  1. #41

    Quote Originally Posted by gerard4143 View Post
    Could you repost the code with the correction..
    Code:
    #include <linux/kernel.h>
    #include <linux/module.h>
    #include <linux/unistd.h>
    
    /* Hard-coded, kernel-build-specific address of sys_call_table. Nothing in
     * the module validates it: a wrong value makes init_module() patch an
     * arbitrary kernel location. The symbol is presumably not exported on this
     * kernel, which is why the comment below reads it out of /proc/kallsyms. */
    void **sys_call_table = (void**)0xc0577150;
    //change with your sys_call_table address!
    //cat /proc/kallsyms|grep sys_call_table
    
    
    
    /* Saved pointer to the real write(2) entry, restored by cleanup_module().
     * This prototype returns ssize_t, while our_sys_call() below returns int;
     * the two must agree for the table slot to hold either interchangeably. */
    asmlinkage ssize_t (*original_call)(unsigned int fd, const char __user * buf, size_t count);
    /*
     * Replacement write(2) entry installed by init_module(): logs a line when
     * the caller's buffer starts with "HELLO", then forwards to the saved
     * original handler and returns whatever it returns.
     *
     * Problems a reviewer should know about before trusting this:
     *  - buf is a __user pointer that is dereferenced directly from kernel
     *    mode, without access_ok()/copy_from_user(); an unmapped address, or a
     *    kernel that enforces SMAP, oopses here instead of returning -EFAULT.
     *  - buf[0..4] are read whatever the value of count, so a write() of fewer
     *    than five bytes reads past the end of the caller's data.
     *  - fd is never checked, so every write(2) on the whole system, for every
     *    process and descriptor, passes through this function. That is both a
     *    global slowdown and the reason syscall-table hooks are what kernel
     *    integrity monitors look for.
     *  - the return type (int) differs from original_call's (ssize_t).
     */
    asmlinkage int our_sys_call(unsigned int fd, const char __user * buf, size_t count)
    {
    	if(buf[0] == 'H' && buf[1] == 'E' && buf[2] == 'L' && buf[3] == 'L' && buf[4] == 'O')
    		printk("HELLO is written\n");	/* no KERN_* prefix: default log level */
    	return original_call(fd, buf,count);
    }
    
    /* Scratch outputs of the inline asm in myfunc(), which stores to them by
     * symbol name: the table slot whose page is made writable, the raw %cr3
     * value, the page-directory entry found, and the rewritten page-table entry.
     * They exist only so myfunc() can printk them afterwards. */
    void *origaddr = (void*)0;
    void *origcr3 = (void*)0;
    void *direntry = (void*)0;
    void *mdentry = (void*)0;
    
