
I hook execve in kernel mode (changing the system_call_table entry __NR_execve to my function). I want to check the ELF's assembly code. If it is harmful, I'll return directly without executing it.

I am writing a Linux module. In Linux kernel mode, I want to use objdump to disassemble the ELF file. I want to go to user mode to execute objdump, and then go back to kernel mode. Is this possible? Thank you.

siyuan
    Sounds strange. What do you need this for? Maybe it can be done in another way, without running a user-space application from the kernel. So please explain the whole task to us so perhaps we can come up with some more appropriate and elegant solution. – Sam Protsenko Oct 24 '15 at 12:12
  • Sam Protsenko, I hook execve in kernel mode (changing the system_call_table entry __NR_execve to my function). I want to check the ELF's assembly code. If it is harmful, I'll return directly without executing it. Do you have any other idea how to do this? – siyuan Oct 24 '15 at 12:42
  • It would be much better if you could do the same in user space. It just doesn't sound like a kernel task to me. But I may be mistaken. – Sam Protsenko Oct 24 '15 at 12:45
  • How to hijack execve in user space? LD_PRELOAD doesn't work. – siyuan Oct 24 '15 at 13:00

1 Answer


Maybe you can split your project into two parts: a kernel module and a user-space application. So you can hook execve() in the kernel, then tell your application that the hook was triggered, then do the disassembling and checking in your application, send the computed result back to the kernel module, and then either continue or break execve() execution.

If you still want to run objdump from the kernel -- check out call_usermodhelper().

See also this related question.

Sam Protsenko
  • Thank you very much, Sam Protsenko. This is very helpful. I want to use call_usermodhelper(). I'm going to write a user-space script (or C program) to check the assembly code, and then send the result (0 or 1) back to the kernel. So my next question is, how can I get the value in kernel mode? Write it to a file? – siyuan Oct 24 '15 at 13:48
  • 1
    You can just run your user-space app as a daemon and not use `call_usermodhelper()`. Regarding interaction between kernel and user space: there are a lot of options here. The easiest, perhaps, is to utilize **character device driver** capabilities to exchange some data between kernel and user space. The other possible and easy option -- is to create some **sysfs** file/files in your kernel module, and read/write them from the user-space app. – Sam Protsenko Oct 24 '15 at 13:53
  • Sam Protsenko, could you give me an example of transferring data from user space to kernel space? Thank you very much. – siyuan Oct 24 '15 at 23:34
  • The thing is, there are a lot of options for how you can implement such a transfer. Ideally you should choose one for your particular case. If you don't have much experience in kernel development -- I'd recommend you to look into the **miscellaneous character device** API. The following particular functions can be useful: `misc_register()`, `misc_deregister()`, `simple_read_from_buffer()`, `simple_write_to_buffer()`. Once you have registered a misc char device and implemented read/write file operations in the kernel, you will be able to read/write the corresponding file in the `/dev` directory to talk with your kernel module. – Sam Protsenko Oct 25 '15 at 00:13
  • Look [here](http://www.linuxvoice.com/be-a-kernel-hacker/) and [here](https://github.com/svijaykr/eudyptula/blob/master/task06/hello-world.c) for examples (I just googled by "misc_register simple_read_from_buffer" and chose what I liked most). – Sam Protsenko Oct 25 '15 at 00:20
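The user-space half of the split design from the answer, as an added example (not code from the question, the answer, or the linked repositories). It assumes the kernel module registers a misc device at the hypothetical path `/dev/execcheck` that hands out one pathname per `read()` and takes the verdict byte `"0"` (allow) or `"1"` (block) via `write()`; the "harmful" policy is a constructed placeholder, and objdump is started without a shell because the pathname comes from whoever called `execve()`.

```c
#include <string.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/wait.h>

#define DEVICE_PATH "/dev/execcheck"   /* assumed name; the kernel module picks it */

/* Placeholder policy (constructed for illustration, not a real detector): block a
 * binary whose disassembly issues system calls directly. objdump prints the mnemonic
 * after a tab ("  401000:\t0f 05\tsyscall"), so "<syscall>:" symbol lines and
 * "call <syscall>" operands do not match. Returns 1 = block, 0 = allow. */
int verdict(const char *disasm) {
    if (strstr(disasm, "\tsyscall")) return 1;
    for (const char *p = strstr(disasm, "\tint "); p; p = strstr(p + 1, "\tint ")) {
        const char *q = strstr(p, "$0x80");
        if (q && q < p + strcspn(p, "\n")) return 1;      /* "int $0x80" on this line */
    }
    return 0;
}

/* Run objdump without a shell. The path comes from an untrusted execve() caller, so
 * building a popen() command string from it would be a command-injection bug. */
static ssize_t disassemble(const char *path, char *out, size_t cap) {
    int fd[2], status;
    if (pipe(fd) < 0) return -1;
    pid_t pid = fork(); if (pid < 0) return -1;
    if (pid == 0) {
        dup2(fd[1], STDOUT_FILENO); close(fd[0]); close(fd[1]);
        execlp("objdump", "objdump", "-d", "--", path, (char *)NULL);
        _exit(127);
    }
    close(fd[1]);
    size_t got = 0; ssize_t r;
    while (got < cap - 1 && (r = read(fd[0], out + got, cap - 1 - got)) > 0) got += (size_t)r;
    out[got] = '\0'; close(fd[0]); waitpid(pid, &status, 0);
    return WIFEXITED(status) && WEXITSTATUS(status) == 0 ? (ssize_t)got : -1;
}

int main(void) {
    static char path[4096], disasm[1 << 20];
    int dev = open(DEVICE_PATH, O_RDWR); if (dev < 0) return 1;
    for (;;) {                                     /* one pathname per read() */
        ssize_t n = read(dev, path, sizeof path - 1);
        if (n <= 0) break;
        path[n] = '\0';
        int v = disassemble(path, disasm, sizeof disasm) < 0 ? 1 : verdict(disasm); /* fail closed */
        if (write(dev, v ? "1" : "0", 1) != 1) break;  /* 1 = block, 0 = allow */
    }
    return 0;
}
```

The kernel side would block the hooked execve() on a completion until this daemon's write() arrives, and should apply a timeout so a dead daemon cannot wedge every exec on the box.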