deploy: 3a09a1e47314bad5f697ac6b5c24ba086af04691

jserv 2024-10-05 04:04:15 +00:00
parent 81cc9e8b05
commit cefcf5716a
2 changed files with 388 additions and 392 deletions


@ -3616,154 +3616,154 @@ dry run of this example, you will have to patch your current kernel in order to
<a id='x1-41228r93'></a><span class='ecrm-0500'>93</span><span class='ectt-0800'>    .symbol_name = </span><span id='textcolor1606'><span class='ectt-0800'>"__x64_sys_openat"</span></span><span class='ectt-0800'>,</span>
<a id='x1-41230r94'></a><span class='ecrm-0500'>94</span><span class='ectt-0800'>    .pre_handler = sys_call_kprobe_pre_handler,</span>
<a id='x1-41232r95'></a><span class='ecrm-0500'>95</span><span class='ectt-0800'>};</span>
<a id='x1-41234r96'></a><span class='ecrm-0500'>96</span><span id='textcolor1607'><span class='ectt-0800'>#else</span></span>
<a id='x1-41236r97'></a><span class='ecrm-0500'>97</span>
<a id='x1-41238r98'></a><span class='ecrm-0500'>98</span><span id='textcolor1608'><span class='ectt-0800'>static</span></span><span class='ectt-0800'> </span><span id='textcolor1609'><span class='ectt-0800'>unsigned</span></span><span class='ectt-0800'> </span><span id='textcolor1610'><span class='ectt-0800'>long</span></span><span class='ectt-0800'> **sys_call_table_stolen;</span>
<a id='x1-41240r99'></a><span class='ecrm-0500'>99</span>
<a id='x1-41242r100'></a><span class='ecrm-0500'>100</span><span id='textcolor1611'><span class='ectt-0800'>/* A pointer to the original system call. The reason we keep this, rather</span></span>
<a id='x1-41244r101'></a><span class='ecrm-0500'>101</span><span id='textcolor1612'><span class='ectt-0800'> * than call the original function (sys_openat), is because somebody else</span></span>
<a id='x1-41246r102'></a><span class='ecrm-0500'>102</span><span id='textcolor1613'><span class='ectt-0800'> * might have replaced the system call before us. Note that this is not</span></span>
<a id='x1-41248r103'></a><span class='ecrm-0500'>103</span><span id='textcolor1614'><span class='ectt-0800'> * 100% safe, because if another module replaced sys_openat before us,</span></span>
<a id='x1-41250r104'></a><span class='ecrm-0500'>104</span><span id='textcolor1615'><span class='ectt-0800'> * then when we are inserted, we will call the function in that module -</span></span>
<a id='x1-41252r105'></a><span class='ecrm-0500'>105</span><span id='textcolor1616'><span class='ectt-0800'> * and it might be removed before we are.</span></span>
<a id='x1-41254r106'></a><span class='ecrm-0500'>106</span><span id='textcolor1617'><span class='ectt-0800'> *</span></span>
<a id='x1-41256r107'></a><span class='ecrm-0500'>107</span><span id='textcolor1618'><span class='ectt-0800'> * Another reason for this is that we can not get sys_openat.</span></span>
<a id='x1-41258r108'></a><span class='ecrm-0500'>108</span><span id='textcolor1619'><span class='ectt-0800'> * It is a static variable, so it is not exported.</span></span>
<a id='x1-41260r109'></a><span class='ecrm-0500'>109</span><span id='textcolor1620'><span class='ectt-0800'> */</span></span>
<a id='x1-41262r110'></a><span class='ecrm-0500'>110</span><span id='textcolor1621'><span class='ectt-0800'>#ifdef CONFIG_ARCH_HAS_SYSCALL_WRAPPER</span></span>
<a id='x1-41264r111'></a><span class='ecrm-0500'>111</span><span id='textcolor1622'><span class='ectt-0800'>static</span></span><span class='ectt-0800'> asmlinkage long (*original_call)(</span><span id='textcolor1623'><span class='ectt-0800'>const</span></span><span class='ectt-0800'> </span><span id='textcolor1624'><span class='ectt-0800'>struct</span></span><span class='ectt-0800'> pt_regs *);</span>
<a id='x1-41266r112'></a><span class='ecrm-0500'>112</span><span id='textcolor1625'><span class='ectt-0800'>#else</span></span>
<a id='x1-41268r113'></a><span class='ecrm-0500'>113</span><span id='textcolor1626'><span class='ectt-0800'>static</span></span><span class='ectt-0800'> asmlinkage long (*original_call)(</span><span id='textcolor1627'><span class='ectt-0800'>int</span></span><span class='ectt-0800'></span><span id='textcolor1628'><span class='ectt-0800'>const</span></span><span class='ectt-0800'> </span><span id='textcolor1629'><span class='ectt-0800'>char</span></span><span class='ectt-0800'> __user *, </span><span id='textcolor1630'><span class='ectt-0800'>int</span></span><span class='ectt-0800'>, umode_t);</span>
<a id='x1-41270r114'></a><span class='ecrm-0500'>114</span><span id='textcolor1631'><span class='ectt-0800'>#endif</span></span>
<a id='x1-41272r115'></a><span class='ecrm-0500'>115</span>
<a id='x1-41274r116'></a><span class='ecrm-0500'>116</span><span id='textcolor1632'><span class='ectt-0800'>/* The function we will replace sys_openat (the function called when you</span></span>
<a id='x1-41276r117'></a><span class='ecrm-0500'>117</span><span id='textcolor1633'><span class='ectt-0800'> * call the open system call) with. To find the exact prototype, with</span></span>
