16

I want to write an LKM (Linux Kernel Module) that hijacks the realtime clock (interrupt 8). So I want the interrupt to be set to my function and at some point send it back to the old function.

I have tried to use the request_irq function without any success, probably because the kernel function that is there is not willing to share the interrupt (which is a good decision I guess).
I also tried to edit the IDT (Interrupt Descriptor Table), according to some pages I found. None of them worked; most didn't even compile since they were written for kernel 2.6, and I'm working with 3.10.

This is simplified code that I have, just to give you the idea of what I'm doing.

    kpage = __get_free_page(GFP_KERNEL);                            /* fresh page for a private copy of the IDT */
    asm("sidt %0" : : "m"(*idtr) : );                               /* store the IDT register (limit + base) into idtr */
    memcpy(kpage, idtr, 256 * sizeof(kpage));                       /* copy the table into the new page */
    newidt = (unsigned long long *)(*(unsigned long *)(idtr + 1));  /* base address read from idtr */
    newidt[8] = &my_function;                                       /* point entry 8 at the hook */
    asm("lidt %0" : "=m"(newidt) : );                               /* load the modified table */

All my attempts ended in good times with a segmentation fault, and in bad times with the kernel crashing forcing me to reboot (luckily I work with a virtual machine and snapshots).

So how can I hijack the realtime interrupt so it does my stuff? (And then send it back to the original function to get executed.)

Here is some nice code to change the page fault function on the IDT. I couldn't make it work, since it's also written for kernel 2.6. This question is also worth looking into.

To get the bounty please publish working code, or at least sufficient info to make it run.

Community
Ramzi Khahil
  • In Linux you have no interrupt access at all. Try to find a suitable syscall in order to access the clock, or ptrace the date command. This should help. – icbytes Dec 06 '13 at 10:12
  • What do you mean by this? What is the IDT for if so? – Ramzi Khahil Dec 06 '13 at 10:14
  • An example I found: http://stackoverflow.com/questions/2497919/changing-the-interrupt-descriptor-table – Ramzi Khahil Dec 06 '13 at 10:15
  • @icbytes since the OP is writing a kernel module, he has access to interrupts. – nos Dec 09 '13 at 22:43
  • As far as I know, Linux doesn't use INT 08h, besides possibly on some very old hardware. It usually uses the APIC for that; see: http://stackoverflow.com/a/14481859/149341 –  Dec 09 '13 at 23:12
  • @duskwuff Well I have tried it on university computers; they have a few years on them. But when I tried to use `request_irq` I always got "resource busy". Do you think that on newer hardware this won't happen? – Ramzi Khahil Dec 09 '13 at 23:44
  • "a few years" - The computers have an Intel Core v processor. – Ramzi Khahil Dec 09 '13 at 23:48
  • This feels like an instance of the [XY problem](http://www.perlmonks.org/index.pl?node_id=542341). Why do you think you need to do this? There may be a better way to accomplish your larger goal. – zwol Dec 10 '13 at 00:21
  • @Zack I'm doing some research on security issues. I want to write various sanity checks that run periodically, and I need them to be run for sure (even if a rootkit ran successfully); constant intervals are a nice plus, but I can work with "It will run sometime in the next X steps". Yes I know that with root access the IDT can be overridden by a virus just like I override it. But that's my 'larger goal' for now. To your XY problem - I need something that will run once within every X steps. – Ramzi Khahil Dec 10 '13 at 00:40
  • So, I am not a kernel guy, but I am certain there already is some kind of mechanism for executing tasks in the kernel at intervals. Get your sanity checks running using that first, then worry about hardening it against a rootkit trying to hide its presence. – zwol Dec 10 '13 at 03:29
  • the very first sentence tells this. ok ok ok. – icbytes Dec 10 '13 at 08:39
  • You can have a look [how the kernel](http://lxr.linux.no/linux+v3.12.6/kernel/irq/manage.c#L1396) does interrupt management and reverse engineer it. BTW the link to the patch code is dead and Google cache still has it. This is code from 2003/4 (32 bit kernel as ASM is all 32 bit). – egur Dec 26 '13 at 19:15

1 Answer

2

This can help you : http://cormander.com/2011/12/how-to-hook-into-hijack-linux-kernel-functions-via-lkm/

Why don't you simply hook a function that is called every x steps, like you want, and execute whatever you need?

Thomas Leclercq
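An added example, not code from the question or the answer, in C: the x86-64 IDT gate layout plus a snapshot-versus-live comparison of the kind a periodic sanity check like the one the question describes could run from a kernel timer; the tables and addresses are constructed for the demo, and the check itself is an added sketch, not anything the page provides. It also makes clear why storing a raw pointer into `newidt[8]` cannot yield a valid entry on a 64-bit kernel (and, on x86, vector 8 is the double-fault exception, not the RTC IRQ).

```c
#include <stdint.h>
/* x86-64 IDT gate (Intel SDM vol. 3A): 16 bytes, handler offset split over three
 * fields. A raw 8-byte pointer stored into an entry, as newidt[8] = &my_function
 * in the question does, cannot form a valid 64-bit gate. */
struct idt_gate64 {
    uint16_t offset_low;  /* handler offset bits 0..15 */
    uint16_t selector;    /* kernel code segment selector */
    uint8_t  ist;         /* interrupt stack table index, bits 0..2 */
    uint8_t  type_attr;   /* P|DPL|0|type; 0x8E = present, ring 0, interrupt gate */
    uint16_t offset_mid;  /* handler offset bits 16..31 */
    uint32_t offset_high; /* handler offset bits 32..63 */
    uint32_t reserved;
} __attribute__((packed));
_Static_assert(sizeof(struct idt_gate64) == 16, "gate must be 16 bytes");

uint64_t idt_gate_offset(const struct idt_gate64 *g) /* reassemble handler address */
{
    return (uint64_t)g->offset_low | ((uint64_t)g->offset_mid << 16)
         | ((uint64_t)g->offset_high << 32);
}

struct idt_gate64 idt_gate_make(uint64_t handler, uint16_t sel, uint8_t attr)
{   /* used here only to build the constructed sample tables */
    struct idt_gate64 g = { (uint16_t)(handler & 0xFFFF), sel, 0, attr,
                            (uint16_t)((handler >> 16) & 0xFFFF), (uint32_t)(handler >> 32), 0 };
    return g;
}

/* Integrity check: compare a live table with a snapshot taken at module load.
 * Returns the lowest vector whose handler, selector or attributes changed, or -1. */
int idt_first_changed(const struct idt_gate64 *snap, const struct idt_gate64 *live, int n)
{
    for (int i = 0; i < n; i++)
        if (idt_gate_offset(&snap[i]) != idt_gate_offset(&live[i])
            || snap[i].selector != live[i].selector
            || snap[i].type_attr != live[i].type_attr)
            return i;
    return -1;
}

/* Constructed sample: snapshot and live copies agree, then vector 8 of the live
 * copy is redirected to a made-up address. Expected result: 8. */
int demo_first_changed_vector(void)
{
    struct idt_gate64 snap[16], live[16];
    for (int i = 0; i < 16; i++)
        snap[i] = live[i] = idt_gate_make(0xffffffff81000000ULL + i * 0x100, 0x10, 0x8E);
    live[8] = idt_gate_make(0xffffffffc0001000ULL, 0x10, 0x8E);
    return idt_first_changed(snap, live, 16);
}
```

In a real module the snapshot would be copied from the table that `sidt` reports at load time and the comparison rerun from a kernel timer; the selector and attribute fields are checked as well as the offset, since a hook can also change the gate type or privilege level.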