一、hello world
编写hello.c
#include <linux/module.h> MODULE_LICENSE("GPL"); static int __init syscall_init(void){ printk("hello world ! "); return 0; } static void __exit syscall_release(void){ printk("bye bye ! "); } module_init(syscall_init); module_exit(syscall_release);
编写Makefile
obj-m := hello.o CURRENT_PATH := $(shell pwd) LINUX_KERNEL := $(shell uname -r) LINUX_KERNEL_PATH := /usr/src/linux-headers-$(LINUX_KERNEL) all: make -C $(LINUX_KERNEL_PATH) M=$(CURRENT_PATH) modules clean: make -C $(LINUX_KERNEL_PATH) M=$(CURRENT_PATH) clean
编译和测试:
sudo make
安装模块:
insmod hello.ko
卸载模块:
rmmod hello
查看输出信息:
dmesg 或 tail -f /var/log/syslog
#######################################################################
资料:
syscall函数原型 https://elixir.bootlin.com/linux/v5.0/source/include/linux/syscalls.h
syscall调用号 https://elixir.bootlin.com/linux/v5.0/source/arch/sh/include/uapi/asm/unistd_64.h
syscall参数 http://blog.rchapman.org/posts/Linux_System_Call_Table_for_x86_64/
ftrace hook https://xz.aliyun.com/t/2948
hook in higher kernel version https://stackoverflow.com/questions/48912653/how-to-hook-sys-clone-in-newer-linux-kernel/48965890
https://stackoverflow.com/questions/47115802/hooking-sys-execve-on-linux-kernel-4-6-or-higher
hook方案比较 https://xz.aliyun.com/t/2947
案例:
https://github.com/sssokar/Proxy
https://github.com/milabs/awesome-linux-rootkits