Trying to add hook on __NR_openat

[akrogames]

Hi @jha Just for fun, I am trying to add hook on __NR_openat. Unfortunately, there are a memory issue. Can you check with me ?

I'm testing on 5.3.0-46-generic kernel

Thanks for your work.

In module.c : sys_hook_add64(lkh_sys_hook, __NR_openat, (void *)openat_hook);

In hook.h :

typedef asmlinkage long (*original_sys_openat)(int, const char *, int, umode_t);
asmlinkage long openat_hook(int, const char *, int, umode_t);

In hook.c :

asmlinkage long openat_hook(int fds, const char *filename, int flags, umode_t mode) {
    original_sys_openat sys_openat;

    printk(KERN_INFO "tde : In my SYS_OPEN !!!\n");
    printk(KERN_INFO "tde : NR OPEN %d\n", __NR_openat);
    sys_openat = (original_sys_openat)sys_hook_get_orig64(lkh_sys_hook, __NR_openat);

    return sys_openat(fds, filename, flags, mode);
}

Logs from dmesg :

[Mon Apr 27 11:08:23 2020] lkh: loading out-of-tree module taints kernel. [Mon Apr 27 11:08:23 2020] lkh: module verification failed: signature and/or required key missing - tainting kernel [Mon Apr 27 11:08:23 2020] lkh initializing... [Mon Apr 27 11:08:23 2020] lkh loaded [Mon Apr 27 11:08:23 2020] tde : In my SYS_OPEN !!! [Mon Apr 27 11:08:23 2020] tde : NR OPEN 257 [Mon Apr 27 11:08:23 2020] BUG: unable to handle page fault for address: 00000000402f3fb8 [Mon Apr 27 11:08:23 2020] #PF: supervisor read access in kernel mode [Mon Apr 27 11:08:23 2020] #PF: error_code(0x0000) - not-present page [Mon Apr 27 11:08:23 2020] PGD 0 P4D 0 [Mon Apr 27 11:08:23 2020] Oops: 0000 [#1] SMP PTI [Mon Apr 27 11:08:23 2020] CPU: 1 PID: 504 Comm: systemd-udevd Tainted: G OE 5.3.0-46-generic #38~18.04.1-Ubuntu [Mon Apr 27 11:08:23 2020] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014 [Mon Apr 27 11:08:23 2020] RIP: 0010:__x64_sys_openat+0x6/0x30 [Mon Apr 27 11:08:23 2020] Code: 60 8b 77 28 bf 9c ff ff ff 48 89 e5 80 ce 80 e8 d0 fc ff ff 5d c3 0f 1f 40 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 55 <8b> 57 60 0f b7 4f 38 48 8b 77 68 48 8b 7f 70 48 89 e5 80 ce 80 e8 [Mon Apr 27 11:08:23 2020] RSP: 0018:ffffa7d4402f3ef8 EFLAGS: 00010246 [Mon Apr 27 11:08:23 2020] RAX: ffffffff8a2cb7b0 RBX: 00000000002a0000 RCX: 0000000000000000 [Mon Apr 27 11:08:23 2020] RDX: 00000000e258c63a RSI: 0000000000000000 RDI: 00000000402f3f58 [Mon Apr 27 11:08:23 2020] RBP: ffffa7d4402f3f28 R08: 0000000000000285 R09: 0000000000000004 [Mon Apr 27 11:08:23 2020] R10: 0000000000000000 R11: 0000000000000001 R12: 00000000402f3f58 [Mon Apr 27 11:08:23 2020] R13: 0000000000000000 R14: 00000000e258c63a R15: 0000000000000000 [Mon Apr 27 11:08:23 2020] FS: 00007fca0ba55680(0000) GS:ffff96713ba80000(0000) knlGS:0000000000000000 [Mon Apr 27 11:08:23 2020] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [Mon Apr 27 11:08:23 2020] CR2: 00000000402f3fb8 CR3: 0000000133484002 CR4: 00000000003606e0 [Mon Apr 27 11:08:23 2020] Call Trace: [Mon Apr 27 11:08:23 2020] ? openat_hook+0x5a/0x63 [lkh] [Mon Apr 27 11:08:23 2020] do_syscall_64+0x5a/0x130 [Mon Apr 27 11:08:23 2020] entry_SYSCALL_64_after_hwframe+0x44/0xa9 [Mon Apr 27 11:08:23 2020] RIP: 0033:0x7fca0b558c8e [Mon Apr 27 11:08:23 2020] Code: 25 00 00 41 00 3d 00 00 41 00 74 48 48 8d 05 81 0c 2e 00 8b 00 85 c0 75 69 89 f2 b8 01 01 00 00 48 89 fe bf 9c ff ff ff 0f 05 <48> 3d 00 f0 ff ff 0f 87 a6 00 00 00 48 8b 4c 24 28 64 48 33 0c 25 [Mon Apr 27 11:08:23 2020] RSP: 002b:00007ffc47b4d290 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 [Mon Apr 27 11:08:23 2020] RAX: ffffffffffffffda RBX: 00005647e341f390 RCX: 00007fca0b558c8e [Mon Apr 27 11:08:23 2020] RDX: 00000000002a0000 RSI: 00005647e258c63a RDI: 00000000ffffff9c [Mon Apr 27 11:08:23 2020] RBP: 00005647e340fcd0 R08: 00000000fec08000 R09: 5f48544150564544 [Mon Apr 27 11:08:23 2020] R10: 0000000000000000 R11: 0000000000000246 R12: 00005647e258c63a [Mon Apr 27 11:08:23 2020] R13: 00000000ffffffff R14: 0000000000000000 R15: 0000000000000001 [Mon Apr 27 11:08:23 2020] Modules linked in: lkh(OE) intel_rapl_msr snd_hda_codec_generic ledtrig_audio snd_hda_intel intel_rapl_common snd_intel_nhlt snd_hda_codec snd_hda_core snd_hwdep snd_pcm joydev input_leds serio_raw snd_timer qemu_fw_cfg snd soundcore mac_hid sch_fq_codel ib_iser rdma_cm iw_cm ib_cm ib_core iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi ip_tables x_tables autofs4 btrfs zstd_compress raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq libcrc32c raid1 raid0 multipath linear crct10dif_pclmul crc32_pclmul ghash_clmulni_intel hid_generic qxl ttm drm_kms_helper syscopyarea aesni_intel usbhid sysfillrect sysimgblt virtio_net fb_sys_fops net_failover aes_x86_64 crypto_simd cryptd drm pata_acpi psmouse failover glue_helper hid i2c_piix4 virtio_blk floppy

[PeterBishop0]

@akrogames sorry to bother you, can u please tell me how to use this project ?I'm a beginner .THANKS

[PeterBishop0]

@akrogames I have solved your problem

[akrogames]

Hello @PeterBishop0 thanks for your answer and so sorry for the delay in my reply. I have found a solution too. Do you have the same ?

The issue was the syscall prototype was wrong on modern kernel. The new prototype is : asmlinkage long openat_hook(const struct pt_regs *regs)

And that's work :)

[PeterBishop0]

Yes,same solution,Thanks for replying!

akrogames notifications@github.com 于2020年5月27日周三 上午3:17写道：

Hello @PeterBishop0 https://github.com/PeterBishop0 thanks for your answer and so sorry for the delay in my reply. I have found a solution too. Do you have the same ?

The issue was the syscall prototype was wrong on modern kernel. The new prototype is : asmlinkage long openat_hook(const struct pt_regs *regs)

And that's work :)

— You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub https://github.com/jha/linux-kernel-hook/issues/2#issuecomment-634224209, or unsubscribe https://github.com/notifications/unsubscribe-auth/AH3PRQDNKQYBOFBLQV5HOITRTQITXANCNFSM4MSDP4LQ .