
I am doing an exercise where I need to hide my kernel from lsmod but I can still remove it using rmmod. To do that I hook the delete module function and want to check the deleted module name but I can't make it work.

module_name is always empty (even if I use copy_from_user()) but name_len always contains a value that is greater than 0 (kernel version 5.19.0-40-generic)

```c
asmlinkage long delete_module_func(const char __user *name_user, unsigned int flags)
{
    long ret;
    char module_name[256];
    int name_len;
    struct module *mod;

    /* Copy the NUL-terminated module name from user space;
     * returns the copied length or a negative error code. */
    name_len = strncpy_from_user(module_name, name_user, sizeof(module_name));
    printk(KERN_INFO "name_len %d", name_len);
    if (name_len <= 0) {
        printk(KERN_INFO "failed");
        goto done;
    }

done:
    /* Pass the call through to the original delete_module handler. */
    ret = orig_delete_module_func(name_user, flags);
    return ret;
}
```
  • "but I can't make it work" - What exact behavior do you observe that makes you decide it is not working? Does it print "failed"? Or what? In its current state your problem is unclear. – Tsyvarev Apr 27 '23 at 10:42
  • module_name is always empty (even if I use "copy_from_user") but name_len always returns a value that is greater than 0 – Falafel_Truck Apr 27 '23 at 10:49
  • Please, update the question post with that information. – Tsyvarev Apr 27 '23 at 10:51
  • Did it. Any idea why copying from user space isn't working correctly? I even looked in the source code of the original function and it still won't work. – Falafel_Truck Apr 27 '23 at 11:00
  • Does this answer your question? [System call hooking example arguments are incorrect](https://stackoverflow.com/questions/59851520/system-call-hooking-example-arguments-are-incorrect) – Tsyvarev Apr 27 '23 at 11:23
  • I tried it with the di and bx registers and it seems to fail; do you know which register needs to be used? – Falafel_Truck Apr 27 '23 at 13:27
  • According to the [Linux System Call convention](https://stackoverflow.com/questions/2535989/what-are-the-calling-conventions-for-unix-linux-system-calls-and-user-space-f), on x86_64 the first syscall argument is passed via the `rdi` register, and the second argument via the `rsi` register. You could also find useful an [example from lwn](https://lwn.net/Articles/750536/). – Tsyvarev Apr 27 '23 at 15:23
