milabs / khook Goto Github PK

View Code? Open in Web Editor NEW

305.0 16.0 49.0 59 KB

Linux Kernel hooking engine (x86)

License: GNU General Public License v2.0

Makefile 2.16% C 86.11% Assembly 9.67% Nix 2.06%

linux-kernel linux-kernel-module hooking x86

khook's People

Contributors

Stargazers

Watchers

khook's Issues

перехват scsi_execute рушит ядро

После перехвата scsi_execute вставляю флешку. На первом вызове scsi_execute ядро рушится.
Ubuntu 18.04
kernel 4.15.3
x64
В то же время тестовый пример (до внесения изменений) работает.

#include <scsi/scsi_device.h>

KHOOK(scsi_execute);
static int khook_scsi_execute(
struct scsi_device *sdev,
const unsigned char *cmd,
int data_direction,
void *buffer,
unsigned bufflen,
unsigned char *sense,
struct scsi_sense_hdr *sshdr,
int timeout,
int retries,
u64 flags,
req_flags_t rq_flags,
int *resid
)
{
int ret = 0;

    ret = KHOOK_ORIGIN(scsi_execute, sdev, cmd, data_direction, buffer, bufflen, sense, sshdr, timeout, retries, flags, rq_flags, resid);
    printk("khook (%s): opcode=%d; ret=%d\n", __func__, cmd[0], ret);

    return ret;

}

Question on x86_put_jmp()

Hi, I'm reading the code and was a bit confused by the function. From what I can see it just places a jmp instruction there. I searched on the Internet and found jmp takes single instruction with relative address and full instruction takes 5 bytes so I guess that's why you (f + 5) there, but why is this *f necessary? Isn't it the same as *a all the time? Any implication here? Thanks.

doesn't compile

I am trying to integrate khook into https://github.com/k1gen/diamorphine, and I can't compile the module with khook:

