
 * (that code is further down, not shown here).
 * orig_cr0: saved CR0 so the WP bit can be restored after patching
 * (see clear_and_return_cr0 below). It is an unsigned int, so this
 * file -- like its "movl %%cr0" asm and its 32-bit IDTR layout --
 * assumes x86-32.
 */
void **my_table;
unsigned int orig_cr0;
/**
 * the original syscall functions
 *
 * Saved entry points so the hooks can chain to the real handlers.
 * The prototypes look like the i386 2.6-era ones (sys_open with a plain
 * int mode, sys_execve taking struct pt_regs by value). NOTE(review):
 * they must match the target kernel exactly; a mismatch is not caught
 * at compile time because the table entries are void * (my_table above)
 * and get cast. Check against the running kernel before loading.
 */
asmlinkage long (*old_open) (char __user *filename, int flags, int mode);
asmlinkage int (*old_execve) (struct pt_regs regs);
/** do_execve and do_fork
 *
 * can_exec_fork: flag for the exec/fork interception path; nothing in the
 * visible code sets it, so it stays 0 in this cut-down build.
 * new_do_execve: address of the kernel's do_execve, meant to be filled by
 * can_intercept_fork_exec() (disabled under #if 0 below).
 */
unsigned int can_exec_fork = 0;
int (*new_do_execve) (char * filename,
		      char __user *__user *argv,
		      char __user *__user *envp,
		      struct pt_regs * regs);
/*
 * Image of the IDTR register as stored by "sidt": a 16-bit limit followed
 * by a 32-bit base. packed keeps sizeof == 6 (natural alignment would pad
 * it to 8 and misplace "base"). This is the 32-bit layout only; on
 * x86-64 the base field is 8 bytes wide.
 */
struct idtr {
	unsigned short limit;
	unsigned int base;
} __attribute__ ((packed));
/*
 * One 32-bit IDT gate descriptor (8 bytes, packed): the handler offset is
 * split into a low half (off1) and a high half (off2) around the code
 * segment selector, one reserved byte ("none") and the flags byte
 * (gate type / DPL / present on x86).
 */
struct idt {
	unsigned short off1;
	unsigned short sel;
	unsigned char none, flags;
	unsigned short off2;
} __attribute__ ((packed));
#if 0
/**
 * check if we can intercept fork/vfork/clone/execve or not
 *
 * Despite the name, this only resolves do_execve: it registers a kprobe
 * on that symbol purely so the kernel looks up its address, copies
 * kp_exec.addr into new_do_execve and unregisters the probe again.
 * kp_exec has no handlers set, so the probe itself does nothing while it
 * is registered. Without CONFIG_KPROBES it always reports failure.
 * Disabled with #if 0 in this cut-down version (only open() is hooked).
 *
 * return : 0 for no, 1 for yes
 */
struct kprobe kp_exec;
unsigned int can_intercept_fork_exec(void)
{
	int ret = 0;
#ifndef CONFIG_KPROBES
	return ret;	/* no kprobes, so no way to locate do_execve */
#endif
	kp_exec.symbol_name = "do_execve";
	/* expected to resolve symbol_name and fill kp_exec.addr on success */
	ret = register_kprobe(&kp_exec);
	if (ret != 0 ) {
		dbgprint("cannot find do_execve by kprobe.\n");
		return 0;
	}
	/* Cast the resolved address to do_execve's prototype (2.6-era). */
	new_do_execve = ( int (*)
	(char *,
	char __user * __user *,
	char __user * __user *,
	struct pt_regs *
	)
	) kp_exec.addr;
	/* NOTE(review): this puts a raw kernel text address in the kernel
	 * log, readable by anyone with dmesg access; older kernels print
	 * plain %p verbatim, newer ones hash it. */
	dbgprint("do_execve at %p\n", (void *)kp_exec.addr);
	unregister_kprobe(&kp_exec);
	return 1;
}
#endif
/**
* clear WP bit of CR0, and return the original value
*/
unsigned int clear_and_return_cr0(void)
{
unsigned int cr0 = 0;
unsigned int ret;
asm volatile ("movl %%cr0, %