milabs / khook Goto Github PK

I am trying to integrate khook into https://github.com/k1gen/diamorphine, and I can't compile the module with khook:

$ make
make -C /lib/modules/6.6.9-1-clear/build M=/home/olk/temp/Diamorphine modules
make[1]: Entering directory '/usr/lib/modules/6.6.9-1-clear/build'
  CC [M]  /home/olk/temp/Diamorphine/../../../../../home/olk/temp/Diamorphine/khook/engine.o
In file included from ./arch/x86/include/asm/linkage.h:6,
                 from ./include/linux/linkage.h:8,
                 from ./include/linux/printk.h:8,
                 from ./include/asm-generic/bug.h:22,
                 from ./arch/x86/include/asm/bug.h:87,
                 from ./include/linux/bug.h:5,
                 from ./include/linux/mmdebug.h:5,
                 from ./include/linux/mm.h:6,
                 from /home/olk/temp/Diamorphine/./khook/internal.h:3,
                 from /home/olk/temp/Diamorphine/./khook/engine.c:1:
./arch/x86/include/asm/ibt.h:77:1: warning: ‘nocf_check’ attribute ignored. Use ‘-fcf-protection’ option to enable it [-Wattributes]
   77 | extern __noendbr u64 ibt_save(bool disable);
      | ^~~~~~
./arch/x86/include/asm/ibt.h:78:1: warning: ‘nocf_check’ attribute ignored. Use ‘-fcf-protection’ option to enable it [-Wattributes]
   78 | extern __noendbr void ibt_restore(u64 save);
      | ^~~~~~
  CC [M]  /home/olk/temp/Diamorphine/../../../../../home/olk/temp/Diamorphine/khook/x86/hook.o
In file included from ./arch/x86/include/asm/linkage.h:6,
                 from ./include/linux/linkage.h:8,
                 from ./include/linux/printk.h:8,
                 from ./include/asm-generic/bug.h:22,
                 from ./arch/x86/include/asm/bug.h:87,
                 from ./include/linux/bug.h:5,
                 from ./include/linux/mmdebug.h:5,
                 from ./include/linux/mm.h:6,
                 from /home/olk/temp/Diamorphine/../../../../../home/olk/temp/Diamorphine/khook/x86/../internal.h:3,
                 from /home/olk/temp/Diamorphine/../../../../../home/olk/temp/Diamorphine/khook/x86/hook.c:1:
./arch/x86/include/asm/ibt.h:77:1: warning: ‘nocf_check’ attribute ignored. Use ‘-fcf-protection’ option to enable it [-Wattributes]
   77 | extern __noendbr u64 ibt_save(bool disable);
      | ^~~~~~
./arch/x86/include/asm/ibt.h:78:1: warning: ‘nocf_check’ attribute ignored. Use ‘-fcf-protection’ option to enable it [-Wattributes]
   78 | extern __noendbr void ibt_restore(u64 save);
      | ^~~~~~
  AS [M]  /home/olk/temp/Diamorphine/../../../../../home/olk/temp/Diamorphine/khook/x86/stub.o
  LD [M]  /home/olk/temp/Diamorphine/diamorphine.o
/home/olk/temp/Diamorphine/diamorphine.o: warning: objtool: .text+0xace: indirect call found in RETPOLINE build
/home/olk/temp/Diamorphine/diamorphine.o: warning: objtool: .text+0xadb: 'naked' return found in RETHUNK build
/home/olk/temp/Diamorphine/diamorphine.o: warning: objtool: .text+0xadc: 'naked' return found in RETHUNK build
/home/olk/temp/Diamorphine/diamorphine.o: warning: objtool: .text+0xb3d: indirect call found in RETPOLINE build
/home/olk/temp/Diamorphine/diamorphine.o: warning: objtool: .text+0xb43: 'naked' return found in RETHUNK build
/home/olk/temp/Diamorphine/diamorphine.o: warning: objtool: .text+0xb44: 'naked' return found in RETHUNK build
/home/olk/temp/Diamorphine/diamorphine.o: warning: objtool: khook_lookup_name+0xb0: relocation to !ENDBR: callback.0+0x0
/home/olk/temp/Diamorphine/diamorphine.o: warning: objtool: khook_init+0x1: relocation to !ENDBR: .text+0xadc
/home/olk/temp/Diamorphine/diamorphine.o: warning: objtool: khook_cleanup+0x5: relocation to !ENDBR: khook_sm_cleanup_hooks+0x0
/home/olk/temp/Diamorphine/diamorphine.o: warning: objtool: khook_arch_create_stub+0x16: relocation to !ENDBR: .text+0xadc
/home/olk/temp/Diamorphine/diamorphine.o: warning: objtool: .text+0xadb: missing int3 after ret
/home/olk/temp/Diamorphine/diamorphine.o: warning: objtool: .text+0xadc: missing int3 after ret
/home/olk/temp/Diamorphine/diamorphine.o: warning: objtool: .text+0xb43: missing int3 after ret
/home/olk/temp/Diamorphine/diamorphine.o: warning: objtool: .text+0xb44: missing int3 after ret
  MODPOST /home/olk/temp/Diamorphine/Module.symvers
ERROR: modpost: missing MODULE_LICENSE() in /home/olk/temp/Diamorphine/diamorphine.o
make[3]: *** [scripts/Makefile.modpost:145: /home/olk/temp/Diamorphine/Module.symvers] Error 1
make[2]: *** [/usr/lib/modules/6.6.9-1-clear/build/Makefile:1865: modpost] Error 2
make[1]: *** [Makefile:234: __sub-make] Error 2
make[1]: Leaving directory '/usr/lib/modules/6.6.9-1-clear/build'
make: *** [Makefile:11: all] Error 2

