clinux-kernelhook

Linux Kernel: System call hooking example


I'm trying to write some simple test code as a demonstration of hooking the system call table.

"sys_call_table" is no longer exported in 2.6, so I'm just grabbing the address from the System.map file, and I can see it is correct (Looking through the memory at the address I found, I can see the pointers to the system calls).

However, when I try to modify this table, the kernel gives an "Oops" with "unable to handle kernel paging request at virtual address c061e4f4" and the machine reboots.

This is CentOS 5.4 running 2.6.18-164.10.1.el5. Is there some sort of protection or do I just have a bug? I know it comes with SELinux, and I've tried putting it in to permissive mode, but it doesn't make a difference

Here's my code:

#include <linux/kernel.h>
#include <linux/module.h>
#include <linux/moduleparam.h>
#include <linux/unistd.h>

void **sys_call_table;

asmlinkage int (*original_call) (const char*, int, int);

asmlinkage int our_sys_open(const char* file, int flags, int mode)
{
   printk("A file was opened\n");
   return original_call(file, flags, mode);
}

int init_module()
{
    // sys_call_table address in System.map
    sys_call_table = (void*)0xc061e4e0;
    original_call = sys_call_table[__NR_open];

    // Hook: Crashes here
    sys_call_table[__NR_open] = our_sys_open;
}

void cleanup_module()
{
   // Restore the original call
   sys_call_table[__NR_open] = original_call;
}

Solution

  • I finally found the answer myself.

    https://web.archive.org/web/20190921093739/http://www.linuxforums.org/forum/linux-kernel/133982-cannot-modify-sys_call_table.html

    The kernel was changed at some point so that the system call table is read only.

    cypherpunk:

    Even if it is late but the Solution may interest others too: In the entry.S file you will find: Code:

    .section .rodata,"a"
    #include "syscall_table_32.S"
    

    sys_call_table -> ReadOnly You have to compile the Kernel new if you want to "hack" around with sys_call_table...

    The link also has an example of changing the memory to be writable.

    nasekomoe:

    Hi everybody. Thanks for replies. I solved the problem long ago by modifying access to memory pages. I have implemented two functions that do it for my upper level code:

    #include <asm/cacheflush.h>
    #ifdef KERN_2_6_24
    #include <asm/semaphore.h>
    int set_page_rw(long unsigned int _addr)
    {
        struct page *pg;
        pgprot_t prot;
        pg = virt_to_page(_addr);
        prot.pgprot = VM_READ | VM_WRITE;
        return change_page_attr(pg, 1, prot);
    }
    
    int set_page_ro(long unsigned int _addr)
    {
        struct page *pg;
        pgprot_t prot;
        pg = virt_to_page(_addr);
        prot.pgprot = VM_READ;
        return change_page_attr(pg, 1, prot);
    }
    
    #else
    #include <linux/semaphore.h>
    int set_page_rw(long unsigned int _addr)
    {
        return set_memory_rw(_addr, 1);
    }
    
    int set_page_ro(long unsigned int _addr)
    {
        return set_memory_ro(_addr, 1);
    }
    
    #endif // KERN_2_6_24
    

    Here's a modified version of the original code that works for me.

    #include <linux/kernel.h>
    #include <linux/module.h>
    #include <linux/moduleparam.h>
    #include <linux/unistd.h>
    #include <asm/semaphore.h>
    #include <asm/cacheflush.h>
    
    void **sys_call_table;
    
    asmlinkage int (*original_call) (const char*, int, int);
    
    asmlinkage int our_sys_open(const char* file, int flags, int mode)
    {
       printk("A file was opened\n");
       return original_call(file, flags, mode);
    }
    
    int set_page_rw(long unsigned int _addr)
    {
       struct page *pg;
       pgprot_t prot;
       pg = virt_to_page(_addr);
       prot.pgprot = VM_READ | VM_WRITE;
       return change_page_attr(pg, 1, prot);
    }
    
    int init_module()
    {
        // sys_call_table address in System.map
        sys_call_table = (void*)0xc061e4e0;
        original_call = sys_call_table[__NR_open];
    
        set_page_rw(sys_call_table);
        sys_call_table[__NR_open] = our_sys_open;
    }
    
    void cleanup_module()
    {
       // Restore the original call
       sys_call_table[__NR_open] = original_call;
    }