linux内核hook系统调用execve函数

#include <linux/init.h> #include <linux/module.h> #include <linux/syscalls.h> #include <linux/string.h> #include <linux/skbuff.h> #include <linux/init.h> MODULE_DESCRIPTION("hook execve"); MODULE_LICENSE("GPL"); #define DPKG_CMD "/usr/bin/dpkg" typedef asmlinkage long (*m_sys_call_ptr_t)(const struct pt_regs *); static m_sys_call_ptr_t *psys_call_table; m_sys_call_ptr_t old_execve ; //关闭内存写保护 void disable_write_protect(void) { write_cr0(read_cr0() & (~0x10000)); } // 开启内存写保护 void enable_write_protect(void) { write_cr0(read_cr0() | 0x10000); } static bool get_user_cmdline(const char __user *const __user *argv, char* cmdline, int cmd_len) { if(unlikely(argv==NULL||cmdline==NULL||cmd_len<=0)) return false; memset(cmdline, 0, cmd_len); int i=0, offset=0; if(argv != NULL) { for(;i<0x7fffffff;) { const char __user *p; int ret = get_user(p, argv+i); if(ret || !p || IS_ERR(p)) { break; } char tmp[NAME_MAX]={0}; ret = copy_from_user(tmp,p,NAME_MAX); if(ret<256) { int tmp_len = strlen(tmp); if(offset+1+tmp_len > cmd_len) { printk("[err] %s. too much args",__FUNCTION__); break; } strncpy(cmdline+offset, tmp, tmp_len); offset += tmp_len; cmdline[offset]=' '; offset++; } else { printk("[err] %s. copy_from_user failed. ret:%d.\n",__FUNCTION__, ret); } ++i; } } if(cmdline[offset-1]==' ') cmdline[offset-1]=0; return true; } asmlinkage long HookGetExecves(const struct pt_regs * regs) { char __user *filename = (char *)regs->di; char user_filename[NAME_MAX] = {0}; long copied = strncpy_from_user(user_filename,filename,NAME_MAX); //printk("%s %s %d %d\n",__func__,user_filename,copied, NAME_MAX); if((strcasecmp(user_filename,DPKG_CMD)==0)) { const char * const *argv = (const char *const *)regs->si; get_user_cmdline(argv, user_filename, NAME_MAX); // 解析出命令行 printk("====%s=====\n",user_filename); return -1; } return old_execve(regs); } static int __init knStSoftPloyInit(void) { // Gets Syscall Table ** psys_call_table = (m_sys_call_ptr_t *)kallsyms_lookup_name("sys_call_table"); disable_write_protect(); old_execve = psys_call_table[__NR_execve]; psys_call_table[__NR_execve] = HookGetExecves; enable_write_protect(); printk("hook execv success"); return 0; } static void __exit knStSoftPloyExit(void) { disable_write_protect(); psys_call_table[__NR_execve] = old_execve; enable_write_protect(); printk("clear the execve hooks and exit"); } module_init(knStSoftPloyInit); module_exit(knStSoftPloyExit);