如何用LKM挂断中断门

Posted

tags:

篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了如何用LKM挂断中断门相关的知识,希望对你有一定的参考价值。

我正在研究做rootkit。

我正在尝试使用LKM挂接门中断4,处理VirtualBox。

但是当我触发门时,VM会冻结。挂钩和脱钩似乎有效,但我不知道为什么它会变得冻结。

它可能是与VirtualBox相关的问题吗?或者我错过了什么/做错了什么?挂钩门的方式是per-cpu IDT。我在每个CPU中创建一个内核线程,然后我安装新的门。在VirtualBox中,每个CPU使用相同的IDTR,因此我必须添加一些检查才能兼容。

任何帮助,将不胜感激。

我粘贴下面的代码。

Makefile文件

obj-m += so.o

so-objs := main.o core-asm.o asmcore.o

EXTRA_CFLAGS := -O0

KERNEL_HEADERS = /lib/modules/$(shell uname -r)/build

all:
    make V=1 -C $(KERNEL_HEADERS) M=$(PWD) core.s
    gcc -c core.s -o core-asm.o
    gcc -c asmcore.s -o asmcore.o
    make V=1 -C $(KERNEL_HEADERS) M=$(PWD) modules

clean:
    make V=1 -C $(KERNEL_HEADERS) M=$(PWD) clean

main.c中

#include <linux/module.h>

extern int hook_int(void);
extern void unhook_int(void);

int init_module(void) {
        return hook_int();
}

void cleanup_module(void) {
        unhook_int();
}

MODULE_LICENSE("GPL");

core.c

#include <asm/desc.h>
#include <linux/uaccess.h>
#include <linux/kthread.h>
#include <linux/mman.h>

#define VECTOR 4

extern void my_int_handler(void);
void for_each_idt(void (*cb)(gate_desc *idt));
void install_hook(gate_desc *idt);
void uninstall_hook(gate_desc *idt);
int kthread_fn(void *arg);
gate_desc *last_idt = NULL;
gate_desc gate_backup;
void *real_int_handler = NULL;
extern int my_memcpy(void *dst, void *src, size_t len);

int kthread_fn(void *arg) {
        void (*cb)(gate_desc *idt) = arg;
        struct desc_ptr idtr;
        gate_desc *idt = NULL;

        store_idt(&idtr);
        idt = (gate_desc *) idtr.address;
        if (last_idt != idt) {
                cb(idt);
                last_idt = idt;
        }

        return 0;
}

void for_each_idt(void (*cb)(gate_desc *idt)) {
        size_t cpus = 0, i = 0;
        struct task_struct *thread = NULL;

        last_idt = NULL;
        cpus = num_present_cpus();
        while (i != cpus) {
                thread = kthread_create(kthread_fn, cb, "kworker/%d:%d", (int) i, (int) cpus);
                kthread_bind(thread, i);
                wake_up_process(thread);
                i++;
        }
}

void install_hook(gate_desc *idt) {
        gate_desc gate;

        my_memcpy(&gate, &idt[VECTOR], sizeof(gate));
        my_memcpy(&gate_backup, &idt[VECTOR], sizeof(gate));
        printk("segment = %x
", gate.segment);
        printk("bits.ist = %x
", gate.bits.ist);
        printk("bits.zero = %x
", gate.bits.zero);
        printk("bits.type = %x
", gate.bits.type);
        printk("bits.dpl = %x
", gate.bits.dpl);
        printk("bits.p = %x
", gate.bits.p);
        printk("reserved = %x
", gate.reserved);
        printk("offset_low = %x
", gate.offset_low);
        printk("offset_middle = %x
", gate.offset_middle);
        printk("offset_high = %x
", gate.offset_high);
        gate.offset_low    = (u16) my_int_handler;
        gate.offset_middle = (u16) ((long) my_int_handler >> 16);
        gate.offset_high   = (u32) ((long) my_int_handler >> 32);
        real_int_handler = idt[VECTOR].offset_low | ((int) idt[VECTOR].offset_middle << 16) | ((long) idt[VECTOR].offset_high << 32);
        printk("after
");
        printk("offset_low = %x
", gate.offset_low);
        printk("offset_middle = %x
", gate.offset_middle);
        printk("offset_high = %x
", gate.offset_high);
        printk("my_int_handler = %lx
", (long)my_int_handler);
        printk("real_int_handler = %lx
", (long)real_int_handler);
        asm("cli
	mov	%%cr0, %%rax
	and	$0xfffffffffffeffff, %%rax
	mov	%%rax, %%cr0" ::: "rax");
        my_memcpy(&idt[VECTOR], &gate, sizeof(gate));
        asm("mov	%%cr0, %%rax
	or	$0x10000, %%rax
	mov	%%rax, %%cr0
	sti" ::: "rax");
}

void uninstall_hook(gate_desc *idt) {
        asm("cli
	mov	%%cr0, %%rax
	and	$0xfffffffffffeffff, %%rax
	mov	%%rax, %%cr0" ::: "rax");
        my_memcpy(&idt[VECTOR], &gate_backup, sizeof(gate_backup));
        asm("mov	%%cr0, %%rax
	or	$0x10000, %%rax
	mov	%%rax, %%cr0
	sti" ::: "rax");
}

int hook_int(void) {
        for_each_idt(install_hook);
        return 0;
}

void unhook_int(void) {
        for_each_idt(uninstall_hook);
}

asmcore.s

        .extern real_int_handler
        .text
        .globl my_memcpy
        .type my_memcpy, @function
my_memcpy:
        mov %rdx, %rcx
        rep movsb
        mov %rcx, %rax
        ret
        .size my_memcpy, .-my_memcpy

        .globl my_int_handler
        .type my_int_handler, @function
my_int_handler:
        jmp *real_int_handler(%rip)
        .size my_int_handler, .-my_int_handler

trigger.s

        .globl main
        .type main, @function
main:
        int $4
        ret

        .size main, .-main

加载后dmesg

[ 1000.001717] segment = 10
[ 1000.001718] bits.ist = 0
[ 1000.001718] bits.zero = 0
[ 1000.001719] bits.type = e
[ 1000.001719] bits.dpl = 3
[ 1000.001720] bits.p = 1
[ 1000.001720] reserved = 0
[ 1000.001721] offset_low = 1030
[ 1000.001721] offset_middle = 9480
[ 1000.001722] offset_high = ffffffff
[ 1000.001722] after
[ 1000.001723] offset_low = 1513
[ 1000.001723] offset_middle = c052
[ 1000.001724] offset_high = ffffffff
[ 1000.001724] my_int_handler = ffffffffc0521513
[ 1000.001725] real_int_handler = ffffffff94801030

执行./trigger而不挂钩

diwou@diwou-VirtualBox:~/arpso2$ ./trigger
Violación de segmento (`core' generado)
答案

源代码是正确的。问题出在VirtualBox上。修改IDT,GDT和MSR可能是它被冻结的原因。

我能够添加一个新的IDT条目,但似乎问题是在更改已写入的值时。例如,更改MSR_LSTAR寄存器,向GDT添加调用门,或修改IDT上的中断处理程序。

以上是关于如何用LKM挂断中断门的主要内容,如果未能解决你的问题,请参考以下文章

如何用 ViewPager 中的另一个片段替换 Android 片段?

如何用html代码控制在切换不同网页的时候播放的是一首歌曲,切歌曲不会因切换网页而中断

中断测试

Android NavController:如何用相同的动作打开相同的片段

如何用 Android 数据绑定替换 androidx.fragment.app.FragmentContainerView 中的片段

如何用freertos接收串口数据