Is it possible to find hidden kernel modules by reading kernel memory directly?
By hiding I mean a LKM that removes itself from the kernel module list.
If so, what structure should I expect, or what document should I read?
following #Eugene, I find a way to read kernel memory directly to find the so called not-so-clever hidden module: just compare the module from both procfs perspective and sysfs perspective:
static int detect_hidden_mod_init(void)
{
char *procfs_modules[MAX_MODULE_SIZE];
char *sysfs_modules[MAX_MODULE_SIZE];
int proc_module_index = 0, sys_module_index = 0;
struct module *mod;
struct list_head *p;
// get modules from procfs perspective
list_for_each(p, &__this_module.list){
mod = list_entry(p, struct module, list);
procfs_modules[proc_module_index++] = mod->name;
}
// get modules from sysfs perspective
struct kobject *kobj;
struct kset *kset = __this_module.mkobj.kobj.kset;
list_for_each(p, &kset->list) {
kobj = container_of(p, struct kobject, entry);
sysfs_modules[sys_module_index++] = kobj->k_name;
}
//compare the procfs_modules and sysfs_modules
...
}
Actually it can detect most of current module-hidden rootkit, however as Eugene said, "A clever rootkit could try to hide that data as well". So it is not a perfect way.
Related
Here is my 'translate()' in proc.c
I want to get the physical address given the virtual address of a pointer, but I don't know how to get the pointers pgdir(page directory)...
int translate(void* vaddr)
{
cprintf("vaddr = %p\n",vaddr);
int paddr;
pde_t *pgdir;
pte_t *pgtab;
pde_t *pde;
pte_t *pte;
pgdir = (pde_t*)cpu->ts.cr3;
cprintf("page directory base is: %p\n",cpu->ts.cr3);
pde = &pgdir[PDX(vaddr)];
if(*pde & PTE_P){
pgtab = (pte_t*)P2V(PTE_ADDR(*pde));
}else{
cprintf("pde = %d\n",*pde);
cprintf("PTE_P = %d\n",PTE_P);
cprintf("pte not present\n");
return -1;
}
pte = &pgtab[PTX(vaddr)];
paddr = PTE_ADDR(*pte);
cprintf("the virtual address is %p\n",vaddr);
cprintf("the physical address is %d\n",paddr);
return 0;
}
You need to use argint() or argptr() to read the argument.
There's a global variable proc that lives in proc.h.
proc.h, lines 34 to 43
// Per-CPU variables, holding pointers to the
// current cpu and to the current process.
// The asm suffix tells gcc to use "%gs:0" to refer to cpu
// and "%gs:4" to refer to proc. seginit sets up the
// %gs segment register so that %gs refers to the memory
// holding those two variables in the local cpu's struct cpu.
// This is similar to how thread-local variables are implemented
// in thread libraries such as Linux pthreads.
extern struct cpu *cpu asm("%gs:0"); // &cpus[cpunum()]
extern struct proc *proc asm("%gs:4"); // cpus[cpunum()].proc
You can reference proc->pgdir in proc.c or anywhere else that proc.h is included.
For what it's worth your translate function looks good to me.
I need to get page-cache statistics of an open file. There is a address_space pointer(f_mapping) in file struct which in turn has the root of the radix tree called page_tree. I need to traverse that tree to get information about all the cached pages for that open file.
There are some functions like radix_tree_for_each_chunk(to iterate over chunks), radix_tree_for_each_chunk_slot (to iterate over slots in one chunk) etc, using these the functionality can be achieved. I am unsure about the proper use (arguments) of the same. It would be helpful if any example is posted.
I figured it out from Linux kernel source code.
struct file *file = filp_open("filename",O_RDONLY,0);
struct address_space *file_addr_space = file->f_mapping;
if(file_addr_space==NULL){
printk("error")
}
struct radix_tree_root file_page_tree_root = file_addr_space->page_tree; //contains all pages in page cache
struct radix_tree_iter iter;
void **slot;
int num_dirty = 0;
radix_tree_for_each_slot(slot,&file_page_tree_root,&iter,0){
struct page *page = radix_tree_deref_slot(slot);
if(page!=NULL){
//printk("information about page");
}
}
I have some code which looks like:
static int devname_read(struct cdev *dev, struct uio *uio, int ioflag)
{
int error = modify_state();
return (error);
}
The issue here is that modify_state() operates on global state when it really should be operating on is per open(2). In other words no reader should conflict with each other, and nothing persist when the device is close(2)ed.
How can I associate state with the file-descriptor or related identifier?
You probably want to use cdevpriv; see http://www.freebsd.org/cgi/man.cgi?devfs_set_cdevpriv.
I need to read certain statistics from iw_statistics structure, here's the code:
struct net_device *dev;
struct iw_statistics *wi_stats;
dev = first_net_device(&init_net);
while (dev)
{
if (strncmp(dev->name , "wlan",4)==0 )
{
if (dev->wireless_handlers->get_wireless_stats(dev) !=NULL ) // <--- here's where the code crashes.
{
wi_stats = dev-wireless_handlers->get_wireless_stats(dev);
printk(KERN_INFO "wi_stats = dev-wireless_handlers->get_wireless_stats(dev); worked!!! :D\n");
}
}
}
I'm working on linux kernel 2.6.35 and I'm writing a kernel module. What am I doing wrong here?
Looks like wireless_handlers struct is Null ... Just because a net device has it's name field filled doesn't mean it's configured.
This is where wireless_handlers gets set:
#ifdef CONFIG_WIRELESS_EXT
/* List of functions to handle Wireless Extensions (instead of ioctl).
* See <net/iw_handler.h> for details. Jean II */
const struct iw_handler_def * wireless_handlers;
/* Instance data managed by the core of Wireless Extensions. */
struct iw_public_data * wireless_data;
#endif
You should check the value called CONFIG_WIRELESS_EXT if it's not set , the wireless_handler struct is not set and thus you''ll be pointing to a Null and your module will get stuck
You should check that dev->wireless_handlers is not null. Can you paste the actual code snippet? What is the error you get?
I have written a kernel module which reads and writes /proc files, and it is working fine. Now I want to use permissions with it, but when I write the function for permissions shown below it gives me an error. The goal is for everyone to be able to read the file but only root can write to it.
int my_permission(struct inode *inode, int op)
{
if(op == 4||(op == 2 && current->euid = 0)) //euid is not a member of task_struct
return 0;
return -EACCES;
}
const struct inode_operations my_iops = {
.permission = my_permission,
};
The error I'm getting is:
/home/karan/practice/procf/testproc1.c: In function ‘my_permission’:
/home/karan/practice/procf/testproc1.c:50:32: error: ‘struct task_struct’ has no member named ‘euid'
I know that current is #defined to get_current(). Why is this happening? Is there a list of members of the struct returned from get_current()?
The struct task_struct is defined in include/linux/sched.h in the kernel source tree, you can view the members there. The current credentials would be in get_current()->cred , and the effective user id is get_current()->cred->euid
It's not safe to access those members directly, you must rather call current_euid() from include/linux/cred.h
http://www.kernel.org/doc/Documentation/security/credentials.txt might be of interest to you as well