I write kernel module which replace syscall and have a problem. Module can't be loaded because is some problem in memory. I tried fix it for 3 hours, but it still not work. This code is working, when I choose memory closer sys_call_table (eg. int3 adress from /proc/kallsyms), but it isn't always works. Problem is usually, when function which search syscall table points to adress which end is 18 (eg ffffffff91000018, ffffffff81000018). Why its not work? I know, I shouldn't do this, but I would like to fix this code for experience in kernel memory. Code: #include <linux/kernel.h> #include <linux/module.h> #include <linux/syscalls.h> #include <linux/list.h> #include <linux/unistd.h> #include <linux/kobject.h> #include <linux/init.h> /* start of 64-bit kernel space is 0xffffffff80000000 */ #define END_MEM 0xffffffffffffffff /* end of 64-bit kernel */ #define START_MEM 0xffffffff81000000 unsigned long long **syscall_tab; asmlinkage long (*orig_mkdir)(const char __user *pathname, umode_t mode); asmlinkage long my_mkdir(const char __user *pathname, umode_t mode) { long ret; ret = orig_mkdir(pathname, mode); printk("Creating dir: %s", pathname); return ret; } static void hide(void) { list_del(&THIS_MODULE->list); kobject_del(&THIS_MODULE->mkobj.kobj); } static unsigned long long **find(void) { unsigned long long **sctable; unsigned long long i = START_MEM; while (i < END_MEM) { sctable = (unsigned long long **) i; if ( sctable[__NR_close] == (unsigned long long *) sys_close) { printk("syscall_tab %lx", syscall_tab); return &sctable[0]; } i += sizeof(void *); } return NULL; } static int __init init(void) { write_cr0(read_cr0() & (~0x10000)); if(!(syscall_tab = find())) { return 0; } orig_mkdir = (void *) syscall_tab[__NR_mkdir]; printk("write_cr0"); syscall_tab[__NR_mkdir] = (unsigned long long*) my_mkdir; printk("po podmiance"); write_cr0(read_cr0() | (~0x10000)); return 0; } static void __exit exitt(void) { write_cr0(read_cr0() & (~0x10000)); syscall_tab[__NR_mkdir] = (unsigned long long*) orig_mkdir; write_cr0(read_cr0() | (~0x10000)); } module_init(init); module_exit(exitt); MODULE_LICENSE("GPL"); *************************************************************************** Error: ******************** [ 299.273838] BUG: unable to handle kernel paging request at ffffffff91000018 [ 299.273856] IP: init+0x23/0x1000 [hijack1] [ 299.273860] PGD b6a0c067 [ 299.273861] P4D b6a0c067 [ 299.273863] PUD b6a0d063 [ 299.273866] PMD 0 [ 299.273872] Oops: 0000 [#1] PREEMPT SMP [ 299.273877] Modules linked in: hijack1(O+) fuse rfcomm bnep nls_iso8859_1 nls_cp437 vfat fat intel_rapl x86_pkg_temp_thermal intel_powerclamp coretemp kvm_intel kvm irqbypass crct10dif_pclmul crc32_pclmul crc32c_intel ghash_clmulni_intel pcbc aesni_intel joydev ppdev hp_wmi mousedev iTCO_wdt aes_x86_64 sparse_keymap iTCO_vendor_support mei_wdt crypto_simd psmouse glue_helper pcspkr evdev input_leds cryptd mac_hid intel_cstate intel_rapl_perf uvcvideo videobuf2_vmalloc videobuf2_memops videobuf2_v4l2 videobuf2_core btusb btrtl btbcm btintel bluetooth cdc_ether ecdh_generic usbnet videodev uas media mii hid_generic nouveau mxm_wmi ttm arc4 