
Add system call "stealing" sample using kprobe handler #260

Merged: 1 commit, Jul 4, 2024

Conversation

haodongnj
Copy link
Contributor

The syscall-steal example doesn't work on my x86 laptops with kernel 6.1 on Debian and 5.15 on Ubuntu.
As mentioned in this answer on Stack Overflow, the syscall table is no longer used to invoke system calls on the x86 arch after this commit, which is backported to many LTS kernel versions. So maybe an extra example without using the syscall table can make it easy to understand the situation for beginners like me.

Copy link
Contributor

@jserv jserv left a comment


Merge the proposed changes of file syscall-steal2.c into syscall-steal.c so that the content can appear in the book.

@jserv jserv changed the title add: syscall hook by Kprobes Add system call "stealing" sample using kprobe handler Jun 20, 2024
@jserv
Copy link
Contributor

jserv commented Jun 20, 2024

Reported by CI:

examples/syscall-steal2.c:35:15: warning: symbol 'syscall_kprobe' was not declared. Should it be static?

examples/syscall-steal.c (review thread, outdated, resolved)
@jserv jserv requested a review from linD026 June 24, 2024 15:32
examples/syscall-steal.c (review thread, outdated, resolved)
examples/syscall-steal.c (review thread, outdated, resolved)
examples/syscall-steal.c (review thread, resolved)
* Alternatively, set USE_KPROBES_PRE_HANDLER_BEFORE_SYSCALL to 0 to use the old method.
*/
#define USE_KPROBES_PRE_HANDLER_BEFORE_SYSCALL 1
#endif
#include <linux/kprobes.h>
#else
#define HAVE_PARAM 1
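Review bot: a v5.9+ x86 kernel built without CONFIG_KPROBES falls through this block with USE_KPROBES_PRE_HANDLER_BEFORE_SYSCALL still 1 and `#include <linux/kprobes.h>` pulled in unconditionally, so the module ends up referencing kprobe symbols the kernel does not provide instead of telling the user why the sample cannot run. Suggest guarding this branch with `#if !IS_ENABLED(CONFIG_KPROBES)` followed by `#error "syscall-steal needs CONFIG_KPROBES on x86 kernels that carry the 1e3ad78 change"` so the failure is self-explanatory at build time.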
Copy link
Collaborator

@linD026 linD026 Jun 25, 2024


Also, we need to add the other condition: the system is v5.9+ on the x86 arch without kprobe support.
Maybe we can tell the user they are unable to run this example.

Copy link
Contributor Author


Maybe defining USE_KPROBES_PRE_HANDLER_BEFORE_SYSCALL to 0 by default is enough because users may turn on this macro if they get stuck when hacking.

Copy link
Collaborator

@linD026 linD026 Jun 26, 2024


But the module will be broken if we have such a scenario.
Moreover, the user may be confused about this and start googling your question again.
I would suggest that you provide a more comprehensive explanation or relevant links (e.g., the stack overflow answer you mentioned).
Additionally, in the code, we can print out some warnings about this instead of using the wrong symbol.

@jserv jserv requested a review from linD026 June 25, 2024 15:36
* after commit 1e3ad78 since v6.9. This commit has been backported to long
* term stable kernels, like v5.15, v6.1, v6.6 and v6.8. In this case, use a
* hook on the syscall entry instead to intercept the syscall.
* For more details, see https://stackoverflow.com/questions/78599971/hooking-syscall-by-modifying-sys-call-table-does-not-work/78607015#78607015.
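Review bot: "since v6.9" together with the bare LTS line names (v5.15, v6.1, v6.6, v6.8) reads as if every kernel in those series is affected, but the change only arrives at a point release within each line; state the first affected stable versions here (the commit message gives 5.15.154+, 6.1.85+, 6.6.26+ and 6.8.5+) so a reader on an earlier point release knows the sys_call_table path should still work. Also name the mechanism in the last sentence, e.g. "use a kprobe pre-handler on the syscall entry", since that is what the code does, and cite the full hash from the commit message's link [1] rather than the short 1e3ad78 so the commit is unambiguous.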
Copy link
Contributor


The rationale for using Kprobe on the x86 architecture is informative. Could you move the description out of this file? Specifically, the text should appear in the LaTeX script so that readers can gain a deeper understanding before examining the kernel module source code.

@sysprog21 sysprog21 deleted a comment from Xxblimp Jun 28, 2024
@jserv jserv requested a review from 0xff07 July 1, 2024 22:51
Copy link
Contributor

@jserv jserv left a comment


Read https://cbea.ms/git-commit/ carefully and squash the git commits.

For x86 architecture, the system call table cannot be used to invoke a system call after commit 1e3ad78[1] since v6.9.
This commit has been backported to long term stable kernels, like v5.15.154+, v6.1.85+, v6.6.26+ and v6.8.5+[2].
In this case, thanks to Kprobes, a hook can be used instead on the system call entry to intercept the system call.

[1] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=1e3ad78334a69b36e107232e337f9d693dcc9df2
[2] https://stackoverflow.com/a/78607015
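The version boundaries in the commit message decide which of the two hook methods in syscall-steal.c can work on a given x86 kernel. The following script is an added example (mine, not part of this PR or of the LKMPG examples): it encodes those boundaries, the mainline 6.9 cut-over and the 5.15.154, 6.1.85, 6.6.26 and 6.8.5 backport points quoted above, and reports whether the sys_call_table path is expected to fail so the kprobe pre-handler path is needed. It assumes a POSIX sh with `tr` and `uname`; the function names `version_ge` and `syscall_hook_method` are my own.

```shell
#!/bin/sh
# Added example, not part of the PR or the LKMPG sources.
# Decides, from a kernel version string, whether the sys_call_table patching
# path of syscall-steal.c is expected to work on x86 or whether the kprobe
# pre-handler path is needed, using the versions quoted in the PR:
# mainline 6.9, and backports in 5.15.154+, 6.1.85+, 6.6.26+ and 6.8.5+.
#
# Caveat: distribution kernels carry the backport independently of their
# version string (Debian's 6.1.0-NN packages are built from much later 6.1.y
# releases, Ubuntu's 5.15.0-NN likewise), so a "table" answer is only a hint;
# loading the module and reading dmesg is the authoritative test.

# version_ge A B: succeeds when dotted version A >= B (numeric, per field).
# Anything after the first '-' (e.g. "-21-amd64") is ignored.
version_ge() {
    a=${1%%-*}
    b=${2%%-*}
    set -- $(printf '%s' "$a" | tr '.' ' ') 0 0 0
    a1=$1; a2=$2; a3=$3
    set -- $(printf '%s' "$b" | tr '.' ' ') 0 0 0
    b1=$1; b2=$2; b3=$3
    if [ "$a1" -gt "$b1" ]; then return 0; fi
    if [ "$a1" -lt "$b1" ]; then return 1; fi
    if [ "$a2" -gt "$b2" ]; then return 0; fi
    if [ "$a2" -lt "$b2" ]; then return 1; fi
    if [ "$a3" -ge "$b3" ]; then return 0; fi
    return 1
}

# syscall_hook_method VERSION: prints "kprobe" when the version is at or past
# the point where commit 1e3ad78 (or its stable backport) stopped x86 from
# going through sys_call_table, and "table" otherwise.
syscall_hook_method() {
    v=${1%%-*}
    major=${v%%.*}
    rest=${v#*.}
    minor=${rest%%.*}
    case "$major.$minor" in
        5.15) ref=5.15.154 ;;
        6.1)  ref=6.1.85 ;;
        6.6)  ref=6.6.26 ;;
        6.8)  ref=6.8.5 ;;
        *)    ref=6.9 ;;     # any other series: only mainline 6.9+ has it
    esac
    if version_ge "$v" "$ref"; then
        echo kprobe
    else
        echo table
    fi
}

# Usage: report for the running kernel.
printf 'kernel %s: expected syscall-steal hook method on x86 = %s\n' \
    "$(uname -r)" "$(syscall_hook_method "$(uname -r)")"
```

The per-series table mirrors the commit message: a 6.2 or 6.7 kernel never received the backport, so only mainline 6.9 and later count for those, while a 6.1.84 still goes through the table and a 6.1.85 does not. The comparison is numeric per field, so 6.1.85 correctly sorts after 6.1.9.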
@jserv jserv merged commit 9504084 into sysprog21:master Jul 4, 2024
1 check passed
@jserv
Copy link
Contributor

jserv commented Jul 4, 2024

Thank @haodongnj for contributing!


3 participants