1 gadu atpakaļ · 7f94878ae3
--- a/examples/Makefile
+++ b/examples/Makefile
@@ -16,7 +16,7 @@ obj-m += print_string.o
 
				 obj-m += kbleds.o
			
 
				 obj-m += sched.o
			
 
				 obj-m += chardev2.o
			
 
				-obj-m += syscall.o
			
 
				+obj-m += syscall_steal.o
			
 
				 obj-m += intrpt.o
			
 
				 obj-m += cryptosha256.o
			
 
				 obj-m += cryptosk.o
			
--- a/examples/syscall_steal.c
+++ b/examples/syscall_steal.c
@@ -1,5 +1,5 @@
 
				 /*
			
 
				- * syscall.c
			
 
				+ * syscall_steal.c
			
 
				  *
			
 
				  * System call "stealing" sample.
			
 
				  *
			
@@ -61,7 +61,7 @@ module_param(sym, ulong, 0644);
 
				 
			
 
				 #endif /* Version < v5.7 */
			
 
				 
			
 
				-static unsigned long **sys_call_table;
			
 
				+static unsigned long **sys_call_table_stolen;
			
 
				 
			
 
				 /* UID we want to spy on - will be filled from the command line. */
			
 
				 static uid_t uid = -1;
			
@@ -206,18 +206,18 @@ static void disable_write_protection(void)
 
				     __write_cr0(cr0);
			
 
				 }
			
 
				 
			
 
				-static int __init syscall_start(void)
			
 
				+static int __init syscall_steal_start(void)
			
 
				 {
			
 
				-    if (!(sys_call_table = acquire_sys_call_table()))
			
 
				+    if (!(sys_call_table_stolen = acquire_sys_call_table()))
			
 
				         return -1;
			
 
				 
			
 
				     disable_write_protection();
			
 
				 
			
 
				     /* keep track of the original open function */
			
 
				-    original_call = (void *)sys_call_table[__NR_openat];
			
 
				+    original_call = (void *)sys_call_table_stolen[__NR_openat];
			
 
				 
			
 
				     /* use our openat function instead */
			
 
				-    sys_call_table[__NR_openat] = (unsigned long *)our_sys_openat;
			
 
				+    sys_call_table_stolen[__NR_openat] = (unsigned long *)our_sys_openat;
			
 
				 
			
 
				     enable_write_protection();
			
 
				 
			
@@ -226,13 +226,13 @@ static int __init syscall_start(void)
 
				     return 0;
			
 
				 }
			
 
				 
			
 
				-static void __exit syscall_end(void)
			
 
				+static void __exit syscall_steal_end(void)
			
 
				 {
			
 
				-    if (!sys_call_table)
			
 
				+    if (!sys_call_table_stolen)
			
 
				         return;
			
 
				 
			
 
				     /* Return the system call back to normal */
			
 
				-    if (sys_call_table[__NR_openat] != (unsigned long *)our_sys_openat) {
			
 
				+    if (sys_call_table_stolen[__NR_openat] != (unsigned long *)our_sys_openat) {
			
 
				         pr_alert("Somebody else also played with the ");
			
 
				         pr_alert("open system call\n");
			
 
				         pr_alert("The system may be left in ");
			
@@ -240,13 +240,13 @@ static void __exit syscall_end(void)
 
				     }
			
 
				 
			
 
				     disable_write_protection();
			
 
				-    sys_call_table[__NR_openat] = (unsigned long *)original_call;
			
 
				+    sys_call_table_stolen[__NR_openat] = (unsigned long *)original_call;
			
 
				     enable_write_protection();
			
 
				 
			
 
				     msleep(2000);
			
 
				 }
			
 
				 
			
 
				-module_init(syscall_start);
			
 
				-module_exit(syscall_end);
			
 
				+module_init(syscall_steal_start);
			
 
				+module_exit(syscall_steal_end);
			
 
				 
			
 
				 MODULE_LICENSE("GPL");
			
--- a/lkmpg.tex
+++ b/lkmpg.tex
@@ -1491,7 +1491,7 @@ $ sudo grep sys_call_table /proc/kallsyms
 
				 ffffffff82000280 R x32_sys_call_table
			
 
				 ffffffff820013a0 R sys_call_table
			
 
				 ffffffff820023e0 R ia32_sys_call_table
			
 
				-$ sudo insmod syscall.ko sym=0xffffffff820013a0
			
 
				+$ sudo insmod syscall_steal.ko sym=0xffffffff820013a0
			
 
				 \end{verbatim}
			
 
				 
			
 
				 Using the address from \verb|/boot/System.map|, be careful about \verb|KASLR| (Kernel Address Space Layout Randomization).