Syscall Hijacking: Dynamically obtain syscall table address (kernel 2.6.x) #2
Hi. In this brief post I’ll show you another way to get the syscall table address dinamically.
This post is only an expansion of this one.
The idea is very trivial: we can find this address by a brute-force scan on the kernel reserved memory, in order to find the syscall table address. The kernel memory ranges from 0xc0000000 to 0xd0000000 (in 32-bit architecture).
We can compare the known locations with exported system calls, so finding the syscall table address. Even if the syscall table address is no longer exported, a few system calls (like sys_close) are still exported and available in the kernel modules.
I don’t like very much this method because scanning all the memory is computationally expensive. But, it works! :)
This is the “find()” function that takes care of the task:
...
#define START_MEM 0xc0000000
#define END_MEM 0xd0000000
...
unsigned long **find() {
unsigned long **sctable;
unsigned long int i = START_MEM;
while ( i < END_MEM) {
sctable = (unsigned long **)i;
if ( sctable[__NR_close] == (unsigned long *) sys_close) {
return &sctable[0];
}
i += sizeof(void *);
}
return NULL;
}
Simply it scans the memory from START_MEM to END_MEM: when the “__NR_close”-th address of “sctable” is equals to the “sys_close()” address, we are sure that “sctable” is pointing to the syscall table. So we have only to return this address and use it as usual.
Follows the LKM source code (“bruteforce.c”):
#include <linux/init.h>
#include <linux/module.h>
#include <linux/kernel.h>
#include <linux/errno.h>
#include <linux/types.h>
#include <linux/unistd.h>
#include <asm/current.h>
#include <linux/sched.h>
#include <linux/syscalls.h>
#include <asm/system.h>
MODULE_LICENSE("GPL");
#define START_MEM 0xc0000000
#define END_MEM 0xd0000000
unsigned long *syscall_table;
unsigned long **find() {
unsigned long **sctable;
unsigned long int i = START_MEM;
while ( i < END_MEM) {
sctable = (unsigned long **)i;
if ( sctable[__NR_close] == (unsigned long *) sys_close) {
return &sctable[0];
}
i += sizeof(void *);
}
return NULL;
}
static int init(void) {
printk("\nModule starting...\n");
syscall_table = (unsigned long *) find();
if ( syscall_table != NULL ) {
printk("Syscall table found at %x\n", (unsigned ) syscall_table);
} else {
printk("Syscall table not found!\n");
}
return 0;
}
static void exit(void) {
printk("Module ending\n");
return;
}
module_init(init);
module_exit(exit);
Here is the Makefile:
obj-m := bruteforce.o KDIR := /lib/modules/$(shell uname -r)/build PWD := $(shell pwd) default: $(MAKE) -C $(KDIR) SUBDIRS=$(PWD) modules
We can compile it:
spaccio@spaccio:~/Hijack/bruteforce$ make make -C /lib/modules/2.6.35-22-generic/build SUBDIRS=/home/spaccio/Hijack/bruteforce modules make[1]: Entering directory `/usr/src/linux-headers-2.6.35-22-generic' CC [M] /home/spaccio/Hijack/bruteforce/bruteforce.o /home/spaccio/Hijack/bruteforce/bruteforce.c:19: warning: function declaration isn’t a prototype Building modules, stage 2. MODPOST 1 modules CC /home/spaccio/Hijack/bruteforce/bruteforce.mod.o LD [M] /home/spaccio/Hijack/bruteforce/bruteforce.ko make[1]: Leaving directory `/usr/src/linux-headers-2.6.35-22-generic' spaccio@spaccio:~/Hijack/bruteforce$
Finally we can run it:
spaccio@spaccio:~/Hijack/bruteforce$ sudo insmod bruteforce.ko spaccio@spaccio:~/Hijack/bruteforce$
Now we check if the address found is correct or not:
spaccio@spaccio:~/Hijack/bruteforce$ dmesg | tail ... [ 725.653763] Module starting... [ 725.988959] Syscall table found at c05d2180 spaccio@spaccio:~/Hijack/bruteforce$ spaccio@spaccio:~/Hijack/bruteforce$ cat /boot/System.map-2.6.35-22-generic | grep sys_call_table c05d2180 R sys_call_table spaccio@spaccio:~/Hijack/bruteforce$
As expected, the syscall address is correct.
You can include the “find()” function in your LKM, so finding dinamically the syscall table address.
Bye.
Leave a reply to car insurance under 21 years old Cancel reply
Recent Posts
Categories
Archives
- April 2012 (1)
- November 2011 (1)
- May 2011 (1)
- April 2011 (1)
- March 2011 (1)
- February 2011 (1)
- January 2011 (1)
- December 2010 (2)
- November 2010 (1)
- October 2010 (14)
- 178,505 hits
memset's blog 
Very interesting, thanks, but would be desirable to learn your sight at technology of passing the parameters to the LKM, and not through insmod, but from config file, dynamic update of the list of hidden files, for example
Thanks a lot for your articles, very helpful
great post .
now I want to use the adress to hook in a call
I copied your code and wrote 2 extra Functions
asmlinkage int (*original_call) (const char *, int, int);
asmlinkage int our_sys_open(const char *filename, int flags, int mode)
{
printk(“Opened file HOOKED”);
return original_call(filename, flags, mode);
}
and in case of a match i do the folowing
original_call = syscall_table[__NR_open]; // save the old addresse
syscall_table[__NR_open] = our_sys_open; // redirect to our address
now insmod get killed when I insert the Modul and i dont know why
You have to read the other posts on syscall hijacking in order to do it.