<a id='x1-41278r118'></a><span class='ecrm-0500'>118</span><span id='textcolor1634'><span class='ectt-0800'> * the number and type of arguments, we find the original function first</span></span>
<a id='x1-41280r119'></a><span class='ecrm-0500'>119</span><span id='textcolor1635'><span class='ectt-0800'> * (it is at fs/open.c).</span></span>
<a id='x1-41282r120'></a><span class='ecrm-0500'>120</span><span id='textcolor1636'><span class='ectt-0800'> *</span></span>
<a id='x1-41284r121'></a><span class='ecrm-0500'>121</span><span id='textcolor1637'><span class='ectt-0800'> * In theory, this means that we are tied to the current version of the</span></span>
<a id='x1-41286r122'></a><span class='ecrm-0500'>122</span><span id='textcolor1638'><span class='ectt-0800'> * kernel. In practice, the system calls almost never change (it would</span></span>
<a id='x1-41288r123'></a><span class='ecrm-0500'>123</span><span id='textcolor1639'><span class='ectt-0800'> * wreck havoc and require programs to be recompiled, since the system</span></span>
<a id='x1-41290r124'></a><span class='ecrm-0500'>124</span><span id='textcolor1640'><span class='ectt-0800'> * calls are the interface between the kernel and the processes).</span></span>
<a id='x1-41292r125'></a><span class='ecrm-0500'>125</span><span id='textcolor1641'><span class='ectt-0800'> */</span></span>
<a id='x1-41294r126'></a><span class='ecrm-0500'>126</span><span id='textcolor1642'><span class='ectt-0800'>#ifdef CONFIG_ARCH_HAS_SYSCALL_WRAPPER</span></span>
<a id='x1-41296r127'></a><span class='ecrm-0500'>127</span><span id='textcolor1643'><span class='ectt-0800'>static</span></span><span class='ectt-0800'> asmlinkage </span><span id='textcolor1644'><span class='ectt-0800'>long</span></span><span class='ectt-0800'> our_sys_openat(</span><span id='textcolor1645'><span class='ectt-0800'>const</span></span><span class='ectt-0800'> </span><span id='textcolor1646'><span class='ectt-0800'>struct</span></span><span class='ectt-0800'> pt_regs *regs)</span>
<a id='x1-41298r128'></a><span class='ecrm-0500'>128</span><span id='textcolor1647'><span class='ectt-0800'>#else</span></span>
<a id='x1-41300r129'></a><span class='ecrm-0500'>129</span><span id='textcolor1648'><span class='ectt-0800'>static</span></span><span class='ectt-0800'> asmlinkage </span><span id='textcolor1649'><span class='ectt-0800'>long</span></span><span class='ectt-0800'> our_sys_openat(</span><span id='textcolor1650'><span class='ectt-0800'>int</span></span><span class='ectt-0800'> dfd, </span><span id='textcolor1651'><span class='ectt-0800'>const</span></span><span class='ectt-0800'> </span><span id='textcolor1652'><span class='ectt-0800'>char</span></span><span class='ectt-0800'> __user *filename,</span>
<a id='x1-41302r130'></a><span class='ecrm-0500'>130</span><span class='ectt-0800'>                                      </span><span id='textcolor1653'><span class='ectt-0800'>int</span></span><span class='ectt-0800'> flags, umode_t mode)</span>
<a id='x1-41304r131'></a><span class='ecrm-0500'>131</span><span id='textcolor1654'><span class='ectt-0800'>#endif</span></span>
<a id='x1-41306r132'></a><span class='ecrm-0500'>132</span><span class='ectt-0800'>{</span>
<a id='x1-41308r133'></a><span class='ecrm-0500'>133</span><span class='ectt-0800'>    </span><span id='textcolor1655'><span class='ectt-0800'>int</span></span><span class='ectt-0800'> i = 0;</span>
<a id='x1-41310r134'></a><span class='ecrm-0500'>134</span><span class='ectt-0800'>    </span><span id='textcolor1656'><span class='ectt-0800'>char</span></span><span class='ectt-0800'> ch;</span>
<a id='x1-41312r135'></a><span class='ecrm-0500'>135</span>
<a id='x1-41314r136'></a><span class='ecrm-0500'>136</span><span class='ectt-0800'>    </span><span id='textcolor1657'><span class='ectt-0800'>if</span></span><span class='ectt-0800'> (__kuid_val(current_uid()) != uid)</span>
<a id='x1-41316r137'></a><span class='ecrm-0500'>137</span><span class='ectt-0800'>        </span><span id='textcolor1658'><span class='ectt-0800'>goto</span></span><span class='ectt-0800'> orig_call;</span>
<a id='x1-41318r138'></a><span class='ecrm-0500'>138</span>
<a id='x1-41320r139'></a><span class='ecrm-0500'>139</span><span class='ectt-0800'>    </span><span id='textcolor1659'><span class='ectt-0800'>/* Report the file, if relevant */</span></span>
<a id='x1-41322r140'></a><span class='ecrm-0500'>140</span><span class='ectt-0800'>    pr_info(</span><span id='textcolor1660'><span class='ectt-0800'>"Opened file by %d: "</span></span><span class='ectt-0800'>, uid);</span>
<a id='x1-41324r141'></a><span class='ecrm-0500'>141</span><span class='ectt-0800'>    </span><span id='textcolor1661'><span class='ectt-0800'>do</span></span><span class='ectt-0800'> {</span>
<a id='x1-41326r142'></a><span class='ecrm-0500'>142</span><span id='textcolor1662'><span class='ectt-0800'>#ifdef CONFIG_ARCH_HAS_SYSCALL_WRAPPER</span></span>
<a id='x1-41328r143'></a><span class='ecrm-0500'>143</span><span class='ectt-0800'>        get_user(ch, (</span><span id='textcolor1663'><span class='ectt-0800'>char</span></span><span class='ectt-0800'> __user *)regs-&gt;si + i);</span>
