APatch kpm模块开发

转载至APatch kpm模块开发 | 拓森

什么是KernelPatch Module (KPM)

KPM是一个ELF文件，可以通过KernelPatch在内核空间中加载和运行

官方文档与代码案例

https://github.com/bmax121/KernelPatch

https://github.com/bmax121/KernelPatch/blob/main/doc/zh-CN/module.md

官方提供了3个案例:

1.hello world

2.inline-hook

3.syscallhook

Hello

inline hook

定义一个测试函数:__noinline add

__noinline 避免被内联优化, 方便hook

执行hook

syscall hook

初始化

如果参数是function_pointer_hook, 使用fp_hook_syscalln来hook系统函数, hook了openat

如果是inline_hook, 则使用inline_hook_syscalln来hook系统函数

通过syscall_argn来获取参数值

uint64_t open_counts <span class="token operator">=</span> <span class="token number">0</span><span class="token punctuation">;</span>

<span class="token keyword">void</span> <span class="token function">before_openat_1</span><span class="token punctuation">(</span><span class="token parameter">hook_fargs4_t <span class="token operator">*</span>args<span class="token punctuation">,</span> <span class="token keyword">void</span> <span class="token operator">*</span>udata</span><span class="token punctuation">)</span>
<span class="token punctuation">{</span>
    <span class="token comment">//获取参数复制给pcount</span>
    uint64_t <span class="token operator">*</span>pcount <span class="token operator">=</span> <span class="token punctuation">(</span>uint64_t <span class="token operator">*</span><span class="token punctuation">)</span>udata<span class="token punctuation">;</span>
    <span class="token punctuation">(</span><span class="token operator">*</span>pcount<span class="token punctuation">)</span><span class="token operator">++</span><span class="token punctuation">;</span>   <span class="token comment">//累加</span>
    <span class="token function">pr_info</span><span class="token punctuation">(</span><span class="token string">"hook_chain_1 before openat task: %llx, count: %llx\n"</span><span class="token punctuation">,</span> args<span class="token operator">-</span><span class="token operator">&gt;</span>local<span class="token punctuation">.</span><span class="token property-access">data0</span><span class="token punctuation">,</span> <span class="token operator">*</span>pcount<span class="token punctuation">)</span><span class="token punctuation">;</span>  
<span class="token punctuation">}</span>

<span class="token keyword">void</span> <span class="token function">after_openat_1</span><span class="token punctuation">(</span><span class="token parameter">hook_fargs4_t <span class="token operator">*</span>args<span class="token punctuation">,</span> <span class="token keyword">void</span> <span class="token operator">*</span>udata</span><span class="token punctuation">)</span>
<span class="token punctuation">{</span>
    <span class="token function">pr_info</span><span class="token punctuation">(</span><span class="token string">"hook_chain_1 after openat task: %llx\n"</span><span class="token punctuation">,</span> args<span class="token operator">-</span><span class="token operator">&gt;</span>local<span class="token punctuation">.</span><span class="token property-access">data0</span><span class="token punctuation">)</span><span class="token punctuation">;</span>   <span class="token comment">//这里打印出累加后的值</span>
<span class="token punctuation">}</span>

uint64_t open_counts = 0;

void before_openat_1(hook_fargs4_t *args, void *udata)

{

//获取参数复制给pcount

uint64_t *pcount = (uint64_t *)udata;

(*pcount)++; //累加

pr_info("hook_chain_1 before openat task: %llx, count: %llx\n", args->local.data0, *pcount);

}

void after_openat_1(hook_fargs4_t *args, void *udata)

{

pr_info("hook_chain_1 after openat task: %llx\n", args->local.data0); //这里打印出累加后的值

}

实际案例分析

参考:https://github.com/lzghzr/APatch_kpm

模块作用:redirect /system/etc/hosts to /data/adb/hosts

这个模块主要是hook VFS层do_sys_open, do_sys_open是open/openat的一个实现. VFS层是比syscal 更底层的实现

具体代码分析

声明do_filp_open函数指针

inline_hook_control0函数是设置文件编号, 假设是2

char hosts_target[] = “/data/adb/hosts/0”;