    /*
     * Walks the page tables by hand and rewrites the page-table entry that maps
     * the page containing origaddr (set by init_module() to the write(2) slot of
     * sys_call_table), so that the slot can be overwritten even though the
     * kernel keeps that page read-only. This is the write-protection bypass
     * used by syscall-table rootkits; integrity checkers that compare
     * sys_call_table against a known-good copy exist precisely to catch the
     * modification it enables.
     *
     * Assumptions baked into the constants, none of them checked at runtime:
     *  - 32-bit x86 with two-level, non-PAE paging: the directory index is
     *    origaddr >> 22 and the table index is bits 12..21 (andl $0x003ff000),
     *    each entry being 4 bytes (sall $2).
     *  - physical addresses from %cr3 and the directory entry become kernel
     *    virtual pointers by adding 0xc0000000 (presumably PAGE_OFFSET of this
     *    build). On a PAE or x86-64 kernel this walk reads the wrong memory.
     *
     * Side effects: origcr3, direntry and mdentry receive the raw values seen;
     * the PTE's low 12 flag bits are replaced by 0x67 (on i386: present,
     * writable, user, accessed, dirty). cleanup_module() never restores the
     * original entry, so the page stays writable after the module is gone.
     */
    void myfunc(void)
    {
    	/* Basic asm with no operand/clobber lists: it saves and restores
    	 * %eax/%ebx itself and names the globals directly, which only links in
    	 * non-PIC 32-bit module code. Reading %cr3 requires ring 0. */
    	__asm__ __volatile__
    	(
    	 	"pushl	%eax\n\t"
    	       	"pushl	%ebx\n\t"
    		/* %eax = page-directory base (physical) -> origcr3 */
    		"movl	%cr3, %eax\n\t"
    		"movl	%eax, origcr3\n\t"
    		/* physical frame -> kernel virtual address of the directory */
    		"andl	$0xfffff000, %eax\n\t"
    		"addl	$0xc0000000, %eax\n\t"
    		/* %ebx = directory index of origaddr, scaled to a byte offset */
    		"movl	origaddr, %ebx\n\t"
    		"shrl	$22, %ebx\n\t"
    		"sall	$2, %ebx\n\t"
    		"addl	%ebx, %eax\n\t"
    		/* %eax = directory entry -> direntry */
    		"movl	(%eax), %eax\n\t"
    		"movl	%eax, direntry\n\t"
    		/* page-table frame -> kernel virtual address of the table */
    		"andl	$0xfffff000, %eax\n\t"
    		"addl	$0xc0000000, %eax\n\t"
    		/* %ebx = table index of origaddr (bits 12..21), scaled */
    		"movl	origaddr, %ebx\n\t"
    		"andl	$0x003ff000, %ebx\n\t"
    		"shrl	$12, %ebx\n\t"
    		"sall	$2, %ebx\n\t"
    		"addl	%ebx, %eax\n\t"
    		/* keep the PTE address in %ebx, load the entry into %eax */
    		"movl	%eax, %ebx\n\t"
    		"movl	(%eax), %eax\n\t"
    		/* replace the flag bits with 0x67 and store the entry back */
    		"andl	$0xfffff000, %eax\n\t"
    		"addl	$0x67, %eax\n\t"
    		"movl	%eax, (%ebx)\n\t"
    		"movl	%eax, mdentry\n\t"
    		"popl	%ebx\n\t"
    		"popl	%eax\n\t"	
    	);
    	/* Diagnostic dump of the values observed during the walk. */
    	printk("origaddr->0x%p\n", origaddr);
    	printk("origcr3-->0x%p\n", origcr3);
    	printk("direntry->0x%p\n", direntry);
    	printk("mdentry-->0x%p\n", mdentry);
    }
    
    /*
     * Module entry: records the current write(2) handler, makes the page that
     * holds the table slot writable through myfunc(), then installs
     * our_sys_call() in its place. Always returns 0; neither the hard-coded
     * table address nor the page walk is validated, and a slot already hooked
     * by another module would be saved as the "original".
     * The void* -> function-pointer assignment on the first line is not
     * portable C (it is accepted by GCC with a warning under -Wpedantic).
     */
    int init_module()
    {
    	original_call = sys_call_table[__NR_write];	
    	origaddr = &sys_call_table[__NR_write];
    	myfunc();	/* PTE covering origaddr becomes writable */
    	sys_call_table[__NR_write] = our_sys_call;	/* every write(2) now enters the hook */
    	
    
    	return 0;
    }
    
    /* Module exit: puts the saved write(2) handler back. The page-table change
     * made by myfunc() is left in place, and nothing waits for syscalls that
     * may still be executing inside our_sys_call() on another CPU before the
     * module text is freed. */
    void cleanup_module()
    {
    	sys_call_table[__NR_write] = original_call;
    	printk("setting everything back...we're out of here!\n");
    }
    you can test it by compiling and executing this code

    Code:
    #include <stdio.h>
    #include <stdlib.h>
    
    /* Test driver for the module above: emits "HELLO\n" on stdout so that a
     * hooked write(2) sees a buffer beginning with "HELLO". Exits successfully. */
    int main(int argc, char **argv)
    {
    	static const char probe[] = "HELLO\n";
    