$ make
make -C /lib/modules/6.6.9-1-clear/build M=/home/olk/temp/Diamorphine modules
make[1]: Entering directory '/usr/lib/modules/6.6.9-1-clear/build'
  CC [M]  /home/olk/temp/Diamorphine/../../../../../home/olk/temp/Diamorphine/khook/engine.o
In file included from ./arch/x86/include/asm/linkage.h:6,
                 from ./include/linux/linkage.h:8,
                 from ./include/linux/printk.h:8,
                 from ./include/asm-generic/bug.h:22,
                 from ./arch/x86/include/asm/bug.h:87,
                 from ./include/linux/bug.h:5,
                 from ./include/linux/mmdebug.h:5,
                 from ./include/linux/mm.h:6,
                 from /home/olk/temp/Diamorphine/./khook/internal.h:3,
                 from /home/olk/temp/Diamorphine/./khook/engine.c:1:
./arch/x86/include/asm/ibt.h:77:1: warning: ‘nocf_check’ attribute ignored. Use ‘-fcf-protection’ option to enable it [-Wattributes]
   77 | extern __noendbr u64 ibt_save(bool disable);
      | ^~~~~~
./arch/x86/include/asm/ibt.h:78:1: warning: ‘nocf_check’ attribute ignored. Use ‘-fcf-protection’ option to enable it [-Wattributes]
   78 | extern __noendbr void ibt_restore(u64 save);
      | ^~~~~~
  CC [M]  /home/olk/temp/Diamorphine/../../../../../home/olk/temp/Diamorphine/khook/x86/hook.o
In file included from ./arch/x86/include/asm/linkage.h:6,
                 from ./include/linux/linkage.h:8,
                 from ./include/linux/printk.h:8,
                 from ./include/asm-generic/bug.h:22,
                 from ./arch/x86/include/asm/bug.h:87,
                 from ./include/linux/bug.h:5,
                 from ./include/linux/mmdebug.h:5,
                 from ./include/linux/mm.h:6,
                 from /home/olk/temp/Diamorphine/../../../../../home/olk/temp/Diamorphine/khook/x86/../internal.h:3,
                 from /home/olk/temp/Diamorphine/../../../../../home/olk/temp/Diamorphine/khook/x86/hook.c:1:
./arch/x86/include/asm/ibt.h:77:1: warning: ‘nocf_check’ attribute ignored. Use ‘-fcf-protection’ option to enable it [-Wattributes]
   77 | extern __noendbr u64 ibt_save(bool disable);
      | ^~~~~~
./arch/x86/include/asm/ibt.h:78:1: warning: ‘nocf_check’ attribute ignored. Use ‘-fcf-protection’ option to enable it [-Wattributes]
   78 | extern __noendbr void ibt_restore(u64 save);
      | ^~~~~~
  AS [M]  /home/olk/temp/Diamorphine/../../../../../home/olk/temp/Diamorphine/khook/x86/stub.o
  LD [M]  /home/olk/temp/Diamorphine/diamorphine.o
/home/olk/temp/Diamorphine/diamorphine.o: warning: objtool: .text+0xace: indirect call found in RETPOLINE build
/home/olk/temp/Diamorphine/diamorphine.o: warning: objtool: .text+0xadb: 'naked' return found in RETHUNK build
/home/olk/temp/Diamorphine/diamorphine.o: warning: objtool: .text+0xadc: 'naked' return found in RETHUNK build
/home/olk/temp/Diamorphine/diamorphine.o: warning: objtool: .text+0xb3d: indirect call found in RETPOLINE build
/home/olk/temp/Diamorphine/diamorphine.o: warning: objtool: .text+0xb43: 'naked' return found in RETHUNK build
/home/olk/temp/Diamorphine/diamorphine.o: warning: objtool: .text+0xb44: 'naked' return found in RETHUNK build
/home/olk/temp/Diamorphine/diamorphine.o: warning: objtool: khook_lookup_name+0xb0: relocation to !ENDBR: callback.0+0x0
/home/olk/temp/Diamorphine/diamorphine.o: warning: objtool: khook_init+0x1: relocation to !ENDBR: .text+0xadc
/home/olk/temp/Diamorphine/diamorphine.o: warning: objtool: khook_cleanup+0x5: relocation to !ENDBR: khook_sm_cleanup_hooks+0x0
/home/olk/temp/Diamorphine/diamorphine.o: warning: objtool: khook_arch_create_stub+0x16: relocation to !ENDBR: .text+0xadc
/home/olk/temp/Diamorphine/diamorphine.o: warning: objtool: .text+0xadb: missing int3 after ret
/home/olk/temp/Diamorphine/diamorphine.o: warning: objtool: .text+0xadc: missing int3 after ret
/home/olk/temp/Diamorphine/diamorphine.o: warning: objtool: .text+0xb43: missing int3 after ret
/home/olk/temp/Diamorphine/diamorphine.o: warning: objtool: .text+0xb44: missing int3 after ret
  MODPOST /home/olk/temp/Diamorphine/Module.symvers
ERROR: modpost: missing MODULE_LICENSE() in /home/olk/temp/Diamorphine/diamorphine.o
make[3]: *** [scripts/Makefile.modpost:145: /home/olk/temp/Diamorphine/Module.symvers] Error 1
make[2]: *** [/usr/lib/modules/6.6.9-1-clear/build/Makefile:1865: modpost] Error 2
make[1]: *** [Makefile:234: __sub-make] Error 2
make[1]: Leaving directory '/usr/lib/modules/6.6.9-1-clear/build'
make: *** [Makefile:11: all] Error 2

Possible to hook sys_kill(pid, signal)?

Just wanted to start out by saying this is an awesome project! Nice work!

I'm having a problem hooking sys_kill, and I was hoping you'd be able to help me out.

sys_kill is defined here in linux/syscalls.h.

I have been trying to hook this function for a while and can not get anything to compile. I was able to hook kill_pid, however, that did not hook the kill syscall.

// BUG: COMPILES BUT DOESN'T HOOK KILL.
KHOOK(kill_pid);
static int khook_kill_pid(struct pid *pid, int sig, int priv) {
	if (pid->numbers->nr == MAGIC_NUM) {
		return do_the_thing();
	} else {
		return KHOOK_ORIGIN(kill_pid, pid, sig, priv);
	}
}

Is there a way to hook the actual kill syscall? Or can it not be done since the syscall table is no longer exported, post-Kernel 2.6?

LICENSE

Sorry to bother, but... what are the conditions?

Hook syscall on read, write and openat

Hi,

I am trying to hook openat syscall and others syscall like read or write but I have some issues. I don't understand why the hook doesn't work.

