Forcing Access to sys_call_table
Because sys_call_table is no longer exported in the 2.6 kernels, we can access it only by brute force. LKMs have access to kernel memory, so it is possible to gain access to sys_call_table by comparing known locations with exported system calls. Although sys_call_table itself is not exported, a few system calls such as sys_read() and sys_write() are still exported and available to LKMs. To demonstrate how to get access to sys_call_table in the 2.6 kernels, we will write a simple LKM that intercepts sys_open() and prevents anyone from opening the /tmp/test file.
Tip
Although we intercept sys_open() in this section to prevent someone from opening a file, it is not completely foolproof. This is because the root user still has access to the raw disk device, which determined users can manipulate directly.
We’ll walk through the critical bits here, but you’ll find the full source code for intercept_open.c in the next section. Notice that the my_init() function is called during initialization. This function attempts to gain access to sys_call_table by starting at the address of system_utsname. The system_utsname structure contains a list of system information and is known to exist before the system call table. Therefore, the function starts at the location of system_utsname and iterates 1,024 (MAX_TRY) times. It advances a byte every time and compares the current location with that of sys_read(), whose address is assumed to be available to the LKM. ...
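The byte-stepping scan described above, as an added userspace simulation rather than the book's intercept_open.c: it assumes the 32-bit x86 numbering __NR_read = 3 and __NR_write = 4, uses a constructed buffer in place of kernel memory, and adds a second-symbol check that the text does not mention.

```c
/* Added example, not the book's intercept_open.c: a userspace simulation of the
 * scan over a constructed buffer standing in for kernel memory (utsname-like
 * text at the start, then a table at an odd offset with stand-in entries). */
#include <string.h>

#define MAX_TRY   1024  /* scan limit from the text */
#define NR_READ   3     /* __NR_read / __NR_write on 32-bit x86 (assumed) */
#define NR_WRITE  4
#define TABLE_OFF 427   /* table offset, deliberately not word-aligned */

/* Stand-ins for exported kernel symbols; only their addresses matter. */
static long fake_sys_read(void)  { return 0; }
static long fake_sys_write(void) { return 1; }

/* Sized so a full MAX_TRY scan never reads past the buffer. */
static unsigned char mem[MAX_TRY + sizeof(unsigned long)];

unsigned char *build_fake_memory(void)
{
    unsigned long a = (unsigned long)fake_sys_read, b = (unsigned long)fake_sys_write;
    memset(mem, 0, sizeof mem);
    memcpy(mem, "Linux", 6);                                     /* utsname text */
    memcpy(mem + TABLE_OFF + NR_READ  * sizeof a, &a, sizeof a); /* unaligned  */
    memcpy(mem + TABLE_OFF + NR_WRITE * sizeof b, &b, sizeof b); /* slots      */
    return mem;
}

/* The scan from the text: from system_utsname, step one byte at a time for at
 * most MAX_TRY steps, compare the word there (memcpy: unaligned-safe) with
 * sys_read's address, treat a hit as slot __NR_read; table start or NULL. */
unsigned char *find_sys_call_table(unsigned char *start, unsigned long sys_read_addr)
{
    for (int i = 0; i < MAX_TRY; i++) {
        unsigned long word;
        memcpy(&word, start + i, sizeof word);
        if (word == sys_read_addr)
            return start + i - NR_READ * sizeof word;
    }
    return NULL;
}

/* Check the text omits: any stray copy of sys_read's address also matches, so
 * confirm a second exported symbol sits in its expected slot before trusting. */
int table_looks_valid(const unsigned char *table, unsigned long sys_write_addr)
{
    unsigned long v = 0;
    if (table != NULL)
        memcpy(&v, table + NR_WRITE * sizeof v, sizeof v);
    return table != NULL && v == sys_write_addr;
}
```

The same scan is what an integrity checker would use to locate the table before comparing its entries against the expected addresses.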