linux kernel hook

最新推荐文章于 2024-08-18 10:40:12 发布
最新推荐文章于 2024-08-18 10:40:12 发布
阅读量440 收藏 2
点赞数
CC 4.0 BY-SA版权
文章标签: 网络
原文链接:http://blog.51cto.com/haidragon/2363215
本文探讨了Linux内核的热修补技术,介绍了一种利用内核API进行函数替换的方法,通过修改函数入口跳转至新函数实现动态更新,避免系统重启。文中详细展示了使用stop_machine API和inline hook技术的具体实现过程。

摘要生成于 C知道 ,由 DeepSeek-R1 满血版支持, 前往体验 >

其时是用的linux一个热修补技术。调用内核api 把旧函数前修改成跳转,跳转到新的函数里去执行。这个api就是stop_machine 但是传的不是函数而是一个包好的结构体
stop_machine
https://www.ibm.com/developerworks/cn/aix/library/au-spunix_ksplice/
源码地址:
https://github.com/haidragon/inl_hook

/*
 * inline hook usage example.
 */

#define KMSG_COMPONENT "HELLO"
#define pr_fmt(fmt) KMSG_COMPONENT ": " fmt

#include <linux/module.h>
#include <linux/kernel.h>
#include <linux/version.h>
#include <linux/kallsyms.h>
#include <linux/stop_machine.h>
#include <linux/stacktrace.h>
#include <asm/stacktrace.h>
#include <net/tcp.h>

#include "util.h"

/* variable */
static void (*tcp_set_state_fn)(struct sock *sk, int state);

/* hook function */
static void my_tcp_set_state(struct sock *sk, int state);

static struct symbol_ops hello_ops[] = {
    DECLARE_SYMBOL(&tcp_set_state_fn, "tcp_set_state"),
};

static struct hook_ops hello_hooks[] = {
    DECLARE_HOOK(&tcp_set_state_fn, my_tcp_set_state),
};

/* hook function */
static void
my_tcp_set_state(struct sock *sk, int state)
{
    /////////////////////////////////////////////////////////
    // add patch code.
    static const char *my_state_name[]={
        "Unused","Established","Syn Sent","Syn Recv",
        "Fin Wait 1","Fin Wait 2","Time Wait", "Close",
        "Close Wait","Last ACK","Listen","Closing"
    };
    struct inet_sock *inet = inet_sk(sk);
    /////////////////////////////////////////////////////////

    int oldstate = sk->sk_state;

    switch (state) {
    case TCP_ESTABLISHED:
        if (oldstate != TCP_ESTABLISHED)
            TCP_INC_STATS(sock_net(sk), TCP_MIB_CURRESTAB);
        break;

    case TCP_CLOSE:
        if (oldstate == TCP_CLOSE_WAIT || oldstate == TCP_ESTABLISHED)
            TCP_INC_STATS(sock_net(sk), TCP_MIB_ESTABRESETS);

        sk->sk_prot->unhash(sk);
        if (inet_csk(sk)->icsk_bind_hash &&
            !(sk->sk_userlocks & SOCK_BINDPORT_LOCK))
            inet_put_port(sk);
        /* fall through */
    default:
        if (oldstate == TCP_ESTABLISHED)
            TCP_DEC_STATS(sock_net(sk), TCP_MIB_CURRESTAB);
    }

    /* Change state AFTER socket is unhashed to avoid closed
     * socket sitting in hash tables.
     */
    sk->sk_state = state;

    /////////////////////////////////////////////////////////
    // add patch code.
    pr_info("TCP %pI4:%d -> %pI4:%d, State %s -> %s\n",
            &inet->inet_saddr, ntohs(inet->inet_sport),
            &inet->inet_daddr, ntohs(inet->inet_dport),
            my_state_name[oldstate], my_state_name[state]);
    /////////////////////////////////////////////////////////

