alexandernst / monks

Procmon alternative for Linux
71 stars, 34 forks

Kernel freezes when calling hook/unhook #7

Closed alexandernst closed 11 years ago

alexandernst commented 11 years ago

Repeated calls to hook and unhook cause a kernel (at all levels) freeze. The machine gets completely frozen and the only way to regain access to it is to physically restart the machine.

codeboyme commented 11 years ago

Hi there. My kernel version is 3.2.46. When I run it, dmesg says "There is No detaile ATM". Haha, do you know Sebek? I am modifying the Sebek source code now. Very glad to study with you.

alexandernst commented 11 years ago

The "There is no details ATM" is hard-coded right now; it's still a work in progress. Just keep watching the project, it will work eventually ;)

codeboyme commented 11 years ago

Thanks, would be glad to have it.

codeboyme commented 11 years ago

Hi there. When I want to send the syscall_info message to user space, I use netlink, but how do I send the message?

alexandernst commented 11 years ago

First make sure you understand how netlink works. Then just write the sending part in the print_info function and the receiving part in your user-space app :)

alexandernst commented 11 years ago

https://github.com/alexandernst/procmon/commit/2e16e27d1f483d000b660f14ffba7c80760bde0a fixes this :)

milabs commented 11 years ago

It's not an atomic operation. While doing INCR_SYSCALL_REG_INFO, before the counter gets incremented there is a probability that a thread starts executing this code and the unload operation occurs.

#define INCR_SYSCALL_REG_INFO(F)            \
struct syscall_hash *item;                  \
HASH_FIND_STR(syscall_items, #F, item);     \
if(item){                                   \
    item->n_calls++;                        \
}

So, you should minimize the code required for the hook usage counter implementation. Moreover, you must use the atomic_t type and the atomic_inc/atomic_dec operations. See the details

alexandernst commented 11 years ago

@milabs Hi, and sorry for the delayed reply (I wasn't in the country and I wasn't able to work on this). I do see your point, but I can't find a way to reduce the lines of code in INCR_SYSCALL_REG_INFO. Do you have any ideas how I could shorten it?

milabs commented 11 years ago

@alexandernst Well, you can declare a static atomic_t counter for each hooked function. That doesn't solve the problem completely, but it reduces the number of instructions between the JMP and the atomic_inc().
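
The pattern milabs describes (one static atomic counter per hooked function, incremented as the first thing the hook does and decremented on the way out, with the unload path restoring the original entry and then draining the counter before the hook code may disappear) is shown below as an added user-space model written for this thread. It is not code from the procmon project or from either commenter. `dispatch_open`, `original_sys_open` and the `open_slot` pointer are stand-ins for the syscall table dispatch and the real handler, and C11 `stdatomic.h` plus pthreads stand in for the kernel's `atomic_t`, `atomic_inc()`/`atomic_dec()` and concurrent syscall callers.

```c
#include <pthread.h>
#include <sched.h>
#include <stdatomic.h>
#include <stdio.h>

/* Hypothetical handler type and original: stand-ins for a real syscall. */
typedef long (*syscall_fn)(long arg);

static long original_sys_open(long arg)
{
    return arg + 1;
}

/* One static counter per hooked function, as the comment above suggests:
   the user-space analogue of a kernel atomic_t with atomic_inc()/atomic_dec(). */
static atomic_int  open_inflight  = 0;
static atomic_long open_hook_hits = 0;

/* The hook. Bumping the in-flight counter is the very first instruction so the
   window between entering the hook and being counted is as small as possible. */
static long hooked_sys_open(long arg)
{
    atomic_fetch_add_explicit(&open_inflight, 1, memory_order_acq_rel);
    atomic_fetch_add_explicit(&open_hook_hits, 1, memory_order_relaxed);
    long ret = original_sys_open(arg);
    atomic_fetch_sub_explicit(&open_inflight, 1, memory_order_acq_rel);
    return ret;
}

/* Stand-in for the sys_call_table slot that a module patches. */
static _Atomic(syscall_fn) open_slot = original_sys_open;

/* Caller side: what the dispatcher does when a syscall arrives. */
long dispatch_open(long arg)
{
    syscall_fn fn = atomic_load_explicit(&open_slot, memory_order_acquire);
    return fn(arg);
}

void hook_open(void)
{
    atomic_store_explicit(&open_slot, hooked_sys_open, memory_order_release);
}

/* Unload side: restore the original first, then wait until every caller that
   already entered the hook has left. Returns the in-flight count observed
   when it stopped waiting, which is always 0. */
int unhook_open_and_drain(void)
{
    atomic_store_explicit(&open_slot, original_sys_open, memory_order_release);
    while (atomic_load_explicit(&open_inflight, memory_order_acquire) != 0)
        sched_yield();
    return atomic_load(&open_inflight);
}

int  open_inflight_now(void)  { return atomic_load(&open_inflight); }
long open_hook_hits_now(void) { return atomic_load(&open_hook_hits); }

struct worker_arg { int per; long sum; };

static void *worker(void *p)
{
    struct worker_arg *w = p;
    for (long i = 0; i < w->per; i++)
        w->sum += dispatch_open(i);
    return NULL;
}

/* Drive nthreads concurrent callers through the slot while the "module" hooks,
   then unhooks and drains. Returns what unhook_open_and_drain() returned, the
   callers' summed results (deterministic: each thread gets sum of (i+1) for
   i < per) and how many calls went through the hook. */
int run_demo(int nthreads, int per, long *sum_out, long *hits_out)
{
    pthread_t tids[64];
    struct worker_arg args[64];
    if (nthreads < 1 || nthreads > 64) return -1;

    hook_open();
    for (int i = 0; i < nthreads; i++) {
        args[i].per = per;
        args[i].sum = 0;
        if (pthread_create(&tids[i], NULL, worker, &args[i]) != 0) return -1;
    }
    sched_yield();                       /* let some callers enter the hook */
    int left = unhook_open_and_drain();

    long sum = 0;
    for (int i = 0; i < nthreads; i++) {
        pthread_join(tids[i], NULL);
        sum += args[i].sum;
    }
    if (sum_out)  *sum_out  = sum;
    if (hits_out) *hits_out = open_hook_hits_now();
    return left;
}

int main(void)
{
    long sum = 0, hits = 0;
    int left = run_demo(4, 1000, &sum, &hits);
    printf("in flight after drain: %d, hooked calls: %ld of %d, sum: %ld\n",
           left, hits, 4 * 1000, sum);
    return left;
}
```

The residual window milabs mentions is visible in the model: a caller that has already loaded `open_slot` (and so will jump into the hook) but has not yet executed the increment is invisible to the drain loop, so restoring the slot and waiting for the counter to hit zero shrinks the race but does not close it. In a real module the remaining gap has to be covered by a grace-period mechanism on the unload path rather than by shortening the macro further.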

alexandernst commented 11 years ago

@milabs I'm looking at the code in INCR_SYSCALL_REG_INFO and the majority of the instructions come from HASH_FIND_STR. Replacing that will shorten the total number of instructions, but I have no idea what else I could use.