После перехвата scsi_execute вставляю флешку. На первом вызове scsi_execute ядро рушится.
Ubuntu 18.04
kernel 4.15.3
x64
В то же время тестовый пример (до внесения изменений) работает.

#include <scsi/scsi_device.h>

KHOOK(scsi_execute);
static int khook_scsi_execute(
struct scsi_device *sdev,
const unsigned char *cmd,
int data_direction,
void *buffer,
unsigned bufflen,
unsigned char *sense,
struct scsi_sense_hdr *sshdr,
int timeout,
int retries,
u64 flags,
req_flags_t rq_flags,
int *resid
)
{
int ret = 0;

    ret = KHOOK_ORIGIN(scsi_execute, sdev, cmd, data_direction, buffer, bufflen, sense, sshdr, timeout, retries, flags, rq_flags, resid);
    printk("khook (%s): opcode=%d; ret=%d\n", __func__, cmd[0], ret);

    return ret;

}

Add support for 32-bit x86 kernels

copied from here:

Oct 25 03:46:04 dev kernel: [236064.560845] kernel tried to execute NX-protected page - exploit attempt? (uid: 0)
Oct 25 03:46:04 dev kernel: [236064.560848] BUG: unable to handle kernel paging request at ffffffffc00301b0
Oct 25 03:46:04 dev kernel: [236064.560849] PGD 3280e067 P4D 3280e067 PUD 32810067 PMD 359c6067 PTE 8000000079f05063
Oct 25 03:46:04 dev kernel: [236064.560852] Oops: 0011 [#1] SMP PTI
Oct 25 03:46:04 dev kernel: [236064.560854] CPU: 0 PID: 10398 Comm: kworker/u2:2 Tainted: G           OE     4.19.0-6-amd64 #1 Debian 4.19.67-2+deb10u1
Oct 25 03:46:04 dev kernel: [236064.560854] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
Oct 25 03:46:04 dev kernel: [236064.560857] Workqueue: events_unbound call_usermodehelper_exec_work

Host info:

Linux debian 4.19.0-6-amd64 #1 SMP Debian 4.19.67-2+deb10u2 (2019-11-11) x86_64 GNU/Linux

Given that current KHOOK is x86-only it would be nice to have an ARM (Android) support as well. Current implementation already splits generic and CPU architecture specific code.

Just wanted to start out by saying this is an awesome project! Nice work!

I'm having a problem hooking sys_kill, and I was hoping you'd be able to help me out.

sys_kill is defined here in linux/syscalls.h.

I have been trying to hook this function for a while and can not get anything to compile. I was able to hook kill_pid, however, that did not hook the kill syscall.

