get system call table in x86-64 Linux - 欢迎测试并报BUG

albcamus

1. #include <linux/kernel.h>
   
2. #include <linux/init.h>
   
3. #include <linux/module.h>
   
4. #include <asm/uaccess.h>
   
5. #include <asm/fcntl.h>
   
6. #include <asm/unistd.h>
   
7. #include <asm/ia32_unistd.h>
   
8. #include <asm/msr.h>
   
9. 
   
10. 
    
11. 
    
12. #define THIS_DESCRIPTION "Dynamically get sys_call_table/ia32_sys_call_table in kernel module.\n\t\tI don't think there would be anyone who won't enable CONFIG_IA32_EMULATION these days.\n\t\tso you can add the unessary check if you really want to."
    
13. MODULE_DESCRIPTION( THIS_DESCRIPTION );
    
14. MODULE_AUTHOR("albcamus <albcamus@gmail.com>");
    
15. MODULE_LICENSE("GPL");
    
16. 
    
17. 
    
18. /**
    
19. * TODO: if you want shut this up, comment the following line.
    
20. */
    
21. #define BY_IDT_DEBUG
    
22. 
    
23. #ifdef BY_IDT_DEBUG
    
24. #define dbgprint(format,args...) \
    
25.                  printk("get_syscall: function:%s-L%d: "format, __FUNCTION__, __LINE__, ## args);
    
26. #else
    
27. #define dbgprint(format,args...)  do {} while(0);
    
28. #endif
    
29. 
    
30. 
    
31. /**
    
32. * sys call table
    
33. */
    
34. void ** my_ia32_syscall_table;
    
35. void ** my_syscall_table;
    
36. 
    
37. 
    
38. 
    
39. /**
    
40. * 10 bytes  -- please refer to AMD64 Architecture Programmer's
    
41. *         Manuals for more information.
    
42. */
    
43. struct idtr {
    
44.     unsigned short limit;
    
45.     unsigned long base; //in 64bit mode, base address is 8 bytes
    
46. } __attribute__ ((packed));
    
47. 
    
48. 
    
49. /**
    
50. * in long mode -- 64bit mode and compatity mode,
    
51. * every IDT entry has a 16-byte size
    
52. */
    
53. struct idt {
    
54.     u16 offset_low;
    
55.     u16 segment;
    
56.     unsigned ist : 3, zero0 : 5, type : 5, dpl :2, p : 1;
    
57.     u16 offset_middle;
    
58.     u32 offset_high;
    
59.     u32 zero1;
    
60. } __attribute__ ((packed));
    
61. 
    
62. 
    
63. 
    
64. 
    
65. /**
    
66. * Return the first appearence of NEEDLE in HAYSTACK.  -- copied from PHRACK
    
67. * */
    
68. static void *memmem(const void *haystack, size_t haystack_len,
    
69.             const void *needle, size_t needle_len)
    
70. {/*{{{*/
    
71.     const char *begin;
    
72.     const char *const last_possible
    
73.         = (const char *) haystack + haystack_len - needle_len;
    
74. 
    
75.     if (needle_len == 0)
    
76.         /* The first occurrence of the empty string is deemed to occur at
    
77.            the beginning of the string.  */
    
78.         return (void *) haystack;
    
79. 
    
80.     /* Sanity check, otherwise the loop might search through the whole
    
81.        memory.  */
    
82.     if (__builtin_expect(haystack_len < needle_len, 0))
    
83.         return NULL;
    
84. 
    
85.     for (begin = (const char *) haystack; begin <= last_possible;
    
86.          ++begin)
    
87.         if (begin[0] == ((const char *) needle)[0]
    
88.             && !memcmp((const void *) &begin[1],
    
89.                    (const void *) ((const char *) needle + 1),
    
90.                    needle_len - 1))
    
91.             return (void *) begin;
    
92. 
    
93.     return NULL;
    
94. }/*}}}*/
    
95. 
    
96. 
    
97. /**
    
98. * Find the location of ia32_sys_call_table
    
99. */
    
100. static unsigned long get_syscall_table_ia32(void)
     
101. {/*{{{*/
     
102. #define OFFSET_SYSCALL 100    /* from system_call/ia32_syscall, we'll read first 150 bytes */
     
103. 
     
