kovdan01 / proc-integrity

Simple process integrity checker Linux kernel module
GNU General Public License v2.0

Intercept process creation #5

Open kovdan01 opened 3 years ago

kovdan01 commented 3 years ago

Currently the module runs on a timer and saves digests for process virtual memory areas when it discovers the monitored process for the first time. The process might already have changed before this moment and we will not be able to detect this change.

kovdan01 commented 3 years ago

UPD: process creation is now intercepted when _do_fork returns. The problem is that initially a process has the same mm_struct as its parent, but it quickly changes (if the executables of the processes are not the same, obviously). Currently msleep(10) is used to wait for it:

https://github.com/kovdan01/proc-integrity/blob/9e0927603f2579339955cee5af2df23ede54ff61/proc-integrity/proc_integrity.c#L210

It is necessary to find a correct way to wait for this.

Possible solution: find the name of the executable corresponding to the process and compare it with the parent's. If the executable names are identical, there is no need to wait; if not, we just need to find a way to wait until mm_struct is changed for the first time and assume that it will not change later.

kovdan01 commented 3 years ago

UPD: a significantly more correct way to intercept process creation is using a kprobe for finalize_exec instead of a kretprobe for _do_fork. But experiments have shown that, despite the fact that the newly created process's VMAs are different from the parent's ones, some other VMAs might be created just after finalize_exec. Using a kprobe with do_mmap, vm_mmap or do_shmat does not intercept the creation of these VMAs, so further investigation is needed.
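The timing problem the comments above describe can be reproduced from user space without the module. The following C program is an added example and is not code from proc-integrity: it runs a child under ptrace and reads /proc/&lt;pid&gt;/maps at the three points discussed, right after fork (still the parent's address space), at the SIGTRAP the kernel sends after a successful execve (i.e. once finalize_exec has run), and at every later syscall stop, where the dynamic loader's mmaps show up as additional VMAs. It assumes Linux with /proc mounted, ptrace permitted, and a dynamically linked executable such as /bin/true.

```c
#include <signal.h>
#include <stdio.h>
#include <sys/ptrace.h>
#include <sys/wait.h>
#include <unistd.h>

struct exec_trace { int same_as_parent, vmas_at_exec, vmas_after_exec; };

/* FNV-1a over /proc/<pid>/maps (user-space stand-in for the module's VMA digests); *nvmas = line count = VMAs. */
static unsigned long long maps_digest(pid_t pid, int *nvmas)
{
    char path[64]; int c, n = 0;
    unsigned long long h = 14695981039346656037ULL;
    snprintf(path, sizeof path, "/proc/%d/maps", (int)pid);
    FILE *f = fopen(path, "r");
    if (!f) return 0;
    for (; (c = fgetc(f)) != EOF; n += c == '\n') /* one maps line per VMA */
        h = (h ^ (unsigned char)c) * 1099511628211ULL;
    fclose(f);
    *nvmas = n;
    return h;
}

/* Runs exe as a traced child and samples its mappings after fork, right after execve
 * (the finalize_exec point) and at every later syscall stop. Returns 0 on success. */
int trace_exec(const char *exe, struct exec_trace *t)
{
    int st, n;
    unsigned long long parent = maps_digest(getpid(), &n); /* taken before fork */
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        if (ptrace(PTRACE_TRACEME, 0, NULL, NULL) < 0) _exit(126);
        raise(SIGSTOP);                /* stop 1: address space is still the fork copy */
        execl(exe, exe, (char *)NULL); /* stop 2: SIGTRAP sent after a successful exec */
        _exit(127);
    }
    if (waitpid(pid, &st, 0) < 0 || !WIFSTOPPED(st)) return -1;
    t->same_as_parent = maps_digest(pid, &n) == parent;
    ptrace(PTRACE_CONT, pid, NULL, NULL);
    if (waitpid(pid, &st, 0) < 0 || !WIFSTOPPED(st)) return -1;
    maps_digest(pid, &t->vmas_at_exec);
    for (t->vmas_after_exec = t->vmas_at_exec;;) { /* loader's mmaps appear in these stops */
        ptrace(PTRACE_SYSCALL, pid, NULL, NULL);
        if (waitpid(pid, &st, 0) < 0 || !WIFSTOPPED(st)) break;
        maps_digest(pid, &n);
        if (n > t->vmas_after_exec) t->vmas_after_exec = n;
    }
    return WIFEXITED(st) ? 0 : -1;
}
```

Call trace_exec("/bin/true", &t) from a main() and print the three fields: same_as_parent is 1, and vmas_after_exec exceeds vmas_at_exec because libraries are mapped by ld.so only after the exec stop, which is why a digest taken at finalize_exec alone is not stable.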