如标题，我通过 ftrace hook 了系统调用表中的 sys_execve，但是当我打印 argv 和 envp 参数时，printk 打印出了一堆不可见字符。我该怎么做才能正常打印 argv 参数？
我的操作系统是ubuntu18.04,内核版本是5.4.0,编译器是gcc-7.5
我的钩子代码看起来像这样
/* Saved pointer to the original sys_execve handler (pt_regs calling convention); the hook calls through it. */
static asmlinkage long (*orig_sysexecve)(const struct pt_regs*);
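/*
 * Copy element @idx of the user pointer array @arr (argv/envp style)
 * into the kernel buffer @buf.
 *
 * Returns the string length on success, 0 if the element is the
 * terminating NULL (buf becomes ""), or a negative errno if either the
 * pointer or the string it points to cannot be read.  @buf is always
 * NUL-terminated on a non-negative return; strings longer than @cap - 1
 * bytes are truncated.
 */
static long copy_user_strv_elem(const char __user *const __user *arr, size_t idx, char *buf, size_t cap)
{
    const char __user *p;
    long len;

    if (!buf || cap == 0)
        return -EINVAL;

    /* The array element is itself a user pointer: fetch it first. */
    if (copy_from_user(&p, arr + idx, sizeof p))
        return -EFAULT;
    if (!p) {
        buf[0] = '\0';
        return 0;
    }

    len = strncpy_from_user(buf, p, cap);
    if (len < 0)
        return len;
    /*
     * strncpy_from_user() returns @cap, without writing a terminator,
     * when the source string does not fit.
     */
    if ((size_t)len >= cap) {
        buf[cap - 1] = '\0';
        len = (long)(cap - 1);
    }
    return len;
}

/*
 * ftrace hook for sys_execve on x86-64 (pt_regs calling convention):
 * regs->di = filename, regs->si = argv, regs->dx = envp.  Logs the
 * filename, argv[0] and envp[0], then forwards to the original handler.
 *
 * The earlier version copied regs->si and regs->dx with
 * strncpy_from_user() as if they were strings.  They are arrays of user
 * pointers (char *const argv[]), so the bytes that landed in the buffer
 * were pointer values, which is why printk showed unprintable characters.
 *
 * Returns whatever the original sys_execve returns (long, -errno on
 * failure).  The return type is long, not int, so a negative errno is
 * not truncated on its way back through the syscall path.
 */
asmlinkage long hook_sysexecve(const struct pt_regs *regs)
{
    const char __user *filename = (const char __user *)regs->di;
    const char __user *const __user *argv = (const char __user *const __user *)regs->si;
    const char __user *const __user *envp = (const char __user *const __user *)regs->dx;
    char file_name[NAME_MAX] = {0};
    char argv0[NAME_MAX] = {0};
    char envp0[NAME_MAX] = {0};
    long err_file;
    long err_argv;
    long err_envp;

    /*
     * Copy at most sizeof - 1 bytes so the zero-initialised last byte
     * keeps the buffer terminated even when the path is truncated.
     */
    err_file = strncpy_from_user(file_name, filename, sizeof file_name - 1);
    err_argv = copy_user_strv_elem(argv, 0, argv0, sizeof argv0);
    err_envp = copy_user_strv_elem(envp, 0, envp0, sizeof envp0);

    if (err_file >= 0 && err_argv >= 0 && err_envp >= 0)
        printk(KERN_INFO "[TestSysExecve]: filename = %s | argv[0] = %s | envp[0] = %s\n", file_name, argv0, envp0);

    /* Always forward, and hand the original result (including -errno) back to the caller. */
    return orig_sysexecve(regs);
}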
我尝试使用
char __user **argv = (char**)regs->si; char **argvs; long error = strncpy_from_user(argvs,argv,NAME_MAX) /* argvs is an uninitialised kernel pointer, not a buffer, and argv is an array of user pointers rather than a string: the element pointer has to be fetched with copy_from_user() first, then the string copied with strncpy_from_user() into a real kernel buffer */
,但是直接编译失败。
也尝试用
char **argv = (char**)regs->si;printk(KERN_INFO "%s",argv[0]); /* argv[0] dereferences a user-space pointer directly from kernel context, which kernel code must not do (the user mapping is not guaranteed to be accessible here) -- hence the crash; fetch the element with copy_from_user() and the string with strncpy_from_user() instead */
，但是这样会直接导致系统崩溃。
以 https://github.com/NoviceLive/research-rootkit/tree/master 为例，效果很好！
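/*
 * Declare and initialise a local variable of type @Type named @Name,
 * casting @From to that type.  The expansion deliberately carries no
 * trailing semicolon: the use site supplies it (`MKVAR(int, x, v);`),
 * so an extra empty statement is no longer produced.
 */
#define MKVAR(Type, Name, From) Type Name = (Type)(From)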
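/*
 * join_strings_from_user - copy a NULL-terminated array of user strings
 *                          (argv/envp style) into one kernel buffer
 * @ups:    user pointer to the array of user string pointers
 * @delim:  kernel string inserted between consecutive elements
 * @buff:   kernel buffer receiving the joined result
 * @bufcap: capacity of @buff in bytes
 *
 * Returns @buff on success.  Returns NULL if @buff is unusable, if the
 * first element pointer is NULL, or if any element pointer or string
 * cannot be read from user space.  Empty elements are kept (an empty
 * argument is legal).  Output that does not fit is truncated with
 * strlcat() semantics; the result is always NUL-terminated.
 *
 * Note: both this function and its caller keep a 1 KiB buffer on the
 * kernel stack.
 */
char *join_strings_from_user(const char __user *const __user *ups, const char *delim, char *buff, size_t bufcap)
{
    const char __user *up;
    char tmp[1024];
    size_t index;
    long len;

    if (!buff || bufcap == 0)
        return NULL;

    /* First element goes straight into buff. */
    if (copy_from_user(&up, ups, sizeof up))
        return NULL;
    len = strncpy_from_user(buff, up, bufcap);
    if (len < 0)
        return NULL;
    /*
     * strncpy_from_user() returns the full count, without writing a
     * terminator, when the string does not fit; terminate before
     * strlcat() reads buff as a C string.
     */
    if ((size_t)len >= bufcap)
        buff[bufcap - 1] = '\0';

    /* Remaining elements, up to the terminating NULL pointer. */
    for (index = 1; ; index++) {
        if (copy_from_user(&up, ups + index, sizeof up))
            return NULL;
        if (!up)
            break;
        len = strncpy_from_user(tmp, up, sizeof tmp);
        if (len < 0)
            return NULL;
        if ((size_t)len >= sizeof tmp)
            tmp[sizeof tmp - 1] = '\0';
        strlcat(buff, delim, bufcap);
        strlcat(buff, tmp, bufcap);
    }
    return buff;
}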
/*
 * Answer's execve hook (x86-64 pt_regs convention; regs->si holds argv).
 * Joins argv into one kernel buffer and logs it.
 *
 * NOTE(review): as quoted here the function neither forwards to the
 * original sys_execve nor returns a value although it is declared
 * `long`, so this fragment cannot be used as-is; presumably the complete
 * hook in the linked repository does both -- confirm there before use.
 * join_strings_from_user() returns NULL on failure, which "%s" renders
 * as "(null)".
 */
static asmlinkage long our_sys_execve(const struct pt_regs *regs)
{
MKVAR(const char __user *const __user *, argv, regs->si); /* argv = (const char __user *const __user *)regs->si; */
char tmp[1024]; /* kernel-stack buffer, same size as the helper's own tmp */
pr_info("execve: %s\n", join_strings_from_user(argv, " ", tmp, sizeof tmp));
}