104.     struct idtr idtr;
     
105.     struct idt idt;
     
106. 
     
107.     unsigned long sys_call_off;
     
108.     unsigned long retval;
     
109. 
     
110.     char sc_asm[OFFSET_SYSCALL], *p;
     
111. 
     
112. 
     
113. 
     
114. 
     
115.     /* well, let's read IDTR */
     
116.     asm("sidt %0"
     
117.         :"=m"(idtr)
     
118.         : );
     
119. 
     
120.     dbgprint("idtr base at %p\n", (void *)idtr.base);
     
121. 
     
122.     /**
     
123.      * Read in IDT for vector 0x80 (syscall)
     
124.      */
     
125.     memcpy(&idt, (char *) idtr.base + 16 * 0x80, sizeof(idt));
     
126.     sys_call_off =  ( ( (unsigned long)idt.offset_high ) << 32 ) |
     
127.         ( ((idt.offset_middle << 16 ) | idt.offset_low) & 0x00000000ffffffff );
     
128.     dbgprint("sys_call_off at %p\n", (void *)sys_call_off);
     
129. 
     
130.     /* we have syscall routine address now, look for syscall table
     
131.        dispatch (indirect call) */
     
132.     memcpy(sc_asm, (void *)sys_call_off, OFFSET_SYSCALL);
     
133.     /**
     
134.      * ia32_call > ia32_tracesys > ia32_do_syscall > 'call *ia32_sys_call_table(,%rax,8)'
     
135.      * Find callq *ia32_sys_call_table(,%rax,8)
     
136.      *
     
137.      * (gdb) disassemble ia32_syscall
     
138.      * Dump of assembler code for function ia32_syscall:
     
139.      * 0xffffffff81066b98 <ia32_syscall+0>:    swapgs
     
140.      * 0xffffffff81066b9b <ia32_syscall+3>:    sti
     
141.      * 0xffffffff81066b9c <ia32_syscall+4>:    mov    %eax,%eax
     
142.      * 0xffffffff81066b9e <ia32_syscall+6>:    push   %rax
     
143.      * 0xffffffff81066b9f <ia32_syscall+7>:    cld
     
144.      * 0xffffffff81066ba0 <ia32_syscall+8>:    sub    $0x48,%rsp
     
145.      * 0xffffffff81066ba4 <ia32_syscall+12>:   mov    %rdi,0x40(%rsp)
     
146.      * 0xffffffff81066ba9 <ia32_syscall+17>:   mov    %rsi,0x38(%rsp)
     
147.      * 0xffffffff81066bae <ia32_syscall+22>:   mov    %rdx,0x30(%rsp)
     
148.      * 0xffffffff81066bb3 <ia32_syscall+27>:   mov    %rcx,0x28(%rsp)
     
149.      * 0xffffffff81066bb8 <ia32_syscall+32>:   mov    %rax,0x20(%rsp)
     
150.      * 0xffffffff81066bbd <ia32_syscall+37>:   mov    %gs:0x10,%r10
     
151.      * 0xffffffff81066bc6 <ia32_syscall+46>:   sub    $0x1fd8,%r10
     
152.      * 0xffffffff81066bcd <ia32_syscall+53>:   orl    $0x2,0x14(%r10)
     
153.      * 0xffffffff81066bd2 <ia32_syscall+58>:   testl  $0x181,0x10(%r10)
     
154.      * 0xffffffff81066bda <ia32_syscall+66>:   jne    0xffffffff81066c04 <ia32_tracesys>
     
155.      * End of assembler dump.
     
