kallsyms_lookup_name fix and also added execute permission to napper.py #9

69 changes: 69 additions & 0 deletions napper-driver/napper.c
Expand Up @@ -12,12 +12,81 @@
#include <linux/init.h>
#include <asm/text-patching.h>
#include <linux/kallsyms.h>
#include <linux/kprobes.h>

MODULE_LICENSE("GPL v2");
MODULE_AUTHOR("Seunghun Han");
MODULE_VERSION("1.0");
MODULE_DESCRIPTION("Napper kernel module for checking a TPM vulnerability");

//kallsyms_lookup_name workaround

typedef unsigned long (*kln_p)(const char*);

#define KPROBE_PRE_HANDLER(fname) static int __kprobes fname(struct kprobe *p, struct pt_regs *regs)

long unsigned int kln_addr = 0;
unsigned long (*kln_pointer)(const char* name) = NULL;

static struct kprobe kp0, kp1;

KPROBE_PRE_HANDLER(handler_pre0) {
kln_addr = (--regs->ip);

return 0;
}

KPROBE_PRE_HANDLER(handler_pre1) {
return 0;
}

static int do_register_kprobe(struct kprobe* kp, char* symbol_name, void* handler) {
int ret;

kp->symbol_name = symbol_name;
kp->pre_handler = handler;

ret = register_kprobe(kp);
if (ret < 0) {
pr_err("do_register_kprobe: failed to register for symbol %s, returning %d\n", symbol_name, ret);
return ret;
}

pr_info("Planted krpobe for symbol %s at %p\n", symbol_name, kp->addr);

return ret;
}

// this is the function that I have modified, as the name suggests it returns a pointer to the extracted kallsyms_lookup_name function
kln_p get_kln_p(void) {
int status;

status = do_register_kprobe(&kp0, "kallsyms_lookup_name", handler_pre0);

if (status < 0) return NULL;

status = do_register_kprobe(&kp1, "kallsyms_lookup_name", handler_pre1);

if (status < 0) {
// cleaning initial krpobe
unregister_kprobe(&kp0);
return NULL;
}

unregister_kprobe(&kp0);
unregister_kprobe(&kp1);

pr_info("kallsyms_lookup_name address = 0x%lx\n", kln_addr);

kln_pointer = (unsigned long (*)(const char* name)) kln_addr;

return kln_pointer;
}

#define kallsyms_lookup_name(name) (get_kln_p())(name);

//end kallsyms_lookup_name workaround

typedef void *(*TEXT_POKE) (void *addr, const void *opcode, size_t len);

TEXT_POKE g_fn_text_poke;
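Review bot: The `#define kallsyms_lookup_name(name) (get_kln_p())(name);` at the end of the hunk calls whatever `get_kln_p()` returns without a NULL check, so when either `register_kprobe()` fails (kprobes disabled in the running kernel, symbol not found or blacklisted) the error that `do_register_kprobe` logs becomes an indirect call through a NULL pointer in kernel context; the trailing `;` in the macro body also breaks any use inside an expression. Callers should test the returned pointer before using it, and the lookup should happen once (e.g. at module init) rather than re-registering and unregistering two kprobes on every expansion. The `--regs->ip` reconstruction in `handler_pre0` is x86-only and appears unnecessary: `register_kprobe()` already resolves the symbol into `kp->addr` (the value printed by the `Planted krpobe` line), so one probe with a no-op pre-handler suffices, as sketched below; if the kernel adjusts the probe address past an ENDBR or ftrace stub this would need checking, but the existing trick computes the same address. Separately, `pr_info("kallsyms_lookup_name address = 0x%lx\n", kln_addr)` prints the unhashed kernel address, which leaks the KASLR offset to anyone who can read the log, whereas the line above correctly uses `%p`; prefer `%p` here or drop the message. The macro's callers are outside the hunk.

```c
kln_p get_kln_p(void) {
	int status;

	/* Only need the resolved address: register_kprobe() stores it in kp0.addr. */
	status = do_register_kprobe(&kp0, "kallsyms_lookup_name", handler_pre1);
	if (status < 0)
		return NULL;

	kln_addr = (unsigned long)kp0.addr;
	unregister_kprobe(&kp0);

	pr_info("kallsyms_lookup_name address = %p\n", (void *)kln_addr);

	kln_pointer = (kln_p)kln_addr;
	return kln_pointer;
}
```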
Empty file modified napper.py
100644 → 100755
Empty file.