    	(void)argc;
    	(void)argv;
    	fwrite(probe, 1, sizeof probe - 1, stdout);
    	return EXIT_SUCCESS;
    }

  2. #42
    Try this one; it should clear up any misconceptions about kernel and user memory and about what can write to what... Notice the printed message "Hello, World".

    kernel module
    Code:
    #include <linux/kernel.h>
    #include <linux/module.h>
    #include <linux/unistd.h>
    
    /* Hard-coded, kernel-build-specific address of sys_call_table; it is never
     * validated, so a wrong value makes init_module() patch arbitrary memory. */
    void **sys_call_table = (void**)0xc07aa4f0;
    
    /* Saved pointer to the real write(2) entry, restored by cleanup_module().
     * Prototype matches our_sys_call() below (int fd, char *buf, int size). */
    asmlinkage int (*original_call)(int fd, char *buf, int size);
    
    /*
     * Replacement write(2) entry that demonstrates kernel code writing straight
     * into a user buffer: for a non-empty write to fd 1 (stdout) whose first
     * byte is 'H', it overwrites that byte with 'W' in the caller's own memory
     * before forwarding to the original handler, so "Hello, World!" comes out
     * as "Wello, World!".
     *
     * Notes for anyone reusing this: the store goes through the raw user
     * pointer with no access_ok()/copy_to_user(), so a bad address oopses
     * instead of failing with -EFAULT, and the change is visible to the
     * process after the syscall returns because its buffer was modified in
     * place. Every write(2) on the system passes through here; only the
     * fd == 1 / 'H' case is altered.
     */
    asmlinkage int our_sys_call(int fd, char *buf, int size)
    {
    	if ((size > 0) && (fd == 1) && (buf[0] == 'H'))
    		buf[0] = 'W';
    	return original_call(fd, buf, size);
    }
    
    /* Scratch outputs of the inline asm in myfunc(), stored to by symbol name:
     * the table slot whose page is made writable, the raw %cr3 value, the
     * page-directory entry found, and the rewritten page-table entry. */
    void *origaddr = (void*)0;
    void *origcr3 = (void*)0;
    void *direntry = (void*)0;
    void *mdentry = (void*)0;
    