变成:

char hosts_target[] = “/data/adb/hosts/2”;

<span class="token keyword">static</span> long <span class="token function">inline_hook_control0</span><span class="token punctuation">(</span><span class="token parameter"><span class="token keyword">const</span> char<span class="token operator">*</span> ctl_args<span class="token punctuation">,</span> char<span class="token operator">*</span> __user out_msg<span class="token punctuation">,</span> int outlen</span><span class="token punctuation">)</span> <span class="token punctuation">{</span>
  char num <span class="token operator">=</span> ctl_args <span class="token operator">?</span> <span class="token operator">*</span>ctl_args <span class="token operator">:</span> <span class="token string">'1'</span><span class="token punctuation">;</span>
  <span class="token keyword control-flow">if</span> <span class="token punctuation">(</span><span class="token function">unlikely</span><span class="token punctuation">(</span>num <span class="token operator">&lt;</span> <span class="token string">'0'</span> <span class="token operator">||</span> num <span class="token operator">&gt;</span> <span class="token string">'9'</span><span class="token punctuation">)</span><span class="token punctuation">)</span> <span class="token punctuation">{</span>
    <span class="token keyword control-flow">return</span> <span class="token operator">-</span><span class="token number">11</span><span class="token punctuation">;</span>
  <span class="token punctuation">}</span>
  hosts_target<span class="token punctuation">[</span><span class="token number">16</span><span class="token punctuation">]</span> <span class="token operator">=</span> num<span class="token punctuation">;</span>

  char msg<span class="token punctuation">[</span><span class="token number">64</span><span class="token punctuation">]</span><span class="token punctuation">;</span>
  <span class="token function">snprintf</span><span class="token punctuation">(</span>msg<span class="token punctuation">,</span> <span class="token function">sizeof</span><span class="token punctuation">(</span>msg<span class="token punctuation">)</span><span class="token punctuation">,</span> <span class="token string">"_(._.)_"</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
  <span class="token function">compat_copy_to_user</span><span class="token punctuation">(</span>out_msg<span class="token punctuation">,</span> msg<span class="token punctuation">,</span> <span class="token function">sizeof</span><span class="token punctuation">(</span>msg<span class="token punctuation">)</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
  <span class="token keyword control-flow">return</span> <span class="token number">0</span><span class="token punctuation">;</span>
<span class="token punctuation">}</span>

static long inline_hook_control0(const char* ctl_args, char* __user out_msg, int outlen) {

char num = ctl_args ? *ctl_args : '1';

if (unlikely(num < '0' || num > '9')) {

return -11;

}

hosts_target[16] = num;

char msg[64];

snprintf(msg, sizeof(msg), "_(._.)_");

compat_copy_to_user(out_msg, msg, sizeof(msg));

return 0;