// BUG: COMPILES BUT DOESN'T HOOK KILL.
KHOOK(kill_pid);
static int khook_kill_pid(struct pid *pid, int sig, int priv) {
	if (pid->numbers->nr == MAGIC_NUM) {
		return do_the_thing();
	} else {
		return KHOOK_ORIGIN(kill_pid, pid, sig, priv);
	}
}

Is there a way to hook the actual kill syscall? Or can it not be done since the syscall table is no longer exported, post-Kernel 2.6?

I test Intel cpu insmod ok,but amd cpu crash.

Hi,

I am trying to hook openat syscall and others syscall like read or write but I have some issues. I don't understand why the hook doesn't work.

This is because some syscall are protected in kernel now ?
I am using : 5.3.0-46-generic #38~18.04.1-Ubuntu

Source code :

KHOOK_EXT(long, __x64_sys_openat, int fds, const char *filename, int flags, umode_t mode);
static long khook___x64_sys_openat(int fds, const char *filename, int flags, umode_t mode) {
        printk("sys_openat -- %s\n", filename);
        return KHOOK_ORIGIN(__x64_sys_openat, fds, filename, flags, mode);
}

Log from dmesg :

[Tue Apr 28 10:21:51 2020] sys_openat --
[Tue Apr 28 10:21:51 2020] BUG: unable to handle page fault for address: 0000000080e23fb8
[Tue Apr 28 10:21:51 2020] #PF: supervisor read access in kernel mode
[Tue Apr 28 10:21:51 2020] #PF: error_code(0x0000) - not-present page
[Tue Apr 28 10:21:51 2020] PGD 0 P4D 0
[Tue Apr 28 10:21:51 2020] Oops: 0000 [#2] SMP PTI
[Tue Apr 28 10:21:51 2020] CPU: 2 PID: 4732 Comm: sudo Tainted: G D OE 5.3.0-46-generic #38~18.04.1-Ubuntu
[Tue Apr 28 10:21:51 2020] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
[Tue Apr 28 10:21:51 2020] RIP: 0010:__x64_sys_openat+0x6/0x30
[Tue Apr 28 10:21:51 2020] Code: 60 8b 77 28 bf 9c ff ff ff 48 89 e5 80 ce 80 e8 d0 fc ff ff 5d c3 0f 1f 40 00 66 2e 0f 1f 84 00 00 00 00 00 e9 3b 79 34 0b 55 <8b> 57 60 0f b7 4f 38 48 8b 77 68 48 8b 7f 70 48 89 e5 80 ce 80 e8
[Tue Apr 28 10:21:51 2020] RSP: 0018:ffff974880e23eb8 EFLAGS: 00010282
[Tue Apr 28 10:21:51 2020] RAX: ffffffffc0a130d0 RBX: 0000000000000000 RCX: 0000000000000000
[Tue Apr 28 10:21:51 2020] RDX: 0000000000000000 RSI: ffff974880e23f58 RDI: 0000000080e23f58
[Tue Apr 28 10:21:51 2020] RBP: ffff974880e23f58 R08: 00000000000102c0 R09: 0000000000cdcdcd
[Tue Apr 28 10:21:51 2020] R10: 0000000000000000 R11: 00000000ffffffff R12: 0000000080e23f58
[Tue Apr 28 10:21:51 2020] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[Tue Apr 28 10:21:51 2020] FS: 00007fe7fee3cc80(0000) GS:ffff89e27bb00000(0000) knlGS:0000000000000000
[Tue Apr 28 10:21:51 2020] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[Tue Apr 28 10:21:51 2020] CR2: 0000000080e23fb8 CR3: 0000000139a40004 CR4: 00000000003606e0
[Tue Apr 28 10:21:51 2020] Call Trace:
[Tue Apr 28 10:21:51 2020] ? khook___x64_sys_openat+0x35/0x40 [khook_demo]
[Tue Apr 28 10:21:51 2020] ? entry_SYSCALL_64_after_hwframe+0x44/0xa9
[Tue Apr 28 10:21:51 2020] ? do_syscall_64+0x5a/0x130
[Tue Apr 28 10:21:51 2020] ? entry_SYSCALL_64_after_hwframe+0x44/0xa9
[Tue Apr 28 10:21:51 2020] Modules linked in: khook_demo(OE) nopenat(OE+) intel_rapl_msr snd_hda_codec_generic ledtrig_audio intel_rapl_common snd_hda_intel snd_intel_nhlt snd_hda_codec snd_hda_core joydev input_leds serio_raw snd_hwdep snd_pcm snd_timer snd mac_hid soundcore qemu_fw_cfg sch_fq_codel ib_iser rdma_cm iw_cm ib_cm ib_core iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi ip_tables x_tables autofs4 btrfs zstd_compress raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq libcrc32c raid1 raid0 multipath linear crct10dif_pclmul crc32_pclmul ghash_clmulni_intel hid_generic usbhid hid qxl ttm drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops aesni_intel drm floppy aes_x86_64 crypto_simd pata_acpi cryptd glue_helper psmouse virtio_blk virtio_net net_failover failover i2c_piix4 [last unloaded: khook_demo]