    /*
     * Walks the page tables by hand and rewrites the page-table entry mapping
     * the page that contains origaddr (the write(2) slot of sys_call_table, set
     * by init_module()), so that the read-only slot can be overwritten. This is
     * the write-protection bypass used by syscall-table rootkits, and the
     * resulting table modification is what kernel integrity monitors check for.
     *
     * Unchecked assumptions encoded in the constants:
     *  - 32-bit x86, two-level non-PAE paging: directory index = origaddr >> 22,
     *    table index = bits 12..21 (andl $0x003ff000), 4-byte entries (sall $2).
     *  - physical addresses from %cr3 and the directory entry are turned into
     *    kernel virtual pointers by adding 0xc0000000 (presumably PAGE_OFFSET).
     *    A PAE or x86-64 kernel has a different layout and this reads garbage.
     *
     * Side effects: origcr3, direntry and mdentry get the values observed; the
     * PTE's low 12 flag bits are replaced with 0x67 (on i386: present,
     * writable, user, accessed, dirty). The entry is never restored, so the
     * page remains writable after cleanup_module().
     */
    void myfunc(void)
    {
    	/* Basic asm, no operand or clobber lists: saves/restores %eax/%ebx
    	 * itself and references the globals by symbol (non-PIC 32-bit only).
    	 * Reading %cr3 needs ring 0. */
    	__asm__ __volatile__
    	(
    	 	"pushl	%eax\n\t"
    	       	"pushl	%ebx\n\t"
    		/* %eax = page-directory base (physical) -> origcr3 */
    		"movl	%cr3, %eax\n\t"
    		"movl	%eax, origcr3\n\t"
    		/* frame -> kernel virtual address of the directory */
    		"andl	$0xfffff000, %eax\n\t"
    		"addl	$0xc0000000, %eax\n\t"
    		/* %ebx = scaled directory index of origaddr */
    		"movl	origaddr, %ebx\n\t"
    		"shrl	$22, %ebx\n\t"
    		"sall	$2, %ebx\n\t"
    		"addl	%ebx, %eax\n\t"
    		/* %eax = directory entry -> direntry */
    		"movl	(%eax), %eax\n\t"
    		"movl	%eax, direntry\n\t"
    		/* page-table frame -> kernel virtual address of the table */
    		"andl	$0xfffff000, %eax\n\t"
    		"addl	$0xc0000000, %eax\n\t"
    		/* %ebx = scaled table index (bits 12..21 of origaddr) */
    		"movl	origaddr, %ebx\n\t"
    		"andl	$0x003ff000, %ebx\n\t"
    		"shrl	$12, %ebx\n\t"
    		"sall	$2, %ebx\n\t"
    		"addl	%ebx, %eax\n\t"
    		/* keep PTE address in %ebx, load the entry into %eax */
    		"movl	%eax, %ebx\n\t"
    		"movl	(%eax), %eax\n\t"
    		/* replace the flag bits with 0x67 and write the entry back */
    		"andl	$0xfffff000, %eax\n\t"
    		"addl	$0x67, %eax\n\t"
    		"movl	%eax, (%ebx)\n\t"
    		"movl	%eax, mdentry\n\t"
    		"popl	%ebx\n\t"
    		"popl	%eax\n\t"	
    	);
    	/* Diagnostic dump of what the walk saw and wrote. */
    	printk("origaddr->0x%p\n", origaddr);
    	printk("origcr3-->0x%p\n", origcr3);
    	printk("direntry->0x%p\n", direntry);
    	printk("mdentry-->0x%p\n", mdentry);
    }
    
    /*
     * Module entry: saves the current write(2) handler, makes the page holding
     * the table slot writable via myfunc(), then installs our_sys_call().
     * Returns 0 unconditionally; the table address and the page walk are not
     * validated, and a slot already hooked by another module would be saved as
     * the "original". The void* -> function-pointer assignment is not portable C.
     */
    int init_module()
    {
    	original_call = sys_call_table[__NR_write];	
    	origaddr = &sys_call_table[__NR_write];
    	myfunc();	/* PTE covering origaddr becomes writable */
    	sys_call_table[__NR_write] = our_sys_call;	/* every write(2) now enters the hook */
    	return 0;
    }
    
    /* Module exit: restores the saved write(2) handler. The page-table change
     * from myfunc() stays in place, and nothing waits for syscalls that may
     * still be inside our_sys_call() on another CPU before the module is freed. */
    void cleanup_module()
    {
    	sys_call_table[__NR_write] = original_call;
    	printk("setting everything back...we're out of here!\n");
    }
    user executable
    Code:
    #include <stdio.h>
    #include <stdlib.h>
    
    /* Test driver for the module above: writes "Hello, World!\n" to stdout
     * (fd 1, first byte 'H', which is the case the hook rewrites). Exits 0. */
    int main(int argc, char **argv)
    {
    	(void)argc;
    	(void)argv;
    	fprintf(stdout, "%s", "Hello, World!\n");
    	return EXIT_SUCCESS;
    }
    Make mine Arch Linux

  3. #43
    if fd == 1

    What is this for ? it's file's something (I saw when googling)


    In fact my home work is just getting the keys that user press. When my module get that "the user pressed 'H' ", the module will call a function that returns the system time or when my module realize that the user pressed 'p' the module will call a function that returns the current working directory and the module will print these to the logs that's the easy part. The system time and getcwd functions is ok. But I don't know how I can get the keys that user press. For that I found some articles that explanining "Writing Linux Kernel Keylogger" and in articles there is intercepting the sys_write call. This is ok with your help.