156.      * (gdb) disassemble ia32_tracesys
     
157.      * Dump of assembler code for function ia32_tracesys:
     
158.      * 0xffffffff81066c04 <ia32_tracesys+0>:   sub    $0x30,%rsp
     
159.      * 0xffffffff81066c08 <ia32_tracesys+4>:   mov    %rbx,0x28(%rsp)
     
160.      * 0xffffffff81066c0d <ia32_tracesys+9>:   mov    %rbp,0x20(%rsp)
     
161.      * 0xffffffff81066c12 <ia32_tracesys+14>:  mov    %r12,0x18(%rsp)
     
162.      * 0xffffffff81066c17 <ia32_tracesys+19>:  mov    %r13,0x10(%rsp)
     
163.      * 0xffffffff81066c1c <ia32_tracesys+24>:  mov    %r14,0x8(%rsp)
     
164.      * 0xffffffff81066c21 <ia32_tracesys+29>:  mov    %r15,(%rsp)
     
165.      * 0xffffffff81066c25 <ia32_tracesys+33>:  movq   $0xffffffffffffffda,0x50(%rsp)
     
166.      * 0xffffffff81066c2e <ia32_tracesys+42>:  mov    %rsp,%rdi
     
167.      * 0xffffffff81066c31 <ia32_tracesys+45>:  callq  0xffffffff81073a02 <syscall_trace_enter>
     
168.      * 0xffffffff81066c36 <ia32_tracesys+50>:  mov    0x30(%rsp),%r11
     
169.      * 0xffffffff81066c3b <ia32_tracesys+55>:  mov    0x38(%rsp),%r10
     
170.      * 0xffffffff81066c40 <ia32_tracesys+60>:  mov    0x40(%rsp),%r9
     
171.      * 0xffffffff81066c45 <ia32_tracesys+65>:  mov    0x48(%rsp),%r8
     
172.      * 0xffffffff81066c4a <ia32_tracesys+70>:  mov    0x58(%rsp),%rcx
     
173.      * 0xffffffff81066c4f <ia32_tracesys+75>:  mov    0x60(%rsp),%rdx
     
174.      * 0xffffffff81066c54 <ia32_tracesys+80>:  mov    0x68(%rsp),%rsi
     
175.      * 0xffffffff81066c59 <ia32_tracesys+85>:  mov    0x70(%rsp),%rdi
     
176.      * 0xffffffff81066c5e <ia32_tracesys+90>:  mov    0x78(%rsp),%rax
     
177.      * 0xffffffff81066c63 <ia32_tracesys+95>:  mov    (%rsp),%r15
     
178.      * 0xffffffff81066c67 <ia32_tracesys+99>:  mov    0x8(%rsp),%r14
     
179.      * 0xffffffff81066c6c <ia32_tracesys+104>: mov    0x10(%rsp),%r13
     
180.      * 0xffffffff81066c71 <ia32_tracesys+109>: mov    0x18(%rsp),%r12
     
181.      * 0xffffffff81066c76 <ia32_tracesys+114>: mov    0x20(%rsp),%rbp
     
182.      * 0xffffffff81066c7b <ia32_tracesys+119>: mov    0x28(%rsp),%rbx
     
183.      * 0xffffffff81066c80 <ia32_tracesys+124>: add    $0x30,%rsp
     
184.      * 0xffffffff81066c84 <ia32_tracesys+128>: jmpq   0xffffffff81066bdc <ia32_do_syscall>
     
185.      * End of assembler dump.
     
186.      * (gdb) disassemble ia32_do_syscall
     
187.      * Dump of assembler code for function ia32_do_syscall:
     
188.      * 0xffffffff81066bdc <ia32_do_syscall+0>: cmp    $0x13d,%eax
     
189.      * 0xffffffff81066be1 <ia32_do_syscall+5>: ja     0xffffffff81066c89 <ia32_badsys>
     
190.      * 0xffffffff81066be7 <ia32_do_syscall+11>:        mov    %edi,%r8d
     
191.      * 0xffffffff81066bea <ia32_do_syscall+14>:        mov    %ebp,%r9d
     
192.      * 0xffffffff81066bed <ia32_do_syscall+17>:        xchg   %ecx,%esi
     
193.      * 0xffffffff81066bef <ia32_do_syscall+19>:        mov    %ebx,%edi
     
194.      * 0xffffffff81066bf1 <ia32_do_syscall+21>:        mov    %edx,%edx
     
195.      * 0xffffffff81066bf3 <ia32_do_syscall+23>:        callq  *0xffffffff812e7c70(,%rax,8)
     
196.      * End of assembler dump.
     