#ifdef STATE_TRACE
    SOCK_DEBUG(sk, "TCP sk=%p, State %s -> %s\n", sk, statename[oldstate], statename[state]);
#endif
}

static int __init hello_init(void)
{
    if (!find_ksymbol(hello_ops, ARRAY_SIZE(hello_ops))) {
        pr_err("hello symbol table not find.\n");
        return -1;
    }

    if (!inl_sethook_ops(hello_hooks, ARRAY_SIZE(hello_hooks))) {
        pr_err("hijack hello functions fail.\n");
        return -1;
    }

    pr_info("hello loaded.\n");
    return 0;
}

static void __exit hello_cleanup(void)
{
    inl_unhook_ops(hello_hooks, ARRAY_SIZE(hello_hooks));
    pr_info("hello unloaded.\n");
}

module_init(hello_init);
module_exit(hello_cleanup);
MODULE_LICENSE("GPL");

/*
 * kernel function inline hook.
 */
#define KMSG_COMPONENT "KINL_HOOK"
#define pr_fmt(fmt) KMSG_COMPONENT ": " fmt

#include <linux/kernel.h>
#include <linux/kprobes.h>
#include <linux/memory.h>
#include <linux/vmalloc.h>

#include "udis86.h"
#include "inl_hook.h"

#define JMP_CODE_BYTES          5
#define HOOK_MAX_CODE_BYTES     32 
#define MAX_DISASSEMBLE_BYTES   1024

struct hook_item {
    void *orig_func;
    void *hook_func;
    int stolen;
    u8 *orig_inst[HOOK_MAX_CODE_BYTES];

    // can execute page.
    u8 *trampoline;
    struct list_head list;
};

LIST_HEAD(hook_list);

inline unsigned long disable_wp(void)
{
    unsigned long cr0;

    preempt_disable();
    barrier();

    cr0 = read_cr0();
    write_cr0(cr0 & ~X86_CR0_WP);
    return cr0;
}

inline void restore_wp(unsigned long cr0)
{
    write_cr0(cr0);

    barrier();
    preempt_enable();
}

static u8 *skip_jumps(u8 *pcode)
{
    u8 *orig_code = pcode;

#if defined(CONFIG_X86_32) || defined(CONFIG_X86_64)
#if defined(CONFIG_X86_32)
    //mov edi,edi: hot patch point
    if (pcode[0] == 0x8b && pcode[1] == 0xff) {
        pcode += 2;
    }

    // push rbp; mov rsp, rbp;
    // 55 48 89 e5
    if (pcode[0] == 0x55 && pcode[1] == 0x48 && pcode[2] == 0x89 && pcode[3] == 0xe5) {
        pcode += 4;
    }
#endif

    if (pcode[0] == 0xff && pcode[1] == 0x25) {
#if defined(CONFIG_X86_32)
        // on x86 we have an absolute pointer...
        u8 *target = *(u8 **)&pcode[2];
        // ... that shows us an absolute pointer.
        return skip_jumps(*(u8 **)target);
#elif defined(CONFIG_X86_64)
        // on x64 we have a 32-bit offset...
        s32 offset = *(s32 *)&pcode[2];
        // ... that shows us an absolute pointer
        return skip_jumps(*(u8 **)(pcode + 6 + offset));
    } else if (pcode[0] == 0x48 && pcode[1] == 0xff && pcode[2] == 0x25) {
        // or we can have the same with a REX prefix
        s32 offset = *(s32 *)&pcode[3];
        // ... that shows us an absolute pointer
        return skip_jumps(*(u8 **)(pcode + 7 + offset));
#endif
    } else if (pcode[0] == 0xe9) {
        // here the behavior is identical, we have...
        // ...a 32-bit offset to the destination.
        return skip_jumps(pcode + 5 + *(s32 *)&pcode[1]);
    } else if (pcode[0] == 0xeb) {
        // and finally an 8-bit offset to the destination
        return skip_jumps(pcode + 2 + *(u8 *)&pcode[1]);
    }
#else
#error unsupported platform
#endif