Bye.
Great example..!! thanks.
This example works perfect on my 32 bit Ubuntu. But now I would like to try it on 64 bit Ubuntu. do I have to change the range for memory scan and what will be that?
Becz with the given range , the module is getting killed on 64 bit OS.
I don’t know which is the high memory range on 64 bit OS.
But you can try to find the starting address in a tricky way: you have to ‘cat’ the /boot/System.map file and search for the starting memory address.
i.e.:
# cat /boot/System.map-2.6.38-8-generic
…
c1000000 T _text
You can try also to search for the 64 bit kernel space range on google :-).
Let me know.
Bye.
Good tutorial. I want to use this on 64 bit file open system call hijacking. Please give the suggestion
decades behind
Maybe, but more useful, this post, than your empty and useless comment.
If you want to help, if you want to teach, just write something. ;)
Useful info. Fortunate me I discovered your web site
by accident, and I am shocked why this coincidence did not
took place earlier! I bookmarked it.
If some one wishes expert view about blogging and site-building then i propose him/her to pay a quick
visit this blog, Keep up the pleasant job.
I am truly thankful to the holder of this website who has shared this great piece of writing at at this place.
Attractive component to content. I just stumbled upon your website and in accession capital to claim
that I get in fact enjoyed account your weblog posts. Any way I’ll be subscribing in your feeds or even I achievement you get right of entry to consistently fast.
Hi, everything is going well here and ofcourse every one is
sharing data, that’s genuinely excellent, keep up writing.
Howdy! I realize this is somewhat off-topic but I had to ask.
Does building a well-established blog such as yours require a lot of work?
I am completely new to running a blog but I do write in my
diary on a daily basis. I’d like to start a blog so I can easily share my personal experience and thoughts online. Please let me know if you have any kind of recommendations or tips for new aspiring blog owners. Appreciate it!
A person necessarily lend a hand to make significantly posts I would state.
That is the first time I frequented your web page and up to now?
I amazed with the research you made to create this actual put up
amazing. Excellent process!
These are actually enormous ideas in regarding blogging.
You have touched some good things here. Any way keep up wrinting.
What i don’t understood is if truth be told how you’re now
not actually much more neatly-favored than
you may be now. You are so intelligent. You recognize therefore considerably in
the case of this subject, made me for my part consider it from so many numerous angles.
Its like women and men don’t seem to be fascinated until it is one thing to do with Lady gaga! Your personal stuffs outstanding. Always handle it up!
Valuable info. Fortunate me I found your site by chance, and I’m shocked why this coincidence didn’t happened
earlier! I bookmarked it.
Oh my goodness! Impressive article dude! Thank you so much, However I am
having issues with your RSS. I don’t know why I can’t join
it. Is there anybody having the same RSS issues?
Anybody who knows the answer will you kindly respond?
Thanx!!
Do you mind if I quote a few of your posts as long
as I provide credit and sources back to your weblog? My website is in the exact same niche as
yours and my users would truly benefit from some of the information you provide here.
Please let me know if this alright with you. Thank you!
I was wondering if you ever considered changing the page
layout of your site? Its very well written; I love what
youve got to say. But maybe you could a little more in the
way of content so people could connect with it better.
Youve got an awful lot of text for only having 1 or two
images. Maybe you could space it out better?
Hmm it seems like your site ate my first comment (it was extremely long) so I guess I’ll just sum it up what I submitted and say, I’m thoroughly enjoying your blog.
I as well am an aspiring blog writer but I’m still new to the whole thing. Do you have any recommendations for beginner blog writers? I’d
really appreciate it.
Admiring the hard work you put into your site and in depth information you provide.
It’s great to come across a blog every once in a while that isn’t
the same old rehashed information. Fantastic read! I’ve saved your site and I’m including your RSS feeds to my Google
account.
Hello, the whole thing is going fine here and ofcourse every one
is sharing information, that’s genuinely excellent, keep up writing.
We stumbled over here different web page and thought I might as
well check things out. I like what I see so now i’m following you. Look forward to exploring your web page repeatedly.
I quite like reading an article that will make people think.
Also, thanks for allowing me to comment!
Fastidious answers in return of this question with solid
arguments and explaining everything regarding that.
I’m not sure why but this blog is loading very slow for me.
Is anyone else having this issue or is it a problem on my end?
I’ll check back later on and see if the problem still exists.
Hello, constantly i used to check weblog posts here in the early hours in the
morning, since i enjoy to gain knowledge of more and more.
Magnificent website. Lots of helpful information here.
I’m sending it to some pals ans also sharing in delicious.
And obviously, thank you in your effort!
Oh my goodness! Impressive article dude! Thanks, However I am going through issues
with your RSS. I don’t understand why I am unable to subscribe to it.
Is there anybody else getting similar RSS problems? Anyone who
knows the answer can you kindly respond? Thanx!!