}

查找并保存几个重要的内核函数地址

hook do_filp_open

do_filp_open_before的实现

获取参数filename指针, 再获取pathname , 判断绝对路径和相对路径

绝对路径判断相等, 则执行重定向和设置selinux allow = true, hook完成后会改回去false

相对路径则获取工作目录拼接成绝对路径, 再执行相同的逻辑

do_filp_open_after的实现

<span class="token keyword">static</span> <span class="token keyword">void</span> <span class="token function">do_filp_open_after</span><span class="token punctuation">(</span><span class="token parameter">hook_fargs3_t<span class="token operator">*</span> args<span class="token punctuation">,</span> <span class="token keyword">void</span><span class="token operator">*</span> udata</span><span class="token punctuation">)</span> <span class="token punctuation">{</span>
  <span class="token keyword control-flow">if</span> <span class="token punctuation">(</span><span class="token function">unlikely</span><span class="token punctuation">(</span>args<span class="token operator">-</span><span class="token operator">&gt;</span>local<span class="token punctuation">.</span><span class="token property-access">data0</span><span class="token punctuation">)</span><span class="token punctuation">)</span> <span class="token punctuation">{</span>
    <span class="token function">set_priv_selinx_allow</span><span class="token punctuation">(</span>current<span class="token punctuation">,</span> <span class="token boolean">false</span><span class="token punctuation">)</span><span class="token punctuation">;</span>    <span class="token comment">//seliux = false</span>
    struct filename<span class="token operator">*</span> pathname <span class="token operator">=</span> <span class="token punctuation">(</span>struct filename<span class="token operator">*</span><span class="token punctuation">)</span>args<span class="token operator">-</span><span class="token operator">&gt;</span>arg1<span class="token punctuation">;</span> 
    pathname<span class="token operator">-</span><span class="token operator">&gt;</span>name <span class="token operator">=</span> <span class="token punctuation">(</span>char<span class="token operator">*</span><span class="token punctuation">)</span>args<span class="token operator">-</span><span class="token operator">&gt;</span>local<span class="token punctuation">.</span><span class="token property-access">data0</span><span class="token punctuation">;</span>    <span class="token comment">//还原pathname</span>
  <span class="token punctuation">}</span>
<span class="token punctuation">}</span>

static void do_filp_open_after(hook_fargs3_t* args, void* udata) {

if (unlikely(args->local.data0)) {

set_priv_selinx_allow(current, false); //seliux = false

struct filename* pathname = (struct filename*)args->arg1;

pathname->name = (char*)args->local.data0; //还原pathname

}

编译(Ubuntu)

官方编译指南: https://github.com/bmax121/KernelPatch/blob/main/doc/en/build.md

先下载交叉编译

https://developer.arm.com/downloads/-/arm-gnu-toolchain-downloads

下载 AArch64 bare-metal target (aarch64-none-elf)解压

https://armkeil.blob.core.windows.net/developer/Files/downloads/gnu/13.3.rel1/binrel/arm-gnu-toolchain-13.3.rel1-x86_64-arm-none-eabi.tar.xz

设置环境变量

编译

完成!

KPM模块安装

https://apatch.dev/zh_CN/kpm-usage-guide.html

作者:拓森Leo
链接:https://www.uzilol.cn/article/12dbf20f-1d11-802a-8cad-cf296b4a0950
声明:本文采用 CC BY-NC-SA 4.0 许可协议，转载请注明出处。

什么是KernelPatch Module (KPM)

官方文档与代码案例

Hello

inline hook

syscall hook

实际案例分析

具体代码分析

声明do_filp_open函数指针

inline_hook_control0函数是设置文件编号, 假设是2

查找并保存几个重要的内核函数地址

hook do_filp_open

do_filp_open_before的实现

do_filp_open_after的实现

编译(Ubuntu)

官方编译指南: https://github.com/bmax121/KernelPatch/blob/main/doc/en/build.md

先下载交叉编译

下载 AArch64 bare-metal target (aarch64-none-elf)解压

设置环境变量

编译

KPM模块安装

发表回复取消回复

近期文章

近期评论

归档

分类

APatch kpm模块开发

什么是KernelPatch Module (KPM)

官方文档与代码案例

Hello

inline hook

syscall hook

实际案例分析

具体代码分析

声明do_filp_open函数指针

inline_hook_control0函数是设置文件编号, 假设是2

查找并保存几个重要的内核函数地址

hook do_filp_open

do_filp_open_before的实现

do_filp_open_after的实现

编译(Ubuntu)

官方编译指南: https://github.com/bmax121/KernelPatch/blob/main/doc/en/build.md

先下载交叉编译

下载 AArch64 bare-metal target (aarch64-none-elf)解压

设置环境变量

编译

KPM模块安装

发表回复 取消回复

近期文章

近期评论

发表回复取消回复