<a id='x1-41330r144'></a><span class='ecrm-0500'>144</span><span id='textcolor1664'><span class='ectt-0800'>#else</span></span>
<a id='x1-41332r145'></a><span class='ecrm-0500'>145</span><span class='ectt-0800'>        get_user(ch, (</span><span id='textcolor1665'><span class='ectt-0800'>char</span></span><span class='ectt-0800'> __user *)filename + i);</span>
<a id='x1-41334r146'></a><span class='ecrm-0500'>146</span><span id='textcolor1666'><span class='ectt-0800'>#endif</span></span>
<a id='x1-41336r147'></a><span class='ecrm-0500'>147</span><span class='ectt-0800'>        i++;</span>
<a id='x1-41338r148'></a><span class='ecrm-0500'>148</span><span class='ectt-0800'>        pr_info(</span><span id='textcolor1667'><span class='ectt-0800'>"%c"</span></span><span class='ectt-0800'>, ch);</span>
<a id='x1-41340r149'></a><span class='ecrm-0500'>149</span><span class='ectt-0800'>    </span><span id='textcolor1668'><span class='ectt-0800'>while</span></span><span class='ectt-0800'> (ch != 0);</span>
<a id='x1-41342r150'></a><span class='ecrm-0500'>150</span><span class='ectt-0800'>    pr_info(</span><span id='textcolor1669'><span class='ectt-0800'>"</span></span><span id='textcolor1670'><span class='ectt-0800'>\n</span></span><span id='textcolor1671'><span class='ectt-0800'>"</span></span><span class='ectt-0800'>);</span>
<a id='x1-41344r151'></a><span class='ecrm-0500'>151</span>
<a id='x1-41346r152'></a><span class='ecrm-0500'>152</span><span class='ectt-0800'>orig_call:</span>
<a id='x1-41348r153'></a><span class='ecrm-0500'>153</span><span class='ectt-0800'>    </span><span id='textcolor1672'><span class='ectt-0800'>/* Call the original sys_openat - otherwise, we lose the ability to</span></span>
<a id='x1-41350r154'></a><span class='ecrm-0500'>154</span><span id='textcolor1673'><span class='ectt-0800'>     * open files.</span></span>
<a id='x1-41352r155'></a><span class='ecrm-0500'>155</span><span id='textcolor1674'><span class='ectt-0800'>     */</span></span>
<a id='x1-41354r156'></a><span class='ecrm-0500'>156</span><span id='textcolor1675'><span class='ectt-0800'>#ifdef CONFIG_ARCH_HAS_SYSCALL_WRAPPER</span></span>
<a id='x1-41356r157'></a><span class='ecrm-0500'>157</span><span class='ectt-0800'>    </span><span id='textcolor1676'><span class='ectt-0800'>return</span></span><span class='ectt-0800'> original_call(regs);</span>
<a id='x1-41358r158'></a><span class='ecrm-0500'>158</span><span id='textcolor1677'><span class='ectt-0800'>#else</span></span>
<a id='x1-41360r159'></a><span class='ecrm-0500'>159</span><span class='ectt-0800'>    </span><span id='textcolor1678'><span class='ectt-0800'>return</span></span><span class='ectt-0800'> original_call(dfd, filename, flags, mode);</span>
<a id='x1-41362r160'></a><span class='ecrm-0500'>160</span><span id='textcolor1679'><span class='ectt-0800'>#endif</span></span>
<a id='x1-41364r161'></a><span class='ecrm-0500'>161</span><span class='ectt-0800'>}</span>
<a id='x1-41366r162'></a><span class='ecrm-0500'>162</span>
<a id='x1-41368r163'></a><span class='ecrm-0500'>163</span><span id='textcolor1680'><span class='ectt-0800'>static</span></span><span class='ectt-0800'> </span><span id='textcolor1681'><span class='ectt-0800'>unsigned</span></span><span class='ectt-0800'> </span><span id='textcolor1682'><span class='ectt-0800'>long</span></span><span class='ectt-0800'> **acquire_sys_call_table(</span><span id='textcolor1683'><span class='ectt-0800'>void</span></span><span class='ectt-0800'>)</span>
<a id='x1-41370r164'></a><span class='ecrm-0500'>164</span><span class='ectt-0800'>{</span>
<a id='x1-41372r165'></a><span class='ecrm-0500'>165</span><span id='textcolor1684'><span class='ectt-0800'>#ifdef HAVE_KSYS_CLOSE</span></span>
<a id='x1-41374r166'></a><span class='ecrm-0500'>166</span><span class='ectt-0800'>    </span><span id='textcolor1685'><span class='ectt-0800'>unsigned</span></span><span class='ectt-0800'> </span><span id='textcolor1686'><span class='ectt-0800'>long</span></span><span class='ectt-0800'> </span><span id='textcolor1687'><span class='ectt-0800'>int</span></span><span class='ectt-0800'> offset = PAGE_OFFSET;</span>
<a id='x1-41376r167'></a><span class='ecrm-0500'>167</span><span class='ectt-0800'>    </span><span id='textcolor1688'><span class='ectt-0800'>unsigned</span></span><span class='ectt-0800'> </span><span id='textcolor1689'><span class='ectt-0800'>long</span></span><span class='ectt-0800'> **sct;</span>
<a id='x1-41378r168'></a><span class='ecrm-0500'>168</span>
<a id='x1-41380r169'></a><span class='ecrm-0500'>169</span><span class='ectt-0800'>    </span><span id='textcolor1690'><span class='ectt-0800'>while</span></span><span class='ectt-0800'> (offset &lt; ULLONG_MAX) {</span>
