當(dāng)前位置：首頁 > 运维知识 > linux >内容正文

linux

linux 网络劫持编程,Linux下实现劫持系统调用的总结（上）--代码及实现

發(fā)布時間：2025/3/12 linux 37 豆豆

生活随笔收集整理的這篇文章主要介紹了 linux 网络劫持编程,Linux下实现劫持系统调用的总结（上）--代码及实现小編覺得挺不錯的,現(xiàn)在分享給大家,幫大家做個參考.

Linux內(nèi)核版本2.6中已經(jīng)不再導(dǎo)出系統(tǒng)調(diào)用符號表了。因此，如果想實現(xiàn)劫持系統(tǒng)調(diào)用，就得想辦法找到系統(tǒng)調(diào)用表的地址。網(wǎng)上應(yīng)該可以搜到相關(guān)的實現(xiàn)。我這里找到了albcamus兄的精華文章，并在內(nèi)核版本2.6.18.3上實踐了其中的代碼。這里總結(jié)一下。

本文歡迎自由轉(zhuǎn)載，但請標(biāo)明出處和本文鏈接，并保持本文的完整性。

Dec 2, 2009

一、代碼及實現(xiàn)

(一) 劫持open系統(tǒng)調(diào)用的代碼

內(nèi)核態(tài)實現(xiàn)劫持系統(tǒng)調(diào)用的代碼如下，來自參考鏈接1，即albcamus兄提供的代碼。我這里屏蔽了一些代碼，僅實現(xiàn)了劫持open系統(tǒng)調(diào)用。

#include

MODULE_DESCRIPTION("Intercept the system

call table in Linux");

MODULE_AUTHOR("alert7 (alert7@xfocus.org)

\n\t\talbcamus ");

MODULE_LICENSE("GPL");

/* comment the following line to shut me up */

#define INTERCEPT_DEBUG

#ifdef INTERCEPT_DEBUG

#define dbgprint(format,args...) \

printk("intercept: function:%s-L%d: "format, __FUNCTION__,

__LINE__, ##args);

#else

#define dbgprint(format,args...)do {} while(0);

#endif

/**

* the system call table

void **my_table;

unsigned int orig_cr0;

/**

* the original syscall functions

asmlinkage long (*old_open) (char __user

*filename, int flags, int mode);

asmlinkage int(*old_execve) (struct pt_regs regs);

/** do_execve and do_fork */

unsigned int can_exec_fork = 0;

int(*new_do_execve) (char * filename,

char __user *__user *argv,

char __user *__user *envp,

struct pt_regs * regs);

struct idtr {

unsigned short limit;

unsigned int base;

} __attribute__ ((packed));

struct idt {

unsigned short off1;

unsigned short sel;

unsigned char none, flags;

unsigned short off2;

} __attribute__ ((packed));

#if 0

/**

*check

if we can intercept fork/vfork/clone/execve or not

*return

: 0 for no, 1 for yes

struct kprobe kp_exec;

unsigned int can_intercept_fork_exec(void)

{

int

ret = 0;

#ifndef CONFIG_KPROBES

return ret;

#endif

kp_exec.symbol_name = "do_execve";

ret =

register_kprobe(&kp_exec);

(ret != 0 ) {

dbgprint("cannot find do_execve by kprobe.\n");

return 0;

}

new_do_execve = ( int (*)

(char *,

char __user * __user *,

struct pt_regs *

)

) kp_exec.addr;

dbgprint("do_execve at %p\n", (void *)kp_exec.addr);

unregister_kprobe(&kp_exec);

return 1;

}

#endif

/**

* clear WP bit of CR0, and return the original

value

unsigned int clear_and_return_cr0(void)

{

unsigned int cr0 = 0;

unsigned

int ret;

asm

volatile ("movl %%cr0, %%eax"

: "=a"(cr0)

);

ret =

cr0;

clear the 20 bit of CR0, a.k.a WP bit */

cr0

&= 0xfffeffff;

asm

volatile ("movl %%eax, %%cr0"

: "a"(cr0)

);

return ret;

}

/** set CR0 with new value

* @val : new value to set in cr0

void setback_cr0(unsigned int val)

{

asm

volatile ("movl %%eax, %%cr0"

: "a"(val)

);

}

/**

* Return the first appearence of NEEDLE in

HAYSTACK.

* */

static void *memmem(const void *haystack,

size_t haystack_len,

const void *needle, size_t needle_len)

{/*{{{*/

const

char *begin;

const

char *const last_possible

(const char *) haystack + haystack_len - needle_len;

(needle_len == 0)

/* The first occurrence of the empty string is deemed to occur at

the beginning of the string.*/

return (void *) haystack;

Sanity check, otherwise the loop might search through the whole

memory.*/

(__builtin_expect(haystack_len < needle_len, 0))

return NULL;

for

(begin = (const char *) haystack; begin <= last_possible;

++begin)

if (begin[0] == ((const char *) needle)[0]

&& !memcmp((const void *) &begin[1],

(const void *) ((const char

*) needle + 1),

needle_len - 1))

return (void *) begin;

return NULL;

}/*}}}*/

/**

* Find the location of sys_call_table

static unsigned long get_sys_call_table(void)