197.      * (gdb) x/xw ia32_do_syscall+23
     
198.      * 0xffffffff81066bf3 <ia32_do_syscall+23>:        0x70c514ff
     
199.      * (gdb)
     
200.      *
     
201.      */
     
202.     p = (char *) memmem(sc_asm, OFFSET_SYSCALL, "\xff\x14\xc5", 3);
     
203.     if (p == NULL) {
     
204.         printk("opcode not found, meats that we cannot find sys_call_table.\n");
     
205.         return 0;
     
206.     }
     
207. 
     
208.     retval = *(unsigned long *) (p + 3);
     
209.     return retval;
     
210. #undef OFFSET_SYSCALL
     
211. }/*}}}*/
     
212. 
     
213. 
     
214. /**
     
215. * Find the location of long-mode sys_call_table
     
216. */
     
217. static unsigned long get_syscall_table_long(void)
     
218. {/*{{{*/
     
219. #define OFFSET_SYSCALL 150
     
220.     unsigned long syscall_long, retval;
     
221.     char sc_asm[OFFSET_SYSCALL];
     
222. 
     
223.     rdmsrl(MSR_LSTAR, syscall_long);
     
224.     dbgprint("long mode: system_call is at %p\n", (void *)syscall_long);
     
225. 
     
226.     memcpy(sc_asm, (char *)syscall_long, OFFSET_SYSCALL);
     
227. 
     
228. 
     
229.     /**
     
230.      * Find callq *sys_call_table(,%rax,8)
     
231.      * -------------------------------------
     
232.      * (gdb) disassemble system_call
     
233.      * Dump of assembler code for function system_call:
     
234.      * 0xffffffff81063750 <system_call+0>:     swapgs
     
235.      * 0xffffffff81063753 <system_call+3>:     mov    %rsp,%gs:0x18
     
236.      * 0xffffffff8106375c <system_call+12>:    mov    %gs:0x10,%rsp
     
237.      * 0xffffffff81063765 <system_call+21>:    sti
     
238.      * 0xffffffff81063766 <system_call+22>:    sub    $0x50,%rsp
     
239.      * 0xffffffff8106376a <system_call+26>:    mov    %rdi,0x40(%rsp)
     
240.      * 0xffffffff8106376f <system_call+31>:    mov    %rsi,0x38(%rsp)
     
241.      * 0xffffffff81063774 <system_call+36>:    mov    %rdx,0x30(%rsp)
     
242.      * 0xffffffff81063779 <system_call+41>:    mov    %rax,0x20(%rsp)
     
243.      * 0xffffffff8106377e <system_call+46>:    mov    %r8,0x18(%rsp)
     
244.      * 0xffffffff81063783 <system_call+51>:    mov    %r9,0x10(%rsp)
     
245.      * 0xffffffff81063788 <system_call+56>:    mov    %r10,0x8(%rsp)
     
246.      * 0xffffffff8106378d <system_call+61>:    mov    %r11,(%rsp)
     
247.      * 0xffffffff81063791 <system_call+65>:    mov    %rax,0x48(%rsp)
     
248.      * 0xffffffff81063796 <system_call+70>:    mov    %rcx,0x50(%rsp)
     
249.      * 0xffffffff8106379b <system_call+75>:    mov    %gs:0x10,%rcx
     
250.      * 0xffffffff810637a4 <system_call+84>:    sub    $0x1fd8,%rcx
     
251.      * 0xffffffff810637ab <system_call+91>:    testl  $0x181,0x10(%rcx)
     
252.      * 0xffffffff810637b2 <system_call+98>:    jne    0xffffffff81063889 <tracesys>
     
253.      * 0xffffffff810637b8 <system_call+104>:   cmp    $0x117,%rax
     
254.      * 0xffffffff810637be <system_call+110>:   ja     0xffffffff8106387b <badsys>
     
255.      * 0xffffffff810637c4 <system_call+116>:   mov    %r10,%rcx
     
256.      * 0xffffffff810637c7 <system_call+119>:   callq  *0xffffffff812e6d60(,%rax,8)
     
257.      * 0xffffffff810637ce <system_call+126>:   mov    %rax,0x20(%rsp)
     
258.      * End of assembler dump.
     
