歡迎您光臨本站 註冊首頁

Linux下實現劫持系統調用

←手機掃碼閱讀     火星人 @ 2014-03-09 , reply:0

  一、代碼及實現

  (一) 劫持open系統調用的代碼

  內核態實現劫持系統調用的代碼如下,來自參考鏈接1,即albcamus兄提供的代碼.我這裡屏蔽了一些代碼,僅實現了劫持open系統調用.

  #include <linux/kernel.h>

  #include <linux/init.h>

  #include <linux/module.h>

  #include <linux/kprobes.h>

  #include <linux/kallsyms.h>

  #include <linux/sched.h>

  #include <linux/ptrace.h>

  #include <linux/mm.h>

  #include <linux/smp.h>

  #include <linux/user.h>

  #include <linux/errno.h>

  #include <linux/cpu.h>

  #include <asm/uaccess.h>

  #include <asm/fcntl.h>

  #include <asm/unistd.h>

  MODULE_DESCRIPTION("Intercept the system call table in Linux");

  MODULE_AUTHOR("alert7 ([email]alert7@xfocus.org[/email]) \n\t\talbcamus <[email]albcamus@gmail.com[/email]>");

  MODULE_LICENSE("GPL");

  /* comment the following line to shut me up */

  #define INTERCEPT_DEBUG

  #ifdef INTERCEPT_DEBUG

  #define dbgprint(format,args...) \

  printk("intercept: function:%s-L%d: "format, __FUNCTION__, __LINE__, ##args);

  #else

  #define dbgprint(format,args...) do {} while(0);

  #endif

  /**

  * the system call table

  */

  void **my_table;

  unsigned int orig_cr0;

  /**

  * the original syscall functions

  */

  asmlinkage long (*old_open) (char __user *filename, int flags, int mode);

  asmlinkage int (*old_execve) (struct pt_regs regs);

  /** do_execve and do_fork */

  unsigned int can_exec_fork = 0;

  int (*new_do_execve) (char * filename,

  char __user *__user *argv,

  char __user *__user *envp,

  struct pt_regs * regs);

  struct idtr {

  unsigned short limit;

  unsigned int base;

  } __attribute__ ((packed));

  struct idt {

  unsigned short off1;

  unsigned short sel;

  unsigned char none, flags;

  unsigned short off2;

  } __attribute__ ((packed));

  #if 0

  /**

  * check if we can intercept fork/vfork/clone/execve or not

  *

  * return : 0 for no, 1 for yes

  */

  struct kprobe kp_exec;

  unsigned int can_intercept_fork_exec(void)

  {

  int ret = 0;

  #ifndef CONFIG_KPROBES

  return ret;

  #endif

  kp_exec.symbol_name = "do_execve";

  ret = register_kprobe(&kp_exec);

  if (ret != 0 ) {

  dbgprint("cannot find do_execve by kprobe.\n");

  return 0;

  }

  new_do_execve = ( int (*)

  (char *,

  char __user * __user *,

  char __user * __user *,

  struct pt_regs *

  )

  ) kp_exec.addr;

  dbgprint("do_execve at %p\n", (void *)kp_exec.addr);

  unregister_kprobe(&kp_exec);

  return 1;

  }

  #endif

  /**

  * clear WP bit of CR0, and return the original value

  */

  unsigned int clear_and_return_cr0(void)

  {

  unsigned int cr0 = 0;

  unsigned int ret;

  asm volatile ("movl %%cr0, %


[火星人 ] Linux下實現劫持系統調用已經有403次圍觀

http://coctec.com/docs/linux/show-post-50683.html