在 5.2 以上内核中获取 sys_call_table 地址（通过扫描 entry_SYSCALL_64 → do_syscall_64 的指令字节，不依赖 kallsyms）

#include <linux/init.h>
#include <linux/module.h>
#include <linux/moduleparam.h>
#include <linux/errno.h>
#include <linux/fdtable.h>
#include <linux/fs.h>
#include <linux/kallsyms.h>
#include <linux/rtc.h>
#include <linux/sched.h>
#include <linux/slab.h>
#include <linux/string.h>
#include <linux/syscalls.h>
#include <linux/uaccess.h>
#include <linux/unistd.h>
#include <linux/vmalloc.h>
#include <asm/msr.h>

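/* Module metadata. */
MODULE_LICENSE("GPL");
MODULE_DESCRIPTION("hook sys_mkdir");

/*
 * Address of sys_call_table, filled in by hook_execve_init() on success.
 * Static storage is zero-initialised, so no explicit "= 0" (checkpatch
 * flags it); the value stays 0 while the table has not been located.
 * NOTE(review): a leading-underscore file-scope name is reserved by the C
 * standard; kept for compatibility with existing callers.
 */
unsigned long _sys_call_table;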

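/*
 * Locate the "call do_syscall_64" instruction inside entry_SYSCALL_64.
 *
 * Reads MSR_LSTAR (the 64-bit SYSCALL entry point) and scans the first
 * PAGE_SIZE bytes of the entry stub for the byte sequence 48 89 e6
 * ("mov %rsp,%rsi"), which this code relies on immediately preceding
 * "call do_syscall_64" in the 5.2+ entry code.  The pattern is specific to
 * that entry-stub layout; on a kernel whose stub differs the scan fails.
 *
 * The loop bound keeps the whole 3-byte pattern inside the PAGE_SIZE
 * window, so no byte past it is read.
 *
 * Returns the address of the byte following the pattern (expected to be
 * the e8 opcode of the call), or NULL if the pattern was not found.
 */
static void *
get_lstar_dosys_addr(void)
{
	unsigned long lstar;
	unsigned char *code;
	unsigned long i;

	rdmsrl(MSR_LSTAR, lstar);
	code = (unsigned char *)lstar;

	/* NOTE: logs an unhashed kernel text address to dmesg (lab use). */
	printk("[+] entry_SYSCALL_64 is at 0x%lx\n", lstar);

	for (i = 0; i + 3 <= PAGE_SIZE; i++) {
		if (code[i] == 0x48 && code[i + 1] == 0x89 && code[i + 2] == 0xe6)
			return code + i + 3;	/* -> call do_syscall_64 */
	}

	return NULL;
}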

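/*
 * Resolve the target of the "call do_syscall_64" found by
 * get_lstar_dosys_addr().
 *
 * Assumes the 5-byte e8 <rel32> call form (the scan only identifies the
 * preceding mov): the target is the address of the next instruction plus
 * the sign-extended 32-bit displacement.  The displacement is copied into a
 * signed 32-bit "int" so the sign extension happens naturally; this replaces
 * the zero-extend-then-OR-0xffffffff00000000 trick, which only worked
 * because kernel text happens to live in that 4 GiB range.
 *
 * Returns the address of do_syscall_64, or NULL if the call was not found.
 */
static void *
get_lstar_dosys(void)
{
	unsigned char *call_insn = get_lstar_dosys_addr();
	int rel32;	/* int is 32-bit on x86-64; operand is signed */

	if (!call_insn)
		return NULL;

	printk("[+] call_do_syscall_64 at: 0x%lx\n", (unsigned long)call_insn);

	/* Operand bytes follow the e8 opcode; memcpy avoids a typed
	 * unaligned read. */
	memcpy(&rel32, call_insn + 1, sizeof(rel32));
	printk("[+] offset is: 0x%08x\n", (unsigned int)rel32);

	/* rel32 is relative to the end of the 5-byte call instruction. */
	return call_insn + 5 + rel32;
}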

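/*
 * Find the sys_call_table load inside do_syscall_64.
 *
 * Scans PAGE_SIZE bytes from @do_syscall_64_addr for 48 8b 04 fd <disp32>,
 * i.e. "mov disp32(,%rdi,8),%rax": the table lookup indexed by the syscall
 * number in %rdi.  Whether the compiler emits exactly this encoding is
 * toolchain dependent; the scan returns NULL on a kernel where it does not.
 *
 * The loop stops while the 4 opcode bytes AND the 4-byte displacement still
 * fit inside the window, so neither this scan nor the caller's read of the
 * displacement touches memory past it.
 *
 * @do_syscall_64_addr: start of do_syscall_64 (from get_lstar_dosys());
 *                      must point at PAGE_SIZE readable bytes, or be NULL.
 *
 * Returns a pointer to the 4-byte displacement operand, or NULL.
 */
static void *
get_sys_sct_addr(unsigned long *do_syscall_64_addr)
{
	unsigned char *code = (unsigned char *)do_syscall_64_addr;
	unsigned long i;

	if (!code)
		return NULL;

	for (i = 0; i + 8 <= PAGE_SIZE; i++) {
		if (code[i] == 0x48 && code[i + 1] == 0x8b &&
		    code[i + 2] == 0x04 && code[i + 3] == 0xfd)
			return code + i + 4;
	}

	return NULL;
}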

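/*
 * Decode the address of sys_call_table from the instruction located by
 * get_sys_sct_addr().
 *
 * In "mov disp32(,%rdi,8),%rax" the displacement is a signed 32-bit value
 * that the CPU sign-extends to 64 bits, so the table address is obtained by
 * reading disp32 into a signed int and widening it.  For a kernel-space
 * table (top bit set) this gives 0xffffffffXXXXXXXX; unlike zero-extending
 * and OR-ing a fixed 0xffffffff00000000 base, it is also right for a
 * displacement whose top bit is clear.
 *
 * @do_syscall_64_addr: start of do_syscall_64.
 *
 * Returns the address of sys_call_table, or NULL if the load was not found.
 */
static void *
get_sys_sct(unsigned long *do_syscall_64_addr)
{
	unsigned char *disp = get_sys_sct_addr(do_syscall_64_addr);
	int disp32;

	if (!disp)
		return NULL;

	memcpy(&disp32, disp, sizeof(disp32));

	return (void *)(long)disp32;
}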

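/*
 * Locate sys_call_table and cache it in _sys_call_table.
 *
 * Despite the name nothing is hooked here: the function walks
 * MSR_LSTAR -> entry_SYSCALL_64 -> do_syscall_64 -> sys_call_table with the
 * byte-pattern scanners above and records the result.  Because the scanners
 * match raw code bytes, a wrong hit is possible on an unexpected build;
 * NOTE(review): cross-checking against kallsyms_lookup_name("sys_call_table")
 * where that symbol is still exported would catch such a mismatch.
 *
 * Returns 0 on success and -ENOENT when either scan fails, so a module_init
 * caller can reject the load instead of continuing with _sys_call_table 0.
 */
static int hook_execve_init(void)
{
	unsigned long *do_syscall_64_addr;
	void *sct;

	printk("[+] Finding sys_call_table\n");

	do_syscall_64_addr = get_lstar_dosys();
	if (!do_syscall_64_addr) {
		printk("[x] Failed to find do_syscall_64_addr\n");
		return -ENOENT;
	}
	printk("[+] Found do_syscall_64_addr at: 0x%lx\n",
	       (unsigned long)do_syscall_64_addr);

	sct = get_sys_sct(do_syscall_64_addr);
	if (!sct) {
		printk("[x] Failed to find sys_call_table\n");
		return -ENOENT;
	}
	/* Only publish the address once both scans succeeded. */
	_sys_call_table = (unsigned long)sct;
	printk("[+] Found sys_call_table at: 0x%lx\n", _sys_call_table);

	return 0;
}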

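/*
 * module_init entry point.
 *
 * Runs the full sys_call_table discovery instead of only the first scan
 * (whose result was previously discarded, leaving _sys_call_table unset),
 * and propagates hook_execve_init()'s return value so any error it reports
 * fails the module load.
 */
static int hooked_init(void)
{
	return hook_execve_init();
}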

/*
 * module_exit counterpart of hooked_init().  The module only reads kernel
 * text and never patches anything, so there is nothing to undo.
 */
static void hooked_exit(void)
{
}

/* Register the module entry/exit callbacks. */

module_init(hooked_init);

module_exit(hooked_exit);