<a id='x1-41382r170'></a><span class='ecrm-0500'>170</span><span class='ectt-0800'>        sct = (</span><span id='textcolor1691'><span class='ectt-0800'>unsigned</span></span><span class='ectt-0800'> </span><span id='textcolor1692'><span class='ectt-0800'>long</span></span><span class='ectt-0800'> **)offset;</span>
<a id='x1-41384r171'></a><span class='ecrm-0500'>171</span>
<a id='x1-41386r172'></a><span class='ecrm-0500'>172</span><span class='ectt-0800'>        </span><span id='textcolor1693'><span class='ectt-0800'>if</span></span><span class='ectt-0800'> (sct[__NR_close] == (</span><span id='textcolor1694'><span class='ectt-0800'>unsigned</span></span><span class='ectt-0800'> </span><span id='textcolor1695'><span class='ectt-0800'>long</span></span><span class='ectt-0800'> *)ksys_close)</span>
<a id='x1-41388r173'></a><span class='ecrm-0500'>173</span><span class='ectt-0800'>            </span><span id='textcolor1696'><span class='ectt-0800'>return</span></span><span class='ectt-0800'> sct;</span>
<a id='x1-41390r174'></a><span class='ecrm-0500'>174</span>
<a id='x1-41392r175'></a><span class='ecrm-0500'>175</span><span class='ectt-0800'>        offset += </span><span id='textcolor1697'><span class='ectt-0800'>sizeof</span></span><span class='ectt-0800'>(</span><span id='textcolor1698'><span class='ectt-0800'>void</span></span><span class='ectt-0800'> *);</span>
<a id='x1-41394r176'></a><span class='ecrm-0500'>176</span><span class='ectt-0800'>    }</span>
<a id='x1-41396r177'></a><span class='ecrm-0500'>177</span>
<a id='x1-41398r178'></a><span class='ecrm-0500'>178</span><span class='ectt-0800'>    </span><span id='textcolor1699'><span class='ectt-0800'>return</span></span><span class='ectt-0800'> NULL;</span>
<a id='x1-41400r179'></a><span class='ecrm-0500'>179</span><span id='textcolor1700'><span class='ectt-0800'>#endif</span></span>
<a id='x1-41402r180'></a><span class='ecrm-0500'>180</span>
<a id='x1-41404r181'></a><span class='ecrm-0500'>181</span><span id='textcolor1701'><span class='ectt-0800'>#ifdef HAVE_PARAM</span></span>
<a id='x1-41406r182'></a><span class='ecrm-0500'>182</span><span class='ectt-0800'>    </span><span id='textcolor1702'><span class='ectt-0800'>const</span></span><span class='ectt-0800'> </span><span id='textcolor1703'><span class='ectt-0800'>char</span></span><span class='ectt-0800'> sct_name[15] = </span><span id='textcolor1704'><span class='ectt-0800'>"sys_call_table"</span></span><span class='ectt-0800'>;</span>
<a id='x1-41408r183'></a><span class='ecrm-0500'>183</span><span class='ectt-0800'>    </span><span id='textcolor1705'><span class='ectt-0800'>char</span></span><span class='ectt-0800'> symbol[40] = { 0 };</span>
<a id='x1-41410r184'></a><span class='ecrm-0500'>184</span>
<a id='x1-41412r185'></a><span class='ecrm-0500'>185</span><span class='ectt-0800'>    </span><span id='textcolor1706'><span class='ectt-0800'>if</span></span><span class='ectt-0800'> (sym == 0) {</span>
<a id='x1-41414r186'></a><span class='ecrm-0500'>186</span><span class='ectt-0800'>        pr_alert(</span><span id='textcolor1707'><span class='ectt-0800'>"For Linux v5.7+, Kprobes is the preferable way to get "</span></span>
<a id='x1-41416r187'></a><span class='ecrm-0500'>187</span><span class='ectt-0800'>                 </span><span id='textcolor1708'><span class='ectt-0800'>"symbol.</span></span><span id='textcolor1709'><span class='ectt-0800'>\n</span></span><span id='textcolor1710'><span class='ectt-0800'>"</span></span><span class='ectt-0800'>);</span>
<a id='x1-41418r188'></a><span class='ecrm-0500'>188</span><span class='ectt-0800'>        pr_info(</span><span id='textcolor1711'><span class='ectt-0800'>"If Kprobes is absent, you have to specify the address of "</span></span>
<a id='x1-41420r189'></a><span class='ecrm-0500'>189</span><span class='ectt-0800'>                </span><span id='textcolor1712'><span class='ectt-0800'>"sys_call_table symbol</span></span><span id='textcolor1713'><span class='ectt-0800'>\n</span></span><span id='textcolor1714'><span class='ectt-0800'>"</span></span><span class='ectt-0800'>);</span>
<a id='x1-41422r190'></a><span class='ecrm-0500'>190</span><span class='ectt-0800'>        pr_info(</span><span id='textcolor1715'><span class='ectt-0800'>"by /boot/System.map or /proc/kallsyms, which contains all the "</span></span>
<a id='x1-41424r191'></a><span class='ecrm-0500'>191</span><span class='ectt-0800'>                </span><span id='textcolor1716'><span class='ectt-0800'>"symbol addresses, into sym parameter.</span></span><span id='textcolor1717'><span class='ectt-0800'>\n</span></span><span id='textcolor1718'><span class='ectt-0800'>"</span></span><span class='ectt-0800'>);</span>
<a id='x1-41426r192'></a><span class='ecrm-0500'>192</span><span class='ectt-0800'>        </span><span id='textcolor1719'><span class='ectt-0800'>return</span></span><span class='ectt-0800'> NULL;</span>
<a id='x1-41428r193'></a><span class='ecrm-0500'>193</span><span class='ectt-0800'>    }</span>
<a id='x1-41430r194'></a><span class='ecrm-0500'>194</span><span class='ectt-0800'>    sprint_symbol(symbol, sym);</span>