This is because some syscall are protected in kernel now ?
I am using : 5.3.0-46-generic #38~18.04.1-Ubuntu

Source code :

KHOOK_EXT(long, __x64_sys_openat, int fds, const char *filename, int flags, umode_t mode);
static long khook___x64_sys_openat(int fds, const char *filename, int flags, umode_t mode) {
        printk("sys_openat -- %s\n", filename);
        return KHOOK_ORIGIN(__x64_sys_openat, fds, filename, flags, mode);
}

Log from dmesg :

[Tue Apr 28 10:21:51 2020] sys_openat --
[Tue Apr 28 10:21:51 2020] BUG: unable to handle page fault for address: 0000000080e23fb8
[Tue Apr 28 10:21:51 2020] #PF: supervisor read access in kernel mode
[Tue Apr 28 10:21:51 2020] #PF: error_code(0x0000) - not-present page
[Tue Apr 28 10:21:51 2020] PGD 0 P4D 0
[Tue Apr 28 10:21:51 2020] Oops: 0000 [#2] SMP PTI
[Tue Apr 28 10:21:51 2020] CPU: 2 PID: 4732 Comm: sudo Tainted: G D OE 5.3.0-46-generic #38~18.04.1-Ubuntu
[Tue Apr 28 10:21:51 2020] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
[Tue Apr 28 10:21:51 2020] RIP: 0010:__x64_sys_openat+0x6/0x30
[Tue Apr 28 10:21:51 2020] Code: 60 8b 77 28 bf 9c ff ff ff 48 89 e5 80 ce 80 e8 d0 fc ff ff 5d c3 0f 1f 40 00 66 2e 0f 1f 84 00 00 00 00 00 e9 3b 79 34 0b 55 <8b> 57 60 0f b7 4f 38 48 8b 77 68 48 8b 7f 70 48 89 e5 80 ce 80 e8
[Tue Apr 28 10:21:51 2020] RSP: 0018:ffff974880e23eb8 EFLAGS: 00010282
[Tue Apr 28 10:21:51 2020] RAX: ffffffffc0a130d0 RBX: 0000000000000000 RCX: 0000000000000000
[Tue Apr 28 10:21:51 2020] RDX: 0000000000000000 RSI: ffff974880e23f58 RDI: 0000000080e23f58
[Tue Apr 28 10:21:51 2020] RBP: ffff974880e23f58 R08: 00000000000102c0 R09: 0000000000cdcdcd
[Tue Apr 28 10:21:51 2020] R10: 0000000000000000 R11: 00000000ffffffff R12: 0000000080e23f58
[Tue Apr 28 10:21:51 2020] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[Tue Apr 28 10:21:51 2020] FS: 00007fe7fee3cc80(0000) GS:ffff89e27bb00000(0000) knlGS:0000000000000000
[Tue Apr 28 10:21:51 2020] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[Tue Apr 28 10:21:51 2020] CR2: 0000000080e23fb8 CR3: 0000000139a40004 CR4: 00000000003606e0
[Tue Apr 28 10:21:51 2020] Call Trace:
[Tue Apr 28 10:21:51 2020] ? khook___x64_sys_openat+0x35/0x40 [khook_demo]
[Tue Apr 28 10:21:51 2020] ? entry_SYSCALL_64_after_hwframe+0x44/0xa9
[Tue Apr 28 10:21:51 2020] ? do_syscall_64+0x5a/0x130
[Tue Apr 28 10:21:51 2020] ? entry_SYSCALL_64_after_hwframe+0x44/0xa9
[Tue Apr 28 10:21:51 2020] Modules linked in: khook_demo(OE) nopenat(OE+) intel_rapl_msr snd_hda_codec_generic ledtrig_audio intel_rapl_common snd_hda_intel snd_intel_nhlt snd_hda_codec snd_hda_core joydev input_leds serio_raw snd_hwdep snd_pcm snd_timer snd mac_hid soundcore qemu_fw_cfg sch_fq_codel ib_iser rdma_cm iw_cm ib_cm ib_core iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi ip_tables x_tables autofs4 btrfs zstd_compress raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq libcrc32c raid1 raid0 multipath linear crct10dif_pclmul crc32_pclmul ghash_clmulni_intel hid_generic usbhid hid qxl ttm drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops aesni_intel drm floppy aes_x86_64 crypto_simd pata_acpi cryptd glue_helper psmouse virtio_blk virtio_net net_failover failover i2c_piix4 [last unloaded: khook_demo]

