Kernel Programming
Kernel Symbol Table
Intercepting the Open System Call
With the 2.6 kernel the sys_call_table symbol is not exported. There are a few hacks to play with sys_call_table; this is one of the simpler methods of overriding it. I have implemented this as a kernel module to have my own implementation of the open system call. (This code is tested on Ubuntu 8.04 with the 2.6.24-16-generic kernel.)
- System.map-2.6.24-16-generic is a file which tells us where the sys_call_table will be loaded in memory.
shrikar@shrikar-desktop:/boot$ grep sys_call System* -i
System.map-2.6.24-16-generic:c0320500 R sys_call_table
Now with this command we can tell that the table is located at the address starting from c0320500.
- __NR_open is the index into the syscall table which points to the open system call. So simple logic like this should work fine.
#include <linux/kernel.h> /* simple_strtoul() */
#include <linux/unistd.h> /* __NR_open */
/* Address of sys_call_table taken from System.map (c0320500 on this kernel) */
unsigned long *sys_call_table;
unsigned long myval;
/* The original open() handler, and our replacement defined elsewhere in the module */
asmlinkage int (*original_call)(const char __user *, int, int);
asmlinkage int our_sys_open(const char __user *filename, int flags, int mode);
/* in init_module(): */
myval = simple_strtoul("0xC0320500", NULL, 16);
sys_call_table = (unsigned long *)myval;
/*
* Keep a pointer to the original function in
* original_call, and then replace the system call
* in the system call table with our_sys_open
*/
original_call = (void *)sys_call_table[__NR_open];
sys_call_table[__NR_open] = (unsigned long)our_sys_open;
FYI: The chances of getting a kernel panic are high if things are not done properly. Please use this method at your own risk.
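The defensive counterpart of the above, as an added example that is not the page's own code: parse the System.map format shown earlier and check a dump of sys_call_table entries against it, so an entry redirected away from its handler (here __NR_open) stands out. The System.map excerpt (only the sys_call_table line is from the page), the dumped table values and the helper names are constructed for the example; the i386 syscall numbers are the real ones.

```python
"""Check dumped sys_call_table entries against System.map (added example)."""

# Constructed System.map excerpt; only the sys_call_table line is from the page.
SYSTEM_MAP = """\
c0103000 T sys_open
c0103100 T sys_read
c0103200 T sys_write
c0103300 T sys_close
c0320500 R sys_call_table
"""

# i386 syscall numbers used as indices into the table.
NR = {"read": 3, "write": 4, "open": 5, "close": 6}

# Constructed dump of live table entries: open no longer points at sys_open
# but at an address that is not in System.map (typical of module text).
LIVE_TABLE = {3: 0xC0103100, 4: 0xC0103200, 5: 0xF8A2C000, 6: 0xC0103300}
EXPECTED = {3: "sys_read", 4: "sys_write", 5: "sys_open", 6: "sys_close"}


def parse_system_map(text):
    """Parse 'address type name' lines into {name: address}."""
    syms = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            syms[parts[2]] = int(parts[0], 16)
    return syms


def entry_address(syms, nr, ptr_size=4):
    """Address of sys_call_table[nr]: the page's pointer arithmetic on a 32-bit kernel."""
    return syms["sys_call_table"] + nr * ptr_size


def find_hooked_entries(syms, table, expected):
    """Return (nr, target, description) for entries not pointing at their handler."""
    by_addr = {addr: name for name, addr in syms.items()}
    findings = []
    for nr, name in expected.items():
        target = table[nr]
        if target != syms[name]:
            what = by_addr.get(target, "not in System.map (e.g. module text)")
            findings.append((nr, target, what))
    return findings


if __name__ == "__main__":
    syms = parse_system_map(SYSTEM_MAP)
    print("sys_call_table[__NR_open] lives at %#x" % entry_address(syms, NR["open"]))
    for nr, target, what in find_hooked_entries(syms, LIVE_TABLE, EXPECTED):
        print("syscall %d -> %#x (%s)" % (nr, target, what))
```

On a real system the table dump would have to come from kernel context (the live kernel, a crash dump or a memory image); the comparison logic is the same.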
Source
Linux Kernel Modules
1. What are LKMs
LKMs are Loadable Kernel Modules used by the Linux kernel to extend its functionality. The advantage of LKMs is that they can be loaded dynamically; the whole kernel does not have to be recompiled. Because of this they are often used for specific device drivers (or filesystems), such as sound cards. Every LKM consists of (at least) two basic functions.
Loading a module - normally restricted to root - is managed by issuing the insmod command, which does the following (for system calls see I.2):
- Load the object file (here module.o)
- call the create_module system call for relocation of memory
- unresolved references are resolved against kernel symbols with the get_kernel_syms system call
- after this the init_module system call is used for the LKM initialisation -> executing int init_module(void) etc.
So I think we can write our first little LKM just showing how it basically works:
#define __KERNEL__ /* We're part of the kernel */
#define MODULE /* Not a permanent part, though. */
/* Standard headers for LKMs */
#include <linux/modversions.h>
#include <linux/module.h>
#include <linux/kernel.h> /* printk() */
#include <linux/tty.h> /* console_print() interface */
/* Initialize the LKM */
int init_module(void)
{
printk("Hello, world - this is the kernel speaking\n");
/* If we return a non zero value, it means that
* init_module failed and the LKM can't be loaded
*/
return 0;
}
The example above can easily be compiled; it is then loaded with:
insmod helloworld.o
Module Pages Used by
helloworld 1 0
You only have a very restricted set of commands (see I.6). With those commands you cannot do much, so you will learn how to use lots of functions you know from your userspace applications to help you hack the kernel. Just be patient, we have to do something else before...
Proc as a Programmer's Tool
What Is /proc?
dr-xr-xr-x 2 shrikar shrikar 0 2009-07-26 14:33 attr
-r-------- 1 shrikar shrikar 0 2009-07-26 14:33 auxv
-r--r--r-- 1 shrikar shrikar 0 2009-07-26 14:33 cgroup
--w------- 1 shrikar shrikar 0 2009-07-26 14:33 clear_refs
-r--r--r-- 1 shrikar shrikar 0 2009-07-26 14:33 cmdline
-rw-r--r-- 1 shrikar shrikar 0 2009-07-26 14:33 coredump_filter
lrwxrwxrwx 1 shrikar shrikar 0 2009-07-26 14:26 cwd -> /proc
-r-------- 1 shrikar shrikar 0 2009-07-26 14:33 environ
lrwxrwxrwx 1 shrikar shrikar 0 2009-07-26 14:33 exe -> /bin/bash