<a id='x1-41432r195'></a><span class='ecrm-0500'>195</span><span class='ectt-0800'>    </span><span id='textcolor1720'><span class='ectt-0800'>if</span></span><span class='ectt-0800'> (!strncmp(sct_name, symbol, </span><span id='textcolor1721'><span class='ectt-0800'>sizeof</span></span><span class='ectt-0800'>(sct_name) - 1))</span>
<a id='x1-41434r196'></a><span class='ecrm-0500'>196</span><span class='ectt-0800'>        </span><span id='textcolor1722'><span class='ectt-0800'>return</span></span><span class='ectt-0800'> (</span><span id='textcolor1723'><span class='ectt-0800'>unsigned</span></span><span class='ectt-0800'> </span><span id='textcolor1724'><span class='ectt-0800'>long</span></span><span class='ectt-0800'> **)sym;</span>
<a id='x1-41436r197'></a><span class='ecrm-0500'>197</span>
<a id='x1-41438r198'></a><span class='ecrm-0500'>198</span><span class='ectt-0800'>    </span><span id='textcolor1725'><span class='ectt-0800'>return</span></span><span class='ectt-0800'> NULL;</span>
<a id='x1-41440r199'></a><span class='ecrm-0500'>199</span><span id='textcolor1726'><span class='ectt-0800'>#endif</span></span>
<a id='x1-41442r200'></a><span class='ecrm-0500'>200</span>
<a id='x1-41444r201'></a><span class='ecrm-0500'>201</span><span id='textcolor1727'><span class='ectt-0800'>#ifdef HAVE_KPROBES</span></span>
<a id='x1-41446r202'></a><span class='ecrm-0500'>202</span><span class='ectt-0800'>    </span><span id='textcolor1728'><span class='ectt-0800'>unsigned</span></span><span class='ectt-0800'> </span><span id='textcolor1729'><span class='ectt-0800'>long</span></span><span class='ectt-0800'> (*kallsyms_lookup_name)(</span><span id='textcolor1730'><span class='ectt-0800'>const</span></span><span class='ectt-0800'> </span><span id='textcolor1731'><span class='ectt-0800'>char</span></span><span class='ectt-0800'> *name);</span>
<a id='x1-41448r203'></a><span class='ecrm-0500'>203</span><span class='ectt-0800'>    </span><span id='textcolor1732'><span class='ectt-0800'>struct</span></span><span class='ectt-0800'> kprobe kp = {</span>
<a id='x1-41450r204'></a><span class='ecrm-0500'>204</span><span class='ectt-0800'>        .symbol_name = </span><span id='textcolor1733'><span class='ectt-0800'>"kallsyms_lookup_name"</span></span><span class='ectt-0800'>,</span>
<a id='x1-41452r205'></a><span class='ecrm-0500'>205</span><span class='ectt-0800'>    };</span>
<a id='x1-41454r206'></a><span class='ecrm-0500'>206</span>
<a id='x1-41456r207'></a><span class='ecrm-0500'>207</span><span class='ectt-0800'>    </span><span id='textcolor1734'><span class='ectt-0800'>if</span></span><span class='ectt-0800'> (register_kprobe(&amp;kp) &lt; 0)</span>
<a id='x1-41458r208'></a><span class='ecrm-0500'>208</span><span class='ectt-0800'>        </span><span id='textcolor1735'><span class='ectt-0800'>return</span></span><span class='ectt-0800'> NULL;</span>
<a id='x1-41460r209'></a><span class='ecrm-0500'>209</span><span class='ectt-0800'>    kallsyms_lookup_name = (</span><span id='textcolor1736'><span class='ectt-0800'>unsigned</span></span><span class='ectt-0800'> </span><span id='textcolor1737'><span class='ectt-0800'>long</span></span><span class='ectt-0800'> (*)(</span><span id='textcolor1738'><span class='ectt-0800'>const</span></span><span class='ectt-0800'> </span><span id='textcolor1739'><span class='ectt-0800'>char</span></span><span class='ectt-0800'> *name))kp.addr;</span>
<a id='x1-41462r210'></a><span class='ecrm-0500'>210</span><span class='ectt-0800'>    unregister_kprobe(&amp;kp);</span>
<a id='x1-41464r211'></a><span class='ecrm-0500'>211</span><span id='textcolor1740'><span class='ectt-0800'>#endif</span></span>
<a id='x1-41466r212'></a><span class='ecrm-0500'>212</span>
<a id='x1-41468r213'></a><span class='ecrm-0500'>213</span><span class='ectt-0800'>    </span><span id='textcolor1741'><span class='ectt-0800'>return</span></span><span class='ectt-0800'> (</span><span id='textcolor1742'><span class='ectt-0800'>unsigned</span></span><span class='ectt-0800'> </span><span id='textcolor1743'><span class='ectt-0800'>long</span></span><span class='ectt-0800'> **)kallsyms_lookup_name(</span><span id='textcolor1744'><span class='ectt-0800'>"sys_call_table"</span></span><span class='ectt-0800'>);</span>
<a id='x1-41470r214'></a><span class='ecrm-0500'>214</span><span class='ectt-0800'>}</span>
<a id='x1-41472r215'></a><span class='ecrm-0500'>215</span>
<a id='x1-41474r216'></a><span class='ecrm-0500'>216</span><span id='textcolor1745'><span class='ectt-0800'>#if LINUX_VERSION_CODE &gt;= KERNEL_VERSION(5, 3, 0)</span></span>
<a id='x1-41476r217'></a><span class='ecrm-0500'>217</span><span id='textcolor1746'><span class='ectt-0800'>static</span></span><span class='ectt-0800'> </span><span id='textcolor1747'><span class='ectt-0800'>inline</span></span><span class='ectt-0800'> </span><span id='textcolor1748'><span class='ectt-0800'>void</span></span><span class='ectt-0800'> __write_cr0(</span><span id='textcolor1749'><span class='ectt-0800'>unsigned</span></span><span class='ectt-0800'> </span><span id='textcolor1750'><span class='ectt-0800'>long</span></span><span class='ectt-0800'> cr0)</span>
