接系统调用日志收集系统 (1)
---------------------------------------------------------------
3.8重新编译内核。
如何编译内核就不再说了。
----------------------------------------------------------------
3.9插入模块。
#include <linux/module.h>
#include <linux/init.h>
#include <linux/kernel.h>
#include <linux/types.h>
#include <linux/errno.h>
#include <linux/mutex.h>
#include <linux/sched.h>
#include <linux/spinlock.h>
#include <linux/string.h>
#include <linux/time.h>
#include <linux/wait.h>
#include <asm/current.h>
#include <asm/uaccess.h>
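/* Must equal TASK_COMM_LEN (16): comm is copied from current->comm as a fixed block. */
#define COMM_SIZE 16

/* One audit record. The array of these is copied raw to user space, so the
 * user-side struct syscall_buf must stay field-for-field identical. */
struct syscall_buf {
	u32 serial;		/* increasing record number */
	u32 ts_sec;		/* timestamp, seconds */
	u32 syscall;		/* system call number */
	u32 status;		/* the call's return value */
	pid_t pid;		/* caller's pid */
	uid_t uid;		/* caller's uid */
	u8 comm[COMM_SIZE];	/* caller's task name, copied from current->comm */
};

/* Readers sleep here until write_buf_audit() reports the buffer is filling;
 * static so the symbol does not leak into the kernel's global namespace. */
static DECLARE_WAIT_QUEUE_HEAD(buffer_wait);

/* Capacity of the record store, in records. Readers are woken once a tenth
 * of it is filled; records arriving while it is full are dropped. */
#define AUDIT_BUF_SIZE 100
static struct syscall_buf audit_buf[AUDIT_BUF_SIZE];
static int current_pos = 0;	/* number of valid records in audit_buf */
static u32 serial = 0;		/* next serial number to hand out */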
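/* Guards audit_buf, current_pos, serial and audit_dropped. The writer runs on
 * every system call from any CPU, so the critical sections are kept tiny. */
static DEFINE_SPINLOCK(audit_lock);
/* Serialises readers so two concurrent drains cannot deliver the same records. */
static DEFINE_MUTEX(audit_read_lock);
/* Records discarded because audit_buf was full and nobody had drained it. */
static u32 audit_dropped;

/**
 * write_buf_audit - append one record for the system call just executed.
 * @syscall: system call number
 * @return_value: value the call returned
 *
 * Installed as the kernel's my_audit hook, so it is invoked on every system
 * call, possibly concurrently on several CPUs. Without the lock two writers
 * could both pass the capacity check, push current_pos past AUDIT_BUF_SIZE
 * and make read_buf_audit() copy memory beyond audit_buf to user space.
 * Wakes a sleeping reader when the buffer reaches AUDIT_BUF_SIZE / 10 records;
 * when the buffer is full the record is dropped and counted.
 */
void write_buf_audit(int syscall, int return_value)
{
	struct syscall_buf *entry;
	unsigned long flags;
	int wake = 0;

	BUILD_BUG_ON(COMM_SIZE != TASK_COMM_LEN);

	/* No printk here: one line per system call floods the log and stalls the system. */
	pr_debug("write_buf_audit is execing!\n");

	spin_lock_irqsave(&audit_lock, flags);
	if (current_pos < AUDIT_BUF_SIZE) {
		entry = &audit_buf[current_pos];
		entry->serial = serial++;
		/* Wall-clock seconds (the original stored the constant 1).
		 * Kernels without get_seconds() offer ktime_get_real_seconds(). */
		entry->ts_sec = (u32)get_seconds();
		entry->syscall = syscall;
		entry->status = return_value;
		entry->pid = current->pid;
		/* The caller's uid (the original stored current->tgid in this field).
		 * Pre-2.6.29: current->uid; 3.5+ returns kuid_t, use
		 * from_kuid(&init_user_ns, current_uid()). */
		entry->uid = current_uid();
		memcpy(entry->comm, current->comm, COMM_SIZE);
		/* Wake a waiting reader once a tenth of the buffer is filled. */
		if (++current_pos == AUDIT_BUF_SIZE / 10)
			wake = 1;
	} else {
		/* Full and not drained: the event is lost, keep a count of that. */
		audit_dropped++;
	}
	spin_unlock_irqrestore(&audit_lock, flags);

	if (wake)
		wake_up_interruptible(&buffer_wait);
}

/**
 * read_buf_audit - copy collected records to user space and consume them.
 * @type: 0 selects the only implemented operation (drain); others return 0
 * @us_buf: user-space destination buffer
 * @us_buf_size: size of @us_buf in bytes; bounds how many records are copied
 * @reset: accepted for interface compatibility, currently unused
 *
 * Installed as the kernel's my_sysaudit hook. Sleeps until at least
 * AUDIT_BUF_SIZE / 10 records are available, then copies as many records as
 * fit in @us_buf and removes them from audit_buf, keeping records that were
 * appended in the meantime.
 *
 * Return: number of records copied, 0 for an unsupported @type, or a negative
 * errno (-EINVAL for a buffer too small for one record, -EFAULT on a bad
 * user pointer, -ERESTARTSYS/-EINTR when interrupted by a signal).
 */
int read_buf_audit(u8 type, u8 *us_buf, u16 us_buf_size, u8 reset)
{
	void __user *dst = (void __user *)us_buf;
	unsigned int max_entries, n, left;
	unsigned long flags;
	int ret;

	(void)reset;	/* not implemented; kept so the hook signature is unchanged */

	pr_debug("read_buf_audit is execving!\n");

	if (type)
		return 0;

	/* Never write more than the caller's buffer can hold. */
	max_entries = us_buf_size / sizeof(struct syscall_buf);
	if (max_entries == 0)
		return -EINVAL;

	ret = mutex_lock_interruptible(&audit_read_lock);
	if (ret)
		return ret;

	if (clear_user(dst, us_buf_size)) {
		printk("error:clear_user!\n");
		ret = -EFAULT;
		goto out_unlock;
	}

	/* Same threshold write_buf_audit() wakes us at. */
	ret = wait_event_interruptible(buffer_wait, current_pos >= AUDIT_BUF_SIZE / 10);
	if (ret)
		goto out_unlock;	/* -ERESTARTSYS: a signal arrived */

	spin_lock_irqsave(&audit_lock, flags);
	n = current_pos;
	spin_unlock_irqrestore(&audit_lock, flags);
	if (n > max_entries)
		n = max_entries;

	/* Records [0, n) are stable while we copy: writers only append at
	 * indices >= current_pos, and only readers (holding audit_read_lock)
	 * ever move records down. copy_to_user may sleep, so no spinlock here. */
	if (copy_to_user(dst, audit_buf, n * sizeof(struct syscall_buf))) {
		printk("error:copy error!\n");
		ret = -EFAULT;
		goto out_unlock;
	}

	/* Consume the delivered records; keep anything appended meanwhile. */
	spin_lock_irqsave(&audit_lock, flags);
	left = (unsigned int)current_pos - n;
	if (left)
		memmove(audit_buf, audit_buf + n, left * sizeof(audit_buf[0]));
	current_pos = left;
	spin_unlock_irqrestore(&audit_lock, flags);
	ret = n;

out_unlock:
	mutex_unlock(&audit_read_lock);
	return ret;
}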
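/**
 * audit_init - install the collector as the kernel's audit hooks.
 *
 * my_audit / my_sysaudit are the function pointers the patched kernel calls;
 * they are declared by that patch, not by this module.
 *
 * Return: 0 on success, -EBUSY if another module already owns the hooks
 * (silently overwriting them would leave that module's functions unreachable
 * and its unload unable to detach cleanly).
 */
static int __init audit_init(void)
{
	if (my_audit || my_sysaudit)
		return -EBUSY;
	my_audit = write_buf_audit;
	my_sysaudit = read_buf_audit;
	printk("starting syscall audit!\n");
	return 0;
}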
/*
 * audit_exit - detach both hooks so the kernel stops calling into this
 * module's text before it is unloaded.
 *
 * NOTE(review): a CPU may still be executing write_buf_audit() when the
 * pointers are cleared; whether that is safe depends on how the kernel-side
 * caller reads the hook (e.g. under RCU) -- confirm against the kernel patch.
 */
static void __exit audit_exit(void)
{
	my_sysaudit = NULL;
	my_audit = NULL;
	printk("exiting syscall audit!\n");
}
/* Register the entry/exit points and declare the licence the kernel requires
 * for loading a module that uses GPL-only symbols. */
module_init(audit_init);
module_exit(audit_exit);
MODULE_LICENSE("GPL");
------------------------------------------------------------------------------------------------------
3.10,启动用户测试程序。
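#include <stdio.h>
#include <stdlib.h>
#include <errno.h>
#include <signal.h>
#include <unistd.h>
#include <sys/syscall.h>
#include <sys/types.h>

/* Kernel-style fixed-width aliases so the record layout below matches the module's. */
typedef unsigned char u8;
typedef unsigned int u32;

#define COMM_SIZE 16

/* Mirror of the kernel module's struct syscall_buf. Records are copied raw
 * from kernel space, so field order, widths and COMM_SIZE must stay identical
 * on both sides. */
struct syscall_buf {
	u32 serial;		/* record number assigned by the module */
	u32 ts_sec;		/* timestamp, seconds */
	u32 syscall;		/* system call number */
	u32 status;		/* the call's return value */
	pid_t pid;
	uid_t uid;
	u8 comm[COMM_SIZE];	/* task name; do not assume NUL termination */
};

/* Size in bytes of a buffer holding the module's full store of 100 records.
 * Parenthesised so it survives use inside larger expressions. */
#define AUDIT_BUF_SIZE (100 * sizeof(struct syscall_buf))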
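/*
 * Test reader: repeatedly asks the patched kernel for collected audit records
 * and prints them. Runs until killed.
 */
int main(int argc, char *argv[])
{
	/* Number assigned to the audit read entry point when the kernel was patched. */
	enum { AUDIT_SYSCALL_NR = 346 };
	/* Record capacity matching the kernel side (AUDIT_BUF_SIZE is in bytes). */
	enum { MAX_ENTRIES = AUDIT_BUF_SIZE / sizeof(struct syscall_buf) };
	/* A typed array rather than a u8[] cast keeps the u32 members aligned. */
	struct syscall_buf col_buf[MAX_ENTRIES];
	unsigned char reset = 1;
	int num = 0;
	int i;

	(void)argc;
	(void)argv;

	while (1) {
		num = (int)syscall(AUDIT_SYSCALL_NR, 0, col_buf, (unsigned int)sizeof col_buf, reset);
		printf("num is: %d\n", num);
		if (num < 0) {
			/* Failure is reported as a negative errno; back off instead of spinning. */
			perror("syscall audit");
			sleep(1);
			continue;
		}
		/* Trust the count only as far as our own buffer: never index past it. */
		if (num > MAX_ENTRIES)
			num = MAX_ENTRIES;
		for (i = 0; i < num; i++) {
			printf("serial: %u ", col_buf[i].serial);
			printf("syscall: %u ", col_buf[i].syscall);
			printf("ts_sec: %u ", col_buf[i].ts_sec);
			printf("status: %d ", (int)col_buf[i].status);
			printf("pid: %d ", (int)col_buf[i].pid);
			printf("uid: %u ", (unsigned int)col_buf[i].uid);
			/* comm is a fixed 16-byte field: bound the read instead of trusting a NUL. */
			printf("comm: %.*s\n", COMM_SIZE, col_buf[i].comm);
		}
		putchar('\n');
	}
	return 0;
}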
--------------------------------------------------------------------------------------------------------
3.11,用户触发程序。(不断向内核发起系统调用)
/* Trigger program: issues system calls in a loop so the audit module has records to collect. */
#include <stdio.h>
#include <unistd.h>
#include <sys/sysinfo.h>
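/*
 * Loop forever issuing system calls (sysinfo, getpid, the printf writes,
 * sleep) so the kernel-side audit hook has activity to record.
 *
 * Return: 0 is never reached; 1 if sysinfo() fails.
 */
int main(void)
{
	struct sysinfo info;
	unsigned long value = 0;

	while (1) {
		/* A failing call still triggers the hook, but report it rather than ignore it. */
		if (sysinfo(&info) != 0) {
			perror("sysinfo");
			return 1;
		}
		printf("sysinfo is execving!\n");
		value = (unsigned long)getpid();
		printf("pid = %lu\n", value);
		sleep(1);
	}
	return 0;
}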
----------------------------------------------------------------------------------------------------------------
感想:
经过几天的时间调试这个程序,最终还是调试通过了,收获还是蛮大的,这个程序中
既要内核编程,还有编写内核模块,还要编写用户态程序。内核态和用户态协调合作。当然
在其中也出现了不少问题,开始我们就没有考虑到sysenter,结果导致使用库函数,对内核
就没有触发,只能使用int 0x80,直接在用户态使用汇编或嵌入汇编才能对其触发。后来把
sysenter这条路“堵死”就好了。
------------------------------------------------------------------------------------------------------------------