259.      * (gdb) x/xw system_call+119
     
260.      * 0xffffffff810637c7 <system_call+119>:   0x60c514ff
     
261.      * (gdb)
     
262.      */
     
263.     retval = (unsigned long) memmem(sc_asm, OFFSET_SYSCALL, "\xff\x14\xc5", 3);
     
264.     if ( retval != 0 ) {
     
265.         dbgprint("long mode : sys_call_table is at %p\n",
     
266.                 (void *) (* (unsigned long *)(retval+3)) ) ;
     
267.         retval = (unsigned long) ( * (unsigned long *)(retval+3) );
     
268.     } else {
     
269.         printk("long mode : memmem found nothing, returning NULL:( \n");
     
270.         retval = 0;
     
271.     }
     
272. 
     
273. #undef OFFSET_SYSCALL
     
274.     return retval;
     
275. }/*}}}*/
     
276. 
     
277. 
     
278. 
     
279. 
     
280. static int get_syscall_init_module(void)
     
281. {/*{{{*/
     
282.     printk(KERN_DEBUG "get_syscall: Hi, you fucking linux!\n");
     
283. 
     
284.     my_ia32_syscall_table = (void **) get_syscall_table_ia32();
     
285.     if (my_ia32_syscall_table == 0)
     
286.         return -1;
     
287. 
     
288.     my_syscall_table = (void **) get_syscall_table_long();
     
289.     if (my_syscall_table == 0)
     
290.         return -1;
     
291. 
     
292.     dbgprint("ia32_sys_call_table address : %p\n", (void *) my_ia32_syscall_table);
     
293.     dbgprint("long mode : sys_call_table address : %p\n", (void *) my_syscall_table);
     
294. 
     
295. #define REPLACE_IA32(x) o_sys_##x = my_ia32_syscall_table[__NR_ia32_##x];\
     
296.     my_ia32_syscall_table[__NR_ia32_##x] = my_sys_##x
     
297. 
     
298. #define GET_OLD_IA32_SYSCALL_ADDR(x) my_ia32_syscall_table[__NR_ia32_##x]
     
299. //    dbgprint("sys_read at %p, my_read at %p\n", (void *)GET_OLD_IA32_SYSCALL_ADDR(read), (void *)my_sys_read);
     
300. 
     
301. //    REPLACE_IA32(read);
     
302. #undef REPLACE_IA32
     
303. 
     
304. 
     
305.     return 0;
     
306. }/*}}}*/
     
307. 
     
308. 
     
309. static void get_syscall_exit_module(void)
     
310. {/*{{{*/
     
311.     printk(KERN_DEBUG "get_syscall: bye, you fucking linux!\n");
     
312. 
     
313. #define RESTORE_IA32(x) my_ia32_syscall_table[__NR_ia32_##x] = o_sys_##x
     
314. 
     
315. //    RESTORE_IA32(read);
     
316. 
     
317. #undef RESTORE_IA32
     
318. }/*}}}*/
     
319. 
     
320. module_init(get_syscall_init_module);
     
321. module_exit(get_syscall_exit_module);

复制代码

Reference :
http://phrack.org/archives/58/p58-0x07

[ 本帖最后由 albcamus 于 2007-1-19 09:33 编辑 ]

langue

不错。

朱熹之

不错，顶了

albcamus

这个程序前天刚刚做完， 没怎么测试， 我仅仅在linux-2.6.18  Turion64 X2上测试过， 欢迎大家测试， 把BUG发给我

anhongkui

直接oops，在替换系统调用的时候

我好像看过i386的一篇文章，应该也是你写的吧，在替换之前清掉cr0的第20位， 这个64位的不用清吗？

anhongkui

我现在是能够找到syscall_table的地址，但是，一替换就死机

anhongkui

我查了查，cr0的第5－30位都必须为0，第31位为PE位，
不知道第20位是干什么的，望解惑
谢谢

albcamus

原帖由 anhongkui 于 2008-2-17 08:50 发表
我查了查，cr0的第5－30位都必须为0，第31位为PE位，
不知道第20位是干什么的，望解惑
谢谢

看手册卷三图2-6

anhongkui

请问是什么手册？
哪里能够找到这个手册？

我只找到了一个关于讲保护模式的
谢谢

albcamus

http://www.intel.com/products/processor/manuals/index.htm
http://developer.amd.com/documentation/guides/Pages/default.aspx