01-07-2010, #1 (Just Joined!, Join Date: Jan 2010, Posts: 13)
SysCallTable testing stuff
Hello,
I tried to change the sys_call_address to another location in memory.
Code:
alexander@osiris:~$ uname -a
Linux osiris 2.6.31-14-generic #48-Ubuntu SMP Fri Oct 16 14:04:26 UTC 2009 i686 GNU/Linux
The result was an OOPS!
sys_call_address is of course not exported, so I found it using:
Code:
grep sys_call_table /boot/System.map-2.6.31-14-generic
c0577150 R sys_call_table
My kernel prog looks like:
Code:
#include <linux/init.h>
#include <linux/module.h>
#include <linux/kernel.h>
#include <linux/syscalls.h>
#include <asm/unistd.h>

MODULE_LICENSE("GPL");
MODULE_AUTHOR("bli bla blu");

/* Address of sys_call_table taken from System.map, since it is not exported. */
void **sys_call_table = (void **)0xc0577150;

/* Saved original entry and the replacement. Both use the syscall calling
 * convention (asmlinkage) and the real sys_mkdir signature (pathname, mode). */
asmlinkage long (*orig_mkdir)(const char __user *pathname, int mode);

asmlinkage long hacked_mkdir(const char __user *pathname, int mode)
{
	return 0;
}

static int __init readlog_init(void)
{
	printk(KERN_INFO "addr: %p\n", sys_call_table);
	orig_mkdir = sys_call_table[__NR_mkdir];
	/* This store is the instruction that oopses: the page holding
	 * sys_call_table is mapped read-only (the *pte in the oops has the RW
	 * bit clear), so the write faults and insmod is killed. */
	sys_call_table[__NR_mkdir] = hacked_mkdir;
	printk(KERN_INFO "I am still here\n");
	return 0;
}

static void __exit readlog_exit(void)
{
	sys_call_table[__NR_mkdir] = orig_mkdir;
}

module_init(readlog_init);
module_exit(readlog_exit);
The result is something like:
Code:
alexander@osiris:~/Desktop/Vorträge/kernel-exp/test$ sudo insmod test.ko
Killed
Anybody any ideas?
Code:
dmesg
[67385.389666]
[67385.389669] addr: c0577150
[67385.389693] BUG: unable to handle kernel paging request at c05771ec
[67385.389701] IP: [<e078302c>] readlog_init+0x2c/0x46 [test]
[67385.389714] *pde = 1e22f063 *pte = 00577161
[67385.389723] Oops: 0003 [#3] SMP
[67385.389731] last sysfs file: /sys/devices/LNXSYSTM:00/device:00/PNP0C0A:00/power_supply/BAT0/voltage_now
[67385.389739] Modules linked in: test(+) test9(P+) test(+) arc4 lib80211_crypt_wep cbc aes_i586 aes_generic ecb binfmt_misc ppdev vboxnetflt vboxnetadp vboxdrv snd_hda_codec_realtek snd_hda_intel snd_hda_codec snd_hwdep snd_pcm_oss snd_mixer_oss snd_pcm snd_seq_dummy snd_seq_oss snd_seq_midi snd_rawmidi snd_seq_midi_event dm_crypt snd_seq snd_timer pcmcia snd_seq_device iptable_filter tifm_sd joydev ipw2200 yenta_socket tifm_7xx1 ip_tables snd psmouse libipw rsrc_nonstatic x_tables lib80211 soundcore serio_raw pcmcia_core tifm_core lp nvidia(P) sony_laptop snd_page_alloc parport ohci1394 ieee1394 e100 mii video output intel_agp agpgart
[67385.389851]
[67385.389859] Pid: 7944, comm: insmod Tainted: P D (2.6.31-14-generic #48-Ubuntu) VGN-FS115M
[67385.389867] EIP: 0060:[<e078302c>] EFLAGS: 00210296 CPU: 0
[67385.389875] EIP is at readlog_init+0x2c/0x46 [test]
[67385.389881] EAX: c0577150 EBX: fffffffc ECX: ffffffcc EDX: c01f29a0
[67385.389888] ESI: e0780340 EDI: 00000000 EBP: c3335f5c ESP: c3335f54
[67385.389894] DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068
[67385.389902] Process insmod (pid: 7944, ti=c3334000 task=de188000 task.ti=c3334000)
[67385.389907] Stack:
[67385.389911] e0780044 c0577150 c3335f88 c010112c e0780340 c0750a50 fffffffc e0780340
[67385.389926] <0> 00347ff4 e0783000 fffffffc e0780340 00347ff4 c3335fac c0173751 c5110738
[67385.389942] <0> de188000 c5110700 00000004 09c57018 09c57018 00004000 c3334000 c010336c
[67385.389960] Call Trace:
[67385.389972] [<c010112c>] ? do_one_initcall+0x2c/0x190
[67385.389982] [<e0783000>] ? readlog_init+0x0/0x46 [test]
[67385.389994] [<c0173751>] ? sys_init_module+0xb1/0x1f0
[67385.390003] [<c010336c>] ? syscall_call+0x7/0xb
[67385.390008] Code: 89 e5 83 ec 08 a1 28 03 78 e0 c7 04 24 44 00 78 e0 89 44 24 04 e8 e9 b3 de df a1 28 03 78 e0 8b 90 9c 00 00 00 89 15 9c 04 78 e0 <c7> 80 9c 00 00 00 00 00 78 e0 c7 04 24 4f 00 78 e0 e8 c2 b3 de
[67385.390096] EIP: [<e078302c>] readlog_init+0x2c/0x46 [test] SS:ESP 0068:c3335f54
[67385.390108] CR2: 00000000c05771ec
[67385.390116] ---[ end trace 4c2f5142834c75aa ]---
Thx for your help!
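An added example (my own, not code from the thread) that decodes the page-fault fields quoted in the oops above: the "Oops: 0003" error code, the "*pte" value, and the CR2 address relative to sys_call_table. It assumes the default 32-bit PAGE_OFFSET of 0xc0000000 and the 2.6.31 i386 table size of 337 entries; neither is stated in the thread.

```c
/* Added example, not from the thread: decode the page-fault fields of the oops
 * above. Constants come from the posted dmesg/System.map; PAGE_OFFSET is the
 * default 32-bit kernel split, which the thread does not state (assumption). */
#include <stdio.h>
#include <stdint.h>
#define PAGE_OFFSET 0xc0000000u   /* start of the kernel direct map */
#define NR_MKDIR    39            /* __NR_mkdir on i386 */
struct fault {
    int present, write, user;             /* page-fault error code bits 0..2 */
    int pte_present, pte_rw, pte_global;  /* PTE bits 0, 1 and 8 */
};
/* "Oops: 0003" is the x86 page-fault error code, "*pte = 00577161" the PTE. */
struct fault decode_fault(uint32_t err, uint32_t pte)
{
    struct fault f;
    f.present     = err & 1;         /* 1: page present, protection violation */
    f.write       = (err >> 1) & 1;  /* 1: the faulting access was a write    */
    f.user        = (err >> 2) & 1;  /* 0: raised in kernel mode              */
    f.pte_present = pte & 1;
    f.pte_rw      = (pte >> 1) & 1;  /* 0: page mapped read-only              */
    f.pte_global  = (pte >> 8) & 1;
    return f;
}
/* 1 if the PTE's frame is the frame of the kernel virtual address, i.e. the
 * PTE in the oops really describes the page holding sys_call_table. */
int pte_maps_vaddr(uint32_t pte, uint32_t vaddr)
{
    return (pte & ~0xfffu) == ((vaddr - PAGE_OFFSET) & ~0xfffu);
}

/* Table slot a faulting address lands on, or -1 if it is not a slot. */
long table_slot(uint32_t table, uint32_t addr, unsigned nr_syscalls)
{
    if (addr < table || (addr - table) % 4 != 0)   /* 4-byte entries on i386 */
        return -1;
    return (addr - table) / 4 < nr_syscalls ? (long)((addr - table) / 4) : -1;
}

int main(void)
{
    struct fault f = decode_fault(0x0003u, 0x00577161u);
    long slot = table_slot(0xc0577150u, 0xc05771ecu, 337); /* NR_syscalls, 2.6.31 i386 */
    printf("%s on %s from %s mode; PTE present=%d rw=%d global=%d\n",
           f.present ? "protection fault" : "not-present fault", f.write ? "write" : "read",
           f.user ? "user" : "kernel", f.pte_present, f.pte_rw, f.pte_global);
    printf("CR2 hits slot %ld (%s); PTE maps table's page: %d\n", slot,
           slot == NR_MKDIR ? "__NR_mkdir" : "other", pte_maps_vaddr(0x00577161u, 0xc0577150u));
    return 0;
}
```

Run on the values from the oops it reports a kernel-mode write to a present, read-only, global page, at exactly the __NR_mkdir slot of the table, which is what the module's store did.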
01-08-2010, #2 (Just Joined!, Join Date: Jan 2010, Posts: 23)
In kernel 2.6.x that is possibly forbidden; I had been trying that for 3 days. I can't even call/use a system call from a module. Could you do that? Such as the getcwd system call?
01-10-2010, #3
The only way to modify this code is to modify the memory attributes on sys_call_table:
Code:
void** sys_call_table = (void**)0xc0577150;
Someone did that very thing on this forum, in this section. You'll have to search around to find it.
Actually I did a quick query and well here it is:
http://www.linuxforums.org/forum/lin...all_table.html
Make mine Arch Linux
01-10-2010, #4 (Just Joined!, Join Date: Jan 2010, Posts: 13)
Yes, actually I saw this post and this was the reason why I posted here.
The problem is that
Code:
change_page_attr(pg, 1, prot)
does not work for kernels > 2.6.24.
01-10-2010, #5
I'll have to give this a try, I have a program somewhere that modifies the memory attributes but it uses inline assembler to walk the page tables instead of kernel functionality to get the job done.
Make mine Arch Linux
01-10-2010, #6 (Just Joined!, Join Date: Jan 2010, Posts: 13)
01-10-2010, #7
Well, I tried my kernel module that uses inline assembler to walk the page tables and it works on a 32-bit Intel kernel 2.6.26.37. So I can modify the sys_call_table entry __NR_sync to call my own version of __NR_sync and it works... So I would try attacking the problem with inline assembler...
Make mine Arch Linux
01-10-2010, #8 (Just Joined!, Join Date: Jan 2010, Posts: 13)
01-10-2010, #9 (Just Joined!, Join Date: Jan 2010, Posts: 23)
And do you know how a system call can be used in a module? I can't use one.
I did this:
Code:
baron@baron:~$ grep sys_call_table /boot/System.map-2.6.31-14-generic
c0577150 R sys_call_table
And the result: I didn't get the current directory (dmesg).
Code:
#include <linux/module.h>
#include <linux/kernel.h>
#include <linux/syscalls.h>
#include <asm/unistd.h>
#include <asm/uaccess.h>

/* sys_getcwd uses the syscall calling convention, so the pointer type must be asmlinkage. */
typedef asmlinkage long (*getcwd_fn)(char __user *buf, unsigned long size);

unsigned long *sys_call_table;
getcwd_fn getCwd;
char buf[1000];

int init_module(void)
{
	long ret;
	mm_segment_t old_fs;

	printk(KERN_ALERT "*******start*********\n");
	/* Address from System.map; simple_strtoul returns an unsigned long, so cast it. */
	sys_call_table = (unsigned long *)simple_strtoul("c0577150", NULL, 16);
	printk(KERN_INFO " *******sys_call_table= %p*******\n", sys_call_table);
	getCwd = (getcwd_fn)sys_call_table[__NR_getcwd];
	printk(KERN_INFO "*getCwd= %p\n", getCwd);

	/* sys_getcwd copies the path with copy_to_user, which rejects a kernel
	 * address such as buf and returns -EFAULT, leaving buf empty. Widen the
	 * address limit around the call so a kernel buffer is accepted. */
	old_fs = get_fs();
	set_fs(KERNEL_DS);
	ret = getCwd(buf, sizeof(buf));
	set_fs(old_fs);

	if (ret < 0)
		printk(KERN_ERR "getcwd failed: %ld\n", ret);
	else
		printk(KERN_INFO "********PATH:%s******\n", buf);
	return 0;
}

void cleanup_module(void)
{
	printk(KERN_ALERT "*******finish*********\n");
}
Code:
[ 3700.990900] sy3: module license 'unspecified' taints kernel.
[ 3700.991425] Disabling lock debugging due to kernel taint
[ 3701.026666] *******start*********
[ 3701.028332] *******sys_call_table= c0577150*******
[ 3701.028430] *getCwd= c01f80c0,getCwd= c01f80c0
[ 3701.028488] ********PATH:******
01-10-2010, #10 (Just Joined!, Join Date: Jan 2010, Posts: 23)