Diffstat (limited to 'md/writeup/hooking_interrupt_descriptor_table.md')
-rw-r--r-- | md/writeup/hooking_interrupt_descriptor_table.md | 112 |
1 files changed, 112 insertions, 0 deletions
diff --git a/md/writeup/hooking_interrupt_descriptor_table.md b/md/writeup/hooking_interrupt_descriptor_table.md new file mode 100644 index 0000000..a1c8349 --- /dev/null +++ b/md/writeup/hooking_interrupt_descriptor_table.md 
@@ -0,0 +1,112 @@ +title:X11 prototype GUI +keywords:x11,gui + +Hooking interrupt descriptor table +Hook interrupt descriptor table + +Hooking interrupt table is very interesting thing +with it you can dissallow some operations to be made or watch what +happening in system. This article is more like review and more tehnical +description is in link 1 + +First thing that we should know that it will done trought kernel module +there is 2 commands for loading and unloading modules + +``` +insmod +``` + +and + +``` +rmmod +``` + +there is way how we can check system call addresses and position of syscall +table + +``` +grep sys_call_table /proc/kallsyms + +grep system_call /proc/kallsyms +``` + + +also we can use it for detecting our module functions and syscall addreses + +``` +grep sys_write /proc/kallsyms +``` + +or if we whant check out module functions + +``` +grep hook_idt /proc/kallsyms +``` + +We will now try to hook sys_mkdir. I usualy using some minimalistic +windowmanagers but some browsers or other GUIsh programs like such directories +"Download" or "Desktop" all my directories in ~/ is lowercase and I realy hate +anoying "Download" and "Desktop" directories that are made without my permission +and for my lowercase /home directory style is agly. With this hook they will +be denied to make such thing. + +Out kernel module consist of such functions: + +```c +static int __init hook_init(void) //stufff on module init,idt hooking +static void __exit hook_exit(void) //stuff on module exit, restore idt table + +asmlinkage long hooked_mkdir(const char *filename, mode_t mode) //our hook function + +//how works this functions you can find in link number 1 +void *get_writable_sct(void *sct_addr) +void *get_syscall_table(void) +``` + +Basic hooked function is: + +```c +asmlinkage long hooked_mkdir(const char *filename, mode_t mode) +{ + return mkdir(filename, mode); +} +``` + +but now we need to add check for ("Desktop","Download"). 
First we need some error +that will returned when some one whant to make bad directory +we will use EACCES error. + +here is modified functions for out task: + +```c +//hook mkfile command +asmlinkage long hooked_mkdir(const char *filename, mode_t mode) +{ + //it will disallow all files that starts with Desktop&&Download + if (((strncmp(filename,"Desktop",7) == 0) && (strlen(filename) == 7)) || + ((strncmp(filename,"Download",8) == 0) && (strlen(filename) == 8))) + { + printk(KERN_INFO "Mkdir hook\n"); + return EACCES; + } + return real_mkdir(filename, mode); +} +``` + +For module compiling: + +``` +make +``` + +This is tested with kernel version 2.6.38 + + +## Links +http://codenull.net/articles/kmh_en.html +http://www.gadgetweb.de/linux/40-how-to-hijacking-the-syscall-table-on-latest-26x-kernel-systems.html + +## Downloads +hook_idt.zip - +5KiB - http://archive.main.lv/files/writeup/hooking_interrupt_descriptor_table/hook_idt.zip |
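Review bot: In the modified `hooked_mkdir`, `return EACCES;` returns a positive value; Linux system calls signal errors by returning a negative errno (`return -EACCES;`), so as written the caller gets 13 back, which libc will not translate into an error and the directory will appear to have been "created" from the caller's point of view. Two more points in the same block: `filename` is a userspace pointer (the kernel's `sys_mkdir` takes `const char __user *`), so calling `strncmp`/`strlen` on it directly is unsafe and it should be copied in with `strncpy_from_user` first; and the comment says "starts with Desktop&&Download" while the `strlen(filename) == 7` / `== 8` conditions make it an exact-name match, so only a bare `mkdir("Desktop")` is blocked, not `mkdir("/home/user/Desktop")`. Please also reconcile the fall-through call, which is `mkdir(filename, mode)` in the first listing but `real_mkdir(filename, mode)` in the second, and declare `real_mkdir` (a saved pointer to the original handler) in the function overview above. On the documentation side: the front matter `title:X11 prototype GUI` / `keywords:x11,gui` belongs to a different article, the technique described (locating `sys_call_table` via `/proc/kallsyms` and replacing an entry) is syscall-table hooking rather than interrupt descriptor table hooking, so the title and heading are misleading, and the comment `//hook mkfile command` should read `mkdir`.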