<a id='x1-41478r218'></a><span class='ecrm-0500'>218</span><span class='ectt-0800'>{</span>
<a id='x1-41480r219'></a><span class='ecrm-0500'>219</span><span class='ectt-0800'>    </span><span id='textcolor1751'><span class='ectt-0800'>asm</span></span><span class='ectt-0800'> </span><span id='textcolor1752'><span class='ectt-0800'>volatile</span></span><span class='ectt-0800'>(</span><span id='textcolor1753'><span class='ectt-0800'>"mov %0,%%cr0"</span></span><span class='ectt-0800'> : </span><span id='textcolor1754'><span class='ectt-0800'>"+r"</span></span><span class='ectt-0800'>(cr0) : : </span><span id='textcolor1755'><span class='ectt-0800'>"memory"</span></span><span class='ectt-0800'>);</span>
<a id='x1-41482r220'></a><span class='ecrm-0500'>220</span><span class='ectt-0800'>}</span>
<a id='x1-41484r221'></a><span class='ecrm-0500'>221</span><span id='textcolor1756'><span class='ectt-0800'>#else</span></span>
<a id='x1-41486r222'></a><span class='ecrm-0500'>222</span><span id='textcolor1757'><span class='ectt-0800'>#define __write_cr0 write_cr0</span></span>
<a id='x1-41488r223'></a><span class='ecrm-0500'>223</span><span id='textcolor1758'><span class='ectt-0800'>#endif</span></span>
<a id='x1-41490r224'></a><span class='ecrm-0500'>224</span>
<a id='x1-41492r225'></a><span class='ecrm-0500'>225</span><span id='textcolor1759'><span class='ectt-0800'>static</span></span><span class='ectt-0800'> </span><span id='textcolor1760'><span class='ectt-0800'>void</span></span><span class='ectt-0800'> enable_write_protection(</span><span id='textcolor1761'><span class='ectt-0800'>void</span></span><span class='ectt-0800'>)</span>
<a id='x1-41494r226'></a><span class='ecrm-0500'>226</span><span class='ectt-0800'>{</span>
<a id='x1-41496r227'></a><span class='ecrm-0500'>227</span><span class='ectt-0800'>    </span><span id='textcolor1762'><span class='ectt-0800'>unsigned</span></span><span class='ectt-0800'> </span><span id='textcolor1763'><span class='ectt-0800'>long</span></span><span class='ectt-0800'> cr0 = read_cr0();</span>
<a id='x1-41498r228'></a><span class='ecrm-0500'>228</span><span class='ectt-0800'>    set_bit(16, &amp;cr0);</span>
<a id='x1-41500r229'></a><span class='ecrm-0500'>229</span><span class='ectt-0800'>    __write_cr0(cr0);</span>
<a id='x1-41502r230'></a><span class='ecrm-0500'>230</span><span class='ectt-0800'>}</span>
<a id='x1-41504r231'></a><span class='ecrm-0500'>231</span>
<a id='x1-41506r232'></a><span class='ecrm-0500'>232</span><span id='textcolor1764'><span class='ectt-0800'>static</span></span><span class='ectt-0800'> </span><span id='textcolor1765'><span class='ectt-0800'>void</span></span><span class='ectt-0800'> disable_write_protection(</span><span id='textcolor1766'><span class='ectt-0800'>void</span></span><span class='ectt-0800'>)</span>
<a id='x1-41508r233'></a><span class='ecrm-0500'>233</span><span class='ectt-0800'>{</span>
<a id='x1-41510r234'></a><span class='ecrm-0500'>234</span><span class='ectt-0800'>    </span><span id='textcolor1767'><span class='ectt-0800'>unsigned</span></span><span class='ectt-0800'> </span><span id='textcolor1768'><span class='ectt-0800'>long</span></span><span class='ectt-0800'> cr0 = read_cr0();</span>
<a id='x1-41512r235'></a><span class='ecrm-0500'>235</span><span class='ectt-0800'>    clear_bit(16, &amp;cr0);</span>
<a id='x1-41514r236'></a><span class='ecrm-0500'>236</span><span class='ectt-0800'>    __write_cr0(cr0);</span>
<a id='x1-41516r237'></a><span class='ecrm-0500'>237</span><span class='ectt-0800'>}</span>
<a id='x1-41518r238'></a><span class='ecrm-0500'>238</span><span id='textcolor1769'><span class='ectt-0800'>#endif</span></span>
<a id='x1-41520r239'></a><span class='ecrm-0500'>239</span>
<a id='x1-41522r240'></a><span class='ecrm-0500'>240</span><span id='textcolor1770'><span class='ectt-0800'>static</span></span><span class='ectt-0800'> </span><span id='textcolor1771'><span class='ectt-0800'>int</span></span><span class='ectt-0800'> __init syscall_steal_start(</span><span id='textcolor1772'><span class='ectt-0800'>void</span></span><span class='ectt-0800'>)</span>
<a id='x1-41524r241'></a><span class='ecrm-0500'>241</span><span class='ectt-0800'>{</span>
<a id='x1-41526r242'></a><span class='ecrm-0500'>242</span><span id='textcolor1773'><span class='ectt-0800'>#if USE_KPROBES_PRE_HANDLER_BEFORE_SYSCALL</span></span>
<a id='x1-41528r243'></a><span class='ecrm-0500'>243</span>
<a id='x1-41234r96'></a><span class='ecrm-0500'>96</span>
<a id='x1-41236r97'></a><span class='ecrm-0500'>97</span><span id='textcolor1607'><span class='ectt-0800'>#else</span></span>
<a id='x1-41238r98'></a><span class='ecrm-0500'>98</span>
<a id='x1-41240r99'></a><span class='ecrm-0500'>99</span><span id='textcolor1608'><span class='ectt-0800'>static</span></span><span class='ectt-0800'> </span><span id='textcolor1609'><span class='ectt-0800'>unsigned</span></span><span class='ectt-0800'> </span><span id='textcolor1610'><span class='ectt-0800'>long</span></span><span class='ectt-0800'> **sys_call_table_stolen;</span>