Crash on load Centos8 stream

x86-32 support

Add support for 32-bit x86 kernels

Support Ubuntu 24.04 LTS

root@ubuntu-s-1vcpu-2gb-70gb-intel-sgp1-01:~/khook/khook_demo# make
make -C /lib/modules/6.8.0-31-generic/build M=$PWD modules
make[1]: Entering directory '/usr/src/linux-headers-6.8.0-31-generic'
warning: the compiler differs from the one used to build the kernel
The kernel was built by: x86_64-linux-gnu-gcc-13 (Ubuntu 13.2.0-23ubuntu4) 13.2.0
You are using: gcc-13 (Ubuntu 13.2.0-23ubuntu4) 13.2.0
AS [M] /root/khook/khook_demo/../khook/x86/stub.o
/root/khook/khook_demo/../khook/x86/stub.o: warning: objtool: .text+0x67: indirect call found in RETPOLINE build
/root/khook/khook_demo/../khook/x86/stub.o: warning: objtool: .text+0x74: 'naked' return found in RETHUNK build
/root/khook/khook_demo/../khook/x86/stub.o: warning: objtool: .text+0x75: 'naked' return found in RETHUNK build
/root/khook/khook_demo/../khook/x86/stub.o: warning: objtool: .text+0xd6: indirect call found in RETPOLINE build
/root/khook/khook_demo/../khook/x86/stub.o: warning: objtool: .text+0xdc: 'naked' return found in RETHUNK build
/root/khook/khook_demo/../khook/x86/stub.o: warning: objtool: .text+0xdd: 'naked' return found in RETHUNK build
make[3]: *** [scripts/Makefile.build:361: /root/khook/khook_demo/../khook/x86/stub.o] Error 250
make[3]: *** Deleting file '/root/khook/khook_demo/../khook/x86/stub.o'
make[2]: *** [/usr/src/linux-headers-6.8.0-31-generic/Makefile:1926: /root/khook/khook_demo] Error 2
make[1]: *** [Makefile:240: __sub-make] Error 2
make[1]: Leaving directory '/usr/src/linux-headers-6.8.0-31-generic'
make: *** [Makefile:4: all] Error 2

ARM (Android) port required

Given that current KHOOK is x86-only it would be nice to have an ARM (Android) support as well. Current implementation already splits generic and CPU architecture specific code.

Ubuntu 24.04 LTS AMD cpu crash

I test Intel cpu insmod ok,but amd cpu crash.

CentOS 5 support

Crash on load Debian 10

copied from here:

Oct 25 03:46:04 dev kernel: [236064.560845] kernel tried to execute NX-protected page - exploit attempt? (uid: 0)
Oct 25 03:46:04 dev kernel: [236064.560848] BUG: unable to handle kernel paging request at ffffffffc00301b0
Oct 25 03:46:04 dev kernel: [236064.560849] PGD 3280e067 P4D 3280e067 PUD 32810067 PMD 359c6067 PTE 8000000079f05063
Oct 25 03:46:04 dev kernel: [236064.560852] Oops: 0011 [#1] SMP PTI
Oct 25 03:46:04 dev kernel: [236064.560854] CPU: 0 PID: 10398 Comm: kworker/u2:2 Tainted: G           OE     4.19.0-6-amd64 #1 Debian 4.19.67-2+deb10u1
Oct 25 03:46:04 dev kernel: [236064.560854] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
Oct 25 03:46:04 dev kernel: [236064.560857] Workqueue: events_unbound call_usermodehelper_exec_work

Host info:

Linux debian 4.19.0-6-amd64 #1 SMP Debian 4.19.67-2+deb10u2 (2019-11-11) x86_64 GNU/Linux

One idea of supporting centos6 on 32bit

Linux localhost.localdomain 2.6.32-431.el6.i686 #1 SMP Fri Nov 22 00:26:36 UTC 2013 i686 i686 i386 GNU/Linux

This is the order of calling execve.
sys_call_table->ptregs_execve->jmp [int sys_execve(struct pt_regs *regs)]->do_execve

And 'ptregs_execve' is

ptregs_execve: 
	leal 4(%esp),%eax; 
	jmp sys_execve;

I change the target of jmp by inline hook.
In my vision,

ptregs_execve: 
	leal 4(%esp),%eax; 
	jmp sys_execve_new;

then my code is

asmlinkage int sys_execve_new(struct pt_regs* regs)
{
    return sys_execve_old(regs);
}

Unfortunately,the result is

[root@localhost src]# ls
-bash: /bin/ls: Bad address

milabs / khook Goto Github PK

khook's People

Contributors

Stargazers

Watchers

Forkers

khook's Issues

Recommend Projects

Recommend Topics

Recommend Org

Jobs