    return orig_code;
}

static u8 *emit_jump(u8 *pcode, u8 *jumpto)
{
#if defined(CONFIG_X86_32) || defined(CONFIG_X86_64)
    u8 *jumpfrom = pcode + 5;
    size_t diff = jumpfrom > jumpto ? jumpfrom - jumpto : jumpto - jumpfrom;

    pr_debug("emit_jumps from %p to %p, diff is %ld", jumpfrom, jumpto, diff);

    if (diff <= 0x7fff0000) {
        pcode[0] = 0xe9;
        pcode += 1;
        *((u32 *)pcode) = (u32)(jumpto - jumpfrom);
        pcode += sizeof(u32);
    } else {
        pcode[0] = 0xff;
        pcode[1] = 0x25;
        pcode += 2;
#if defined(CONFIG_X86_32)
        // on x86 we write an absolute address (just behind the instruction)
        *((u32 *)pcode) = (u32)(pcode + sizeof(u32));
        pcode += sizeof(u32);
        *((u32 *)pcode) = (u32)jumpto;
        pcode += sizeof(u32);
#elif defined(CONFIG_X86_64)
        // on x64 we write the relative address of the same location
        *((u32 *)pcode) = (u32)0;
        pcode += sizeof(u32);
        *((u64 *)pcode) = (u64)jumpto;
        pcode += sizeof(u64);
#endif
    }
#else
#error unsupported platform
#endif

    return pcode;
}

static u32 disassemble_skip(u8 *target, u32 min_len)
{
    ud_t u;
    u32 ret = 0;

    ud_init(&u);
    ud_set_input_buffer(&u, target, MAX_DISASSEMBLE_BYTES);
    ud_set_mode(&u, 64);
    ud_set_syntax(&u, UD_SYN_INTEL);

    while (ret < min_len && ud_disassemble(&u)) {
        ret += ud_insn_len(&u);
    }

    return ret;
}

static struct hook_item *trampoline_alloc(void *target, u32 stolen)
{
    struct hook_item *item;
    u32 bytes = stolen + HOOK_MAX_CODE_BYTES;

    item = vzalloc(sizeof(struct hook_item));
    if (!item) {
        return NULL;
    }

    item->trampoline = __vmalloc(bytes, GFP_KERNEL, PAGE_KERNEL_EXEC);

    if (item->trampoline == NULL) {
        vfree(item);
        return NULL;
    }

    memset(item->trampoline, 0, bytes);

    return item;
}

static struct hook_item *trampoline_find(u8 *hook)
{
    struct hook_item *item;

    list_for_each_entry(item, &hook_list, list) {
        if (hook == item->hook_func) {
            return item;
        }
    }

    return NULL;
}

static u8 *post_hook(struct hook_item *item, void *target,
        void *hook, u32 stolen)
{
    unsigned long o_cr0;

    item->orig_func = target;
    item->hook_func = hook;
    item->stolen = stolen;

    memmove(item->orig_inst, target, stolen);
    memmove(item->trampoline, target, stolen);

    emit_jump(item->trampoline + stolen, target + stolen);

    o_cr0 = disable_wp();
    emit_jump(target, hook);
    restore_wp(o_cr0);

    list_add(&item->list, &hook_list);

    return item->trampoline;
}

static void hook_restore(struct hook_item *item)
{
    unsigned long o_cr0;

    o_cr0 = disable_wp();
    memmove(item->orig_func, item->orig_inst, item->stolen);
    restore_wp(o_cr0);

    list_del(&item->list);

    vfree(item->trampoline);
    vfree(item);
}

int inl_within_trampoline(unsigned long address)
{
    long bytes;
    struct hook_item *item;
    unsigned long start, end;

    list_for_each_entry(item, &hook_list, list) {
        bytes = item->stolen + HOOK_MAX_CODE_BYTES;
        start = (unsigned long)item->trampoline;
        end = (unsigned long)item->trampoline + bytes;