{/*{{{*/

/* we'll read first 100 bytes of int $0x80 */

#define OFFSET_SYSCALL 100

struct idtr idtr;

struct idt idt;

unsigned sys_call_off;

unsigned retval;

char

sc_asm[OFFSET_SYSCALL], *p;

well, let's read IDTR */

asm("sidt %0":"=m"(idtr)

:"memory" );

dbgprint("idtr base at 0x%X, limit at 0x%X\n", (unsigned

int)idtr.base,(unsigned short)idtr.limit);

Read in IDT for vector 0x80 (syscall) */

memcpy(&idt, (char *) idtr.base + 8 * 0x80, sizeof(idt));

sys_call_off = (idt.off2 << 16) | idt.off1;

dbgprint("idt80: flags=%X sel=%X off=%X\n",

(unsigned) idt.flags, (unsigned) idt.sel, sys_call_off);

/* we

have syscall routine address now, look for syscall table

dispatch (indirect call) */

memcpy(sc_asm, (void *)sys_call_off, OFFSET_SYSCALL);

/**

Search opcode of `call sys_call_table(,eax,4)'

p =

(char *) memmem(sc_asm, OFFSET_SYSCALL, "\xff\x14\x85", 3);

if (p

== NULL)

return 0;

retval = *(unsigned *) (p + 3);

(p) {

dbgprint("sys_call_table at 0x%x, call dispatch at 0x%x\n",

retval, (unsigned int) p);

}

return

retval;

#undef OFFSET_SYSCALL

}/*}}}*/

/**

* new_open - replace the original sys_open when

initilazing,

*as well as be got rid of when removed

asmlinkage long new_open(char *filename, int

flags, int mode)

{

dbgprint("call open()\n");

return old_open (filename, flags, mode);

}

/**

* new_execve - you should change this function

whenever the kernel's sys_execve()

* changes

asmlinkage int new_execve(struct pt_regs regs)

{

int

error;

char

*filename;

dbgprint("Hello\n");

filename = getname( (char __user *) regs.ebx );

error

= PTR_ERR(filename);

if (

IS_ERR(filename) )

goto out;

dbgprint("file to execve: %s\n", filename);

error

= new_do_execve(filename,

(char __user * __user *)

regs.ecx,

(char __user * __user *)

regs.edx,

&regs);

(error == 0) {

task_lock(current);

current->ptrace &= ~PT_DTRACE;

task_unlock(current);

set_thread_flag(TIF_IRET);

}

putname (filename);

out:

return error;

}

static int intercept_init(void)

{

my_table = (void **)get_sys_call_table();

(my_table == NULL)

return -1;

dbgprint("sys call table address %p\n", (void *) my_table);

#define REPLACE(x) old_##x =

my_table[__NR_##x];\

my_table[__NR_##x] = new_##x

REPLACE(open);

#if 0

can_exec_fork = can_intercept_fork_exec();

if(can_exec_fork == 1)

REPLACE(execve);

#endif

#undef REPLACE

return 0;

}

static int __init this_init(void)

{

int

ret;

printk("syscall intercept: Hi, poor linux!\n");

orig_cr0 = clear_and_return_cr0();

ret =

intercept_init();

setback_cr0(orig_cr0);

return ret;

}

static void __exit this_fini(void)

{

printk("syscall intercept: bye, poor linux!\n");

#define RESTORE(x) my_table[__NR_##x] = old_##x

orig_cr0 = clear_and_return_cr0();

RESTORE(open);

#if 0

if(can_exec_fork == 1)

RESTORE(execve);

#endif

setback_cr0(orig_cr0);

#undef RESTORE

}

module_init(this_init);

module_exit(this_fini);

(二) 編譯及實踐

Makefile如下：

obj-m:=hack_open.o

EXTRA_CFLAGS :=

-Dsymname=sys_call_table

KDIR:= /lib/modules/$(shell uname -r)/build

PWD:= $(shell pwd)

default:

make -C $(KDIR) SUBDIRS=$(PWD) modules

clean:

rm -rf .*.cmd *.mod.c *.o *.ko .tmp*

*.symvers

編譯之后，加載模塊，然后查看日志信息

Sep 24 19:06:49

localhost kernel: intercept: function:get_sys_call_table-L220: sys_call_table

at 0xc11f14e0, call

dispatch at 0xcebeceaa

Sep 24 19:06:49 localhost kernel: intercept: function:intercept_init-L276: sys

call table address c11f14e0

Sep 24 19:06:50 localhost kernel: intercept: function:new_open-L234: hello

Sep 24 19:07:00 localhost last message repeated 460 times

可見open系統(tǒng)調(diào)用執(zhí)行次數(shù)之頻繁。

--未完待續(xù)

總結(jié)

以上是生活随笔為你收集整理的linux 网络劫持编程,Linux下实现劫持系统调用的总结（上）--代码及实现的全部內(nèi)容，希望文章能夠幫你解決所遇到的問題。

如果覺得生活随笔網(wǎng)站內(nèi)容還不錯，歡迎將生活随笔推薦給好友。

上一篇：计算机的硬盘内存在哪查到,电脑硬盘内存
下一篇： linux nginx http cac