hooker.c
1.54 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
#include <linux/kernel.h>
#include <linux/module.h>
#include <linux/syscalls.h>
#include <linux/string.h>
#define SYSCALL_TABLE_BASE_ADDR (0x8000fc28)
#define MANAGER_PERMISSION (0xff)
unsigned int ** g_puSysTableAddr = (unsigned int**) SYSCALL_TABLE_BASE_ADDR;
unsigned int g_uPrevAP = 0x00;
unsigned int g_uNewAP = MANAGER_PERMISSION;
unsigned int (* sys_write_orig)(int fd, char *byf, size_t count);
//sys_write_orig() 호출 전 pBuF의 내용 수정
unsigned int sys_write_hooked(int nFD, char *pBuf, size_t nCnt){
if(nFD == 1 && current->comm != "dmesg"){
printk("current process: %s\n",current->comm);
if(current->comm == "hello_world"){
printk("hello world 호출\n");
memset(pBuf, 0, nCnt);
strcpy(pBuf, "Hacked!!!\n");
}
return sys_write_orig(nFD,pBuf, nCnt);
}
else{
return sys_write_orig(nFD,pBuf, nCnt);
}
}
int __init Hook_Init(void){
sys_write_orig = (void *)g_puSysTableAddr[__NR_write];
__asm__ __volatile__("mrc p15, 0, %0, c3, c0" : "=r"(g_uPrevAP));
__asm__ __volatile__("mrc p15, 0, %0, c3, c0" : : "r"(g_uNewAP));
g_puSysTableAddr[__NR_write] = (unsigned int *) sys_write_hooked;
__asm__ __volatile__("mcr p15,0, %0, c3, c0" : :"r"(g_uPrevAP));
return 0;
}
void __exit Hook_Exit(void){
__asm__ __volatile__("mrc p15,0, %0, c3,c0" : "=r"(g_uPrevAP));
__asm__ __volatile__("mcr p15, 0, %0, c3, c0" : :"r"(g_uNewAP));
g_puSysTableAddr[__NR_write] = (unsigned int *) sys_write_orig;
__asm__ __volatile__("mcr p15,0, %0, c3, c0" : :"r"(g_uPrevAP));
}
module_init(Hook_Init);
module_exit(Hook_Exit);