So I have been trying to get the system call table by brute force, and the module keeps faulting at a certain address, "ffffffff81000018". Here is the code I used:

#include <linux/kernel.h>
#include <linux/module.h>
#include <linux/dirent.h>
#include <linux/syscalls.h>
#include <linux/sysfs.h>
#include <linux/list.h>
#include <linux/proc_fs.h>
#include <linux/string.h>
#include <linux/uaccess.h>
#include <linux/fs.h>
#include <linux/unistd.h>
#include <linux/cred.h>

/* Scan window: the link-time start of the x86-64 kernel text and an upper
 * bound well past it. Every address in the window gets dereferenced as if it
 * were a syscall table entry. */
#if defined __x86_64__
    #define START_ADDRESS 0xffffffff81000000
    #define END_ADDRESS 0xffffffffa2000000
#else
    #error "scan window is only defined for x86_64"
#endif

MODULE_LICENSE("GPL");

void **syscall_table;

/* Walk the window one pointer at a time and treat each position as a
 * candidate sys_call_table; accept it when its __NR_close slot holds the
 * address of sys_close. */
void **find_syscall_table(void)
{
    void **sctable;
    void *i = (void *) START_ADDRESS;

    while ( i < (void *) END_ADDRESS )
    {
        sctable = (void **)i;

        /* Reads sctable[3], i.e. the 8 bytes at i + 0x18, on every step. */
        if (sctable[__NR_close] == (void *)sys_close)
        {
            return sctable;
        }

        i += sizeof(void *);   /* void* arithmetic: GCC extension, byte-sized */
    }

    return NULL;
}

int init_module(void)
{
    syscall_table = find_syscall_table();

    if (syscall_table != NULL)
        pr_info("Found sys_call_table at %p\n", syscall_table);
    else
        pr_info("sys_call_table not found in scan window\n");
    return 0;
}

void cleanup_module(void)
{
    pr_info("Good bye kernel!!!!\n");
}

The problem is as follows:

[ 1376.153652] BUG: unable to handle kernel paging request at ffffffff81000018 
[ 1376.153660] IP: init_module+0x1b/0x50 [hide_file] 
[ 1376.153662] PGD 1bc0e067 P4D 1bc0e067 PUD 1bc0f063 PMD 0  
[ 1376.153666] Oops: 0000 [#1] SMP PTI 
[ 1376.153668] Modules linked in: hide_file(O+) fuse bnep pci_stub vboxpci(O) vboxnetadp(O) vboxnetflt(O) vboxdrv(O) binfmt_misc nls_ascii nls_cp437 vfat fat uvcvideo videobuf2_vmalloc videobuf2_memops videobuf2_v4l2 videobuf2_core snd_soc_skl videodev snd_hda_codec_hdmi media intel_rapl snd_soc_skl_ipc snd_hda_ext_core x86_pkg_temp_thermal btusb intel_powerclamp snd_soc_sst_dsp coretemp snd_soc_sst_ipc btrtl btbcm snd_soc_acpi btintel snd_hda_codec_realtek snd_hda_codec_generic snd_soc_core bluetooth snd_compress kvm drbg ansi_cprng snd_hda_intel ecdh_generic i915 irqbypass snd_hda_codec snd_hda_core arc4 wmi_bmof rtsx_pci_ms intel_cstate snd_hwdep iwlmvm snd_pcm mac80211 iwlwifi intel_uncore thinkpad_acpi drm_kms_helper mei_me snd_timer memstick nvram cfg80211 efi_pstore intel_rapl_perf snd evdev 
[ 1376.153706]  efivars sg drm soundcore mei joydev pcspkr serio_raw rfkill wmi shpchp intel_pch_thermal iTCO_wdt iTCO_vendor_support battery ac video i2c_algo_bit button tpm_crb efivarfs ip_tables x_tables autofs4 ext4 crc16 mbcache jbd2 crc32c_generic fscrypto ecb hid_generic usbhid hid sd_mod crct10dif_pclmul crc32_pclmul crc32c_intel ghash_clmulni_intel pcbc rtsx_pci_sdmmc mmc_core aesni_intel aes_x86_64 crypto_simd glue_helper cryptd rtsx_pci ahci mfd_core e1000e libahci xhci_pci ptp psmouse pps_core libata xhci_hcd i2c_i801 scsi_mod usbcore usb_common thermal 
[ 1376.153737] CPU: 0 PID: 2244 Comm: insmod Tainted: G           O     4.15.0-kali2-amd64 #1 Debian 4.15.11-1kali1 
[ 1376.153742] RIP: 0010:init_module+0x1b/0x50 [hide_file] 
[ 1376.153743] RSP: 0018:ffffc0adc85cfcc8 EFLAGS: 00010246 
[ 1376.153745] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000 
[ 1376.153747] RDX: 000000000004e55a RSI: ffffffff81000000 RDI: ffffffffc0eea030 
[ 1376.153749] RBP: ffffffffc0eea030 R08: ffff9965a2424b60 R09: ffffffffbcb0b288 
[ 1376.153750] R10: ffffea3746bc08c0 R11: 0000000000000000 R12: ffff9965521f7a60 
[ 1376.153752] R13: ffffffffc0eec018 R14: 0000000000000001 R15: ffff9964ff2474e0 
[ 1376.153754] FS:  00007f2e082e8b80(0000) GS:ffff9965a2400000(0000) knlGS:0000000000000000 
[ 1376.153755] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033 
[ 1376.153757] CR2: ffffffff81000018 CR3: 0000000154c84002 CR4: 00000000003606f0 
[ 1376.153758] Call Trace: 
[ 1376.153763]  do_one_initcall+0x4e/0x18d 
[ 1376.153768]  ? free_unref_page_commit+0x95/0x110 
[ 1376.153770]  ? _cond_resched+0x15/0x40 
[ 1376.153773]  ? kmem_cache_alloc_trace+0x14b/0x1a0 
[ 1376.153777]  ? do_init_module+0x22/0x201 
[ 1376.153779]  do_init_module+0x5b/0x201 
[ 1376.153783]  load_module.constprop.54+0x2725/0x2c70 
[ 1376.153786]  ? vfs_read+0x113/0x130 
[ 1376.153789]  ? SYSC_finit_module+0xe9/0x110 
[ 1376.153792]  SYSC_finit_module+0xe9/0x110 
[ 1376.153795]  do_syscall_64+0x6e/0x130 
[ 1376.153798]  entry_SYSCALL_64_after_hwframe+0x3d/0xa2 
[ 1376.153801] RIP: 0033:0x7f2e07c178f9 
[ 1376.153802] RSP: 002b:00007ffd4e622498 EFLAGS: 00000246 ORIG_RAX: 0000000000000139 
[ 1376.153804] RAX: ffffffffffffffda RBX: 00005629814157b0 RCX: 00007f2e07c178f9 
[ 1376.153806] RDX: 0000000000000000 RSI: 000056297fbc9a78 RDI: 0000000000000003 
[ 1376.153807] RBP: 000056297fbc9a78 R08: 0000000000000000 R09: 00007f2e07edd000 
[ 1376.153809] R10: 0000000000000003 R11: 0000000000000246 R12: 0000000000000000 
[ 1376.153810] R13: 0000562981415760 R14: 0000000000000000 R15: 0000000000000000 
[ 1376.153812] Code: c2 bc 75 ea f3 c3 31 c0 c3 0f 1f 80 00 00 00 00 0f 1f 44 00 00 48 c7 c6 00 00 00 81 eb 0d 48 83 c6 08 48 81 fe 00 00 00 a2 74 19 <48> 81 7e 18 d0 c5 c2 bc 75 e9 48 85 f6 48 89 35 e1 22 00 00 75  
[ 1376.153844] RIP: init_module+0x1b/0x50 [hide_file] RSP: ffffc0adc85cfcc8 
[ 1376.153845] CR2: ffffffff81000018 
[ 1376.153847] ---[ end trace ec4600bb069abdd2 ]--- 

Can anyone guide me on how to fix this so that I can hijack system calls? Thanks.

Please refer to the following method:

Just use the kernel function kallsyms_lookup_name("sys_call_table") from "linux/kallsyms.h". This returns the address of the syscall table as it is found in the /proc/kallsyms file. Don't worry if the address found in /boot/System.map-`uname -r` is different; you still found sys_call_table.
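The lookup in the answer happens inside the kernel, but the same symbol table is what /proc/kallsyms and System.map expose. The following is an added example, not code from the original question or answer: a userspace C program that parses kallsyms-format lines ("ADDRESS TYPE NAME [MODULE]"), resolves sys_call_table in a constructed System.map excerpt and a constructed /proc/kallsyms excerpt, and computes the KASLR slide between the two. The sample addresses are made up for the example. When run on Linux it also tries the real /proc/kallsyms; that only yields non-zero addresses as root or with kptr_restrict=0.

```c
/* Added example (not from the original post): resolve sys_call_table from
 * kallsyms-format text and compute the KASLR slide between the link-time
 * address (System.map) and the runtime address (/proc/kallsyms). */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
#include <inttypes.h>

/* Parse one "ADDRESS TYPE NAME [MODULE]" line; return 1 if NAME == want. */
static int kallsyms_parse_line(const char *line, const char *want, uint64_t *addr_out)
{
    char name[256];
    char type;                 /* nm-style letter: T/t text, R/r rodata, D/d data ... */
    unsigned long long addr;

    /* The space before %c skips the blank after the hex address. */
    if (sscanf(line, "%llx %c %255s", &addr, &type, name) != 3)
        return 0;
    if (strcmp(name, want) != 0)
        return 0;
    *addr_out = (uint64_t)addr;
    return 1;
}

/* Look a symbol up in an in-memory blob of kallsyms text. 0 if not found. */
uint64_t kallsyms_lookup_text(const char *text, const char *want)
{
    const char *p = text;
    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        char line[512];
        uint64_t a;

        if (len >= sizeof line)
            len = sizeof line - 1;
        memcpy(line, p, len);
        line[len] = '\0';
        if (kallsyms_parse_line(line, want, &a))
            return a;
        if (!nl)
            break;
        p = nl + 1;
    }
    return 0;
}

/* Same lookup against a file (e.g. /proc/kallsyms). 0 if unreadable/unfound. */
uint64_t kallsyms_lookup_file(const char *path, const char *want)
{
    FILE *f = fopen(path, "r");
    char line[512];
    uint64_t a = 0;

    if (!f)
        return 0;
    while (fgets(line, sizeof line, f)) {
        if (kallsyms_parse_line(line, want, &a))
            break;
        a = 0;
    }
    fclose(f);
    return a;
}

/* KASLR slide = runtime address - link-time address of the same symbol. */
int64_t kaslr_slide(uint64_t runtime, uint64_t linktime)
{
    return (int64_t)(runtime - linktime);
}

/* Constructed sample data: a System.map excerpt (link-time addresses) and the
 * matching /proc/kallsyms excerpt from a KASLR-relocated boot. Made up. */
static const char sample_system_map[] =
    "ffffffff81000000 T _text\n"
    "ffffffff81200a40 T sys_close\n"
    "ffffffff81c00020 R sys_call_table\n";

static const char sample_proc_kallsyms[] =
    "ffffffffa6000000 T _text\n"
    "ffffffffa6200a40 T sys_close\n"
    "ffffffffa6c00020 R sys_call_table\n"
    "ffffffffc0eea000 t init_module\t[hide_file]\n";

int main(void)
{
    uint64_t map_sct  = kallsyms_lookup_text(sample_system_map,    "sys_call_table");
    uint64_t run_sct  = kallsyms_lookup_text(sample_proc_kallsyms, "sys_call_table");
    uint64_t map_text = kallsyms_lookup_text(sample_system_map,    "_text");
    uint64_t run_text = kallsyms_lookup_text(sample_proc_kallsyms, "_text");
    uint64_t live;

    printf("System.map     sys_call_table = %" PRIx64 "\n", map_sct);
    printf("/proc/kallsyms sys_call_table = %" PRIx64 "\n", run_sct);
    printf("slide via _text = %" PRIx64 ", via sys_call_table = %" PRIx64 "\n",
           (uint64_t)kaslr_slide(run_text, map_text),
           (uint64_t)kaslr_slide(run_sct, map_sct));

    /* Live box: needs root or kptr_restrict=0, otherwise addresses read as 0. */
    live = kallsyms_lookup_file("/proc/kallsyms", "sys_call_table");
    if (live)
        printf("live sys_call_table = %" PRIx64 "\n", live);
    else
        printf("live lookup unavailable (not Linux, not root, or kptr_restrict)\n");
    return 0;
}
```

Two caveats for anyone adapting the answer beyond the 4.15 kernel in the question: kallsyms_lookup_name is exported on 4.15 but stopped being exported to modules in 5.7, and from 4.17 on the x86-64 table entries point at __x64_sys_* wrappers rather than sys_close, so the comparison in the scan loop would no longer match either. The oops itself is consistent with the scan hitting an unmapped window: CR2 = ffffffff81000018 is START_ADDRESS + 3*8, the very first sctable[__NR_close] read, while the kernel pointers in the register dump (R09) sit near ffffffffbc..., i.e. the running kernel was relocated away from the hard-coded link-time base.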

