Page 3 of 5
Results 21 to 30 of 50
  1. #21
    Just Joined!
    Join Date
    Jan 2010
    Posts
    13

    Yes, we have the same sys_call_address because of the same kernel version!
    But he is using a virtual machine, which could blow up everything, anyway....

    I am using Ubuntu as a stand-alone machine, no Windows, no virtual stuff...

    It is indeed strange.

    But I am nearly sure that they did not change anything crucial between these two kernel versions...

  2. #22
    Just Joined!
    Join Date
    Jan 2010
    Posts
    13
    By the way I tried to comment this line out:
    Code:
    sys_call_table[__NR_sync] = our_sys_call;
    And just let the assembly instructions be called, which resulted in:
    [ 1632.180931] origaddr->0xc05771e0
    [ 1632.180936] origcr3-->0x18914000
    [ 1632.180938] direntry->0x1e231063
    [ 1632.180940] mdentry-->0x00577067
    Which seems fine so far...

  3. #23
    Just Joined!
    Join Date
    Jan 2010
    Posts
    13
    DAMN!

    I solved it ... you know, the problem was that you had misposted the code.
    You posted:

    Code:
    sys_call_table[__NR_sync] = our_sys_call;
    myfunc();
    Which does not really make sense, because you first try to overwrite the sys call address __NR_sync and later try to make it writeable...

    I just had some time to have a closer look at the code.
    It must be:
    Code:
    myfunc();
    sys_call_table[__NR_sync] = our_sys_call;
    And everything is fine, of course!

    Would you mind explaining the assembly instructions to me?

    Thanks a lot !!!

  4. #24
    Just Joined!
    Join Date
    Jan 2010
    Posts
    23
    Quote Originally Posted by Linuxerlive
    DAMN!

    I solved it ... you know, the problem was that you had misposted the code.
    You posted:

    Code:
    sys_call_table[__NR_sync] = our_sys_call;
    myfunc();
    Which does not really make sense, because you first try to overwrite the sys call address __NR_sync and later try to make it writeable...

    I just had some time to have a closer look at the code.
    It must be:
    Code:
    myfunc();
    sys_call_table[__NR_sync] = our_sys_call;
    And everything is fine, of course!

    Would you mind explaining the assembly instructions to me?

    Thanks a lot !!!
    You should use virtual systems when you're doing a job like doing harmful things to your kernel. I'll try your advice now. Stay here.

  5. #25
    Just Joined!
    Join Date
    Jan 2010
    Posts
    13
    No you shouldn't!

    Because a VM might be changing pointers like sys_call_table or virtual addresses, so that your program might not work...

  6. #26
    Just Joined!
    Join Date
    Jan 2010
    Posts
    23
    Hey, the result:

    [ 23.984138] eth0: no IPv6 routers present
    [ 48.377194] VMware PVSCSI driver - version 0.0.0.7
    [ 48.941824] VMware memory control driver initialized
    [ 48.942627] vmmemctl: started kernel thread pid=1473
    [ 101.654861] hrtimer: interrupt too slow, forcing clock min delta to 77202126 ns
    [ 331.232686] myfunc: module license 'unspecified' taints kernel.
    [ 331.232735] Disabling lock debugging due to kernel taint
    [ 331.234498] origaddr->0xc05771e0
    [ 331.234518] origcr3-->0x31316000
    [ 331.234533] direntry->0x30384063
    [ 331.234547] mdentry-->0x00577067
    [ 334.329524] This from our sync call!

    Thank God, gerard4143 and Linuxerlive.

    And maybe I can do my homework with this very valuable information.

    "When the user presses a key in a desktop or console or a browser or anywhere, I want to get the key that is pressed by the user (like a keylogger)."

    There is a connection between the read and write system calls and pressed keys:

    ------[ 3.2.5 - sys_read/sys_write

    We will intercept sys_read/sys_write system calls to redirect it to our
    own code which logs the content of the read/write calls. This method was
    presented by halflife in Phrack 50 (see [4]). I highly recommend reading
    that paper and a great article written by pragmatic called "Complete Linux
    Loadable Kernel Modules" (see [2]).

    Source: freeworld.thc.org/papers/writing-linux-kernel-keylogger.txt

    I'll try and see the result.
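    An added example, not code from this thread: a small Python parser over the kind of dmesg output pasted above that flags module loads which taint the kernel (the "module license 'unspecified' taints kernel" line) and collects what that module printed right afterwards, the kind of check a defender runs over kernel logs when an unknown out-of-tree module shows up. The sample lines are constructed from the post; the window length is an assumption.

```python
import re
from typing import NamedTuple

# Constructed sample: a subset of the dmesg output pasted in the post above.
SAMPLE_DMESG = """\
[   48.941824] VMware memory control driver initialized
[  331.232686] myfunc: module license 'unspecified' taints kernel.
[  331.232735] Disabling lock debugging due to kernel taint
[  331.234498] origaddr->0xc05771e0
[  334.329524] This from our sync call!
"""

# "[ seconds.micros] message" as printed by dmesg / printk with timestamps
LINE_RE = re.compile(r"^\[\s*(?P<ts>\d+\.\d+)\]\s(?P<msg>.*)$")
# the kernel's own taint notice for a module without a GPL-compatible license
TAINT_RE = re.compile(
    r"^(?P<module>[\w-]+): module license '(?P<license>[^']*)' taints kernel\.?$")


class Entry(NamedTuple):
    ts: float
    msg: str


def parse_dmesg(text):
    """Split dmesg text into (timestamp, message) entries; lines without a timestamp are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            entries.append(Entry(float(m.group("ts")), m.group("msg")))
    return entries


def find_taint_events(entries):
    """Return one record per module load that tainted the kernel."""
    events = []
    for e in entries:
        m = TAINT_RE.match(e.msg)
        if m:
            events.append({"ts": e.ts, "module": m.group("module"),
                           "license": m.group("license")})
    return events


def messages_after(entries, ts, window=5.0):
    """Messages printed within `window` seconds after a taint event: the module's first actions."""
    return [e.msg for e in entries if ts < e.ts <= ts + window]
```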

  7. #27
    Just Joined!
    Join Date
    Jan 2010
    Posts
    23
    Quote Originally Posted by Linuxerlive
    No you shouldn't!

    Because VM might be changing pointers like sys_call_table or virtual addresses so that your program might not work...
    So absolutely use a VM. When I was doing this work I crashed my Linux three times,
    but I had copied the virtual Linux file somewhere.
    I wonder about the asm code, like you. But the things that gerard wrote are enough.

  8. #28
    Linux Enthusiast gerard4143's Avatar
    Join Date
    Dec 2007
    Location
    Canada, Prince Edward Island
    Posts
    714
    Quote Originally Posted by Linuxerlive
    DAMN!

    I solved it ... you know the problem was that you had misposted the code
    you posted:
    Oops, sorry.

    Quote Originally Posted by Linuxerlive
    Would you mind explaining the assembly instructions to me?
    The assembler code is straightforward; it's really not the problem in understanding the solution. The problem is understanding page tables and how Linux uses them, and for that you have to consult a Linux kernel book and the AMD/Intel manuals. Sorry, there is no easy explanation. Try downloading the Intel/AMD manuals (system programming) and read the sections on memory pages... You could try googling "walking page tables" and see what's returned; when I tried, the hits were pretty superficial, meaning no details... The info in the manuals, Intel/AMD, is detailed and somewhat confusing at first, but it's very readable...

    I would read the AMD/Intel manuals (memory page sections) first, then find a good book or website that describes how Linux implements its paging... Good Luck, Gerard4143
    Make mine Arch Linux

  9. #29
    Just Joined!
    Join Date
    Jan 2010
    Posts
    23
    gerard4143

    I want to call the getcwd system call in my module. Is that result not surprising, or is there no current working directory (cwd) in a module so PATH seems blank, or did I make a mistake?

    Code:
    #include <linux/kernel.h>
    #include <linux/module.h>
    #include <linux/unistd.h>

    char buf[1000];   /* kernel-space buffer, but the syscall expects a __user pointer */

    /* address hard-coded for this poster's kernel build */
    void **sys_call_table = (void **)0xc0577150;

    /* sys_getcwd returns long (see the prototype below), not void */
    asmlinkage long (*original_call)(char __user *buf, unsigned long size);

    int init_module(void)
    {
        original_call = sys_call_table[__NR_getcwd];
        /* The handler writes its result with copy_to_user(), which rejects a
           kernel address while the caller's address limit is user space, so
           buf is never filled and PATH prints empty (the result shown below). */
        original_call(buf, 1000);
        printk(" \n\n PATH : %s\n\n ", buf);
        return 0;
    }

    void cleanup_module(void)
    {
        printk("setting everything back...we're out of here!\n");
    }
    Result:

    [ 898.728981]
    [ 898.729055]
    [ 898.729057] PATH :
    [ 898.729058]
    [ 898.729059]

    And the prototype for the getcwd system call:

    183 sys_getcwd long sys_getcwd(char __user * buf, unsigned long size)

  10. #30
    Just Joined!
    Join Date
    Jan 2010
    Posts
    23
    There are functions in system calls like copy_to_user or put_user; we are in kernel space, and if these functions don't work, sure, my system calls won't work. I'll try to call other system calls.
