On the first code:
#include
#include
#include
#include
#include
#include
#include
#include
//log out put
Void PRINT_LOGS (const char * data, int changeLine)
{
Char buf [256]={0};
Char rbuf [512]={0};
Mm_segment_t fs.
Loff_t pos=0;
Struct file * fp_w=filp_open ("/home/x/Projects/log ", O_RDWR | O_CREAT, 0644);
Strcpy (buf, data);
If (changeLine) strcat (buf, "\ n");
If (IS_ERR (fp_w)) return;
Fs=get_fs ();
Set_fs (KERNEL_DS);
Pos=0;
Vfs_read (fp_w rbuf, 1024, & amp; Pos);
Strcat (rbuf, buf);
Pos=0;
Vfs_write (fp_w rbuf, strlen (rbuf), & amp; Pos);
Filp_close (fp_w, NULL);
Set_fs (fs);
}
Void PRINT_LOG (unsigned long ul)
{
Char buf [256]={0};
Sprintf (buf, "% lu", ul);
PRINT_LOGS (buf, 1);
}
//find the kallsyms_lookup_name addr
Unsigned long (* kallsyms_lookup_name_fun) (const char * name)=NULL;
Int noop_pre (struct kprobe * p, struct pt_regs * regs) {
return 0;
}
The static struct kprobe KP={
. Symbol_name="kallsyms_lookup_name",
};
Int find_kallsyms_lookup_name (void) {
Int ret=1;
KP. Pre_handler=noop_pre;
Ret=register_kprobe (& amp; KP);
If (ret & lt; 0 {
Register_kprobe PRINT_LOGS (" failed ", 1);
return ret;
}
PRINT_LOGS (" kallsyms_lookup_name addr: ", 0). PRINT_LOG ((unsigned long) KP. Addr);
KP kallsyms_lookup_name_fun=(void *). Addr;
Unregister_kprobe (& amp; KP);
return ret;
}
//hook function
Sys_openat_original asmlinkage long (*) (int, const char *, int, umode_t);
Asmlinkage long sys_openat_new (int DFD, const char * filename, int flags, umode_t mode)
{
PRINT_LOGS (" filename ", 0); PRINT_LOGS (filename, 1);
Return sys_openat_original (DFD, filename, flags, mode).
}
//the enable and disable write protecion
The static unsigned long __lkm_order;
The static inline unsigned long lkm_read_cr0 (void)
{
Unsigned long val.
Asm volatile (" mov cr0, % % % 0 \ n \ t ":"=r (val), ""=" m "(__lkm_order));
return val;
}
The static inline void lkm_write_cr0 (unsigned long val)
{
Asm volatile (" mov % 0, % % cr0 ": :" r "(val), and" m "(__lkm_order));
}
Void disable_write_protection (void)
{
Unsigned long cr0=lkm_read_cr0 ();
Clear_bit (16, & amp; Cr0);
Lkm_write_cr0 (cr0);
PRINT_LOGS (" disable_write_protection complete!" , 1);
}
Void enable_write_protection (void)
{
Unsigned long cr0=lkm_read_cr0 ();
Set_bit (16, & amp; Cr0);
Lkm_write_cr0 (cr0);
PRINT_LOGS (" enable_write_protection complete!" , 1);
}
//the module init
The static void * * sys_call_table;
Static int mod_init (void)
{
Find_kallsyms_lookup_name ();
Sys_call_table=(void * *) kallsyms_lookup_name_fun (" sys_call_table ");
if (! Sys_call_table) {
PRINT_LOGS (" find sys_call_table failed!" , 1);
return 0;
}
Disable_write_protection ();
Sys_openat_original=sys_call_table [__NR_openat];
PRINT_LOGS (" sys_openat_old: ", 0); PRINT_LOG ((unsigned long) sys_openat_original);
Sys_call_table [__NR_openat]=sys_openat_new;
PRINT_LOGS (" sys_open_new: ", 0); PRINT_LOG ((unsigned long) sys_openat_new);
Enable_write_protection ();
PRINT_LOGS (" init complete!" , 1);
return 0;
}
The static void mod_exit (void)
{
Disable_write_protection ();
Sys_call_table [__NR_openat]=sys_openat_original;
Enable_write_protection ();
}
The module_init (mod_init);
Module_exit (mod_exit);
MODULE_LICENSE (" GPL ");
System: UBUNTU 20.04 LTS (virtual machine and machine) and CENTOS8 (virtual machine) X64 phenomenon consistent
Questions as follows: when I insmod system instantly collapse, look at the log to find problems in mod_init sys_openat_original=sys_call_table [__NR_openat]; This line should be read sys_call_table __NR_openat what error occurred, and then I tried to hook calls for __NR_open, can normal insmod, watch call sys_open address can also be written to, whether dalao know what reason be?