2008 May 16th Friday (五月 十六日 金曜日）

To hack system call.   #include <linux/module.h> #include <linux/moduleparam.h> #include <linux/kernel.h> #include <linux/unistd.h> #include <linux/sched.h> #include <asm/uaccess.h> /* * The system call table (a table of functions). We * just define this as external, and the kernel will * fill it up for us when we are insmod'ed * * sys_call_table is no longer exported in 2.6.x kernels. * If you really want to try this DANGEROUS module you will * have to apply the supplied patch against your current kernel * and recompile it. */ extern void *sys_call_table[]; /* * UID we want to spy on - wil lbe filled from the * command line */ static int uid; module_param(uid,int,0644); /* * A pointer to the original system call. The reason * we keep this, rather than call the original function * (sys_open), is because somebody else might have * replaced the system call before us. Note that this * is not 100% safe, because if another module * replaced sys_open before us, then when we're inserted * we'll call the function in that module - andit * might be removed before we are. * * Another reason for this is that we can't get sys_open. * It's a static variable, so it is not exported. */ asmlinkage int(*original_call)(const char*,int,int); /* * The function we'll replace sys_open (thefunction * called when you call the open system call) with. To * find the exact prototype, with the number and type * of arguments, we find the original function first * (it's at fs/open.c). * * In theory, this means that we'retiedtothe * current version of the kernel. In practice, the * system calls almost never change (it would wreck havoc * and require programs to be recompiled, since the system * calls are the interface between the kernel and the * processes). */ asmlinkage int our_sys_open(const char *filename, int flags, int mode) {     int i=0;     char ch;         /*     * Check if this is the user we're spying on     */     if(uid==current->uid){         /*         * Reportthefile,ifrelevant         */         printk("Opened file by%d:",uid);         do{             get_user(ch,filename+i);             i++;             printk("%c",ch);         } while (ch != 0);         printk("/n");     }     /*     * Call the original sys_open - otherwise,welose     * the ability to open files     */     return original_call(filename,flags,mode); } int init_module() {     /*     * Warning - toolateforitnow,butmaybefor     * next time...     */     printk("I'm dangerous. I hope you did a");     printk("sync before you insmod'ed me./n");     printk("My counterpart, cleanup_module(),is even");     printk("more dangerous. If/n");     printk("you value your file system,it will");     printk("be /"sync; rmmod/" /n");     printk("when you remove this module./n");     /*     * Keep a pointer to the original function in     * original_call, and then replace the system call     * in the system call table with our_sys_open     */     original_call=sys_call_table[__NR_open];     sys_call_table[__NR_open]=our_sys_open;     /*     * To get the address of the function for system     * call foo, go to sys_call_table[__NR_foo].     */     printk("Spying on UID:%d/n",uid);     return 0; } /* * Cleanup - unregistertheappropriatefilefrom/proc */ void cleanup_module() {     /*     * Return the system call back to normal     */     if(sys_call_table[__NR_open]!=our_sys_open){         printk("Somebody else also played with the");         printk("open system call/n");         printk("The system may be left in");         printk("an unstable state./n");     }     sys_call_table[__NR_open]=original_call; }