hook系统调用表函数sys_execve后如何打印argv参数

问题描述

如标题,我通过ftrace hook了系统调用表函数sys_execve,但是当我打印argv参数和envp参数时,printk函数打印了一堆不可见的字符,我该怎么做才能正常打印argv参数


我的操作系统是ubuntu18.04,内核版本是5.4.0,编译器是gcc-7.5

我的钩子代码看起来像这样

/* Saved address of the original sys_execve handler; the hook calls it after logging. */
static asmlinkage long (*orig_sysexecve)(const struct pt_regs *regs);

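/*
 * Copy a NULL-terminated array of user-space strings (the argv/envp layout)
 * into @dst as one space-separated, NUL-terminated string.
 *
 * @dst  kernel buffer of @cap bytes (cap must be > 0)
 * @cap  size of @dst; output is truncated to @cap - 1 bytes
 * @uv   user pointer to the array of user pointers; NULL yields ""
 *
 * Returns 0 on success or a negative errno (-EFAULT) if any element
 * pointer or string could not be read. @dst is always NUL-terminated
 * on return, whichever path is taken.
 */
static long copy_user_strv(char *dst, size_t cap,
			   const char __user *const __user *uv)
{
	size_t used = 0;
	size_t i;

	dst[0] = '\0';
	if (!uv)
		return 0;

	for (i = 0; used < cap - 1; i++) {
		const char __user *us;
		long n;

		/* Each element is itself a user pointer: fetch it before use. */
		if (get_user(us, uv + i))
			return -EFAULT;
		if (!us)
			break;
		if (i > 0)
			dst[used++] = ' ';
		n = strncpy_from_user(dst + used, us, cap - 1 - used);
		if (n < 0)
			return n;
		used += n;
	}
	/* strncpy_from_user() does not terminate a truncated copy. */
	dst[used] = '\0';
	return 0;
}

/*
 * ftrace hook for __x64_sys_execve(const struct pt_regs *regs).
 *
 * x86-64 syscall ABI: regs->di = filename, regs->si = argv, regs->dx = envp.
 * argv and envp are NOT strings: they are user-space arrays of user-space
 * char pointers terminated by NULL. Calling strncpy_from_user() on the
 * array pointer copies raw pointer bytes, which is the "invisible
 * characters" seen in the original output.
 *
 * Logging is best-effort: any failure to read user memory only suppresses
 * the log line and never changes what execve() does. The return type is
 * long to match the saved handler, whose result is passed through so the
 * caller still sees the real errno on failure (the original returned a
 * constant 0 and hid every execve() error).
 *
 * CAUTION: argv/envp routinely carry credentials (passwords on the command
 * line, API tokens in the environment). Anything printed here lands in the
 * kernel ring buffer, which may be readable by unprivileged users unless
 * kernel.dmesg_restrict is set. Do not log envp outside of a lab.
 */
asmlinkage long hook_sysexecve(const struct pt_regs *regs)
{
	const char __user *filename = (const char __user *)regs->di;
	const char __user *const __user *argv =
		(const char __user *const __user *)regs->si;
	const char __user *const __user *envp =
		(const char __user *const __user *)regs->dx;
	/* Kept modest on purpose: these live on the kernel stack. */
	char file_name[NAME_MAX + 1];
	char argv_list[512];
	char envp_list[512];
	long len;

	len = strncpy_from_user(file_name, filename, sizeof(file_name) - 1);
	if (len >= 0) {
		/* strncpy_from_user() leaves a truncated copy unterminated. */
		file_name[len] = '\0';
		if (copy_user_strv(argv_list, sizeof(argv_list), argv) == 0 &&
		    copy_user_strv(envp_list, sizeof(envp_list), envp) == 0)
			printk(KERN_INFO "[TestSysExecve]: filename = %s | argv = %s | envp = %s\n",
			       file_name, argv_list, envp_list);
	}

	return orig_sysexecve(regs);
}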

我尝试使用

char __user **argv = (char**)regs->si; char **argvs; long error = strncpy_from_user(argvs,argv,NAME_MAX)
，但是直接编译失败。原因是 strncpy_from_user() 的原型是 (char *dst, const char __user *src, long count)：把 char ** 当作 dst 传入属于指针类型不匹配，而且 argvs 未初始化、不指向任何缓冲区，即使编译通过也会向野指针写入。

也尝试用

char **argv = (char**)regs->si;printk(KERN_INFO "%s",argv[0]);
，但是这个系统直接坏了。原因是 argv[0] 是用户态地址，内核代码不能直接解引用用户态指针（通常会触发 page fault，在开启 SMAP 的 CPU 上直接导致 oops）；必须先用 get_user()/copy_from_user() 取出每个元素指针，再用 strncpy_from_user() 复制字符串。

1个回答

以 https://github.com/NoviceLive/research-rootkit/tree/master 为例，效果很好！关键点是：argv/envp 本身不是字符串，而是指向“以 NULL 结尾的用户态字符串指针数组”的用户态指针，必须先用 copy_from_user()/get_user() 逐个取出元素指针，再对每个元素调用 strncpy_from_user()，而不能对数组指针本身调用 strncpy_from_user()。

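/*
 * Declare Name of type Type initialised from From with an explicit cast.
 * The trailing semicolon is left to the call site: a macro that ends in
 * ';' turns `MKVAR(...);` into two statements and hides the fact that
 * this is a declaration.
 */
#define MKVAR(Type, Name, From) Type Name = (Type)(From)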
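    /*
     * Join a NULL-terminated array of user-space strings (the argv/envp
     * layout) into @buff as one @delim-separated, NUL-terminated string.
     *
     * @ups    user pointer to the array of user pointers; NULL yields "".
     * @delim  kernel-space separator inserted between elements.
     * @buff   destination of @bufcap bytes; @bufcap must be > 0.
     *
     * Returns @buff on success, or NULL if @buff is unusable or any element
     * pointer / string could not be read from user space. Output longer than
     * @bufcap - 1 bytes is truncated; @buff is always NUL-terminated on
     * success.
     *
     * Differences from the earlier version: a truncated strncpy_from_user()
     * result is now terminated explicitly (it does not terminate on its own,
     * so the old strlcat() calls could read past the buffer), an empty
     * argv[0] is no longer treated as an error, and the extra 1 KiB stack
     * scratch buffer is gone because strings are copied straight into @buff.
     */
    char *join_strings_from_user(const char __user *const __user *ups, const char *delim, char *buff, size_t bufcap)
    {
        size_t used = 0;
        size_t i;

        if (!buff || bufcap == 0)
            return NULL;

        buff[0] = '\0';
        if (!ups)
            return buff;

        for (i = 0; used < bufcap - 1; i++) {
            const char __user *up;
            long n;

            /* Elements are themselves user pointers: fetch each one first. */
            if (copy_from_user(&up, ups + i, sizeof up))
                return NULL;
            if (!up)
                break;

            if (i > 0) {
                size_t dl = strlen(delim);

                if (dl > bufcap - 1 - used)
                    dl = bufcap - 1 - used;
                memcpy(buff + used, delim, dl);
                used += dl;
            }

            n = strncpy_from_user(buff + used, up, bufcap - 1 - used);
            if (n < 0)
                return NULL;
            used += n;
        }

        /* strncpy_from_user() does not terminate a truncated copy. */
        buff[used] = '\0';
        return buff;
    }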
    
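    /*
     * ftrace hook for __x64_sys_execve(). On x86-64 the syscall arguments
     * arrive in regs->di (filename), regs->si (argv) and regs->dx (envp);
     * argv is an array of user pointers, not a string, so it is read with
     * join_strings_from_user() rather than one strncpy_from_user().
     *
     * The earlier listing had no return statement and never invoked the
     * real handler, so every execve() on the system would have returned
     * garbage instead of executing. A hook must always end in the saved
     * original handler (orig_sysexecve, declared above) and pass its
     * result through unchanged.
     *
     * CAUTION: command lines frequently carry secrets; pr_info() writes to
     * the kernel log, which may be readable by unprivileged users unless
     * kernel.dmesg_restrict=1.
     */
    static asmlinkage long our_sys_execve(const struct pt_regs *regs)
    {
        const char __user *const __user *argv =
            (const char __user *const __user *)regs->si;
        /* Stack scratch buffer: keep it modest, this runs on the kernel stack. */
        char tmp[1024];
        const char *joined = join_strings_from_user(argv, " ", tmp, sizeof tmp);

        /* Logging is best-effort: a bad user pointer must not alter execve(). */
        pr_info("execve: %s\n", joined ? joined : "<unreadable argv>");

        return orig_sysexecve(regs);
    }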

输出示例:
