title:X11 prototype GUI
keywords:x11,gui
# Hooking interrupt descriptor table
Hooking the interrupt table is a very interesting thing: with it you can disallow some operations or watch what is happening in the system. This article is more of an overview; a more technical description is in link 1. (Note that what the module below actually replaces is an entry of the system call table, which the `system_call` handler dispatches through.)

The first thing to know is that it is done through a kernel module. There are two commands for loading and unloading modules:
```
insmod
```
and
```
rmmod
```
This is how we can look up system call addresses and the position of the syscall table:
```
grep sys_call_table /proc/kallsyms
grep system_call /proc/kallsyms
```
We can also use it to find our module's functions and individual syscall addresses:
```
grep sys_write /proc/kallsyms
```
or, if we want to check our module's own functions:
```
grep hook_idt /proc/kallsyms
```
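The `grep` lines above do the lookup by eye. As an added example (not code from the original article or the hook_idt module), here is a small C parser for the `/proc/kallsyms` line format, `address type symbol [module]`, that resolves a symbol by exact name and counts the symbols attributed to a loaded module, which is the same check a defender makes when looking for what an out-of-tree module such as `hook_idt` put into the kernel. The sample text and its addresses are constructed for the example; on a real system you would read `/proc/kallsyms` into the buffer instead.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SYM_LEN 128

/* Constructed sample in /proc/kallsyms format ("address type symbol [module]").
 * The addresses are invented for this example. */
static const char *sample_kallsyms =
    "ffffffff81000000 T _text\n"
    "ffffffff8104a2c0 T sys_mkdir\n"
    "ffffffff8117f6a0 T sys_write\n"
    "ffffffff8117f9e0 T sys_writev\n"
    "ffffffff81601100 R sys_call_table\n"
    "ffffffffa0001000 t hooked_mkdir\t[hook_idt]\n"
    "ffffffffa0001120 t get_syscall_table\t[hook_idt]\n"
    "ffffffffa0001300 T hook_init\t[hook_idt]\n";

struct ksym {
    unsigned long long addr;
    char type;
    char name[SYM_LEN];
    char module[SYM_LEN];   /* empty string for built-in kernel symbols */
};

/* Parse one kallsyms line into *s. Returns 1 on success, 0 if the line is malformed. */
static int parse_kallsyms_line(const char *line, struct ksym *s)
{
    char addr_buf[32], mod_buf[SYM_LEN + 2];
    int n;

    memset(s, 0, sizeof(*s));
    n = sscanf(line, "%31s %c %127s %129s", addr_buf, &s->type, s->name, mod_buf);
    if (n < 3)
        return 0;
    s->addr = strtoull(addr_buf, NULL, 16);
    if (n == 4) {
        /* the module name is printed as "[name]"; strip the brackets */
        size_t len = strlen(mod_buf);
        if (len >= 2 && mod_buf[0] == '[' && mod_buf[len - 1] == ']') {
            mod_buf[len - 1] = '\0';
            strncpy(s->module, mod_buf + 1, SYM_LEN - 1);
        }
    }
    return 1;
}

/* Copy the next line of *cursor into buf and advance the cursor. Returns 0 at end of text. */
static int next_line(const char **cursor, char *buf, size_t buflen)
{
    const char *p = *cursor;
    const char *nl;
    size_t len;

    if (*p == '\0')
        return 0;
    nl = strchr(p, '\n');
    len = nl ? (size_t)(nl - p) : strlen(p);
    if (len >= buflen)
        len = buflen - 1;
    memcpy(buf, p, len);
    buf[len] = '\0';
    *cursor = nl ? nl + 1 : p + len;
    return 1;
}

/* Resolve a symbol like "grep sys_call_table /proc/kallsyms" does, but with an exact
 * name match, so that looking up sys_write does not also hit sys_writev. Returns 0 if absent. */
unsigned long long kallsyms_lookup(const char *text, const char *symbol)
{
    char line[512];
    struct ksym s;

    while (next_line(&text, line, sizeof(line)))
        if (parse_kallsyms_line(line, &s) && strcmp(s.name, symbol) == 0)
            return s.addr;
    return 0;
}

/* Count the symbols that kallsyms attributes to a given loaded module. */
int kallsyms_module_symbol_count(const char *text, const char *module)
{
    char line[512];
    struct ksym s;
    int count = 0;

    while (next_line(&text, line, sizeof(line)))
        if (parse_kallsyms_line(line, &s) && strcmp(s.module, module) == 0)
            count++;
    return count;
}

int main(void)
{
    printf("sys_call_table at 0x%llx\n", kallsyms_lookup(sample_kallsyms, "sys_call_table"));
    printf("symbols from hook_idt: %d\n", kallsyms_module_symbol_count(sample_kallsyms, "hook_idt"));
    return 0;
}
```

Note that a plain `grep sys_write` also matches `sys_writev`; the exact comparison above is the difference between finding the symbol and finding something that merely contains its name.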
We will now try to hook sys_mkdir. I usually use some minimalistic window managers, but some browsers and other GUI-ish programs like directories such as "Download" or "Desktop". All my directories in ~/ are lowercase, and I really hate the annoying "Download" and "Desktop" directories that are made without my permission; for my lowercase /home directory style it is ugly. With this hook they will be denied from doing such a thing.

Our kernel module consists of these functions:
```c
static int __init hook_init(void)   // runs on module init: locates the table and installs the hook
static void __exit hook_exit(void)  // runs on module exit: restores the original table entry
asmlinkage long hooked_mkdir(const char *filename, mode_t mode) // our replacement for sys_mkdir
// how the next two functions work is described in link number 1
void *get_writable_sct(void *sct_addr) // returns a writable alias of the syscall table
void *get_syscall_table(void)          // locates sys_call_table
```
The basic hooked function is:
```c
// pointer to the original sys_mkdir, saved by hook_init before the table entry is replaced
static asmlinkage long (*real_mkdir)(const char *filename, mode_t mode);

asmlinkage long hooked_mkdir(const char *filename, mode_t mode)
{
    // pass straight through to the original syscall
    return real_mkdir(filename, mode);
}
```
But now we need to add a check for "Desktop" and "Download". First we need an error code that will be returned when someone wants to make a bad directory; we will use EACCES (returned as -EACCES, since system calls report errors as negative errno values). Here is the modified function for our task:
```c
#include <linux/errno.h>   // EACCES
#include <linux/kernel.h>  // printk
#include <linux/string.h>  // strncmp, strlen

// pointer to the original sys_mkdir, saved by hook_init before the table entry is replaced
static asmlinkage long (*real_mkdir)(const char *filename, mode_t mode);

// hooked mkdir syscall
asmlinkage long hooked_mkdir(const char *filename, mode_t mode)
{
    // deny a directory whose name is exactly "Desktop" or "Download"
    // (strncmp on the prefix plus the length check gives an exact match)
    // note: filename is a user-space pointer; a robust hook copies it in
    // with strncpy_from_user() before looking at it
    if (((strncmp(filename, "Desktop", 7) == 0) && (strlen(filename) == 7)) ||
        ((strncmp(filename, "Download", 8) == 0) && (strlen(filename) == 8)))
    {
        printk(KERN_INFO "Mkdir hook\n");
        // system calls report errors as negative errno values
        return -EACCES;
    }
    return real_mkdir(filename, mode);
}
```
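The check above matches only the bare name, so `mkdir Desktop` is refused while `mkdir ~/Desktop` or `mkdir Desktop/` goes through. As an added example (not code from the original article or the hook_idt module), here is the same decision written as a plain user-space C function that can be compiled and tested outside the kernel: it generalizes the page's check to the last path component, ignores trailing slashes, keeps the match exact and case-sensitive, and returns the negative errno the hook should hand back. The function name `check_mkdir_name` and the `denied_names` list are this example's own; inside the kernel the path would first be copied in with `strncpy_from_user()`.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Names the hook refuses to create (the same two as the page's hook). */
static const char *const denied_names[] = { "Desktop", "Download", NULL };

/* Point at the final component of path, ignoring trailing slashes, and store its
 * length in *len: "a/b/" -> "b", "Desktop" -> "Desktop", "/" -> "" (length 0). */
static const char *last_component(const char *path, size_t *len)
{
    size_t end = strlen(path);
    size_t start;

    while (end > 0 && path[end - 1] == '/')
        end--;
    start = end;
    while (start > 0 && path[start - 1] != '/')
        start--;
    *len = end - start;
    return path + start;
}

/* Decide what a hooked sys_mkdir should return before calling the real one:
 * 0 to allow, -EACCES to deny. Negative errno is the kernel convention; a
 * positive EACCES would reach user space as a bogus return value of 13. */
long check_mkdir_name(const char *path)
{
    size_t len;
    const char *base = last_component(path, &len);
    int i;

    for (i = 0; denied_names[i] != NULL; i++) {
        /* length check plus strncmp gives an exact, case-sensitive match */
        if (strlen(denied_names[i]) == len && strncmp(base, denied_names[i], len) == 0)
            return -EACCES;
    }
    return 0;
}

int main(void)
{
    const char *samples[] = { "Desktop", "/home/user/Desktop", "Desktop/", "Downloads", "desktop" };
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("%-20s -> %ld\n", samples[i], check_mkdir_name(samples[i]));
    return 0;
}
```

Whether denying the name everywhere rather than only as a bare relative path is what you want is a policy choice; the point of the helper is that the decision is a pure function of the name, which makes it easy to test before it runs as a syscall hook.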
To compile the module:
```
make
```
This was tested with kernel version 2.6.38.
## Links
http://codenull.net/articles/kmh_en.html
http://www.gadgetweb.de/linux/40-how-to-hijacking-the-syscall-table-on-latest-26x-kernel-systems.html
## Downloads
hook_idt.zip - 5KiB - http://archive.main.lv/files/writeup/hooking_interrupt_descriptor_table/hook_idt.zip