        if (address >= start && address < end) {
            return -EBUSY;
        }
    }

    return 0;
}

int inl_sethook(void **orig, void *hook)
{
    u32 instr_len;
    struct hook_item *item;
    void *target = *orig;

    target = skip_jumps(target);

    pr_debug("Started on the job: %p / %p\n", target, hook);

    instr_len = disassemble_skip(target, JMP_CODE_BYTES);
    if (instr_len < JMP_CODE_BYTES) {
        pr_err("disassemble_skip invalid instruction length: %u\n",
                instr_len);
        return -1;
    }

    pr_debug("disassembly signals %d bytes.\n", instr_len);

    item = trampoline_alloc(target, instr_len);
    if (item == NULL) {
        pr_err("alloc trampoline fail, no memory.\n");
        return -ENOMEM;
    }

    *orig = post_hook(item, target, hook, instr_len);

    return 0;
}

int inl_unhook(void *hook)
{
    struct hook_item *item;

    item = trampoline_find(hook);
    if (item == NULL) {
        pr_info("no find hook function: %p\n", hook);
        return -1;
    }

    hook_restore(item);

    return 0;
}

/*
 * inl_hook util.
 */
#define KMSG_COMPONENT "KINL_HOOK"
#define pr_fmt(fmt) KMSG_COMPONENT ": " fmt

#include <linux/kernel.h>
#include <linux/module.h>
#include <linux/types.h>
#include <linux/kallsyms.h>
#include <linux/swap.h>
#include <linux/stop_machine.h>
#include <linux/stacktrace.h>
#include <asm/stacktrace.h>

#include "util.h"
#include "inl_hook.h"

struct instr_range {
    unsigned long start;
    unsigned long end;
};

struct hook_cbdata {
    struct hook_ops *ops;
    int count;
    struct instr_range ir;
};

#define MAX_HOOK_CODE_BYTES     32
#define MAX_STACK_TRACE_DEPTH   64
static unsigned long stack_entries[MAX_STACK_TRACE_DEPTH];
struct stack_trace trace = {
    .max_entries    = ARRAY_SIZE(stack_entries),
    .entries    = &stack_entries[0],
};

static bool inline
within_address(unsigned long address, struct instr_range *ir)
{
    return address >= ir->start && address < ir->end;
}

bool find_ksymbol(struct symbol_ops *ops, int n)
{
    int i;
    void **addr;
    const char *name;

    for (i = 0; i < n; i++) {
        addr = ops[i].addr;
        name = ops[i].symbol;

        *addr = (void *) kallsyms_lookup_name(name);
        if (*addr == NULL) {
            pr_err("not find %s.\n", name);
            return false;
        }
    }

    return true;
}

static int
inl_sethook_safe_verify(struct hook_ops *ops, int count)
{
    struct instr_range ir;
    struct task_struct *g, *t;
    int i, j;
    void *orig;
    int ret = 0;

    /* Check the stacks of all tasks. */
    do_each_thread(g, t) {

        trace.nr_entries = 0;
        save_stack_trace_tsk(t, &trace);
        if (trace.nr_entries >= trace.max_entries) {
            ret = -EBUSY;
            pr_err("more than %u trace entries!\n",
                   trace.max_entries);
            goto out;
        }

        for (i = 0; i < trace.nr_entries; i++) {
            if (trace.entries[i] == ULONG_MAX)
                break;

            for (j = 0; j < count; j++) {
                orig = *(ops[j].orig);

                ir.start = (unsigned long)orig;
                ir.end = (unsigned long)orig + MAX_HOOK_CODE_BYTES;

                if (within_address(trace.entries[i], &ir)) {
                    ret = -EBUSY;
                    goto out;
                }
            }
        }

