#include <linux/kernel.h>
#include <linux/module.h>
#include <linux/syscalls.h>
#include <linux/string.h>
/*
 * Hard-coded address that this module treats as the base of the system call
 * table (it is cast to a pointer below and indexed with __NR_write).
 * NOTE(review): a literal address is only meaningful for one specific kernel
 * image; on any other build the module would read and write unrelated kernel
 * memory.
 */
#define SYSCALL_TABLE_BASE_ADDR (0x8000fc28)
/*
 * Value the module means to load into CP15 register c3 (the ARM Domain Access
 * Control Register) while it edits the table.
 * NOTE(review): 0xff presumably puts the low four domains in "manager" mode,
 * where page permission bits are not checked; confirm against the
 * architecture manual for the target core.
 */
#define MANAGER_PERMISSION (0xff)

/* Syscall table viewed as an array of 32-bit-pointer-sized entries. */
unsigned int ** g_puSysTableAddr = (unsigned int**) SYSCALL_TABLE_BASE_ADDR;
/* Last value read back from CP15 c3; written back after each table edit. */
unsigned int g_uPrevAP = 0x00;
/* Value intended for CP15 c3 while the table entry is being changed. */
unsigned int g_uNewAP = MANAGER_PERMISSION;
/* Original table entry for write, saved by Hook_Init and put back by Hook_Exit. */
unsigned int (* sys_write_orig)(int fd, char *byf, size_t count);

/*
 * Replacement handler that Hook_Init stores in the syscall table slot for
 * write. Its purpose is to modify the contents of pBuf before calling
 * sys_write_orig().
 *
 * nFD  - file descriptor passed to write; only descriptor 1 is inspected.
 * pBuf - caller's data buffer, forwarded to sys_write_orig().
 * nCnt - byte count passed to write, forwarded unchanged.
 *
 * Returns whatever sys_write_orig() returns, on both paths.
 *
 * NOTE(review): both comparisons against string literals compare addresses,
 * not characters. comm is a char array inside the task structure, so its
 * address never equals the address of a literal: the "dmesg" test is always
 * true and the "hello_world" test is always false. As written, every write
 * to descriptor 1 from every task is logged, and the inner branch never runs.
 *
 * NOTE(review): if the inner branch did run, strcpy() would write 11 bytes
 * (10 characters plus the terminator) whatever nCnt is, overrunning any
 * caller buffer shorter than that. pBuf is also presumably a user-space
 * pointer at this boundary; kernel code normally reaches such memory through
 * the copy_to_user()/copy_from_user() helpers rather than memset()/strcpy().
 * Confirm for the target kernel.
 *
 * NOTE(review): the return type is unsigned int; confirm it matches the
 * signed return convention of the handler it replaces, since error codes are
 * negative.
 */
unsigned int sys_write_hooked(int nFD, char *pBuf, size_t nCnt){
	/* Pointer comparison, see the note above: always true for fd 1. */
	if(nFD == 1 && current->comm != "dmesg"){
		/* Logs the name of the calling task; no log level is given. */
		printk("current process: %s\n",current->comm);
		/* Pointer comparison, see the note above: never true. */
		if(current->comm == "hello_world"){
			printk("hello world 호출\n");
			/* Clears nCnt bytes, then writes a fixed 11-byte string unbounded. */
			memset(pBuf, 0, nCnt);
			strcpy(pBuf, "Hacked!!!\n");
		}
		return sys_write_orig(nFD,pBuf, nCnt);
	}
	else{
		/* Any other descriptor is forwarded untouched. */
		return sys_write_orig(nFD,pBuf, nCnt);
	}

}

/*
 * Module load entry point: saves the current syscall table entry for write
 * and replaces it with sys_write_hooked. Always returns 0.
 *
 * Defensive note: after this runs, the write slot of the syscall table holds
 * an address inside this module rather than inside the kernel image. A
 * syscall-table integrity check compares exactly that against a known-good
 * copy.
 */
int __init Hook_Init(void){
	
	/* Remember the original handler so it can be called and later restored. */
	sys_write_orig = (void *)g_puSysTableAddr[__NR_write];

	/* Read the current CP15 c3 value into g_uPrevAP. */
	__asm__ __volatile__("mrc p15, 0, %0, c3, c0" : "=r"(g_uPrevAP));
	/*
	 * NOTE(review): this is "mrc" (coprocessor read) with g_uNewAP given as
	 * an input operand and no output. The matching step in Hook_Exit uses
	 * "mcr". As written, this line does not appear to load g_uNewAP into c3,
	 * so the store below runs under the unmodified access settings. Confirm
	 * the intent.
	 */
	__asm__ __volatile__("mrc p15, 0, %0, c3, c0" : : "r"(g_uNewAP));
	
	/* Overwrite the table slot; the cast assumes 32-bit function pointers. */
	g_puSysTableAddr[__NR_write] = (unsigned int *) sys_write_hooked;
	
	/* Write the saved value back to CP15 c3. */
	__asm__ __volatile__("mcr p15,0, %0, c3, c0" : :"r"(g_uPrevAP));
	return 0;
}

/*
 * Module unload entry point: puts the saved original handler back into the
 * syscall table slot for write.
 */
void __exit Hook_Exit(void){
	/* Read the current CP15 c3 value into g_uPrevAP (overwrites the load-time copy). */
	__asm__ __volatile__("mrc p15,0, %0, c3,c0" : "=r"(g_uPrevAP));
	/* Write g_uNewAP to CP15 c3 for the duration of the table edit. */
	__asm__ __volatile__("mcr p15, 0, %0, c3, c0" : :"r"(g_uNewAP));

	/* Restore the original entry saved by Hook_Init. */
	g_puSysTableAddr[__NR_write] = (unsigned int *) sys_write_orig;
 
        /* Write the value read at the top of this function back to CP15 c3. */
        __asm__ __volatile__("mcr p15,0, %0, c3, c0" : :"r"(g_uPrevAP));
}

/*
 * Register the load and unload entry points with the module loader.
 * NOTE(review): no MODULE_LICENSE declaration is visible in this listing.
 */
module_init(Hook_Init);
module_exit(Hook_Exit);