milabs / khook

Linux Kernel hooking engine (x86)
GNU General Public License v2.0

Hook syscall on read, write and openat #10

Closed akrogames closed 4 years ago

akrogames commented 4 years ago

Hi,

I am trying to hook the openat syscall and other syscalls like read or write, but I have some issues. I don't understand why the hook doesn't work.

Is this because some syscalls are protected in the kernel now? I am using: 5.3.0-46-generic #38~18.04.1-Ubuntu

Source code :

KHOOK_EXT(long, __x64_sys_openat, int fds, const char *filename, int flags, umode_t mode);
static long khook___x64_sys_openat(int fds, const char *filename, int flags, umode_t mode) {
        printk("sys_openat -- %s\n", filename);
        return KHOOK_ORIGIN(__x64_sys_openat, fds, filename, flags, mode);
}

Log from dmesg :

[Tue Apr 28 10:21:51 2020] sys_openat --
[Tue Apr 28 10:21:51 2020] BUG: unable to handle page fault for address: 0000000080e23fb8
[Tue Apr 28 10:21:51 2020] #PF: supervisor read access in kernel mode
[Tue Apr 28 10:21:51 2020] #PF: error_code(0x0000) - not-present page
[Tue Apr 28 10:21:51 2020] PGD 0 P4D 0
[Tue Apr 28 10:21:51 2020] Oops: 0000 [#2] SMP PTI
[Tue Apr 28 10:21:51 2020] CPU: 2 PID: 4732 Comm: sudo Tainted: G D OE 5.3.0-46-generic #38~18.04.1-Ubuntu
[Tue Apr 28 10:21:51 2020] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
[Tue Apr 28 10:21:51 2020] RIP: 0010:__x64_sys_openat+0x6/0x30
[Tue Apr 28 10:21:51 2020] Code: 60 8b 77 28 bf 9c ff ff ff 48 89 e5 80 ce 80 e8 d0 fc ff ff 5d c3 0f 1f 40 00 66 2e 0f 1f 84 00 00 00 00 00 e9 3b 79 34 0b 55 <8b> 57 60 0f b7 4f 38 48 8b 77 68 48 8b 7f 70 48 89 e5 80 ce 80 e8
[Tue Apr 28 10:21:51 2020] RSP: 0018:ffff974880e23eb8 EFLAGS: 00010282
[Tue Apr 28 10:21:51 2020] RAX: ffffffffc0a130d0 RBX: 0000000000000000 RCX: 0000000000000000
[Tue Apr 28 10:21:51 2020] RDX: 0000000000000000 RSI: ffff974880e23f58 RDI: 0000000080e23f58
[Tue Apr 28 10:21:51 2020] RBP: ffff974880e23f58 R08: 00000000000102c0 R09: 0000000000cdcdcd
[Tue Apr 28 10:21:51 2020] R10: 0000000000000000 R11: 00000000ffffffff R12: 0000000080e23f58
[Tue Apr 28 10:21:51 2020] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[Tue Apr 28 10:21:51 2020] FS: 00007fe7fee3cc80(0000) GS:ffff89e27bb00000(0000) knlGS:0000000000000000
[Tue Apr 28 10:21:51 2020] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[Tue Apr 28 10:21:51 2020] CR2: 0000000080e23fb8 CR3: 0000000139a40004 CR4: 00000000003606e0
[Tue Apr 28 10:21:51 2020] Call Trace:
[Tue Apr 28 10:21:51 2020] ? khook___x64_sys_openat+0x35/0x40 [khook_demo]
[Tue Apr 28 10:21:51 2020] ? entry_SYSCALL_64_after_hwframe+0x44/0xa9
[Tue Apr 28 10:21:51 2020] ? do_syscall_64+0x5a/0x130
[Tue Apr 28 10:21:51 2020] ? entry_SYSCALL_64_after_hwframe+0x44/0xa9
[Tue Apr 28 10:21:51 2020] Modules linked in: khook_demo(OE) nopenat(OE+) intel_rapl_msr snd_hda_codec_generic ledtrig_audio intel_rapl_common snd_hda_intel snd_intel_nhlt snd_hda_codec snd_hda_core joydev input_leds serio_raw snd_hwdep snd_pcm snd_timer snd mac_hid soundcore qemu_fw_cfg sch_fq_codel ib_iser rdma_cm iw_cm ib_cm ib_core iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi ip_tables x_tables autofs4 btrfs zstd_compress raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq libcrc32c raid1 raid0 multipath linear crct10dif_pclmul crc32_pclmul ghash_clmulni_intel hid_generic usbhid hid qxl ttm drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops aesni_intel drm floppy aes_x86_64 crypto_simd pata_acpi cryptd glue_helper psmouse virtio_blk virtio_net net_failover failover i2c_piix4 [last unloaded: khook_demo]

milabs commented 4 years ago

Hey, on modern kernels syscall prototypes have changed. Each __x64_<syscall>() function has a prototype like __x64_xxx(struct pt_regs *regs). So you have to deal with struct pt_regs and extract syscall arguments manually using the syscall calling convention (regs->di, regs->si, regs->dx, regs->cx and so on).

Update: have a look at https://github.com/milabs/khook#hooking-of-system-calls-handler-functions
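An added worked example of what the comment above describes (this is not code from the khook project or from either participant): an openat hook written against the pt_regs prototype, with the register-to-argument mapping kept in a plain C function so it can be compiled and checked in userspace against a stand-in struct pt_regs. It assumes the khook engine header is at "khook/engine.h" and that KHOOK_EXT/KHOOK_ORIGIN accept the (const struct pt_regs *) form shown in the project README. Two points the example makes that the thread leaves implicit: under the x86-64 syscall ABI the fourth argument is r10 (SYSCALL clobbers rcx with the user return address, so pt_regs->cx is not an argument), and the filename is a user pointer that must be copied in with strncpy_from_user rather than passed to printk("%s"). The oops posted above is consistent with the old prototype truncating the pt_regs pointer: RDI 0000000080e23f58 is the low 32 bits of RBP ffff974880e23f58, and the faulting address 0000000080e23fb8 is that truncated pointer plus the 0x60 offset the faulting instruction (8b 57 60) reads.

```c
/*
 * Added example, not code from the khook project or from this thread.
 * Assumptions: khook's header is "khook/engine.h" and KHOOK_EXT/KHOOK_ORIGIN
 * take the (const struct pt_regs *) signature from the project README.
 */
#ifdef __KERNEL__
#include <linux/kernel.h>
#include <linux/ptrace.h>
#include <linux/uaccess.h>
#include "khook/engine.h"
#else
#include <stdio.h>
#include <string.h>
#define __user                      /* kernel address-space annotation; empty in userspace */
typedef unsigned short umode_t;
/* Userspace stand-in (assumption): same member names as the x86-64 kernel
 * struct pt_regs; only the members used below are present. */
struct pt_regs {
    unsigned long r10, r9, r8, ax, cx, dx, si, di, orig_ax;
};
#endif

/* openat(2) arguments as the kernel receives them. */
struct openat_args {
    int dfd;
    const char __user *filename;
    int flags;
    umode_t mode;
};

/* x86-64 syscall convention: args 1..6 arrive in rdi, rsi, rdx, r10, r8, r9.
 * The fourth argument is r10, not rcx: SYSCALL overwrites rcx with the user
 * return address, so pt_regs->cx holds that address rather than an argument. */
static void openat_args_from_regs(const struct pt_regs *regs, struct openat_args *a)
{
    a->dfd      = (int)regs->di;
    a->filename = (const char __user *)regs->si;
    a->flags    = (int)regs->dx;
    a->mode     = (umode_t)regs->r10;
}

#ifdef __KERNEL__
KHOOK_EXT(long, __x64_sys_openat, const struct pt_regs *);
static long khook___x64_sys_openat(const struct pt_regs *regs)
{
    struct openat_args a;
    char path[128];
    long n;

    openat_args_from_regs(regs, &a);

    /* filename is a user pointer: copy it in instead of printk("%s") on it,
     * which would fault under SMAP or read memory the caller may have unmapped. */
    n = strncpy_from_user(path, a.filename, sizeof(path) - 1);
    if (n < 0)
        path[0] = '\0';           /* -EFAULT: bad user pointer, log an empty name */
    else
        path[n] = '\0';           /* n == sizeof-1 means truncated; still terminated */

    printk(KERN_INFO "openat(dfd=%d, \"%s\", flags=%#x, mode=%#o)\n",
           a.dfd, path, a.flags, a.mode);

    /* Pass the original register frame through untouched. */
    return KHOOK_ORIGIN(__x64_sys_openat, regs);
}
#else
/* Userspace self-check on a constructed register frame for
 * openat(AT_FDCWD, "/etc/hostname", O_RDONLY|O_CLOEXEC, 0) as entry_SYSCALL_64
 * would save it. Returns 1 when the decoded arguments match. */
static int selftest_openat_mapping(void)
{
    static const char path[] = "/etc/hostname";
    struct pt_regs regs;
    struct openat_args a;

    memset(&regs, 0, sizeof(regs));
    regs.orig_ax = 257;                  /* __NR_openat on x86-64 */
    regs.di  = (unsigned long)-100;      /* AT_FDCWD */
    regs.si  = (unsigned long)path;
    regs.dx  = 0x80000;                  /* O_RDONLY | O_CLOEXEC */
    regs.r10 = 0;                        /* mode, unused without O_CREAT */
    regs.cx  = 0x401000;                 /* saved user RIP; must be ignored */

    openat_args_from_regs(&regs, &a);
    return a.dfd == -100 && a.filename == path &&
           a.flags == 0x80000 && a.mode == 0;
}

int main(void)
{
    int ok = selftest_openat_mapping();
    printf("openat register mapping %s\n", ok ? "ok" : "WRONG");
    return ok ? 0 : 1;
}
#endif
```

Built in a kernel tree with khook, only the `__KERNEL__` branch is compiled; built with a plain `cc`, the stand-in struct and the self-check exercise the same mapping function, which is the part that went wrong in the original hook.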

akrogames commented 4 years ago

Oh thanks! I didn't find documentation on kernel.org ... Thanks so much ;) that works! I have to learn how to manage arguments.