Overwriting sys_call_table entries


 



Hi all,

While playing with kernel data structures, I've been confronted with a huge mystery: my system freezes. I hope that someone on this mailing list could help me. For information, I use a 2.6.28 kernel on an x86_64 platform.

These days, I've been trying to set up a kernel-module-based "rootkit" for the x86_64 platform using the classic syscall hooking technique.

I noticed that the sys_call_table (found via /proc/kallsyms) was write-protected. As the CONFIG_DEBUG_RODATA kernel option is enabled on my distribution, it is normal that this data structure is write-protected.

As a consequence, I override the permissions to access the sys_call_table entries and make them writable using an LKM. After setting the needed permissions on the page, when I overwrite an entry of the sys_call_table, my system hangs (no kernel oops, my system simply freezes).

Does someone have an idea of why the system hangs when I overwrite an entry of the sys_call_table even though I have the needed permissions? I thought about locks first, but I can't figure out which lock is used (I tried lock_kernel()/unlock_kernel() and unlock_page(), but it does not change anything).

Thanks in advance for your replies,

Fernand
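A quick sanity check related to the write-protection described in the post, added here as an example and not part of the original message: given /proc/kallsyms-style lines, it reports whether sys_call_table lies inside the kernel's read-only data section, the range between __start_rodata and __end_rodata that CONFIG_DEBUG_RODATA marks read-only. The symbol addresses in the embedded sample are constructed, not taken from any real kernel.

```shell
# Constructed sample in /proc/kallsyms format (address, type, symbol);
# the addresses are made up for this example.
SAMPLE_KALLSYMS='ffffffff81000000 T _text
ffffffff81600000 R __start_rodata
ffffffff81601a40 R sys_call_table
ffffffff81800000 R __end_rodata'

# sys_call_table_in_rodata: reads kallsyms lines on stdin and prints
#   yes      - sys_call_table is inside [__start_rodata, __end_rodata)
#   no       - it is outside that range
#   unknown  - a symbol is missing, or addresses are masked to zeros
#              (kptr_restrict hides them from unprivileged readers)
# Exit status is 0 for yes, 1 for no, 2 for unknown.
sys_call_table_in_rodata() {
    awk '
        $3 == "__start_rodata" { start = $1 }
        $3 == "__end_rodata"   { end = $1 }
        $3 == "sys_call_table" { tbl = $1 }
        END {
            if (start == "" || end == "" || tbl == "") { print "unknown"; exit 2 }
            if (tbl ~ /^0+$/) { print "unknown"; exit 2 }
            # All three are fixed-width lowercase hex strings, so plain
            # string comparison orders them correctly.
            if (tbl >= start && tbl < end) { print "yes"; exit 0 }
            print "no"; exit 1
        }'
}

# Against a live kernel run (as root, so addresses are not zeroed):
#   sys_call_table_in_rodata < /proc/kallsyms
printf '%s\n' "$SAMPLE_KALLSYMS" | sys_call_table_in_rodata
```

A "yes" confirms that the table is covered by the same read-only mapping as the rest of rodata, which is why a plain store to it faults unless the page protection is changed first; the check reads symbol addresses only and never touches kernel memory.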