    But there is more : in articles
    There is tty hijacking. I think, it is using intercepting syscalls method to do this as reading the paragraph below. But I don't know what "TTY" is doing if you know Can you summarize that what tty is for. There is source codes for keyloggers in that articles but I must understand tty ioctl, the codes probably they will not work under 2.6.x kernels like intercepting system calls.

    whatever tell me something what you know tty,ioctl, tty.recievebuf(). sure if you want. I am stealing your time sorry. This will end at 17 january deadline for project I hope you like keyloggers


    [1]
    System calls
    ------------
    System calls
    ------------
    System calls. These are the lowest level of functions available, and
    are implemented within the kernel. In this article, we will discuss how
    they can be abused to let us write a very simplistic tty hijacker/monitor.
    All code was written and designed for linux machines, and will not compile
    on anything else, since we are mucking with the kernel.

    TTY Hijackers, such as tap and ttywatcher are common on Solaris,
    SunOS, and other systems with STREAMS, but Linux thus far has not had
    a useful tty hijacker (note: I don't consider pty based code such as
    telnetsnoop to be a hijacker, nor very useful since you must make
    preparations ahead of time to monitor users).

    Since linux currently lacks STREAMS (LinSTREAMS appears to be dead),
    we must come up with a alternative way to monitor the stream. Stuffing
    keystrokes is not a problem, since we can use the TIOCSTI ioctl to stuff
    keystrokes into the input stream. The solution, of course, is to redirect
    the write(2) system call to our own code which logs the contents of the
    write if it is directed at our tty; we can then call the real write(2)
    system call.

    Clearly, a device driver is going to be the best way to do things. We
    can read from the device to get the data that has been logged, and add
    a ioctl or two in order to tell our code exactly what tty we want to log.



    articles:

    http://freeworld.thc.org/papers/writ...-keylogger.txt

    inthis article the writer is telling the "Writing Linux Kernel Keylogger" and referencing the below articles.

    [1] OpenNET: ?????? - [Phrack] Abuse of the Linux Kernel for Fun and Profit (security linux kernel)

    (nearly) Complete Linux Loadable Kernel Modules

  4. #44
    Quote Originally Posted by fenerista View Post
    if fd == 1

    what is this for ? it's file's something (I saw when googling)
    In this case it's stdout (fd 1).
    Make mine Arch Linux

  5. #45
    I wouldn't use this method for a keylogger... it's too far down the path. I would use the keyboard interrupt functionality.

    Just my opinion.
    Make mine Arch Linux

  6. #46
    Quote Originally Posted by gerard4143 View Post
    I wouldn't use this method for a keylogger... it's too far down the path. I would use the keyboard interrupt functionality.

    Just my opinion.
    I don't know any thing that interrupt so I am trying all what I found

    Yes there is interrupt handling approach for doing keylogger in the article but I don't know it. Tell me anything what you know making keylogger in linux.



    ----[ 3.1 - Interrupt handler

    To log keystrokes, we will use our own keyboard interrupt handler. Under
    Intel architectures, the IRQ of the keyboard controlled is IRQ 1. When
    receives a keyboard interrupt, our own keyboard interrupt handler read the
    scancode and keyboard status. Keyboard events can be read and written via
    port 0x60(Keyboard data register) and 0x64(Keyboard status register).

    /* below code is intel specific */
    #define KEYBOARD_IRQ 1
    #define KBD_STATUS_REG 0x64
    #define KBD_CNTL_REG 0x64
    #define KBD_DATA_REG 0x60

    #define kbd_read_input() inb(KBD_DATA_REG)
    #define kbd_read_status() inb(KBD_STATUS_REG)
    #define kbd_write_output(val) outb(val, KBD_DATA_REG)
    #define kbd_write_command(val) outb(val, KBD_CNTL_REG)

    /* register our own IRQ handler */
    request_irq(KEYBOARD_IRQ, my_keyboard_irq_handler, 0, "my keyboard", NULL);

    In my_keyboard_irq_handler():
    scancode = kbd_read_input();
    key_status = kbd_read_status();
    log_scancode(scancode);

    This method is platform dependent. So it won't be portable among
    platforms. And you have to be very careful with your interrupt handler if
    you don't want to crash your box
    http://freeworld.thc.org/papers/writ...-keylogger.txt

    I don't know any thing about that IRQ what am I supossed to do.