<a id='x1-41242r100'></a><span class='ecrm-0500'>100</span>
<a id='x1-41244r101'></a><span class='ecrm-0500'>101</span><span id='textcolor1611'><span class='ectt-0800'>/* A pointer to the original system call. The reason we keep this, rather</span></span>
<a id='x1-41246r102'></a><span class='ecrm-0500'>102</span><span id='textcolor1612'><span class='ectt-0800'> * than call the original function (sys_openat), is because somebody else</span></span>
<a id='x1-41248r103'></a><span class='ecrm-0500'>103</span><span id='textcolor1613'><span class='ectt-0800'> * might have replaced the system call before us. Note that this is not</span></span>
<a id='x1-41250r104'></a><span class='ecrm-0500'>104</span><span id='textcolor1614'><span class='ectt-0800'> * 100% safe, because if another module replaced sys_openat before us,</span></span>
<a id='x1-41252r105'></a><span class='ecrm-0500'>105</span><span id='textcolor1615'><span class='ectt-0800'> * then when we are inserted, we will call the function in that module -</span></span>
<a id='x1-41254r106'></a><span class='ecrm-0500'>106</span><span id='textcolor1616'><span class='ectt-0800'> * and it might be removed before we are.</span></span>
<a id='x1-41256r107'></a><span class='ecrm-0500'>107</span><span id='textcolor1617'><span class='ectt-0800'> *</span></span>
<a id='x1-41258r108'></a><span class='ecrm-0500'>108</span><span id='textcolor1618'><span class='ectt-0800'> * Another reason for this is that we can not get sys_openat.</span></span>
<a id='x1-41260r109'></a><span class='ecrm-0500'>109</span><span id='textcolor1619'><span class='ectt-0800'> * It is a static variable, so it is not exported.</span></span>
<a id='x1-41262r110'></a><span class='ecrm-0500'>110</span><span id='textcolor1620'><span class='ectt-0800'> */</span></span>
<a id='x1-41264r111'></a><span class='ecrm-0500'>111</span><span id='textcolor1621'><span class='ectt-0800'>#ifdef CONFIG_ARCH_HAS_SYSCALL_WRAPPER</span></span>
<a id='x1-41266r112'></a><span class='ecrm-0500'>112</span><span id='textcolor1622'><span class='ectt-0800'>static</span></span><span class='ectt-0800'> asmlinkage long (*original_call)(</span><span id='textcolor1623'><span class='ectt-0800'>const</span></span><span class='ectt-0800'> </span><span id='textcolor1624'><span class='ectt-0800'>struct</span></span><span class='ectt-0800'> pt_regs *);</span>
<a id='x1-41268r113'></a><span class='ecrm-0500'>113</span><span id='textcolor1625'><span class='ectt-0800'>#else</span></span>
<a id='x1-41270r114'></a><span class='ecrm-0500'>114</span><span id='textcolor1626'><span class='ectt-0800'>static</span></span><span class='ectt-0800'> asmlinkage long (*original_call)(</span><span id='textcolor1627'><span class='ectt-0800'>int</span></span><span class='ectt-0800'></span><span id='textcolor1628'><span class='ectt-0800'>const</span></span><span class='ectt-0800'> </span><span id='textcolor1629'><span class='ectt-0800'>char</span></span><span class='ectt-0800'> __user *, </span><span id='textcolor1630'><span class='ectt-0800'>int</span></span><span class='ectt-0800'>, umode_t);</span>
<a id='x1-41272r115'></a><span class='ecrm-0500'>115</span><span id='textcolor1631'><span class='ectt-0800'>#endif</span></span>
<a id='x1-41274r116'></a><span class='ecrm-0500'>116</span>
<a id='x1-41276r117'></a><span class='ecrm-0500'>117</span><span id='textcolor1632'><span class='ectt-0800'>/* The function we will replace sys_openat (the function called when you</span></span>
<a id='x1-41278r118'></a><span class='ecrm-0500'>118</span><span id='textcolor1633'><span class='ectt-0800'> * call the open system call) with. To find the exact prototype, with</span></span>
<a id='x1-41280r119'></a><span class='ecrm-0500'>119</span><span id='textcolor1634'><span class='ectt-0800'> * the number and type of arguments, we find the original function first</span></span>
<a id='x1-41282r120'></a><span class='ecrm-0500'>120</span><span id='textcolor1635'><span class='ectt-0800'> * (it is at fs/open.c).</span></span>
<a id='x1-41284r121'></a><span class='ecrm-0500'>121</span><span id='textcolor1636'><span class='ectt-0800'> *</span></span>
<a id='x1-41286r122'></a><span class='ecrm-0500'>122</span><span id='textcolor1637'><span class='ectt-0800'> * In theory, this means that we are tied to the current version of the</span></span>
<a id='x1-41288r123'></a><span class='ecrm-0500'>123</span><span id='textcolor1638'><span class='ectt-0800'> * kernel. In practice, the system calls almost never change (it would</span></span>
<a id='x1-41290r124'></a><span class='ecrm-0500'>124</span><span id='textcolor1639'><span class='ectt-0800'> * wreck havoc and require programs to be recompiled, since the system</span></span>
<a id='x1-41292r125'></a><span class='ecrm-0500'>125</span><span id='textcolor1640'><span class='ectt-0800'> * calls are the interface between the kernel and the processes).</span></span>
