* How to hook the system call?
From: Geraint Yang @ 2011-11-23 8:40 UTC (permalink / raw)
To: kernelnewbies
Hello everyone,
I am going to hook a system call like 'read' or 'send' by modifying the
sys_call_table, but it seems that the sys_call_table is in a read-only page;
how can I modify the sys_call_table? Or is there any method that I can
use to hook a system call in a module without modifying the kernel source?
Thanks!
--
Geraint Yang
Tsinghua University Department of Computer Science and Technology
From: Alexandru Juncu @ 2011-11-23 9:22 UTC (permalink / raw)
To: kernelnewbies
On Wed, Nov 23, 2011 at 10:40 AM, Geraint Yang <geraint0923@gmail.com> wrote:
> Hello everyone,
>
> I am going to hook a system call like 'read' or 'send' by modifying the
> sys_call_table, but it seems that the sys_call_table is in a read-only page;
> how can I modify the sys_call_table? Or is there any method that I can
> use to hook a system call in a module without modifying the kernel source?
>
> Thanks!
On a 2.6.35 kernel, it worked for me just by changing an entry in the
sys_call_table, within a kernel module. Something like this:
/* Bookkeeping kept by the hooking module (not part of a stock kernel). */
typedef long (*syscall_fn_t)(struct syscall_params);
asmlinkage long interceptor(struct syscall_params sp);
static DEFINE_SPINLOCK(sys_call_table_lock);
static syscall_fn_t old_sys_calls[NR_syscalls];
static int is_intercepted[NR_syscalls];

/* Save the original handler, then point the table entry at the interceptor. */
spin_lock(&sys_call_table_lock);
old_sys_calls[sys_call] = sys_call_table[sys_call];
sys_call_table[sys_call] = interceptor;
is_intercepted[sys_call] = 1;
spin_unlock(&sys_call_table_lock);

/* Runs instead of the original syscall; sp.eax carries the syscall number
 * in the poster's struct syscall_params, and do_stuff() is the poster's hook. */
asmlinkage long interceptor(struct syscall_params sp)
{
	long sys_call = sp.eax, r = 0;

	r = old_sys_calls[sys_call](sp); /* forward to the saved handler */
	do_stuff();
	return r;
}
--
Alexandru Juncu
From: Daniel Baluta @ 2011-11-23 10:10 UTC (permalink / raw)
To: kernelnewbies
On Wed, Nov 23, 2011 at 11:22 AM, Alexandru Juncu <alex.juncu@rosedu.org> wrote:
> On Wed, Nov 23, 2011 at 10:40 AM, Geraint Yang <geraint0923@gmail.com> wrote:
>> Hello everyone,
>>
>> I am going to hook a system call like 'read' or 'send' by modifying the
>> sys_call_table, but it seems that the sys_call_table is in a read-only page;
>> how can I modify the sys_call_table? Or is there any method that I can
>> use to hook a system call in a module without modifying the kernel source?
>>
>> Thanks!
>
> On a 2.6.35 kernel, it worked for me just by changing an entry in the
> sys_call_table, within a kernel module. Something like this:
Alex,
I am pretty sure that you are using a hacked version of 2.6.35.
Geraint,
In order to be able to hook a syscall you must do the following:
1. export syscall_table in arch/x86/kernel/i386_ksyms_32.c
extern void* sys_call_table[];
EXPORT_SYMBOL(sys_call_table);
2. make sys_call_table writable. In arch/x86/kernel/entry_32.S
you must have:
.section .data,"a"
#include "syscall_table_32.S"
thanks,
Daniel.
From: Alexandru Juncu @ 2011-11-23 10:27 UTC (permalink / raw)
To: kernelnewbies
On Wed, Nov 23, 2011 at 12:10 PM, Daniel Baluta <daniel.baluta@gmail.com> wrote:
> Alex,
> I am pretty sure that you are using a hacked version of 2.6.35.
>
> Geraint,
> In order to be able to hook a syscall you must do the following:
>
> 1. export syscall_table in arch/x86/kernel/i386_ksyms_32.c
>
> extern void* sys_call_table[];
> EXPORT_SYMBOL(sys_call_table);
>
> 2. make sys_call_table writable. In arch/x86/kernel/entry_32.S
> you must have:
>
> .section .data,"a"
> #include "syscall_table_32.S"
>
> thanks,
> Daniel.
>
Ah, Daniel is right... I forgot about that part...
From: rohan puri @ 2011-11-23 12:02 UTC (permalink / raw)
To: kernelnewbies
On Wed, Nov 23, 2011 at 3:57 PM, Alexandru Juncu <alex.juncu@rosedu.org> wrote:
> Ah, Daniel is right... I forgot about that part...
You can get the address of the sys_call_table from /proc/kallsyms, and
regarding the read-only section of this symbol, you can re-map the
addresses by making use of the vmap API in the kernel. This will avoid the
need to recompile the kernel. But I would not recommend you to do this.
There is the LSM framework specifically available for this; try to see if
you can make use of that.
Regards,
Rohan Puri
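Rohan's point that /proc/kallsyms gives the address of sys_call_table also serves the defender: the same symbol table lets you check that every table slot still resolves to a core-kernel sys_* handler rather than to module code or a mid-function address. The following Python is an added example, not code from the thread; it assumes the sys_call_table slot values were dumped separately (e.g. from a crash dump or a trusted introspection module), and the kallsyms lines and table values below are constructed.

```python
import bisect
import re

# One /proc/kallsyms (or System.map) line: addr, type, name, optional [module]
KALLSYMS_RE = re.compile(r"^([0-9a-fA-F]+)\s+(\S)\s+(\S+)(?:\s+\[(\S+)\])?$")
# Name prefixes used by syscall entry points across kernel generations
SYSCALL_PREFIXES = ("sys_", "SyS_", "__x64_sys_", "__ia32_sys_", "compat_sys_")


def parse_kallsyms(text):
    """Return (addr, type, name, module) tuples sorted by address."""
    syms = []
    for line in text.splitlines():
        m = KALLSYMS_RE.match(line.strip())
        if m:  # skip blank or malformed lines
            addr, typ, name, mod = m.groups()
            syms.append((int(addr, 16), typ, name, mod))
    return sorted(syms, key=lambda s: s[0])


def symbol_address(syms, name):
    """Address of a named symbol (e.g. sys_call_table itself), or None."""
    return next((a for a, _, n, _ in syms if n == name), None)


def resolve(syms, addr):
    """Closest symbol at or below addr as (name, offset, module), or None."""
    i = bisect.bisect_right([s[0] for s in syms], addr) - 1
    if i < 0:
        return None
    sym_addr, _, name, mod = syms[i]
    return name, addr - sym_addr, mod


def check_table(syms, table):
    """table maps syscall number -> slot value; returns (nr, reason) findings.
    A clean slot resolves at offset 0 to a sys_*-style core-kernel symbol."""
    findings = []
    for nr, slot in sorted(table.items()):
        r = resolve(syms, slot)
        if r is None:
            findings.append((nr, "unresolved address 0x%x" % slot))
            continue
        name, off, mod = r
        if mod is not None:
            findings.append((nr, "points into module %s (%s+0x%x)" % (mod, name, off)))
        elif off != 0:
            findings.append((nr, "mid-function target %s+0x%x" % (name, off)))
        elif not name.startswith(SYSCALL_PREFIXES):
            findings.append((nr, "non-syscall symbol %s" % name))
    return findings


# Constructed sample data, not from a real system: four core handlers, the
# table symbol, one module symbol, and a table whose slot 0 (read) was redirected.
SAMPLE_KALLSYMS = """\
ffffffff81000000 T _text
ffffffff811a2b30 T sys_read
ffffffff811a2c80 T sys_write
ffffffff811a2e10 T sys_open
ffffffff811a2f00 T sys_ni_syscall
ffffffff81e00000 R sys_call_table
ffffffffa0012340 t hooked_read\t[evilmod]
"""
SAMPLE_TABLE = {0: 0xffffffffa0012340, 1: 0xffffffff811a2c80,
                2: 0xffffffff811a2e10, 3: 0xffffffff811a2f00}

if __name__ == "__main__":
    syms = parse_kallsyms(SAMPLE_KALLSYMS)
    print("sys_call_table at 0x%x" % symbol_address(syms, "sys_call_table"))
    for nr, reason in check_table(syms, SAMPLE_TABLE):
        print("syscall %d: %s" % (nr, reason))
```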
From: Geraint Yang @ 2011-11-23 16:50 UTC (permalink / raw)
To: kernelnewbies
Hi,
Thank you all for helping me with my problem!
I don't want to modify my kernel source, so I am trying to learn to use the LSM
security hooks; even though it seems that it couldn't hook all the system
calls, I think it should be enough for me.
Thanks again!
On Wed, Nov 23, 2011 at 8:02 PM, rohan puri <rohan.puri15@gmail.com> wrote:
> You can get the address of the sys_call_table from /proc/kallsyms, and
> regarding the read-only section of this symbol, you can re-map the
> addresses by making use of the vmap API in the kernel. This will avoid the
> need to recompile the kernel. But I would not recommend you to do this.
> There is the LSM framework specifically available for this; try to see if
> you can make use of that.
>
> Regards,
> Rohan Puri
>
--
Geraint Yang
Tsinghua University Department of Computer Science and Technology
From: Alexandru Juncu @ 2011-11-23 16:59 UTC (permalink / raw)
To: kernelnewbies
On Wed, Nov 23, 2011 at 6:50 PM, Geraint Yang <geraint0923@gmail.com> wrote:
> Hi,
> Thank you all for helping me with my problem!
> I don't want to modify my kernel source, so I am trying to learn to use the LSM
> security hooks; even though it seems that it couldn't hook all the system
> calls, I think it should be enough for me.
> Thanks again!
I know that AppArmor can hook syscalls like read, write and memory
mapping and can deny or accept them. I am not sure if you can make it
do something else when hooked, but I know it has a script-like
configuration, so maybe you can take some other actions.
From: Geraint Yang @ 2011-11-23 18:05 UTC (permalink / raw)
To: kernelnewbies
Hi,
I have tried the LSM framework, but when I make my module I get
"warning: 'register_security' undefined"; then I checked security/security.c
and found out that register_security is not exported! So if I want to use
this function, I must hack the kernel by exporting it and recompiling the
kernel, which is allowed for me.
So... well, it seems that LSM doesn't work for a module without modifying the
kernel source.
On Thu, Nov 24, 2011 at 12:59 AM, Alexandru Juncu <alex.juncu@rosedu.org> wrote:
> I know that AppArmor can hook syscalls like read, write and memory
> mapping and can deny or accept them. I am not sure if you can make it
> do something else when hooked, but I know it has a script-like
> configuration, so maybe you can take some other actions.
>
--
Geraint Yang
Tsinghua University Department of Computer Science and Technology
From: Nuno Martins @ 2011-11-23 18:20 UTC (permalink / raw)
To: kernelnewbies
On Wed, Nov 23, 2011 at 6:05 PM, Geraint Yang <geraint0923@gmail.com> wrote:
> Hi,
> I have tried the LSM framework, but when I make my module I get
> "warning: 'register_security' undefined"; then I checked security/security.c
> and found out that register_security is not exported! So if I want to use
> this function, I must hack the kernel by exporting it and recompiling the
> kernel, which is allowed for me.
> So... well, it seems that LSM doesn't work for a module without modifying the
> kernel source.
If you can hook the system calls, you could try KProbes, which is a dynamic
instrumentation mechanism used in the Linux kernel.
You could use a JProbe to "capture" the function parameters of the
instrumented function.
If you have KProbes in your kernel, you can create a module to
instrument the syscall that you want.
Maybe it can be a starting point for you...
Other projects that use KProbes are DProbes and SystemTap; you can
also give them a look.
--
Nuno Martins
From: rohan puri @ 2011-11-24 4:04 UTC (permalink / raw)
To: kernelnewbies
On Wed, Nov 23, 2011 at 11:35 PM, Geraint Yang <geraint0923@gmail.com> wrote:
> Hi,
> I have tried the LSM framework, but when I make my module I get
> "warning: 'register_security' undefined"; then I checked security/security.c
> and found out that register_security is not exported! So if I want to use
> this function, I must hack the kernel by exporting it and recompiling the
> kernel, which is allowed for me.
> So... well, it seems that LSM doesn't work for a module without modifying
> the kernel source.
>
>
>
This function is declared as extern in the header linux/security.h; you can
include this header in your code and call this function.
Regards,
Rohan Puri
From: Jonathan Neuschäfer @ 2011-11-27 22:17 UTC (permalink / raw)
To: kernelnewbies
On Wed, Nov 23, 2011 at 04:40:14PM +0800, Geraint Yang wrote:
> Hello everyone,
>
> I am going to hook a system call like 'read' or 'send' by modifying the
> sys_call_table, but it seems that the sys_call_table is in a read-only page;
> how can I modify the sys_call_table? Or is there any method that I can
> use to hook a system call in a module without modifying the kernel source?
There's a kernel module for "advanced rickrolling" that overwrites the
open entry in the syscall table: https://github.com/fpletz/kernelroll
It does some trickery to make the page writable first.
HTH,
Jonathan Neuschäfer
From: richard -rw- weinberger @ 2011-11-28 1:12 UTC (permalink / raw)
To: kernelnewbies
On Sun, Nov 27, 2011 at 11:17 PM, Jonathan Neuschäfer
<j.neuschaefer@gmx.net> wrote:
> On Wed, Nov 23, 2011 at 04:40:14PM +0800, Geraint Yang wrote:
>> Hello everyone,
>>
>> I am going to hook a system call like 'read' or 'send' by modifying the
>> sys_call_table, but it seems that the sys_call_table is in a read-only page;
>> how can I modify the sys_call_table? Or is there any method that I can
>> use to hook a system call in a module without modifying the kernel source?
Please keep in mind that hooking a system call is very bad and error prone.
--
Thanks,
//richard
From: Geraint Yang @ 2011-11-28 2:12 UTC (permalink / raw)
To: kernelnewbies
Thanks for the advice!
I am using the LSM framework even though it needs recompiling the kernel.
But I will also give the kernelroll module a try.
Modifying sys_call_table is more error-prone, but it gives more freedom
than the LSM framework, which can only hook at a limited set of hooking points.
On Mon, Nov 28, 2011 at 9:12 AM, richard -rw- weinberger <
richard.weinberger@gmail.com> wrote:
> On Sun, Nov 27, 2011 at 11:17 PM, Jonathan Neuschäfer
> <j.neuschaefer@gmx.net> wrote:
> Please keep in mind that hooking a system call is very bad and error prone.
--
Geraint Yang
Tsinghua University Department of Computer Science and Technology
From: Jonathan Neuschäfer @ 2011-11-28 9:48 UTC (permalink / raw)
To: kernelnewbies
On Mon, Nov 28, 2011 at 02:12:37AM +0100, richard -rw- weinberger wrote:
> Please keep in mind that hooking a system call is very bad and error prone.
Sure.
--
Jonathan Neuschäfer