    And your code's result, "Wello, World!", is very good.

  7. #47
    Code:
    Yes there is interrupt handling approach for doing keylogger in the article but I don't 
    know it.  Tell me anything what you know making keylogger in linux.
    Again the best approach is to get the Intel/AMD manuals and read the interrupt sections and then get a good Linux kernel reference. I know only the basic rudiments of interrupt handling and that's only from the Intel/AMD manuals - what Linux does on top of the basic functionality is a complete mystery to me...Sorry.
    Make mine Arch Linux

  8. #48
    Quote Originally Posted by gerard4143 View Post
    Code:
    Yes there is interrupt handling approach for doing keylogger in the article but I don't know it. 
    Tell me anything what you know making keylogger in linux.
    Again the best approach is to get the Intel/AMD manuals and read the interrupt sections and then get a good Linux kernel reference. I know only the basic rudiments of interrupt handling and that's only from the Intel/AMD manuals - what Linux does on top of the basic functionality is a complete mystery to me...Sorry.
    Thx again for your help
    I will be in linux :9

  9. #49
    @fenerista!

    I am really sorry if my post will insult you in any way, but I am sure that I ought to tell you.
    gerard was right: "things are way over your head"!

    look you say it is no problem to do syscallmanipulation stuff in a virtual box, if you had any idea, you wouldn't claim this ****!
    1) Ever heard about virtual kernel rootkits ?
    A virtualSystem !might! "replace" your ring0 stuff to ring1 and set it's hypervisor to ring0 !
    If you would knew that, you would never state another thing!

    Second, you don't get userspace and kernelspace. When I am doing kernel space coding, why would I bother calling a userspace function? Get to basic c, if you want to call a userspace function!

    If I get you right, "your homework" was to code a cwd? => This is an easy piece of code, which I can do using standard c functions in userspace. Maybe your work had to be in kernelspace? you didn't tell us!

    You have no idea about the sync call... well...

    You lack the ability to learn! If it would be me, I would have used man sync! Then I would know better! I spent the last week doing research on "walking pages" with linux and getting intel manuals to have a look at! I spent a half year finding a solution, on how to disable write protection, and gerard explained it to me and gave me code! Yet I do research that I fully understand it!

    You lack this ability, so forgive me, from my point of view you are a script kiddy which just copy pastes it stuff together and doesn't care about the sense and way why things work as they do!

    so long...

  10. #50
    Quote Originally Posted by Linuxerlive View Post
    @fenerista!

    I am really sorry if my post will insult you in any way, but I am sure that I ought to tell you.
    gerard was right: "things are way over your head"!

    look you say it is no problem to do syscallmanipulation stuff in a virtual box, if you had any idea, you wouldn't claim this ****!
    1) Ever heard about virtual kernel rootkits ?
    A virtualSystem !might! "replace" your ring0 stuff to ring1 and set it's hypervisor to ring0 !
    If you would knew that, you would never state another thing!

    Second, you don't get userspace and kernelspace. When I am doing kernel space coding, why would I bother calling a userspace function? Get to basic c, if you want to call a userspace function!

    If I get you right, "your homework" was to code a cwd? => This is an easy piece of code, which I can do using standard c functions in userspace. Maybe your work had to be in kernelspace? you didn't tell us!

    You have no idea about the sync call... well...

    You lack the ability to learn! If it would be me, I would have used man sync! Then I would know better! I spent the last week doing research on "walking pages" with linux and getting intel manuals to have a look at! I spent a half year finding a solution, on how to disable write protection, and gerard explained it to me and gave me code! Yet I do research that I fully understand it!

