我目前正在编写一个小型 LKM，用于搜索隐藏在内核空间中的模块（正如之前一些内核级 rootkit 所做的那样）。由于模块的内核空间是通过 vmalloc() 分配的，find_module_list() 会遍历 vmap_area_list 的所有条目并调用 check_module()：
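/*
 * Walk every entry on vmap_area_list and hand each vmalloc()'d region to
 * check_module(), which looks for module images that were unlinked from the
 * module list (the hiding technique this detector is written against).
 *
 * Uses file-scope state declared elsewhere in this file: count, lock
 * (vmap_area_lock), l (vmap_area_list), va, vm, vaddr, size.
 *
 * The vmap area lock is held for the whole walk, so check_module() must not
 * sleep or call vmalloc()/vfree() itself — that would recurse on the lock.
 */
void find_module_list(void) {
	count = 0;
	spin_lock(lock);
	list_for_each_entry(va, l, list) {
		/* Only entries that carry a vm_struct describe a vmalloc() region. */
		if (!(va->flags & VM_VM_AREA))
			continue;
		vm = va->vm;
		vaddr = (unsigned long) vm->addr;
		/*
		 * An area outside [VMALLOC_START, VMALLOC_END] cannot hold a module.
		 * Skip it instead of aborting: a 'break' here ended the whole scan at
		 * the first out-of-range entry, so one stray entry near the head of
		 * the list could mask every region that follows it.
		 */
		if ((vaddr < VMALLOC_START) || (vaddr > VMALLOC_END))
			continue;
		size = vm->size;
		printk(KERN_INFO"ADDRESS: %lx\n", vaddr);
		printk(KERN_INFO"SIZE: %lu\n", size);
		count++;
		printk(KERN_INFO"NUMBER: %lu\n", count);
		/*
		 * The scan stops one PAGE_SIZE before the end of the area, on the
		 * assumption that vm->size includes the trailing guard page (areas
		 * mapped without a guard page would lose their last page, which is
		 * harmless for multi-page module images). An area no larger than one
		 * page has nothing left to inspect and would produce end < start.
		 */
		if (size <= PAGE_SIZE)
			continue;
		{
			unsigned char *start = (unsigned char *) vm->addr;
			unsigned char *end = start + size - PAGE_SIZE;
			check_module(start, end);
		}
	}
	spin_unlock(lock);
}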
int init_module(void) {
lock = (struct spinlock*)0xc1aff8a6; // vmap_area_lock
l = (struct list_head*)0xc18fd01c; // vmap_area_list
printk(KERN_INFO"VMALLOC_START: %lx\n",VMALLOC_START);
printk(KERN_INFO"VMALLOC_END: …