Sorry to bother, but... what are the conditions?

Linux localhost.localdomain 2.6.32-431.el6.i686 #1 SMP Fri Nov 22 00:26:36 UTC 2013 i686 i686 i386 GNU/Linux

This is the order of calling execve.
sys_call_table->ptregs_execve->jmp [int sys_execve(struct pt_regs *regs)]->do_execve

And 'ptregs_execve' is

ptregs_execve: 
	leal 4(%esp),%eax; 
	jmp sys_execve;

I change the target of jmp by inline hook.
In my vision,

ptregs_execve: 
	leal 4(%esp),%eax; 
	jmp sys_execve_new;

then my code is

asmlinkage int sys_execve_new(struct pt_regs* regs)
{
    return sys_execve_old(regs);
}

Unfortunately,the result is

[root@localhost src]# ls
-bash: /bin/ls: Bad address

Hi, I'm reading the code and was a bit confused by the function. From what I can see it just places a jmp instruction there. I searched on the Internet and found jmp takes single instruction with relative address and full instruction takes 5 bytes so I guess that's why you (f + 5) there, but why is this *f necessary? Isn't it the same as *a all the time? Any implication here? Thanks.

root@ubuntu-s-1vcpu-2gb-70gb-intel-sgp1-01:~/khook/khook_demo# make
make -C /lib/modules/6.8.0-31-generic/build M=$PWD modules
make[1]: Entering directory '/usr/src/linux-headers-6.8.0-31-generic'
warning: the compiler differs from the one used to build the kernel
The kernel was built by: x86_64-linux-gnu-gcc-13 (Ubuntu 13.2.0-23ubuntu4) 13.2.0
You are using: gcc-13 (Ubuntu 13.2.0-23ubuntu4) 13.2.0
AS [M] /root/khook/khook_demo/../khook/x86/stub.o
/root/khook/khook_demo/../khook/x86/stub.o: warning: objtool: .text+0x67: indirect call found in RETPOLINE build
/root/khook/khook_demo/../khook/x86/stub.o: warning: objtool: .text+0x74: 'naked' return found in RETHUNK build
/root/khook/khook_demo/../khook/x86/stub.o: warning: objtool: .text+0x75: 'naked' return found in RETHUNK build
/root/khook/khook_demo/../khook/x86/stub.o: warning: objtool: .text+0xd6: indirect call found in RETPOLINE build
/root/khook/khook_demo/../khook/x86/stub.o: warning: objtool: .text+0xdc: 'naked' return found in RETHUNK build
/root/khook/khook_demo/../khook/x86/stub.o: warning: objtool: .text+0xdd: 'naked' return found in RETHUNK build
make[3]: *** [scripts/Makefile.build:361: /root/khook/khook_demo/../khook/x86/stub.o] Error 250
make[3]: *** Deleting file '/root/khook/khook_demo/../khook/x86/stub.o'
make[2]: *** [/usr/src/linux-headers-6.8.0-31-generic/Makefile:1926: /root/khook/khook_demo] Error 2
make[1]: *** [Makefile:240: __sub-make] Error 2
make[1]: Leaving directory '/usr/src/linux-headers-6.8.0-31-generic'
make: *** [Makefile:4: all] Error 2