    } while_each_thread(g, t);

out:
    return ret;
}

/* Called from stop_machine */
static int
inl_sethook_callback(void *data)
{
    int i;
    int ret;
    struct hook_cbdata *cbdata = (struct hook_cbdata *)data;

    ret = inl_sethook_safe_verify(cbdata->ops, cbdata->count);
    if (ret != 0) {
        return ret;
    }

    for (i = 0; i < cbdata->count; i++) {
        if (inl_sethook((void **)cbdata->ops[i].orig, cbdata->ops[i].hook) < 0) {
            pr_err("sethook_ops hook %s fail.\n", cbdata->ops[i].name);
            return -EFAULT;
        }
    }

    return 0;
}

bool inl_sethook_ops(struct hook_ops *ops, int n)
{
    int ret;
    struct hook_cbdata cbdata = {
        .ops = ops,
        .count = n,
    };

try_again_sethook:

    ret = stop_machine(inl_sethook_callback, &cbdata, NULL);

    if (ret == -EBUSY) {
        yield();
        pr_info("kernel busy, retry again inl_sethook_ops.\n");
        goto try_again_sethook;
    }

    return ret == 0;
}

static int
inl_unhook_safe_verify(struct instr_range *ir)
{
    unsigned long address;
    struct task_struct *g, *t;
    int i;
    int ret = 0;
    struct instr_range self_ir = {
        .start = (unsigned long)inl_unhook_safe_verify,
        .end = (unsigned long)&&label_unhook_verify_end,
    };

    /* Check the stacks of all tasks. */
    do_each_thread(g, t) {

        trace.nr_entries = 0;
        save_stack_trace_tsk(t, &trace);
        if (trace.nr_entries >= trace.max_entries) {
            ret = -EBUSY;
            pr_err("more than %u trace entries!\n",
                   trace.max_entries);
            goto out;
        }

        for (i = 0; i < trace.nr_entries; i++) {
            if (trace.entries[i] == ULONG_MAX)
                break;

            address = trace.entries[i];
            // within cleanup method.
            if (within_address(address, ir)
                || within_address(address, &self_ir)) {
                break;
            }

            if (inl_within_trampoline(address)
                || within_module_core(address, THIS_MODULE)) {
                ret = -EBUSY;
                goto out;
            }
        }

    } while_each_thread(g, t);

out:
    if (ret) {
        pr_err("PID: %d Comm: %.20s\n", t->pid, t->comm);
        for (i = 0; i < trace.nr_entries; i++) {
            if (trace.entries[i] == ULONG_MAX)
                break;
            pr_err("  [<%pK>] %pB\n",
                   (void *)trace.entries[i],
                   (void *)trace.entries[i]);
        }
    }

    return ret;

label_unhook_verify_end: ;
}

/* Called from stop_machine */
static int
inl_unhook_callback(void *data)
{
    int i;
    int ret;
    struct hook_cbdata *cbdata = (struct hook_cbdata *)data;

    ret = inl_unhook_safe_verify(&cbdata->ir);
    if (ret != 0) {
        return ret;
    }

    for (i = 0; i < cbdata->count; i++) {
        inl_unhook(cbdata->ops[i].hook);
    }

    return 0;
}

void inl_unhook_ops(struct hook_ops *ops, int n)
{
    int ret;
    struct hook_cbdata cbdata = {
        .ops = ops,
        .count = n,
        .ir.start = (unsigned long)inl_unhook_ops,
        .ir.end = (unsigned long)&&label_unhook_end,
    };

try_again_unhook:

    ret = stop_machine(inl_unhook_callback, &cbdata, NULL);

    if (ret) {
        yield();
        pr_info("module busy, retry again inl_unhook_ops.\n");
        goto try_again_unhook;
    }

