
Syscall Hijacking: Dynamically obtain syscall table address (kernel 2.6.x) #2

Hi. In this brief post I’ll show you another way to obtain the syscall table address dynamically.
This post is only an expansion of this one.
The idea is very simple: we can find the syscall table address with a brute-force scan of the kernel’s reserved memory. The kernel memory ranges from 0xc0000000 to 0xd0000000 (on a 32-bit architecture).
We compare each candidate location against an exported system call, and a match gives us the syscall table address. Even though the syscall table address itself is no longer exported, a few system calls (like sys_close) are still exported and available to kernel modules.
I don’t like this method very much, because scanning all that memory is computationally expensive. But it works! :)
This is the “find()” function that takes care of the task:

...

/* Range of kernel memory to scan (32-bit kernel) */
#define START_MEM	0xc0000000
#define END_MEM		0xd0000000

...

/* Walk the range one pointer at a time; the first location whose __NR_close
 * entry holds the address of the exported sys_close() is the syscall table */
unsigned long **find(void) {

	unsigned long **sctable;
	unsigned long int i = START_MEM;

	while (i < END_MEM) {

		sctable = (unsigned long **)i;

		if (sctable[__NR_close] == (unsigned long *) sys_close) {

			return &sctable[0];

		}

		i += sizeof(void *);
	}

	return NULL;
}

Simply put, it scans memory from START_MEM to END_MEM one pointer at a time: when the “__NR_close”-th entry of “sctable” equals the address of “sys_close()”, we can be sure that “sctable” points to the syscall table. So we only have to return this address and use it as usual.
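As an added example (not code from this post or the author’s module), here is a user-space model of the same scan in plain C: “kernel memory” is a constructed array of pointer-sized words, and a candidate is accepted only when every entry lies inside the kernel text range taken from System.map (_text, plus an assumed _etext), which rejects a stray copy of the sys_close pointer that the bare __NR_close comparison would accept. All addresses, word indexes and the table size are constructed values.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NR_CLOSE    6   /* __NR_close on 32-bit x86, the index the post compares */
#define NR_SYSCALLS 16  /* constructed: the model table has 16 entries */
#define TEXT_START 0xc1000000UL  /* _text (value quoted in the comments below) */
#define TEXT_END   0xc1400000UL  /* _etext (assumed value) */
#define SYS_CLOSE  0xc10a2c40UL  /* address of sys_close (constructed) */
/* Model of find(): walk words[0..nwords) one pointer at a time and return the
 * index of the first candidate whose NR_CLOSE-th entry equals sys_close.
 * strict != 0 also requires every entry to lie in kernel text, so a lone
 * saved pointer to sys_close elsewhere is not mistaken for the table. */
long find_table(const unsigned long *words, size_t nwords, int strict)
{
    size_t i, k;
    for (i = 0; i + NR_SYSCALLS <= nwords; i++) {
        int ok = 1;
        if (words[i + NR_CLOSE] != SYS_CLOSE)
            continue;
        if (!strict)
            return (long)i;
        for (k = 0; k < NR_SYSCALLS && ok; k++)
            ok = words[i + k] >= TEXT_START && words[i + k] < TEXT_END;
        if (ok)
            return (long)i;
    }
    return -1;                 /* nothing matched */
}
/* Constructed memory image: a decoy copy of the sys_close pointer in some
 * data structure at word 20, and the real table starting at word 100. */
#define MEM_WORDS 256
#define DECOY_AT  20
#define TABLE_AT  100
void build_memory(unsigned long *words)
{
    size_t k;
    memset(words, 0, MEM_WORDS * sizeof *words);
    words[DECOY_AT + NR_CLOSE] = SYS_CLOSE;
    for (k = 0; k < NR_SYSCALLS; k++)
        words[TABLE_AT + k] = TEXT_START + 0x1000UL * (k + 1);
    words[TABLE_AT + NR_CLOSE] = SYS_CLOSE;
}
int main(void)
{
    unsigned long mem[MEM_WORDS];
    build_memory(mem);
    printf("bare match: word %ld, strict match: word %ld\n",
           find_table(mem, MEM_WORDS, 0), find_table(mem, MEM_WORDS, 1));
    return 0;
}
```

In the real module every word in the range is dereferenced, so the scan must stay inside memory that is actually mapped on that kernel; a different memory layout needs different bounds.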
Here is the LKM source code (“bruteforce.c”):

#include <linux/init.h>
#include <linux/module.h>
#include <linux/kernel.h>
#include <linux/errno.h>
#include <linux/types.h>
#include <linux/unistd.h>
#include <asm/current.h>
#include <linux/sched.h>
#include <linux/syscalls.h>
#include <asm/system.h>

MODULE_LICENSE("GPL");

/* Range of kernel memory to scan (32-bit kernel) */
#define START_MEM	0xc0000000
#define END_MEM		0xd0000000

unsigned long *syscall_table;

/* Walk the range one pointer at a time; the first location whose __NR_close
 * entry holds the address of the exported sys_close() is the syscall table */
unsigned long **find(void) {

	unsigned long **sctable;
	unsigned long int i = START_MEM;

	while (i < END_MEM) {

		sctable = (unsigned long **)i;

		if (sctable[__NR_close] == (unsigned long *) sys_close) {

			return &sctable[0];

		}

		i += sizeof(void *);
	}

	return NULL;
}

static int __init init(void) {

	printk(KERN_INFO "\nModule starting...\n");

	syscall_table = (unsigned long *) find();

	if (syscall_table != NULL) {

		printk(KERN_INFO "Syscall table found at %lx\n", (unsigned long) syscall_table);

	} else {

		printk(KERN_INFO "Syscall table not found!\n");

	}

	return 0;
}

static void __exit exit(void) {

	printk(KERN_INFO "Module ending\n");

	return;
}

module_init(init);
module_exit(exit);

Here is the Makefile:

obj-m	:= bruteforce.o

KDIR    := /lib/modules/$(shell uname -r)/build
PWD    := $(shell pwd)

default:
	$(MAKE) -C $(KDIR) SUBDIRS=$(PWD) modules

We can compile it:

spaccio@spaccio:~/Hijack/bruteforce$ make
make -C /lib/modules/2.6.35-22-generic/build SUBDIRS=/home/spaccio/Hijack/bruteforce modules
make[1]: Entering directory `/usr/src/linux-headers-2.6.35-22-generic'
  CC [M]  /home/spaccio/Hijack/bruteforce/bruteforce.o
/home/spaccio/Hijack/bruteforce/bruteforce.c:19: warning: function declaration isn’t a prototype
  Building modules, stage 2.
  MODPOST 1 modules
  CC      /home/spaccio/Hijack/bruteforce/bruteforce.mod.o
  LD [M]  /home/spaccio/Hijack/bruteforce/bruteforce.ko
make[1]: Leaving directory `/usr/src/linux-headers-2.6.35-22-generic'
spaccio@spaccio:~/Hijack/bruteforce$

Finally we can run it:

spaccio@spaccio:~/Hijack/bruteforce$ sudo insmod bruteforce.ko
spaccio@spaccio:~/Hijack/bruteforce$

Now we check if the address found is correct or not:

spaccio@spaccio:~/Hijack/bruteforce$ dmesg | tail
...
[  725.653763] Module starting...
[  725.988959] Syscall table found at c05d2180
spaccio@spaccio:~/Hijack/bruteforce$
spaccio@spaccio:~/Hijack/bruteforce$ cat /boot/System.map-2.6.35-22-generic | grep sys_call_table
c05d2180 R sys_call_table
spaccio@spaccio:~/Hijack/bruteforce$

As expected, the syscall address is correct.
You can include the “find()” function in your LKM to obtain the syscall table address dynamically.
Bye.

  1. Ololo
    March 18, 2011 at 19:10

    Very interesting, thanks, but it would be desirable to learn your view on the technique of passing parameters to the LKM, not through insmod but from a config file, with a dynamic update of the list of hidden files, for example

    Thanks a lot for your articles, very helpful

  2. Aloras
    July 12, 2011 at 15:52

    great post.

    now I want to use the address to hook a call

    I copied your code and wrote 2 extra functions

    asmlinkage int (*original_call) (const char *, int, int);
    asmlinkage int our_sys_open(const char *filename, int flags, int mode)
    {
    printk("Opened file HOOKED");
    return original_call(filename, flags, mode);
    }

    and in case of a match I do the following

    original_call = syscall_table[__NR_open]; // save the old address
    syscall_table[__NR_open] = our_sys_open; // redirect to our address

    now insmod gets killed when I insert the module and I don't know why

    • August 18, 2011 at 23:24

      You have to read the other posts on syscall hijacking in order to do it.
      Bye.

  3. Bhaumik
    August 18, 2011 at 07:24

    Great example..!! thanks.
    This example works perfectly on my 32-bit Ubuntu. But now I would like to try it on 64-bit Ubuntu. Do I have to change the range for the memory scan, and what will it be?
    Because with the given range, the module is getting killed on the 64-bit OS.

    • August 18, 2011 at 23:38

      I don’t know what the high memory range is on a 64-bit OS.
      But you can try to find the starting address in a tricky way: ‘cat’ the /boot/System.map file and search for the starting memory address.
      i.e.:
      # cat /boot/System.map-2.6.38-8-generic

      c1000000 T _text

      You can try also to search for the 64 bit kernel space range on google :-).
      Let me know.
      Bye.

  4. August 18, 2011 at 12:28

    Good tutorial. I want to use this on 64-bit file open system call hijacking. Please give a suggestion

  5. nobody
    November 25, 2011 at 09:32

    decades behind

    • Fefa
      February 22, 2012 at 22:02

      Maybe, but more useful, this post, than your empty and useless comment.
      If you want to help, if you want to teach, just write something. ;)

