Linux动态为内核添加新的系统调用


鍘熷垱 dog250 Linux闃呯爜鍦?4鏈?9鏃?/p>

鍏堟潵涓弧婊$殑鍥炲繂锛?a href="https://blog.csdn.net/dog250/article/details/64461922011骞村啓杩欑瘒鏂囩珷鐨勬椂鍊欙紝鎴戠殑濂冲効灏忓皬杩樻病鏈夊嚭鐢? rel="nofollow">https://blog.csdn.net/dog250/article/details/64461922011骞村啓杩欑瘒鏂囩珷鐨勬椂鍊欙紝鎴戠殑濂冲効灏忓皬杩樻病鏈夊嚭鐢?/a>銆?/p>

评价一下这篇文章，总体写得还不错，但排版不行。时间如白驹过隙，快十年过去了，今天我来旧事重提。


添加新的系统调用，这是一个老掉牙的话题。前段时间折腾Rootkit的时候，我有意避开涉及HOOK劫持系统调用的话题，我主要是想来点新鲜的东西，毕竟关于劫持系统调用这种话题，网上的资料可谓汗牛充栋。

本文的主题依然不是劫持系统调用，而是添加系统调用，并且是动态添加系统调用，即在不重新编译内核的前提下添加系统调用，毕竟如果可以重新编译内核的话，那实在是没有意思。

但文中所述动态新增系统调用的方式依然是老掉牙的方式，甚至和2011年的文章有所雷同，但是 这篇文章介绍的方式足够清爽！

我们从一个问题开始。我的问题是：

  • Linux系统中如何获取以及修改当前进程的名字？？

你去搜一下这个topic，一堆冗余繁杂的方案，大多数都是借助procfs来完成这个需求，但没有直接的让人感到清爽的方法，比如调用一个getname接口即可获取当前进程的名字，调用一个modname接口就能修改自己的名字，没有这样的方法。

所以，干嘛不增加两个系统调用呢？

  • sys_getname: 获取当前进程名。

  • sys_setname: 修改当前进程名。

总体上，这是一个 增加两个系统调用的问题。

下面先演示动态增加一个系统调用的原理。还是使用2011年的老例子，这次我简单点，用systemtap脚本来实现。

千万不要质疑systemtap的威力，它的guru模式其实就是一个普通的内核模块，只是让编程变得更简单，所以， 把systemtap当一种方言来看待，而不仅仅作为调试探测工具。 甚至纯guru模式的stap脚本根本没有用到int 3断点，它简直可以用于线上生产环境！

演示增加系统调用的stap脚本如下：

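    #!/usr/bin/stap -g
    // newsyscall.stap
    %{
    /*
     * File-scope state shared by syscall_table_poke() and
     * syscall_table_clean(). Everything here lives inside the stap-generated
     * module, so it is only valid while the script is running.
     */

    // Address of the kernel's original sys_call_table (set in syscall_table_poke).
    unsigned char *old_tbl;
    // Borrow this module's own address space: the static array new_tbl serves
    // as the new system call table.
    // Note: kmalloc/vmalloc cannot be used here, because on x86_64 the kernel
    // cannot reach their addresses through a rel32 jump.
    // 8*500 bytes = room for 500 eight-byte entries.
    unsigned char new_tbl[8*500] = {0};
    // Address of the disp32 operand of the indirect call in system_call.
    unsigned long call_addr = 0;
    // Address of the immediate operand of the syscall-number limit check.
    unsigned long nr_addr = 0;
    // Original disp32 and original limit, saved so probe end can restore them.
    unsigned int off_old;
    unsigned short nr_old;

    // Use the kernel's ready-made text-poke interface instead of changing
    // page-table permissions by hand.
    // Modifying CR0 would also work, but is clearly not as clean as text_poke.
    // This is feasible -- otherwise how would the kernel's own ftrace or live
    // kpatch work?
    // The pointer is resolved at run time with kallsyms_lookup_name().
    void *(*_text_poke_smp)(void *addr, const void *opcode, size_t len);
    %}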
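    %{
    // The example from the 2011 article: it only prints one line. The function
    // was renamed to "skinshoe".
    //
    // Handler for the added system call slot. Logs its integer argument to the
    // kernel log and returns 0. It takes no pointers, so it touches no caller
    // memory.
    asmlinkage long sys_skinshoe(int i)
    {
        // The format string ends in "\n"; the page extraction had split the
        // literal across two lines.
        printk("new call----:%d\n", i);
        return 0;
    }
    %}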
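    function syscall_table_poke()
    %{
        /*
         * Copies the kernel's system call table into new_tbl, adds one entry
         * (sys_skinshoe) after the last original one, and then rewrites two
         * operands inside system_call: the syscall-number limit of the cmp
         * and the disp32 of the table-indexed call.
         *
         * NOTE(review): from a defender's point of view the result is a kernel
         * whose entry-path bytes no longer match its image: the cmp immediate
         * and the call displacement differ from the values shown in the
         * disassembly of the unmodified kernel. Comparing those bytes (and the
         * table the displacement points to) against the matching vmlinux is
         * the check that exposes this change.
         *
         * NOTE(review): nothing in this function is validated. The three
         * kallsyms_lookup_name() results are used unchecked, and if either
         * byte-pattern scan finds no match, nr_addr/call_addr stay 0 and the
         * reads below dereference address 0 in kernel context. The patterns,
         * the 3200-byte copy and the two-byte limit are tied to one specific
         * kernel build.
         */
        unsigned short nr_new = 0;
        unsigned int off_new = 0;
        unsigned char *syscall;
        unsigned long new_addr;
        int i;

        new_addr = (unsigned long)sys_skinshoe;
        syscall = (void *)kallsyms_lookup_name("system_call");
        old_tbl = (void*)kallsyms_lookup_name("sys_call_table");
        _text_poke_smp = (void *)kallsyms_lookup_name("text_poke_smp");

        // Copy the original system call table; 3200 bytes is somewhat more
        // than needed, but never too few.
        memcpy(&new_tbl[0], old_tbl, 3200);
        // disp32 of the new table (x86_64 sign-extends it). Only the low
        // 32 bits of the address are kept, which is why new_tbl has to live
        // in the module address range.
        off_new = (unsigned int)((unsigned long)&new_tbl[0]);

        // Signature match inside system_call's instruction bytes:
        // find cmp $0x143,%rax (bytes 0x48 0x3d followed by the immediate).
        for (i = 0; i < 0xff; i++) {
            if (syscall[i] == 0x48 && syscall[i+1] == 0x3d) {
                nr_addr = (unsigned long)&syscall[i+2];
                break;
            }
        }
        // Signature match inside system_call's instruction bytes:
        // find callq *xxxxx(,%rax,8) (bytes 0xff 0x14 0xc5 followed by disp32).
        for (i = 0; i < 0xff; i++) {
            if (syscall[i] == 0xff && syscall[i+1] == 0x14 && syscall[i+2] == 0xc5) {
                call_addr = (unsigned long)&syscall[i+3];
                break;
            }
        }
        // 1. Raise the number of system calls by one.
        // 2. Enable the new system call table.
        // Save the current operands first so syscall_table_clean() can put
        // them back. Only the low 16 bits of the cmp immediate are read and
        // later patched.
        off_old = *(unsigned int *)call_addr;
        nr_old = *(unsigned short *)nr_addr;
        // Install the entry function of the new system call in the slot right
        // after the last original one (index nr_old + 1).
        *(unsigned long *)&new_tbl[nr_old*8 + 8] = new_addr;
        nr_new = nr_old + 1;
        // Carry over the 16 bytes that followed the last original entry, now
        // one slot further along.
        memcpy(&new_tbl[nr_new*8 + 8], &old_tbl[nr_old*8 + 8], 16);
        // Poke the code: limit first, then the table displacement.
        _text_poke_smp((void *)nr_addr, &nr_new, 2);
        _text_poke_smp((void *)call_addr, &off_new, 4);
    %}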
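    function syscall_table_clean()
    %{
        /*
         * Writes the saved limit (nr_old) and the saved table displacement
         * (off_old) back into system_call, undoing syscall_table_poke().
         *
         * NOTE(review): relies on syscall_table_poke() having filled nr_addr,
         * call_addr, nr_old and off_old; there is no check that it did. The
         * restore must happen before the module goes away because new_tbl and
         * sys_skinshoe live inside the module.
         */
        _text_poke_smp((void *)nr_addr, &nr_old, 2);
        _text_poke_smp((void *)call_addr, &off_old, 4);
    %}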
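    // Runs once when the script starts: install the extra system call.
    probe begin
    {
        syscall_table_poke();
    }

    // Runs when the script is stopped (for example with Ctrl-C): restore the
    // original operands before the module, and new_tbl with it, is removed.
    probe end
    {
        syscall_table_clean();
    }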

唯一需要解释的就是两处poke：

  1. 修改系统调用数量的限制。

  2. 修改系统调用表的位置。

我们从system_call指令码中一看便知：

1.
    crash> dis system_call
2.
    0xffffffff81645110 <system_call>:       swapgs
3.
    ...
4.
    # 0x143需要修改为0x144
5.
    0xffffffff81645173 <system_call_fastpath>:      cmp    $0x143,%rax
6.
    0xffffffff81645179 <system_call_fastpath+6>:    ja     0xffffffff81645241 <badsys>
7.
    0xffffffff8164517f <system_call_fastpath+12>:   mov    %r10,%rcx
8.
    # -0x7e9b2c40需要被修正为新系统调用表的disp32偏移
9.
    0xffffffff81645182 <system_call_fastpath+15>:   callq  *-0x7e9b2c40(,%rax,8)
10.
    0xffffffff81645189 <system_call_fastpath+22>:   mov    %rax,0x20(%rsp)

如果代码正常，那么直接执行上面的stap脚本的话，新的系统调用应该已经生成，它的系统调用号为324，也就是0x143+1。至于说为什么系统调用号必须是逐渐递增的，请看：

1.
    callq  *-0x7e9b2c40(,%rax,8)

上述代码的含义是：

1.
    call index * 8 + disp32_offset 

这意味着内核是按照数组下标的方式索引系统调用的，这要求它们必须连续存放。

好了，回到现实，我们上面的行动是否成功了呢？事情到底是不是我们想象的那样的呢？我们写个测试case验证一下：

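    // newcall.c
    #define _GNU_SOURCE   /* for the syscall() declaration in <unistd.h> */
    #include <errno.h>
    #include <stdio.h>
    #include <unistd.h>

    /*
     * Invokes system call number 324 with the argument 1234 and prints the
     * resulting errno text. On a kernel without that slot the call fails with
     * ENOSYS ("Function not implemented").
     */
    int main(int argc, char *argv[])
    {
        (void)argc;
        (void)argv;

        /* perror() reports errno, which a successful call does not reset;
         * clear it first so the message reflects this call only. */
        errno = 0;
        syscall(324, 1234);
        perror("new system call");
        return 0;
    }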

执行之，看结果：

1.
    [root@localhost test]# gcc newcall.c
2.
    [root@localhost test]# ./a.out
3.
    new system call: Success
4.
    [root@localhost test]# dmesg
5.
    [ 1547.387847] stap_6874ae02ddb22b6650aee5cd2e080b49_2209: systemtap: 3.3/0.176, base: ffffffffa03b6000, memory: 106data/24text/0ctx/2063net/9alloc kb, probes: 2
6.
    [ 1549.119316] new call----:1234

OK，成功！此时我们Ctrl-C掉我们的stap脚本，再次执行a.out：

1.
    [root@localhost test]# ./a.out
2.
    new system call: Function not implemented

完全符合预期。


OK，那么现在开始正事，即新增两个系统调用，sysgetname和syssetname，分别为获取和设置当前进程的名字。

来吧，让我们开始。

其实 newsyscall.stap 已经足够了，稍微改一下即可，但是这里的 稍微改 体现了品质和优雅：

  • 改为oneshot模式，毕竟我不希望有个模块在系统里。

oneshot模式需要动态分配内存，保证在stap模块退出后这块内存不会随着模块的卸载而自动释放。而这个，我已经玩腻了。

直接上代码：



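    #!/usr/bin/stap -g
    // poke.stp
    %{
    /*
     * File-scope state for the one-shot variant. Unlike newsyscall.stap, the
     * new table and the handler code are placed in separately allocated
     * memory, so they stay behind after this script's module has exited.
     */

    // So that the rel32/disp32 offset stays reachable, borrow the range of
    // the module mapping space when allocating memory.
    #define START   _AC(0xffffffffa0000000, UL)
    #define END     _AC(0xffffffffff000000, UL)

    // Holds the original system call table.
    unsigned char *old_tbl;
    // Holds the new system call table.
    unsigned char *new_tbl;
    // Location of the call through the system call table.
    unsigned long call_addr = 0;
    // Location of the check against the system call count limit.
    unsigned long nr_addr = 0;
    // Original disp32 offset of the system call table.
    unsigned int off_old;
    // Original system call count.
    unsigned short nr_old;
    // Resolved at run time with kallsyms_lookup_name().
    // NOTE(review): declared as returning void **, while every call site
    // casts the result to void * -- looks like a stray '*'; confirm against
    // the kernel's __vmalloc_node_range prototype for the target version.
    void * *(*___vmalloc_node_range)(unsigned long, unsigned long,
                unsigned long, unsigned long, gfp_t,
                pgprot_t, int, const void *);
    void *(*_text_poke_smp)(void *addr, const void *opcode, size_t len);
    %}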
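    %{
    // The text of the new system calls is copied to a new page, so it is best
    // not to call any kernel function from them.
    // Kernel functions call each other with rel32 calls, which would require
    // fixing up the offsets -- too much trouble.
    // Remember: as an example, this calls neither printk nor memcpy/memset...
    // anyone who wants something fancier has to fix up the offsets themselves.
    // For the details, see my earlier articles about rootkits.
    //
    // NOTE(review): in both handlers the pointer argument comes straight from
    // the calling process and is dereferenced directly. There is no
    // access_ok()/copy_from_user()/copy_to_user(), so the address is never
    // checked to lie in user space: the kernel reads from, or writes to,
    // whatever address the caller supplies (up to 15 bytes per call). While
    // these entries are installed that is a memory-safety hole open to every
    // local process, so this belongs on a disposable test VM only.
    // NOTE(review): current->comm is read and written without any locking --
    // presumably tolerable for a demo; confirm before reusing.

    /*
     * Sets the calling task's name (current->comm) to the first len bytes of
     * newname and NUL-terminates it.
     * Returns 0 on success, -1 if len exceeds 15 (16 is presumably
     * TASK_COMM_LEN -- confirm).
     */
    long sys_setskinshoe(char *newname, unsigned int len)
    {
        int i;

        if (len > 16 - 1)
            return -1;

        for (i = 0; i < len; i++) {
            current->comm[i] = newname[i];
        }
        current->comm[i] = 0;
        return 0;
    }

    /*
     * Copies the first len bytes of the calling task's name (current->comm)
     * into name. No terminating NUL is written, so the caller has to pass a
     * zero-filled buffer.
     * Returns 0 on success, -1 if len exceeds 15.
     */
    long sys_getskinshoe(char *name, unsigned int len)
    {
        int i;

        if (len > 16 - 1)
            return -1;

        for (i = 0; i < len; i++) {
            name[i] = current->comm[i];
        }
        return 0;
    }

    // Buffer that receives the copied machine code of the two handlers above.
    unsigned char *stub_sys_skinshoe;
    %}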
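    function syscall_table_poke()
    %{
        /*
         * One-shot variant: allocates a new system call table and a code
         * buffer in the module mapping range, copies the machine code of
         * sys_setskinshoe/sys_getskinshoe into the buffer, adds both as two
         * extra table entries, and patches the limit and the table
         * displacement in system_call. Nothing here is undone when the script
         * exits; revert.stp is the counterpart.
         *
         * NOTE(review): because the script exits right after patching, no
         * related module remains in lsmod, but the change itself stays
         * visible: the cmp immediate and call displacement in system_call no
         * longer match the kernel image, and the displacement points into the
         * module range instead of at sys_call_table. Those are the values to
         * compare when checking a host for this kind of modification.
         *
         * NOTE(review): no result is checked -- neither the four
         * kallsyms_lookup_name() lookups, nor the two allocations, nor the
         * two pattern scans (a miss leaves nr_addr/call_addr at 0 and the
         * reads below dereference address 0).
         * NOTE(review): both allocations are executable (PAGE_KERNEL_EXEC) and
         * are written through the same mapping by the memcpy calls below,
         * i.e. kernel memory that is writable and executable at once.
         */
        unsigned short nr_new = 0;
        unsigned int off_new = 0;
        unsigned char *syscall;
        unsigned long new_addr;
        int i;

        syscall = (void *)kallsyms_lookup_name("system_call");
        old_tbl = (void *)kallsyms_lookup_name("sys_call_table");
        ___vmalloc_node_range = (void *)kallsyms_lookup_name("__vmalloc_node_range");
        _text_poke_smp = (void *)kallsyms_lookup_name("text_poke_smp");

        new_tbl = (void *)___vmalloc_node_range(8*500, 1, START, END,
                                    GFP_KERNEL | __GFP_HIGHMEM, PAGE_KERNEL_EXEC,
                                    -1, NULL/*__builtin_return_address(0)*/);
        stub_sys_skinshoe = (void *)___vmalloc_node_range(0xff, 1, START, END,
                                    GFP_KERNEL | __GFP_HIGHMEM, PAGE_KERNEL_EXEC,
                                    -1, NULL);
        // Copy the code instructions.
        // NOTE(review): 90 and 64 are hard-coded byte counts for the compiled
        // size of each handler; they depend on the compiler and its options.
        // A handler that compiles to more bytes is copied truncated.
        memcpy(&stub_sys_skinshoe[0], sys_setskinshoe, 90);
        memcpy(&stub_sys_skinshoe[96], sys_getskinshoe, 64);
        // Copy the system call table.
        memcpy(&new_tbl[0], old_tbl, 3200);
        new_addr = (unsigned long)&stub_sys_skinshoe[0];

        // Low 32 bits of the new table address, used as the call's disp32.
        off_new = (unsigned int)((unsigned long)&new_tbl[0]);
        // Match the cmp instruction.
        for (i = 0; i < 0xff; i++) {
            if (syscall[i] == 0x48 && syscall[i+1] == 0x3d) {
                nr_addr = (unsigned long)&syscall[i+2];
                break;
            }
        }
        // Match the call instruction.
        for (i = 0; i < 0xff; i++) {
            if (syscall[i] == 0xff && syscall[i+1] == 0x14 && syscall[i+2] == 0xc5) {
                call_addr = (unsigned long)&syscall[i+3];
                break;
            }
        }

        // Remember the current operands (kept only in this module's memory,
        // which is gone once the script exits).
        off_old = *(unsigned int *)call_addr;
        nr_old = *(unsigned short *)nr_addr;
        // Install setskinshoe in the slot after the last original entry.
        *(unsigned long *)&new_tbl[nr_old*8 + 8] = new_addr;
        new_addr = (unsigned long)&stub_sys_skinshoe[96];
        // Install getskinshoe in the slot after that.
        *(unsigned long *)&new_tbl[nr_old*8 + 8 + 8] = new_addr;
        // The number of system calls grows by 2.
        nr_new = nr_old + 2;
        // Move the tail stub back: the 16 bytes that followed the last
        // original entry now follow the last new one.
        memcpy(&new_tbl[nr_new*8 + 8], &old_tbl[nr_old*8 + 8], 16);
        _text_poke_smp((void *)nr_addr, &nr_new, 2);
        _text_poke_smp((void *)call_addr, &off_new, 4);
        // At this point the new system call table is in effect; modify it as
        // much as you like!
    %}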
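    // One-shot: patch, then exit immediately. There is no probe end, so
    // nothing is restored when the script's module goes away.
    probe begin
    {
        syscall_table_poke();
        exit();
    }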

顺便，我把恢复原始系统调用表的操作脚本也附带上：

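    #!/usr/bin/stap -g
    // revert.stp
    %{
    // Pointer to the kernel's text-poke routine; resolved at run time with
    // kallsyms_lookup_name() in syscall_table_revert().
    void *(*_text_poke_smp)(void *addr, const void *opcode, size_t len);
    %}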
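    function syscall_table_revert()
    %{
        /*
         * Restores system_call to the original limit (0x143) and to the
         * kernel's own sys_call_table, then frees the memory that poke.stp
         * allocated: the handler code buffer and the replacement table. The
         * replacement table's address is recovered from the disp32 currently
         * encoded in the call instruction.
         *
         * NOTE(review): there is no check that the kernel is actually in the
         * patched state. curr_calls is read but only used by the commented-out
         * loop; if it already equals nr_calls, off_new decodes to the
         * kernel's own sys_call_table and the two vfree() calls are applied
         * to a kernel table entry and to the table itself. Comparing
         * curr_calls with nr_calls (and off_new with off_old) before touching
         * anything would catch that.
         * NOTE(review): lookups and pattern scans are unchecked, as in
         * poke.stp. The freed code buffer may still be executing on another
         * CPU at the time of vfree() -- confirm before reusing this pattern.
         */
        unsigned int off_new, off_old;
        unsigned char *syscall;
        unsigned long nr_addr = 0, call_addr = 0, orig_addr, *new_tbl;
        // Better just keep this 0x143 in your head.
        // (It is the original limit of the kernel shown in the disassembly
        // above, hard-coded because poke.stp's saved copy is gone.)
        unsigned short nr_calls = 0x0143, curr_calls;
        int i;

        syscall = (void *)kallsyms_lookup_name("system_call");
        orig_addr = (unsigned long)kallsyms_lookup_name("sys_call_table");
        _text_poke_smp = (void *)kallsyms_lookup_name("text_poke_smp");

        // Locate the immediate of the cmp against the syscall limit.
        for (i = 0; i < 0xff; i++) {
            if (syscall[i] == 0x48 && syscall[i+1] == 0x3d) {
                nr_addr = (unsigned long)&syscall[i+2];
                break;
            }
        }
        // Locate the disp32 of the table-indexed call.
        for (i = 0; i < 0xff; i++) {
            if (syscall[i] == 0xff && syscall[i+1] == 0x14 && syscall[i+2] == 0xc5) {
                call_addr = (unsigned long)&syscall[i+3];
                break;
            }
        }
        curr_calls = *(unsigned short *)nr_addr;
        off_new = *(unsigned int *)call_addr;
        off_old = (unsigned int)orig_addr;
        // Decode the address of our own system call table from the disp32
        // (the upper 32 bits are all ones after sign extension).
        new_tbl = (unsigned long *)(0xffffffff00000000 | off_new);
        _text_poke_smp((void *)nr_addr, &nr_calls, 2);
        _text_poke_smp((void *)call_addr, &off_old, 4);

        // Entry nr_calls + 1 holds the start of the handler code buffer.
        vfree((void *)new_tbl[nr_calls + 1]);
        /*
        // loop free
        // If you added many system calls and they are spread over different
        // malloc pages, you need to free them in a loop.
        for (i = 0; i < curr_calls - nr_calls; i ++) {
            vfree((void *)new_tbl[nr_calls + 1 + i]);
        }
        */
        // Free our own system call table.
        vfree((void *)new_tbl);
    %}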
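    // One-shot: restore the original entry-path operands, free the memory
    // left behind by poke.stp, then exit.
    probe begin
    {
        syscall_table_revert();
        exit();
    }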

来吧，开始我们的实验：

我不懂编程，所以我只能写最简单的代码展示效果，下面的C代码直接调用新增的两个系统调用，首先它获得并打印自己的名字，然后把名字改掉，最后再次获取并打印自己的名字：

    #define _GNU_SOURCE   /* for the syscall() declaration in <unistd.h> */
    #include <errno.h>
    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    #include <unistd.h>
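    /*
     * Test driver for the two added system calls: reads the process name with
     * call 325, changes it to argv[1] with call 324, then reads it again.
     * After each call perror() prints the errno text, so on a kernel without
     * these slots every step reports ENOSYS ("Function not implemented").
     *
     * Returns 0 after running all three steps, 1 if no new name was given.
     */
    int main(int argc, char *argv[])
    {
        /* Zero-filled: the get call copies raw bytes and adds no NUL. */
        char name[16] = {0};

        /* Without this check a missing argument hands NULL to strlen(). */
        if (argc < 2) {
            fprintf(stderr, "usage: test_newcall <new-name>\n");
            return 1;
        }

        /* errno is not reset by a successful call; clear it before each one
         * so perror() describes that call and not an earlier failure. */
        errno = 0;
        syscall(325, name, 12);
        perror("-- get name before");
        printf("my name is %s\n", name);

        /* The handler on the page rejects lengths above 15 with -1. */
        errno = 0;
        syscall(324, argv[1], strlen(argv[1]));
        perror("-- Modify name");

        errno = 0;
        syscall(325, name, 12);
        perror("-- get name after");
        printf("my name is %s\n", name);
        return 0;
    }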

下面是实验结果：

1.
    # 未poke时的结果
2.
    [root@localhost test]# ./test_newcall skinshoe
3.
    -- get name before: Function not implemented
4.
    my name is
5.
    -- Modify name: Function not implemented
6.
    -- get name after: Function not implemented
7.
    my name is
8.
    [root@localhost test]#
9.
    [root@localhost test]# ./poke.stp 
10.
    [root@localhost test]#
11.
    # poke之后的结果，此时lsmod，你将看不到任何和这个poke相关的内核模块，这就是oneshot的效果。
12.
    [root@localhost test]# ./test_newcall skinshoe
13.
    -- get name before: Success
14.
    my name is test_newcall
15.
    -- Modify name: Success
16.
    -- get name after: Success
17.
    my name is skinshoe
18.
    [root@localhost test]#
19.
    [root@localhost test]# ./revert.stp
20
    [root@localhost test]#
21.
    # revert之后的结果
22.
    [root@localhost test]# ./test_newcall skinshoe
23.
    -- get name before: Function not implemented
24.
    my name is
25.
    -- Modify name: Function not implemented
26.
    -- get name after: Function not implemented
27.
    my name is
28.
    [root@localhost test]#

足够简单，足够直接，工人们和经理都可以上手一试。

我们如果让新增的系统调用干点坏事，那再简单不过了，得手之后呢？如何防止被经理抓到呢？封堵模块加载的接口即可咯，反正不加载内核模块，谁也别想看到当前系统的内核被hack成了什么样子，哦，对了，把/dev/mem的mmap也堵死哦...

....不过这是下面文章的主题了。

好了，今天就先写到这儿吧。


浙江温州皮鞋湿，下雨进水不会胖。
(END)
