在Linux上Hook系统函数execve获取执行参数
根据 Linux 系统运行在 32 位平台还是 64 位平台，分别编写并测试了 hook 代码；该功能是常见的 rootkit 技术。
针对 32 位平台的 Hook 代码如下，已经在 Ubuntu 12.04 上测试过：
/*
* This kernel module locates the sys_call_table by scanning
* the system_call interrupt handler (int 0x80)
*/
#include <linux/kernel.h>
#include <linux/module.h>
#include <linux/unistd.h>
#include <linux/utsname.h>
#include <asm/pgtable.h>
/*
** module macros
*/
/*
** module metadata
*/
MODULE_DESCRIPTION("hook sys_execve");
MODULE_AUTHOR("geeksword");
MODULE_LICENSE("GPL");
/*
** module-wide state: the signature of the original sys_execve, the slot
** holding the saved original entry, and the located syscall table
** (presumably both pointers are filled in by the module init — not visible here)
*/
typedef asmlinkage int (*orig_execve)(const char __user *filename, const char __user *const __user *argv, const char __user *const __user *envp);
typedef void (*sys_call_ptr_t)(void);
orig_execve old_execve = NULL;
sys_call_ptr_t *_sys_call_table = NULL;
// hooked execve function (replacement for sys_execve)
/*
 * Replacement for sys_execve installed by this module.
 *
 * Builds one string of the form "filename arg0 arg1 ..." from the call's
 * arguments, writes it to the kernel log with printk, then hands the call
 * to the saved original handler (old_execve) so the exec proceeds as usual.
 *
 * @param filename  __user path of the program being executed
 * @param argv      __user NULL-terminated argument vector
 * @param envp      __user NULL-terminated environment vector (passed through only)
 * @return whatever old_execve returns
 *
 * NOTE(review): filename and argv are __user pointers but are read here with
 * plain strlen()/dereference rather than strncpy_from_user()/copy_from_user();
 * the strings can also change between the length pass and the copy pass —
 * confirm against the kernel version this was tested on.
 * NOTE(review): exec_str is vmalloc'd and never freed in this function, so
 * every exec call leaks the buffer.
 * From a defender's view, the printk line below is a kernel-log artifact of
 * this module, and the module is listed by lsmod like any other.
 */
asmlinkage int hooked_execve(const char __user *filename, const char __user *const __user *argv, const char __user *const __user *envp) {
size_t exec_line_size;           /* bytes needed for the joined string, incl. NUL */
char * exec_str = NULL;          /* vmalloc'd output buffer */
char ** p_argv = (char **) argv; /* cursor over argv (const dropped by the cast) */
static char* msg = "hooked sys_execve(): ";
/* filename length plus one byte: the separating space, or the final NUL
   when there are no arguments */
exec_line_size = (strlen(filename) + 1);
/* Iterate through the execution arguments, to determine the final
size of the execution string. */
while (NULL != *p_argv) {
/* each +1 covers the joining space before the next element or the final NUL */
exec_line_size += (strlen(*p_argv) + 1);
/* the cast applies to the value of the post-increment and has no effect;
   this statement is just p_argv++ */
(char **) p_argv++;
}
/* Allocate enough memory for the execution string */
exec_str = vmalloc(exec_line_size);
if (NULL != exec_str) {
snprintf(exec_str, exec_line_size, "%s", filename);
/* Iterate through the execution arguments */
p_argv = (char **) argv;
while (NULL != *p_argv) {
/* Concatenate each argument with our execution line */
/* NOTE(review): exec_str is both the destination and a "%s" source here;
   overlapping snprintf buffers are undefined behavior in standard C, so this
   relies on the kernel's snprintf tolerating it — verify. */
snprintf(exec_str, exec_line_size,
"%s %s", exec_str, *p_argv);
(char **) p_argv++;
}
/* Send execution line to the user app */
//COMM_nl_send_exec_msg(exec_str);
/* no KERN_* prefix: logged at the default level, visible in dmesg */
printk("%s,%s\n", msg, exec_str);
}
//printk("%s%s---%s:%s\n", msg, filename, argv[0], envp[0]);
/* old_execve is assigned outside this function (not visible here); if it
   were still NULL this would be a NULL function call — presumably the init
   path installs the hook only after saving it */
return old_execve(filename, argv, envp);
}
/* page-table lookup results used when toggling write protection on the
 * page holding the syscall table (presumably filled in by the module init,
 * which is outside this block — confirm) */
pte_t *pte;
unsigned int level;
// initialize the module
static int hooked_init(void) {
printk("+ Loading hook_mkdir module\n");
// struct for IDT register contents
stru