    You lack this ability, so forgive me, from my point of view you are a script kiddy which just copy pastes it stuff together and doesn't care about the sense and way why things work as they do!

    so long...
    I have limited days to do my homework I don't have a half year.
    As for sync: if I want to learn what sync does, I can learn it in 2 minutes. It wasn't important for my homework! I can't read manuals right now; the homework deadline was 17 January, but not any more: it's today, and I have already sent it to my teacher.

    "look you say it is no problem to do syscall manipulation stuff in a virtual box" I have no problem up to now when I am doing the syscallmanipulation. It is no problem with me If it is a problem for you OK it is a problem for you I don' care.
    I have no information about how effect a virtual system to do syscall manipulation. but I had no problem with that up to now and my code must study with virtual system. Because my teacher is using virtual system.

    userspace and kernelspace thing:

    I want to call the getcwd system call from my module. Is that result not surprising, or is there no current working directory (cwd) in a module so PATH appears blank, or did I make a mistake?
    this tells it is in kernel space I am saying on my module ?
    it is wrong ok. I am trying to call it in my module But I did'nt know that and I learnt that. When I wrote my code,

    Code:
    /* Base of sys_call_table, set in init_module() from a hard-coded,
     * kernel-build-specific address string. Typed as an array of unsigned long
     * so entries are fetched as integers and then treated as function pointers. */
    unsigned long *sys_call_table;
    unsigned long *myval;
    /* Pointer through which the sys_getcwd table entry is called. */
    asmlinkage long (*getCwd)(char*, unsigned long );
    
    
    /* Kernel-space destination buffer: static storage, so zero-initialised. */
    char buf[1000];
    
    /*
     * Module entry: tries to obtain the current working directory from inside
     * the module by calling the sys_getcwd table entry with a kernel buffer.
     *
     * Why PATH prints empty: sys_getcwd returns its result with copy_to_user(),
     * which refuses a kernel-space destination such as buf, so the call fails
     * (its return value, presumably -EFAULT, is never checked) and buf keeps
     * its zero-initialised contents. The poster confirms this later in the
     * thread. From kernel code the cwd of the calling process is reachable
     * through current->fs (verify against the kernel version), not through the
     * syscall entry.
     *
     * Other issues: simple_strtoul() returns an unsigned long that is stored
     * into a pointer without a cast; the integer-to-function-pointer assignment
     * to getCwd is not portable C; and the printk that follows it prints the
     * same value twice, since *getCwd on a function pointer decays straight
     * back to the pointer. Always returns 0.
     */
    int init_module(void)
    {
    	 printk(KERN_ALERT "*******start*********\n");
    	
    	myval = simple_strtoul("c0577150",NULL,16);	/* hard-coded table address */
    	 sys_call_table = myval;
    	 printk(KERN_INFO " *******sys_call_table= %p*******\n",  sys_call_table);
    	getCwd=sys_call_table[__NR_getcwd];
    	 printk(KERN_INFO "*getCwd= %p,getCwd= %p\n", *getCwd,getCwd);
    	getCwd(buf,1000);	/* kernel buffer passed where a user pointer is expected; result unchecked */
    	
            printk("********PATH:%s******\n",buf);
    
    	return 0;
    }
    /* Module exit: nothing was changed in init_module(), so only logs a marker. */
    void cleanup_module(void)
    {
            printk(KERN_ALERT "*******finish*********\n");
    }

    Nobody told me that you can't call getcwd from module code. I learnt that myself, by looking at the getcwd source code, seeing the copy_to_user function in it, and understanding why the getcwd syscall doesn't work from a module (when I pass my buf, which is in kernel space, where a userspace address is required). So you see I don't just copy-paste: I researched it and found it out. I understood it like you did!

    You researched I had no time to understand the code just learn how to do.

    So you wrote your comments without know anything about my stutation.
    gerard wrote somethings for me He is right my english is not good. and I wrote wrong sentences. and I could't tell him well. But in the end we finished it well. that s important.
