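/******************************************************************************
 *
 * Copyright (c) 2003 Gerhard W. Gruber
 *
 * PROJECT: pICE
 * $Source: /cvsroot/pice/pice/module/syscall.c,v $
 * $Revision: 1.5 $
 * $Date: 2004/02/17 23:07:37 $
 * $Author: lightweave $
 * $Name:  $
 *
 * $Log: syscall.c,v $
 * Revision 1.5  2004/02/17 23:07:37  lightweave
 *
 * Improved the DEBUG facility and replaced the configuration handler with a
 * new code which now can read MS Windows INI style files. See CHANGES.txt for
 * more details.
 * Also added a macro which prevents compiling for kernels before 2.4.19.
 *
 * Revision 1.4  2003/06/18 22:00:22  lightweave
 * DEBUG and DEBUG_SERIAL added
 *
 *
 *****************************************************************************/
static char *ident = "$Header: /cvsroot/pice/pice/module/syscall.c,v 1.5 2004/02/17 23:07:37 lightweave Exp $";

/*++

Copyright (c) 1998-2001 Klaus P. Gerlicher

Module Name:

    syscall.c

Abstract:

    Hooks the system call vector (int 0x80) so the debugger sees every
    system call before the kernel handles it.  HandleSyscall() reports
    process creation (execve), process exit, and module load/unload to the
    debugger ring buffer, arms a hardware breakpoint on a freshly loaded
    module's init_module, and hooks a module's cleanup routine so software
    breakpoints inside it can be revirtualized before the module is freed.

Environment:

    Kernel mode only

Author:

    Klaus P. Gerlicher
    Gerhard W. Gruber

Revision History:

    12-Nov-1999:    created
    15-Nov-2000:    general cleanup of source files

Copyright notice:

  This file may be distributed under the terms of the GNU Public License.

--*/

////////////////////////////////////////////////////
// INCLUDES
////
#include "remods.h"

#include <linux/kernel.h>
#include <linux/module.h>
#include <linux/sched.h>
#include <asm/io.h>
#include <asm/page.h>
#include <asm/pgtable.h>
#include <linux/utsname.h>
#include <asm/unistd.h>

#if LINUX_VERSION_CODE < KERNEL_VERSION(2,4,0)
#define SYSCALL_VECTOR (0x80)
#else
#include <linux/irq.h>
#endif

#include "precomp.h"
#include "syscall_string.h"

////////////////////////////////////////////////////
// GLOBALS
////

// Size of the scratch buffer used to build one ring-buffer message.
#define PICE_SYSCALL_MSG_SIZE   1024

// Longest user-supplied path / module name that is copied out of the
// syscall argument (EBX) before it is formatted with "%s".  Longer names are
// truncated, which keeps every message inside PICE_SYSCALL_MSG_SIZE.  The
// syscall argument is under the control of an unprivileged caller (execve()
// paths may be several KB), so it must never be formatted unbounded.
#define PICE_SYSCALL_NAME_MAX   256

// Report process creation/destruction and module load/unload to the ring buffer.
BOOLEAN bReportProcessEvents = TRUE;
// Additionally report every other system call number (very noisy).
BOOLEAN bReportAllSyscalls = FALSE;

// Address of the original int 0x80 handler; non-zero while the hook is installed.
ULONG ulOldSyscallHandler=0;
// Address of the kernel's free_module(), resolved from System.map.
ULONG ulFreeModule=0;

// Module whose cleanup routine is currently hooked (see __NR_delete_module),
// and that module's original cleanup routine.  There is only one slot, so
// only one module unload can be tracked at a time.
struct module* pModJustFreed=NULL;
void (*old_cleanup_module)(void)=NULL;

ULONG pice_sys_call_table[256];

// Original sys_execve, only set when the (currently disabled) sys_call_table
// patching in InstallSyscallHook() is enabled.
static int (*pice_sys_execve)(struct pt_regs);

//*************************************************************************
// CopyUserName()
//
// Copies the NUL-terminated string argument of a system call into a
// fixed-size kernel buffer.  At most cap-1 characters are copied and dst is
// always NUL-terminated.  A NULL src yields an empty string.
// Returns the number of characters copied (0 for NULL/empty input).
//
// NOTE(review): like the original PICE_strlen()/PICE_sprintf() calls this
// dereferences the user pointer directly; it does not go through
// access_ok()/strncpy_from_user().  That preserves the original hook path's
// behaviour on a bad pointer (a fault).  Switching to uaccess would be the
// proper fix, but confirm first that the context this hook runs in can take
// the exception-table fixup.
//*************************************************************************
static ULONG CopyUserName(char *dst, const char *src, ULONG cap)
{
    ULONG n = 0;

    if(!dst || cap == 0)
        return 0;

    if(src)
    {
        while(n < cap - 1 && src[n] != '\0')
        {
            dst[n] = src[n];
            n++;
        }
    }
    dst[n] = '\0';

    return n;
}

//*************************************************************************
// other_module_cleanup_module()
//
// Installed in place of a module's cleanup routine by the __NR_delete_module
// handler.  Runs the module's original cleanup, then revirtualizes the
// debugger's breakpoints inside that module before the kernel frees it.
//
// The saved state is consumed (cleared) before use so that a second
// invocation cannot run a stale cleanup pointer, possibly belonging to a
// module that has since been freed.
//*************************************************************************
void other_module_cleanup_module(void)
{
    void (*pfnOriginalCleanup)(void) = old_cleanup_module;
    struct module* pMod = pModJustFreed;

    ENTER_FUNC();

    old_cleanup_module = NULL;
    pModJustFreed = NULL;

    if(pfnOriginalCleanup)
    {
        DPRINT(PICE_DEBUG, DBT_SYSCALL, DBL_INFO,"other_module_cleanup_module(): calling %x\n",(ULONG)pfnOriginalCleanup);
        pfnOriginalCleanup();
    }

    if(pMod)
    {
        DPRINT(PICE_DEBUG, DBT_SYSCALL, DBL_INFO,"other_module_cleanup_module(): calling RevirtualizeBreakpointsForModule(%x)\n",(ULONG)pMod);
        RevirtualizeBreakpointsForModule(pMod);
    }

    LEAVE_FUNC();
}

//*************************************************************************
// GetShortName()
//
// Returns a pointer to the part of name after its last '/' (the basename).
// A name without any '/' is returned unchanged; an empty name yields "".
//
// The previous implementation scanned backwards from one past the NUL
// terminator (an out-of-bounds read) and, for names without a '/', returned
// name+1, dropping the first character.
//*************************************************************************
char* GetShortName(char* name)
{
    char* pos;
    char* shortname = name;

    if(!name)
        return name;

    for(pos = name; *pos != '\0'; pos++)
    {
        if(*pos == '/')
            shortname = pos + 1;
    }

    return shortname;
}

//*************************************************************************
// HandleSyscall()
//
// Called from the int 0x80 hook with the trap frame of the calling process.
// EAX holds the syscall number and EBX its first argument, which for the
// syscalls handled here is a user-space string (execve path or module name).
//
//   __NR_exit           remove software breakpoints of the dying process,
//                       report "process destroyed"
//   __NR_execve         report "process created"
//   __NR_init_module    report the load; if the module is already on the
//                       kernel's module list, arm DR1 on its init_module
//   __NR_delete_module  report the unload and hook the module's cleanup so
//                       breakpoints in it are revirtualized before it is freed
//   anything else       optionally report the syscall number
//
// Every user string is copied into a bounded local buffer before being
// formatted, and every heap allocation is checked; a failed allocation only
// drops the message, it never skips the breakpoint bookkeeping.
//*************************************************************************
void HandleSyscall(EXCEPTION_FRAME* pFrame)
{
    DECL_TEMP;
    char szName[PICE_SYSCALL_NAME_MAX];

    ENTER_FUNC();

    switch(pFrame->eax)
    {
        case __NR_exit: // sys_exit
        {
            DPRINT(PICE_DEBUG, DBT_SYSCALL, DBL_INFO,"sys_exit\n");

            // remove breakpoints if any
            RemoveSWBreakpointOnProcessExit((ULONG)current);

            if(bReportProcessEvents)
            {
                ALLOC_TEMP(PICE_SYSCALL_MSG_SIZE);
                PICE_sprintf(TEMP,"pICE: process destroyed \"%s\" PID=%.4X\n",current->comm,current->pid);
                AddToRingBuffer(TEMP);
                FREE_TEMP();
            }
        }
        break;

        case __NR_execve: // sys_execve
        {
            DPRINT(PICE_DEBUG, DBT_SYSCALL, DBL_INFO,"sys_execve\n");

            if(bReportProcessEvents)
            {
                TEMP = PICE_HeapAlloc(PICE_SYSCALL_MSG_SIZE);
                if(TEMP)
                {
                    if(CopyUserName(szName,(const char*)pFrame->ebx,sizeof(szName)))
                        PICE_sprintf(TEMP,"pICE: process created \"%s\" PID=%.4X (parent \"%s\")\n",szName,current->pid,current->comm);
                    else
                        PICE_sprintf(TEMP,"pICE: process created PID=%.4X (parent \"%s\")\n",current->pid,current->comm);
                    AddToRingBuffer(TEMP);
                    FREE_TEMP();
                }
            }
        }
        break;

        case __NR_init_module: // sys_init_module
        {
            DPRINT(PICE_DEBUG, DBT_SYSCALL, DBL_INFO,"sys_init_module\n");

            TEMP = PICE_HeapAlloc(PICE_SYSCALL_MSG_SIZE);
            if(!TEMP)
                break;

            if(CopyUserName(szName,(const char*)pFrame->ebx,sizeof(szName)))
            {
                struct module* pMod;

                // Default text; replaced below when the module is found on the
                // kernel's list.  (Previously TEMP stayed uninitialized when the
                // list was non-empty but nothing matched, and heap garbage was
                // pushed into the ring buffer.)
                PICE_sprintf(TEMP,"pICE: module loaded \"%s\"\n",szName);

                for(pMod = pmodule_list; pMod; pMod = pMod->next)
                {
                    ULONG ulInitAddress;

                    if(PICE_strcmpi(szName,(LPSTR)pMod->name) != 0)
                        continue;

                    PICE_sprintf(TEMP,"pICE: module \"%s\" loaded (%x-%x init @ %x)\n",szName,(ULONG)pMod,(ULONG)pMod+pMod->size,(ULONG)pMod->init);

                    // Stop in the module's init_module on its first instruction.
                    if((ulInitAddress=FindFunctionInModuleByName("init_module",pMod)))
                    {
                        DPRINT(PICE_DEBUG, DBT_SYSCALL, DBL_INFO,"setting DR1=%.8x\n",ulInitAddress);
                        SetHardwareBreakPoint(ulInitAddress,1);
                    }
                    break;
                }
            }
            else
            {
                PICE_sprintf(TEMP,"pICE: module loaded\n");
            }

            AddToRingBuffer(TEMP);
            FREE_TEMP();
        }
        break;

        case __NR_delete_module: // sys_delete_module
        {
            DPRINT(PICE_DEBUG, DBT_SYSCALL, DBL_INFO,"sys_delete_module\n");

            TEMP = PICE_HeapAlloc(PICE_SYSCALL_MSG_SIZE);
            if(!TEMP)
                break;

            if(CopyUserName(szName,(const char*)pFrame->ebx,sizeof(szName)))
            {
                // Never hook the debugger's own unload.
                if(IsModuleLoaded((LPSTR)szName)!=NULL && PICE_strcmpi(szName,"pice")!=0)
                {
                    PICE_sprintf(TEMP,"pICE: module freed \"%s\"\n",szName);
                    AddToRingBuffer(TEMP);

                    if((pModJustFreed = FindModuleByName(szName)))
                    {
                        if(pModJustFreed->cleanup == other_module_cleanup_module)
                        {
                            // Already hooked by an earlier unload attempt that the
                            // kernel rejected (e.g. module busy).  Hooking again
                            // would save our own hook as old_cleanup_module and
                            // recurse forever when the module finally unloads.
                            // NOTE(review): with a single old_cleanup_module slot,
                            // an unload of a different module in between loses the
                            // original cleanup pointer of this one.
                        }
                        else if(pModJustFreed->cleanup)
                        {
                            old_cleanup_module = pModJustFreed->cleanup;
                            pModJustFreed->cleanup = other_module_cleanup_module;
                        }
                        else
                        {
                            // No cleanup routine to piggyback on: revirtualize now.
                            RevirtualizeBreakpointsForModule(pModJustFreed);
                        }
                    }
                }
            }
            else
            {
                PICE_sprintf(TEMP,"pICE: module freed\n");
                AddToRingBuffer(TEMP);
            }

            FREE_TEMP();
        }
        break;

        default:
        {
            ULONG i = pFrame->eax;
            char *s;

            // syscall_string[0] is the "unknown" entry for out-of-range numbers.
            if(i >= PICE_MAX_SYSCALL)
                s = syscall_string[0];
            else
                s = syscall_string[i];

            DPRINT(PICE_DEBUG, DBT_SYSCALL, DBL_INFO,"coming from %.4X:%.8X (syscall = %u [%s])\n", pFrame->cs, pFrame->eip, i, s);

            if(bReportAllSyscalls)
            {
                TEMP = PICE_HeapAlloc(PICE_SYSCALL_MSG_SIZE);
                if(TEMP)
                {
                    PICE_sprintf(TEMP,"pICE: syscall #%u\n",pFrame->eax);
                    AddToRingBuffer(TEMP);
                    FREE_TEMP();
                }
            }
        }
        break;
    }

    LEAVE_FUNC();
}

//*************************************************************************
// pice_execve()
//
// Replacement sys_execve that forwards to the saved original.  It is only
// valid once pice_sys_execve has been set by the sys_call_table patching in
// InstallSyscallHook(), which is currently commented out; until then this
// function must not be installed (pice_sys_execve is NULL).
//*************************************************************************
asmlinkage int pice_execve(struct pt_regs regs)
{
    int result;

    ENTER_FUNC();
    result = pice_sys_execve(regs);
    LEAVE_FUNC();

    return result;
}

//*************************************************************************
// InstallSyscallHook()
//
// Replaces the int 0x80 vector with DebuggerSyscall, saving the original
// handler in ulOldSyscallHandler.  Does nothing if the hook is already
// installed or if free_module cannot be located in System.map.
// Compiled out unless ACTIVATE_SYSCALL_HOOKING is defined.
//*************************************************************************
void InstallSyscallHook(void)
{
#ifdef ACTIVATE_SYSCALL_HOOKING
    void DebuggerSyscall(void);

    ENTER_FUNC();

    if(!ulOldSyscallHandler)
    {
        ScanSystemMap("free_module",(PULONG)&ulFreeModule);
        DPRINT(PICE_DEBUG, DBT_SYSCALL, DBL_INFO,"free_module @ %x\n",ulFreeModule);

        if(ulFreeModule)
        {
            HookInterruptVector(SYSCALL_VECTOR,(PVOID)&DebuggerSyscall,(PVOID)&ulOldSyscallHandler); // hook syscall

            // Direct sys_call_table patching is disabled; the vector hook above
            // is the only interception in use.
//          pice_sys_execve = (int (*)(struct pt_regs))sys_call_table[__NR_execve];
//          sys_call_table[__NR_execve] = (ULONG)pice_execve;

            DPRINT(PICE_DEBUG, DBT_SYSCALL, DBL_INFO,"pice_sys_execve = %p pice_execve @ %p\n", pice_sys_execve, pice_execve);
        }
    }

    LEAVE_FUNC();
#endif // ACTIVATE_SYSCALL_HOOKING
}

//*************************************************************************
// DeInstallSyscallHook()
//
// Restores the original int 0x80 handler saved by InstallSyscallHook() and
// clears ulOldSyscallHandler so the hook can be installed again later and a
// second call is a no-op.
// Compiled out unless ACTIVATE_SYSCALL_HOOKING is defined.
//*************************************************************************
void DeInstallSyscallHook(void)
{
#ifdef ACTIVATE_SYSCALL_HOOKING
    ENTER_FUNC();

    if(ulOldSyscallHandler)
    {
        HookInterruptVector(SYSCALL_VECTOR,(PVOID)ulOldSyscallHandler,NULL); // unhook syscall
        ulOldSyscallHandler = 0;
        //sys_call_table[__NR_execve]= (ULONG)pice_sys_execve;
    }

    LEAVE_FUNC();
#endif // ACTIVATE_SYSCALL_HOOKING
}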