as you may know list of kprobes has mapping on /sys in file /sys/kernel/debug/kprobes/list. And now when I have working filesystem notifications it would be extremely tempting try to make hiding content of this file. Let`s see what this inode contains:
sudo ./lkmem -s -c ~/krnl/curr ~/krnl/System.map-5.11.0-34- generic /sys/kernel/debug/kprobes/list
res /sys/kernel/debug/kprobes/list: (nil)
inode: 0xffff8a0448d1ae40
s_op: 0xffffffffa5067f80 - kernel!debugfs_super_operations
inode->i_fop: 0xffffffffa506b000 - kernel!debugfs_full_proxy_file_operations
debugfs_real_fops: 0xffffffffa5028ce0 - kernel!kprobes_fops
private_data: 0xffffffffa5028e00 - kernel!kprobes_sops
kprobes_sops is just struct seq_operations and the function we need is show. So idea is simple
- set notification for file /sys/kernel/debug/kprobes/list
- in fsnotify_handle_event callback check inode and mask
- if this is first opening of this file - patch kprobes_sops->show to our own function (be cautious with WP in cr0)
- if this is last closing of this file - return original handler to kprobes_sops->show
- also return original handler when driver is unloading
You may ask - why is it so difficult? It`s much easier just to patch kprobes_sops->show, right? The answer is that you minimize the risk of being discovered when patching only for some short period
Комментариев нет:
Отправить комментарий