label_unhook_end: ;
}

转载于:https://blog.51cto.com/haidragon/2363215

linux kernel中的ingress hook简介
toyijiu的专栏
05-20 811
Linux内核中,Ingress Hook是Netfilter框架中的一个钩子(Hook),用于对进入网络接口的数据包进行处理。它位于数据包接收的早期阶段,在数据包被路由或转发之前。
linux内核hook技术之指令覆盖与注入
快乐时光
03-02 1864
前言 说到hook,传统意义上,大家都会觉得跟注入和劫持挂钩。在linux内核中,也可以通过指令覆盖和注入的方式进行hook,来完成自己的业务逻辑,实现自己的功能需求。 一部分人喜欢称这种hook技术为inline hook。 如何hook 具体hook细节在以下编写的驱动例子程序中给出了,例子中标注了详细的注释,大家可对照着代码查看。 例子程序在centos 6系统上编译并测试通过了,如果换成其他系统,部分代码可能需要进行微调,想要尝试的朋友,自己写个简单的mak...
Linux Kernel 学习笔记10:hook函数
热门推荐
stone8761的专栏
06-01 1万+
(本章基于:Linux-4.4.0-37) linux 内核中有一套hook函数机制,可在不同hook点位置监控网络数据包,并执行丢弃、修改等操作。网络防火墙就是通过此机制实现的。 注册注销hook函数: linux/netfilter.h 注册钩子函数: int nf_register_hook(struct nf_hook_ops *reg); 注销: void
Linux高级内核Inline HOOK
weixin_34378045的博客
11-12 424
高级Linux Kernel Inline Hook技术分析与实现 2010-01-01 12:40 By wzt [目录] 1. 简述 2. 更改offset实现跳转 ...
Linux x86架构内核Hook实现
qq_42931917的博客
12-27 5355
Linux x86架构内核Hook实现 一、内核函数 text_poke()函数用于在内核动态替换opcode,从而达到Inline Hook的效果。 /** * text_poke - Update instructions on a live kernel * @addr: address to modify * @opcode: source of the copy * @len: length to copy * * Only atomic text poke/set should be
linux内核中的hook函数详解,linux内核中的hook函数详解
weixin_28968285的博客
05-09 1216
在编写linux内核中的网络模块时,用到了钩子函数也就是hook函数。现在来看看linux是如何实现hook函数的。先介绍一个结构体:struct nf_hook_ops,这个结构体是实现钩子函数必须要用到的结构体,其实际的定义为:其中的成员信息为:hook :是一个函数指针,可以将自定义的函数赋值给它,来实现当有数据包到达是调用你自定义的函数。自定义函数的返回值为:owner:是模块的所有者,...
实验4 linux kernel hook实验指南1
08-08
实验四:Linux Kernel Hook 1. 实验目的 实验的主要目标是学习和实践Linux内核中的系统调用挂钩(Kernel Hook)技术。通过在Ubuntu 64位环境下编写和加载内核模块(LKM),实现对系统调用的拦截和自定义处理。这将...
Linux Kernel Hook实验:系统调用拦截与sys_call_table修改
实验4 Linux Kernel Hook实验指南详细介绍了在Linux系统中实现内核级Hook功能的方法,主要关注于通过修改sys_call_table来实现系统调用的钩子。以下是关键知识点的详细阐述: 1. 实验背景与目标: 实验目的是为了...
linux kernel 5.6 hook实例代码.zip
06-12
linux kernel 5.6 hook实例代码 1、说明 代码参考如下文章中的代码,在linux5.6内核中适配,编译运行成功 https://blog.youkuaiyun.com/qq_21792169/article/details/84583275 2、需要对ko模块加签名 scripts/sign-file...
linux内核中的hook函数详解
weixin_34004750的博客
11-29 1042
在编写linux内核中的网络模块时,用到了钩子函数也就是hook函数。现在来看看linux是如何实现hook函数的。 先介绍一个结构体: struct nf_hook_ops,这个结构体是实现钩子函数必须要用到的结构体,其实际的定义为: 其中的成员信息为: hook :是一个函数指针,可以将自定义的函数赋值给它,来实现当有数据包到达是...
linux内核中的hook,Linux内核Hook系统调用
weixin_42394913的博客
04-29 582
