I'm working on a rootkit and trying to hook the system call table. Since I can already retrieve the table's address dynamically from /boot/System.map-$(uname -r), I traced and isolated the problematic part of the code into a standalone, simpler module, shown below. It tries to retrieve and display the address of the kill system call, but insmod returns "Killed" when the module is loaded; the error is raised specifically on the highlighted line.

Kernel string: 5.2.0-3-amd64

Module
```c
#include <linux/module.h>
#include <linux/kernel.h>
#include <linux/unistd.h>   /* __NR_kill */

typedef asmlinkage int (*sys_kill_ptr_t)(pid_t, int);

static sys_kill_ptr_t sys_kill_ptr;
static unsigned long *syscall_table;

static int __init lkm_init(void)
{
    printk("[+] LKM: init\n");

    // System call table address in /boot/System.map-$(uname -r)
    syscall_table = (unsigned long *)0xffffffff81c002a0;
    printk(KERN_INFO "[+] LKM: syscall_table @ 0x%p\n", syscall_table);
    printk(KERN_INFO "[+] LKM: syscall_table @ 0x%lx\n", (unsigned long)syscall_table);

    /* Error */
    sys_kill_ptr = (sys_kill_ptr_t)syscall_table[__NR_kill];
    /* Error */

    printk(KERN_INFO "[+] LKM: sys_kill_ptr @ 0x%p\n", (void *)sys_kill_ptr);
    return 0;
}

static void __exit lkm_exit(void)
{
    printk("[-] LKM: exit\n");
}

module_init(lkm_init);
module_exit(lkm_exit);

MODULE_LICENSE("GPL");   /* avoids the "module license unspecified" taint on load */
```
dmesg

(After reboot:)

```
[ 3708.343306] [+] LKM: init
[ 3708.343309] [+] LKM: syscall_table @ 0x000000004853bd64
[ 3708.343360] [+] LKM: syscall_table @ 0xffffffff81c002a0
[ 3708.343407] BUG: unable to handle page fault for address: ffffffff81c00490
[ 3708.343460] #PF: supervisor read access in kernel mode
[ 3708.343501] #PF: error_code(0x0000) - not-present page
```

dmesg

```
[   86.822522] [+] LKM: init
[   86.822525] [+] LKM: syscall_table @ 0x0000000000248a4b
[   86.822644] [+] LKM: syscall_table @ 0xffffffff81c002a0
[   86.822757] BUG: unable to handle page fault for address: ffffffff81c00490
[   86.822903] #PF: supervisor read access in kernel mode
[   86.823005] #PF: error_code(0x0000) - not-present page
```
I have the following questions:

(0. Why does it crash, and what should I do about it?)
1. Why does "%p" print a different value from "%lx"?
2. Why does "%p" print a different value after a reboot, while "%lx" always prints the correct value?
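An added example, not part of the question above: a small Python script that reads an oops like the one quoted and works out which table slot the crashing read touched. It assumes x86_64 (8-byte table entries, kill = syscall 62) and that, as in kernels since 4.15, `%p` prints a per-boot hashed token rather than the pointer; the dmesg text below is constructed from the lines quoted in the question.

```python
import re

# Constructed from the dmesg excerpt quoted in the question (addresses as printed there).
DMESG = """\
[   86.822525] [+] LKM: syscall_table @ 0x0000000000248a4b
[   86.822644] [+] LKM: syscall_table @ 0xffffffff81c002a0
[   86.822757] BUG: unable to handle page fault for address: ffffffff81c00490
[   86.822903] #PF: supervisor read access in kernel mode
[   86.823005] #PF: error_code(0x0000) - not-present page
"""

SIZEOF_LONG = 8                      # the table is an array of unsigned long on x86_64
KERNEL_SPACE = 0xffff800000000000    # x86_64 values below this cannot be kernel pointers
X86_64_SYSCALLS = {62: "__NR_kill"}  # only the entry this oops needs (assumed x86_64 numbering)

def parse_oops(text):
    """Relate the faulting address of a page-fault oops to the hard-coded table address.

    Returns the raw table address, the faulting address, the byte offset between
    them and the table index (syscall number) that offset corresponds to.
    """
    printed = [int(m, 16) for m in re.findall(r"syscall_table @ 0x([0-9a-f]+)", text)]
    # %p has printed a hashed token since kernel 4.15; it differs per boot and is not
    # an address, so anything outside the kernel address range is discarded here.
    hashed = [v for v in printed if v < KERNEL_SPACE]
    raw = [v for v in printed if v >= KERNEL_SPACE]
    m = re.search(r"unable to handle page fault for address: ([0-9a-f]+)", text)
    if not raw or m is None:
        raise ValueError("excerpt lacks a raw (%lx) table address or the BUG line")
    table, fault = raw[0], int(m.group(1), 16)
    offset = fault - table
    if offset < 0 or offset % SIZEOF_LONG:
        raise ValueError("fault address is not an element of the table")
    index = offset // SIZEOF_LONG
    return {"table": table, "fault": fault, "offset": offset, "index": index,
            "syscall": X86_64_SYSCALLS.get(index, f"syscall #{index}"),
            "hashed_values": hashed, "not_present": "not-present page" in text}

def diagnose(text):
    r = parse_oops(text)
    what = f"read of syscall_table[{r['index']}] ({r['syscall']}) at 0x{r['fault']:x}"
    if r["not_present"]:
        # "not-present page" at a kernel address means nothing is mapped there: the
        # link-time address from System.map is not where the running, KASLR-relocated
        # kernel keeps the table, so the very first dereference faults.
        return what + " hit an unmapped page: the System.map address is stale under KASLR"
    return what + " faulted for another reason (see the #PF error_code)"

if __name__ == "__main__":
    print(diagnose(DMESG))
```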