Forcing Access to sys_call_table
Because sys_call_table is no longer exported in the 2.6 kernels, we can access it only by brute force. LKMs have access to kernel memory, so it is possible to gain access to sys_call_table by comparing known locations with exported system calls. Although sys_call_table itself is not exported, a few system calls such as sys_write( ) are still exported and available to LKMs. To demonstrate how to get access to sys_call_table in the 2.6 kernels, we will write a simple LKM that intercepts sys_open( ) and prevents anyone from opening the /tmp/test file.

Although we intercept sys_open( ) in this section to prevent someone from opening a file, it is not completely foolproof. This is because the root user still has access to the raw disk device, which determined users can manipulate directly.
We’ll walk through the critical bits here, but you’ll find the full source code for intercept_open.c in the next section. Notice that the my_init( ) function is called during initialization. This function attempts to gain access to sys_call_table by starting at the address of system_utsname. The system_utsname structure contains a list of system information and is known to exist before the system call table. Therefore, the function starts at the location of system_utsname and iterates 1,024 (MAX_TRY) times. It advances a byte every time and compares the current location with that of sys_read(), whose address is assumed to be available to the LKM. ...
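The following user-space C program is an added example, not the book's intercept_open.c, that simulates the scan just described on a constructed block of memory so the logic can be run and tested without a kernel. The layout of the fake region, the dummy functions standing in for sys_read( ), sys_write( ) and sys_open( ), the table index NR_READ (taken to be __NR_read on 32-bit x86 2.6) and the evil_hook( ) function are all assumptions made for the illustration. It also shows the defender's side of the same location logic: once the table has been found, each entry is compared against a baseline recorded earlier, which is how an integrity checker spots an entry that an LKM has replaced.

```c
/* Added example (not from the book): user-space simulation of the byte-wise
 * scan for sys_call_table, plus the integrity check a defender would run. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_TRY     1024   /* scan limit, as in the text */
#define NR_READ     3      /* assumed: __NR_read on 32-bit x86 2.6 kernels */
#define NR_SYSCALLS 8      /* constructed: a tiny fake table is enough */

/* Stand-ins for kernel symbols; only their addresses matter here. */
static long fake_sys_read(void)  { return 0; }
static long fake_sys_write(void) { return 1; }
static long fake_sys_open(void)  { return 2; }
static long evil_hook(void)      { return -1; }

/* Constructed "kernel memory": a utsname-like struct, some padding, then the
 * table. The region is larger than MAX_TRY + one word so the scan can never
 * read past it even when nothing matches. */
struct fake_region {
    char utsname[65 * 6];              /* mimics the size of struct new_utsname */
    char padding[600];
    unsigned long table[NR_SYSCALLS];  /* plays the role of sys_call_table */
};

static struct fake_region mem;

static void build_region(void) {
    memset(&mem, 0, sizeof mem);
    strcpy(mem.utsname, "Linux");
    mem.table[NR_READ]     = (unsigned long)fake_sys_read;
    mem.table[NR_READ + 1] = (unsigned long)fake_sys_write;
    mem.table[5]           = (unsigned long)fake_sys_open;
}

/* The scan the text describes: start at the utsname address, advance one
 * byte per iteration for at most MAX_TRY iterations, and look for a word
 * equal to the exported sys_read() address. The table base is that word's
 * address minus NR_READ slots. Returns NULL if nothing matched. */
static unsigned long *find_sys_call_table(void *start, unsigned long sys_read_addr) {
    unsigned char *p = start;
    for (int i = 0; i < MAX_TRY; i++, p++) {
        unsigned long word;
        memcpy(&word, p, sizeof word);   /* unaligned-safe read */
        if (word == sys_read_addr)
            return (unsigned long *)(p - NR_READ * sizeof(unsigned long));
    }
    return NULL;
}

/* Defender's use of the located table: compare every entry with a baseline
 * captured when the table was known to be clean. Returns the index of the
 * first modified entry, or -1 if all entries still match. */
static int find_hooked_entry(const unsigned long *table, const unsigned long *baseline, int n) {
    for (int i = 0; i < n; i++)
        if (table[i] != baseline[i])
            return i;
    return -1;
}

int main(void) {
    build_region();
    unsigned long *sct = find_sys_call_table(&mem, (unsigned long)fake_sys_read);
    if (!sct) {
        puts("table not found within MAX_TRY bytes");
        return 1;
    }
    printf("found table at offset %zu from the utsname address\n",
           (size_t)((char *)sct - (char *)&mem));

    unsigned long baseline[NR_SYSCALLS];
    memcpy(baseline, sct, sizeof baseline);   /* record the clean table */

    sct[5] = (unsigned long)evil_hook;        /* an entry gets replaced */
    printf("first modified entry: %d\n", find_hooked_entry(sct, baseline, NR_SYSCALLS));
    return 0;
}
```

The scan stops at the first word equal to the reference address, so the technique depends on no earlier word in the scanned range coincidentally holding that value; in the constructed region the bytes before the table are zeros and a short string, which is why the match is unambiguous here. The baseline comparison is the part worth keeping in mind as a defender: a table whose entries differ from the addresses recorded at boot has been modified by something.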