1,截获write系统调用:#ifndef MODULE#define MODULE#endif#ifndef __KERNEL__#define __KERNEL__#endif#include #include #include #include #include #include /*#include #include #include #include #include #include ...
Linux Hook系统调用(适用基于x86_64的4.17.0以上的内核版本)
weixin_42915431的博客
04-19 2847
随着rhel8.0于去年5月初发布以来,开启了rhel8.x的时代,随后一段时间里centos、oracle linux也都发布了基于rhel的8.x系统。前段时间我就安装了个centos8.0,但是在编译运行之前写的hook内核的代码时,却发现之前的hook方法不奏效了。 一波谷歌之后,看到了这篇文章[PATCH 000/109] remove in-kernel calls to syscal...
linux内核态hook模块
faxiang1230的专栏
12-03 4260
linux内核支持动态加载module,今天不聊正常的module,只简单看一下实现Hook的module. hook通常翻译做劫持,不过这个翻译听起来让人不舒服,感觉有点恐怖,所以大家都是喊行话:hook. 上图是经典的堆栈式hook,也是splice典型的做法,在原有的流程中插入hook,更加典型的做法是栈在调用过程中从funcA->funcB变成了funcA->hook-&gt...
linux系统调用挂钩方法总结
sdulibh的专栏
12-22 1万+
相关学习资料 http://xiaonieblog.com/?post=121 http://hbprotoss.github.io/posts/li-yong-ld_preloadjin-xing-hook.html http://www.catonmat.net/blog/simple-ld-preload-tutorial/ http://os.51cto.com/art/2010
探索KHOOKLinux内核钩子引擎的强大功能
最新发布
gitblog_00518的博客
08-18 461
探索KHOOKLinux内核钩子引擎的强大功能 在Linux内核开发的世界中,钩子技术是一种强大的工具,它允许开发者在不修改内核源代码的情况下,对内核函数进行拦截和修改。今天,我们将深入探讨一个名为KHOOK的开源项目,这是一个专门为Linux内核设计的钩子引擎,它提供了一种简洁而强大的方式来实现内核函数的钩子。 项目介绍 KHOOK(خوک)是一个专门为Linux内核设计的钩子引擎,它允许开发...
linux 进程 inline hook,高级Linux Kernel Inline Hook技术分析与实现
weixin_34094525的博客
05-11 269
五、实例下面是hook sys_read的部分代码实现,读者可以根据思路来补充完整。config.h#ifndef CONFIG_H#define CONFIG_H#define SNIFF_LOG "/tmp/.sniff_log"#define KALL_SYMS_NAME "/proc/kallsyms"#define HIDE_FILE "test"#define MAGIC_PID 12...
Linux x64 Hook系统调用
zzzpany的博客
06-30 1799
Linux x64 Hook系统调用 实验环境: Linux ubuntu 4.4.0-31-generic #50~14.04.1-Ubuntu 参考文档: https://blog.youkuaiyun.com/zuihaobushi/article/details/72729850 内核访问用户空间 https://www.cnblogs.com/arnoldlu/p/8879800....
linux 进程 inline hook,高级Linux Kernel Inline Hook技术分析与实现 -电脑资料
weixin_29479863的博客
05-11 195
==Ph4nt0m Security Team==Issue 0x03, Phile #0x03 of 0x07|=---------------------------------------------------------------------------=||=--------------=[ 高级Linux Kernel Inline Hook技术分析与实现 ]=----------...
【亲测免费】 探索KernelHook:一种强大的内核钩子技术
gitblog_00060的博客
04-06 1284
探索KernelHook:一种强大的内核钩子技术 项目简介 是一个开源的项目,由开发者smallzhong创建,它提供了一种在Linux内核中实现高效、安全的钩子(hook)机制的方法。通过此项目,开发者可以轻松地插入自定义代码到内核关键函数中,以实现对系统行为的监控、调试或增强。 技术分析 KernelHook的核心在于它的钩子实现策略。项目利用了内核模块(kernel module)和动态代码...
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值