Open new-gen23 opened 10 years ago
Running on Kali Linux VM in OSX parallels. Linux kali 3.14-kali1-amd64 #1 SMP Debian 3.14.5-1kali1 (2014-06-07) x86_64 GNU/Linux
git clone completed. make runs on kali without any issues. insmod kerokid.ko
[39654.130877] KEROKID: Started
[39654.132271] KEROKID: Check for syscall table hooks...
[39654.132274] KEROKID: Check for inline hooks...
[39654.132501] general protection fault: 0000 [#1] SMP
[39654.132504] Modules linked in: inkerokid(O+) xt_multiport iptable_filter ip_tables x_tables nfnetlink_log nfnetlink prl_fs_freeze(PO) prl_fs(PO) binfmt_misc loop dm_crypt sbs sbshc evdev coretemp psmouse parport_pc parport snd_intel8x0 snd_ac97_codec serio_raw snd_pcm snd_timer snd soundcore ac97_bus lpc_ich virtio_balloon mfd_core shpchp prl_tg(PO) battery processor thermal_sys ac button ext4 crc16 mbcache jbd2 dm_mod sg sd_mod crc_t10dif sr_mod cdrom ata_generic crct10dif_pclmul crct10dif_common crc32_pclmul crc32c_intel ghash_clmulni_intel prl_eth(PO) aesni_intel ata_piix aes_x86_64 ahci lrw gf128mul libahci glue_helper ablk_helper cryptd virtio_pci virtio_ring virtio 8390 libata scsi_mod
[39654.132534] CPU: 1 PID: 6804 Comm: insmod Tainted: P O 3.14-kali1-amd64 #1 Debian 3.14.5-1kali1
[39654.132535] Hardware name: Parallels Software International Inc. Parallels Virtual Platform/Parallels Virtual Platform, BIOS 10.1.1 (28614) rev 1072077 10
[39654.132536] task: ffff8800ab152960 ti: ffff880143904000 task.ti: ffff880143904000
[39654.132537] RIP: 0010:[] [] memcpy+0xb5/0x110
[39654.132554] RSP: 0018:ffff880143905c90 EFLAGS: 00010202
[39654.132555] RAX: ffffc90001b7e000 RBX: ffffc90001b7e000 RCX: ffffc90001b7f000
[39654.132556] RDX: 000000000000000c RSI: 6461625f6e726177 RDI: ffffc90001b7e000
[39654.132557] RBP: 000000000000000c R08: 8000000000000163 R09: 0000000000000000
[39654.132558] R10: 0000000000000001 R11: 0000000000000000 R12: 0000000000000002
[39654.132559] R13: 000000000000000c R14: 6461625f6e726177 R15: ffff8800a9512880
[39654.132560] FS: 00007f66281ee700(0000) GS:ffff880149220000(0000) knlGS:0000000000000000
[39654.132561] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[39654.132562] CR2: 00007f66281ec000 CR3: 00000001390e3000 CR4: 00000000001406e0
[39654.132568] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[39654.132570] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[39654.132571] Stack:
[39654.132572] ffffffffa03295c0 0000000000000000 6461625f6e726177 ffffffffa032b038
[39654.132574] ffffffffa032b020 0000000000000001 ffffffffa032968b 000000020000000c
[39654.132575] 000000000000b848 ffffffffe0ff0000 000000000000b848 ffffffffe0ff0000
[39654.132577] Call Trace:
[39654.132581] [] ? check_hook+0x30/0xb0 [inkerokid]
[39654.132584] [] ? check_for_hooks+0x4b/0x70 [inkerokid]
[39654.132586] [] ? check_inline_hooks+0x1e/0x30 [inkerokid]
[39654.132588] [] ? check_syscall_table+0x30/0x30 [inkerokid]
[39654.132590] [] ? init_module+0x49/0x70 [inkerokid]
[39654.132599] [] ? do_one_initcall+0x10a/0x160
[39654.132604] [] ? set_memory_nx+0x44/0x50
[39654.132611] [] ? load_module+0x1ac3/0x22f0
[39654.132613] [] ? show_initstate+0x50/0x50
[39654.132623] [] ? page_fault+0x28/0x30
[39654.132625] [] ? SyS_init_module+0xb1/0xe0
[39654.132628] [] ? system_call_fastpath+0x16/0x1b
[39654.132628] Code: 72 24 4c 8b 06 4c 8b 4e 08 4c 8b 54 16 f0 4c 8b 5c 16 f8 4c 89 07 4c 89 4f 08 4c 89 54 17 f0 4c 89 5c 17 f8 c3 90 83 fa 08 72 1b <4c> 8b 06 4c 8b 4c 16 f8 4c 89 07 4c 89 4c 17 f8 c3 66 2e 0f 1f
[39654.132645] RIP [] memcpy+0xb5/0x110
[39654.132647] RSP
[39654.132650] ---[ end trace c7c3af910803220f ]---
Is it possible it does not like Parallels?
lsmod shows that the module is loaded.
Module Size Used by
inkerokid 17420 1
rmmod inkerokid
Error: Module inkerokid is in use
Any idea?
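A small triage helper for the register dump above, added here as an example and not part of the report or of the Kerokid project. It parses the RAX..R15 lines, decodes each value as the eight little-endian bytes it would occupy in memory, and names the address region each value falls in, using the x86_64 4-level layout from Documentation/x86/x86_64/mm.txt that applies to a 3.14 kernel without KASLR. Two things the dump itself establishes: RSI, which is memcpy's source argument on x86_64 (RDI destination, RSI source, RDX length, here 0xc bytes), decodes to the text "warn_bad", and that value is a non-canonical address, which is why the CPU raised a general protection fault rather than a page fault. That this means a string was handed to memcpy where a resolved symbol address was expected is an assumption for the maintainers to check on the Kali kernel; the helper only makes the pattern visible.

```python
import re
import struct

# Register lines copied from the oops in the report above (the RAX..R15 block).
OOPS_REGISTERS = """\
[39654.132555] RAX: ffffc90001b7e000 RBX: ffffc90001b7e000 RCX: ffffc90001b7f000
[39654.132556] RDX: 000000000000000c RSI: 6461625f6e726177 RDI: ffffc90001b7e000
[39654.132557] RBP: 000000000000000c R08: 8000000000000163 R09: 0000000000000000
[39654.132558] R10: 0000000000000001 R11: 0000000000000000 R12: 0000000000000002
[39654.132559] R13: 000000000000000c R14: 6461625f6e726177 R15: ffff8800a9512880
"""

# "NAME: <16 hex digits>" pairs as printed by the x86_64 oops handler.
REG_RE = re.compile(r'\b(R[A-Z0-9]{1,2}): ([0-9a-f]{16})\b')


def parse_registers(text):
    """Return {register name: int value} for every register in an oops dump."""
    return {name: int(hexval, 16) for name, hexval in REG_RE.findall(text)}


def as_ascii(value):
    """Interpret a 64-bit register as the 8 bytes it occupies in memory
    (little-endian on x86_64). Return the text if all 8 bytes are printable
    ASCII, otherwise None. A pointer register full of letters usually means
    string data was loaded where an address was expected."""
    raw = struct.pack('<Q', value)
    if all(0x20 <= b < 0x7f for b in raw):
        return raw.decode('ascii')
    return None


def classify(value):
    """Name the region a value would point into on the 3.x-era x86_64 layout
    (no KASLR), or 'non-canonical' when a dereference raises #GP instead of
    a page fault."""
    if value < 0x0000800000000000:
        return 'user space or plain integer'
    if value < 0xffff800000000000:
        return 'non-canonical'
    if 0xffff880000000000 <= value < 0xffffc80000000000:
        return 'direct map of physical memory'
    if 0xffffc90000000000 <= value < 0xffffe90000000000:
        return 'vmalloc/ioremap'
    if 0xffffffff80000000 <= value < 0xffffffffa0000000:
        return 'kernel text'
    if 0xffffffffa0000000 <= value < 0xffffffffff600000:
        return 'module space'
    return 'other kernel range'


def triage(text):
    """One record per register: value, region, and ASCII decoding if any."""
    return [{'reg': name, 'value': value,
             'region': classify(value), 'ascii': as_ascii(value)}
            for name, value in parse_registers(text).items()]


def string_as_pointer(text):
    """Registers whose content decodes to printable text."""
    return {f['reg']: f['ascii'] for f in triage(text) if f['ascii'] is not None}


if __name__ == '__main__':
    for f in triage(OOPS_REGISTERS):
        note = f' = "{f["ascii"]}"' if f['ascii'] else ''
        print(f"{f['reg']:>3} {f['value']:016x}  {f['region']}{note}")
```

Run it on any saved oops text (the register block is all it needs); the `string_as_pointer` result is the line to look at first when a crash is inside memcpy or another copy routine, since it tells you which argument carried data instead of an address.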
Thx for your feedback. It's on our todo list.
Edit: We tested Kerokid with vanilla kernels only.