In order to write to a read-only memory location (an example of such a memory location would be the sys_call_table) from a kernel module, is it sufficient to disable page protection by manipulating the 16th bit of the CR0 register?
Or do we need something more to write to a read-only memory location?
Viewed 2,986 times

Asked by PaulDaviesC
- Why do you want to do that? And you should add some locking machinery... (what happens if two cores of your processor are changing that table simultaneously) – Basile Starynkevitch Jan 27 '13 at 08:09
- Root kits probably would want to. Otherwise you're subverting sections that are marked read-only for good reason. – stsquad Jan 27 '13 at 08:23
- Bad, bad idea. Please don't try to mess with things in the kernel, unless you are the real kernel. When writing modules, try to only go through Linux API calls, instead of messing with low-down CPU bits. Why do you need to do this anyway? – Linuxios Jan 28 '13 at 00:52
- @Linuxios to manipulate sys_call_table so that I can hook system calls. Doing it for experimentation. – PaulDaviesC Jan 28 '13 at 15:07
- If you want a new syscall then you'll need to compile a fresh kernel with your new definition. If you are trying to patch the syscall table to redirect an existing syscall then you'll need to do something like: http://stackoverflow.com/questions/2103315/linux-kernel-system-call-hooking-example – stsquad Jan 28 '13 at 16:56
- @stsquad I have tried it. Here is the code http://pastebin.com/aWN3jdQU It is not working although there are no error messages. Here is the question I asked in the kernel newbies forum http://lists.kernelnewbies.org/pipermail/kernelnewbies/2013-January/007116.html. – PaulDaviesC Jan 28 '13 at 17:03
- If the purpose is to hook into system (or any other) calls (including interrupt handlers!), there's a clean, elegant mechanism available: the Kprobes framework [https://www.kernel.org/doc/Documentation/kprobes.txt]; IMHO using jprobes is especially useful for sys call hooking, etc. – kaiwan Sep 05 '16 at 12:20
1 Answer
If you disable page write protection, you may break something dependent on it (e.g. any copy-on-write occurring on kernel pages). If you do it that way, you probably want to temporarily disable interrupts/scheduling, so the memory modification looks atomic on that CPU; this also avoids the thread being moved to a different CPU if you have more than one.
I'm not sure that using hard-coded addresses like 0xc12c9e90 is a good idea. I don't know how Linux lays out things in the kernel portion of the address space, but addresses may change from one boot to another, either because of dynamic memory allocation or for security reasons (moving things around is a useful thing, as it reduces the chances of exploitation of kernel bugs).
Answered by Alexey Frunze
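The answer's two warnings (a cleared CR0.WP bit leaves the kernel writing to read-only pages, and hard-coded kernel addresses are not stable across boots) are what a defender checks for. The following is an added example, not code from the question, the answer or any linked project: it decodes the WP bit of a CR0 value and flags syscall-table slots that point outside core kernel text, using a constructed /proc/kallsyms-style listing and a constructed table dump (the symbol names, module name and addresses are made up for illustration; a real checker would read them from a live kernel with root privileges).

```python
import re

# Constructed sample in /proc/kallsyms format: "<addr> <type> <name> [module]".
# Addresses are invented; on a KASLR kernel they differ on every boot, which is
# why hard-coding one such as 0xc12c9e90 is unreliable.
KALLSYMS = """\
ffffffff81000000 T _stext
ffffffff81050000 T __x64_sys_read
ffffffff81050100 T __x64_sys_write
ffffffff81050200 T __x64_sys_open
ffffffff81e00000 T _etext
ffffffff82000000 D sys_call_table
ffffffffc0a00000 t hooked_open\t[evil_mod]
"""

# Constructed dump of the first three syscall slots; slot 2 has been redirected
# into a loadable module instead of the real handler.
SYS_CALL_TABLE = [0xffffffff81050000, 0xffffffff81050100, 0xffffffffc0a00000]

CR0_WP = 1 << 16  # bit 16 of CR0: when clear, ring 0 may write read-only pages

def cr0_wp_enabled(cr0: int) -> bool:
    """True if CR0.WP is set, i.e. the kernel still honours read-only mappings."""
    return bool(cr0 & CR0_WP)

def parse_kallsyms(text: str) -> dict:
    """Map address -> (symbol name, owning module or None for core kernel)."""
    syms = {}
    for line in text.splitlines():
        m = re.match(r"([0-9a-f]+) (\S) (\S+)(?:\s+\[(\S+)\])?", line)
        if m:
            syms[int(m.group(1), 16)] = (m.group(3), m.group(4))
    return syms

def find_hooked_slots(table, syms) -> list:
    """Return (slot, address, symbol) for table entries that lie outside the
    core kernel text range [_stext, _etext) or resolve to a module symbol;
    either is the signature of a patched syscall table."""
    by_name = {name: addr for addr, (name, _) in syms.items()}
    stext, etext = by_name["_stext"], by_name["_etext"]
    bad = []
    for slot, addr in enumerate(table):
        name, module = syms.get(addr, ("<unknown>", None))
        if not (stext <= addr < etext) or module is not None:
            bad.append((slot, addr, name))
    return bad

if __name__ == "__main__":
    print(find_hooked_slots(SYS_CALL_TABLE, parse_kallsyms(KALLSYMS)))
```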