Intercept ELF loader in linux kernel: fs/binfmt_elf.c file via loadable kernel module

攒了一身酷 2021-01-18 21:43

I am new to kernel coding and at present I am working with ELF files which have been modified a little bit for the security purposes for which I need to look at some of it'

1 answer

醉梦人生 2021-01-18 22:13

    Yes, it's possible, but definitely not easy. There is even a supported kernel facility "kprobes" that allows you to insert calls to your own code from specified locations (see Documentation/kprobes.txt). If inserting calls to your own code is insufficient, I think you would need to use the same sort of mechanisms as kprobe: patching the desired location by overwriting instructions with jmps or calls into your own code.

    I once worked at a company whose security product installed its hooks by runtime-patching the Windows kernel. This is pretty much the same thing, though at least with Windows at the time there were a finite number of versions that had to be supported.

    So, it's definitely possible, but I wouldn't want to try it. It will be very brittle; you'll be in effect trying to hit a moving target. Every kernel security patch or version upgrade is likely to break your code.

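Whatever hooks load_elf_binary ends up inspecting the same header bytes the loader validates, so as an added example (written here, not taken from the answer or from the kernel source) this user-space C routine mirrors the early header sanity checks of the x86-64 handler in fs/binfmt_elf.c and runs them over constructed headers; the exact set of checks differs between kernel versions, which is the brittleness the answer warns about.

```c
#include <elf.h>
#include <stddef.h>
#include <string.h>

/* Outcome of the header sanity check; ELF_OK means the loader would go on. */
enum elf_verdict { ELF_OK = 0, ELF_BAD_MAGIC, ELF_BAD_CLASS, ELF_BAD_TYPE,
                   ELF_BAD_ARCH, ELF_BAD_PHDR };

/*
 * Mirrors the early rejection tests the 64-bit handler in fs/binfmt_elf.c
 * applies to the first bytes of the file (bprm->buf) before mapping any
 * segment: magic, the class/byte order the handler is built for (ELF_CLASS,
 * ELF_DATA), e_type, e_machine (elf_check_arch on x86-64) and the
 * program-header size and count that load_elf_phdrs rejects.
 * 'len' is the number of header bytes available to the caller.
 */
enum elf_verdict check_elf_header(const unsigned char *buf, size_t len)
{
    Elf64_Ehdr eh;

    if (len < sizeof(eh) || memcmp(buf, ELFMAG, SELFMAG) != 0)
        return ELF_BAD_MAGIC;
    memcpy(&eh, buf, sizeof(eh));           /* copy out: buf may be unaligned */

    if (eh.e_ident[EI_CLASS] != ELFCLASS64 || eh.e_ident[EI_DATA] != ELFDATA2LSB)
        return ELF_BAD_CLASS;
    if (eh.e_type != ET_EXEC && eh.e_type != ET_DYN)
        return ELF_BAD_TYPE;                /* .o and core files are not loadable */
    if (eh.e_machine != EM_X86_64)
        return ELF_BAD_ARCH;
    if (eh.e_phentsize != sizeof(Elf64_Phdr) ||
        eh.e_phnum < 1 || eh.e_phnum > 65536U / sizeof(Elf64_Phdr))
        return ELF_BAD_PHDR;
    return ELF_OK;
}

/* Constructed test input (not a real binary): a minimal x86-64 ELF header. */
size_t make_header(unsigned char *out, Elf64_Half type, Elf64_Half machine,
                   Elf64_Half phnum)
{
    Elf64_Ehdr eh;
    memset(&eh, 0, sizeof(eh));
    memcpy(eh.e_ident, ELFMAG, SELFMAG);
    eh.e_ident[EI_CLASS] = ELFCLASS64;
    eh.e_ident[EI_DATA] = ELFDATA2LSB;
    eh.e_type = type;
    eh.e_machine = machine;
    eh.e_phentsize = sizeof(Elf64_Phdr);
    eh.e_phnum = phnum;
    memcpy(out, &eh, sizeof(eh));
    return sizeof(eh);
}
```

A kprobe handler placed on load_elf_binary would receive bprm in the first argument register and could apply exactly this kind of inspection to bprm->buf; the routine above keeps that logic testable in user space.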