drm_kms_helper iwldvm drm syscopyarea sysfillrect mac80211 sysimgblt iwlwifi fb_sys_fops parport_pc parport snd_hda_codec_hdmi i2c_algo_bit snd_hda_codec_idt cfg80211 [ 299.273953] rfkill snd_hda_codec_generic hp_accel thermal lis3lv02d wmi input_polldev tpm_infineon video ac battery button snd_hda_intel snd_hda_codec snd_hda_core snd_hwdep snd_pcm shpchp snd_timer e1000e snd ptp soundcore tpm_tis mei_me mei pps_core lpc_ich tpm_tis_core tpm sch_fq_codel vboxnetflt(O) vboxnetadp(O) pci_stub vboxpci(O) vboxdrv(O) sg ip_tables x_tables ext4 crc16 jbd2 fscrypto mbcache sr_mod sd_mod cdrom usb_storage usbhid hid serio_raw atkbd libps2 ahci libahci libata scsi_mod xhci_pci xhci_hcd ehci_pci sdhci_pci ehci_hcd sdhci firewire_ohci led_class firewire_core mmc_core crc_itu_t usbcore usb_common i8042 serio [ 299.274005] CPU: 2 PID: 3384 Comm: insmod Tainted: G O 4.12.4-1-ARCH #1 [ 299.274009] Hardware name: Hewlett-Packard HP EliteBook 8560w/1631, BIOS 68SVD Ver. F.60 03/12/2015 [ 299.274014] task: ffff90127cc0c740 task.stack: ffffb72907298000 [ 299.274019] RIP: 0010:init+0x23/0x1000 [hijack1] [ 299.274023] RSP: 0018:ffffb7290729bc88 EFLAGS: 00010206 [ 299.274027] RAX: 0000000080040033 RBX: ffffffff91000000 RCX: 0000000000000000 [ 299.274031] RDX: 00000000004bec82 RSI: 00000000004bec82 RDI: 0000000080040033 [ 299.274036] RBP: ffffb7290729bc90 R08: ffff901339003980 R09: ffffffffa018970a [ 299.274040] R10: ffffe481c211ebc0 R11: 0000000000000000 R12: ffffffffc0030000 [ 299.274044] R13: ffff9012377965e0 R14: ffffffffc0a81050 R15: ffff90132e0eca80 [ 299.274049] FS: 00007f9a842a4b80(0000) GS:ffff90133dc80000(0000) knlGS:0000000000000000 [ 299.274053] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080040033 [ 299.274057] CR2: ffffffff91000018 CR3: 000000007cdb9000 CR4: 00000000000406e0 [ 299.274061] Call Trace: [ 299.274068] do_one_initcall+0x50/0x190 [ 299.274073] ? do_init_module+0x27/0x1e6 [ 299.274077] do_init_module+0x5f/0x1e6 [ 299.274082] load_module+0x2610/0x2ab0 [ 299.274087] ? vfs_read+0x115/0x130 [ 299.274091] SYSC_finit_module+0xf6/0x110 [ 299.274095] ? SYSC_finit_module+0xf6/0x110 [ 299.274100] SyS_finit_module+0xe/0x10 [ 299.274105] entry_SYSCALL_64_fastpath+0x1a/0xa5 [ 299.274109] RIP: 0033:0x7f9a839b3bb9 [ 299.274111] RSP: 002b:00007ffd2386ee28 EFLAGS: 00000206 ORIG_RAX: 0000000000000139 [ 299.274120] RAX: ffffffffffffffda RBX: 00007f9a83c74aa0 RCX: 00007f9a839b3bb9 [ 299.274124] RDX: 0000000000000000 RSI: 000000000041aada RDI: 0000000000000003 [ 299.274128] RBP: 00007f9a83c74af8 R08: 0000000000000000 R09: 00007f9a83c76e40 [ 299.274132] R10: 0000000000000003 R11: 0000000000000206 R12: 0000000000001020 [ 299.274136] R13: 0000000000001018 R14: 00007f9a83c74af8 R15: 0000000000000001 [ 299.274141] Code: <48> 81 7b 18 40 a8 21 a0 75 2d 48 8b 35 14 13 a5 00 48 c7 c7 35 00 [ 299.276347] RIP: init+0x23/0x1000 [hijack1] RSP: ffffb7290729bc88 [ 299.277333] CR2: ffffffff91000018 [ 299.283408] ---[ end trace 63ac9e1e3a0e12c3 ]--- _______________________________________________ Kernelnewbies mailing list Kernelnewbies@xxxxxxxxxxxxxxxxx https://lists.kernelnewbies.org/mailman/listinfo/kernelnewbies