<a id='x1-41294r126'></a><span class='ecrm-0500'>126</span><span id='textcolor1641'><span class='ectt-0800'> */</span></span>
<a id='x1-41296r127'></a><span class='ecrm-0500'>127</span><span id='textcolor1642'><span class='ectt-0800'>#ifdef CONFIG_ARCH_HAS_SYSCALL_WRAPPER</span></span>
<a id='x1-41298r128'></a><span class='ecrm-0500'>128</span><span id='textcolor1643'><span class='ectt-0800'>static</span></span><span class='ectt-0800'> asmlinkage </span><span id='textcolor1644'><span class='ectt-0800'>long</span></span><span class='ectt-0800'> our_sys_openat(</span><span id='textcolor1645'><span class='ectt-0800'>const</span></span><span class='ectt-0800'> </span><span id='textcolor1646'><span class='ectt-0800'>struct</span></span><span class='ectt-0800'> pt_regs *regs)</span>
<a id='x1-41300r129'></a><span class='ecrm-0500'>129</span><span id='textcolor1647'><span class='ectt-0800'>#else</span></span>
<a id='x1-41302r130'></a><span class='ecrm-0500'>130</span><span id='textcolor1648'><span class='ectt-0800'>static</span></span><span class='ectt-0800'> asmlinkage </span><span id='textcolor1649'><span class='ectt-0800'>long</span></span><span class='ectt-0800'> our_sys_openat(</span><span id='textcolor1650'><span class='ectt-0800'>int</span></span><span class='ectt-0800'> dfd, </span><span id='textcolor1651'><span class='ectt-0800'>const</span></span><span class='ectt-0800'> </span><span id='textcolor1652'><span class='ectt-0800'>char</span></span><span class='ectt-0800'> __user *filename,</span>
<a id='x1-41304r131'></a><span class='ecrm-0500'>131</span><span class='ectt-0800'>                                      </span><span id='textcolor1653'><span class='ectt-0800'>int</span></span><span class='ectt-0800'> flags, umode_t mode)</span>
<a id='x1-41306r132'></a><span class='ecrm-0500'>132</span><span id='textcolor1654'><span class='ectt-0800'>#endif</span></span>
<a id='x1-41308r133'></a><span class='ecrm-0500'>133</span><span class='ectt-0800'>{</span>
<a id='x1-41310r134'></a><span class='ecrm-0500'>134</span><span class='ectt-0800'>    </span><span id='textcolor1655'><span class='ectt-0800'>int</span></span><span class='ectt-0800'> i = 0;</span>
<a id='x1-41312r135'></a><span class='ecrm-0500'>135</span><span class='ectt-0800'>    </span><span id='textcolor1656'><span class='ectt-0800'>char</span></span><span class='ectt-0800'> ch;</span>
<a id='x1-41314r136'></a><span class='ecrm-0500'>136</span>
<a id='x1-41316r137'></a><span class='ecrm-0500'>137</span><span class='ectt-0800'>    </span><span id='textcolor1657'><span class='ectt-0800'>if</span></span><span class='ectt-0800'> (__kuid_val(current_uid()) != uid)</span>
<a id='x1-41318r138'></a><span class='ecrm-0500'>138</span><span class='ectt-0800'>        </span><span id='textcolor1658'><span class='ectt-0800'>goto</span></span><span class='ectt-0800'> orig_call;</span>
<a id='x1-41320r139'></a><span class='ecrm-0500'>139</span>
<a id='x1-41322r140'></a><span class='ecrm-0500'>140</span><span class='ectt-0800'>    </span><span id='textcolor1659'><span class='ectt-0800'>/* Report the file, if relevant */</span></span>
<a id='x1-41324r141'></a><span class='ecrm-0500'>141</span><span class='ectt-0800'>    pr_info(</span><span id='textcolor1660'><span class='ectt-0800'>"Opened file by %d: "</span></span><span class='ectt-0800'>, uid);</span>
<a id='x1-41326r142'></a><span class='ecrm-0500'>142</span><span class='ectt-0800'>    </span><span id='textcolor1661'><span class='ectt-0800'>do</span></span><span class='ectt-0800'> {</span>
<a id='x1-41328r143'></a><span class='ecrm-0500'>143</span><span id='textcolor1662'><span class='ectt-0800'>#ifdef CONFIG_ARCH_HAS_SYSCALL_WRAPPER</span></span>
<a id='x1-41330r144'></a><span class='ecrm-0500'>144</span><span class='ectt-0800'>        get_user(ch, (</span><span id='textcolor1663'><span class='ectt-0800'>char</span></span><span class='ectt-0800'> __user *)regs-&gt;si + i);</span>
<a id='x1-41332r145'></a><span class='ecrm-0500'>145</span><span id='textcolor1664'><span class='ectt-0800'>#else</span></span>
<a id='x1-41334r146'></a><span class='ecrm-0500'>146</span><span class='ectt-0800'>        get_user(ch, (</span><span id='textcolor1665'><span class='ectt-0800'>char</span></span><span class='ectt-0800'> __user *)filename + i);</span>
<a id='x1-41336r147'></a><span class='ecrm-0500'>147</span><span id='textcolor1666'><span class='ectt-0800'>#endif</span></span>
<a id='x1-41338r148'></a><span class='ecrm-0500'>148</span><span class='ectt-0800'>        i++;</span>
<a id='x1-41340r149'></a><span class='ecrm-0500'>149</span><span class='ectt-0800'>        pr_info(</span><span id='textcolor1667'><span class='ectt-0800'>"%c"</span></span><span class='ectt-0800'>, ch);</span>
<a id='x1-41342r150'></a><span class='ecrm-0500'>150</span><span class='ectt-0800'>    </span><span id='textcolor1668'><span class='ectt-0800'>while</span></span><span class='ectt-0800'> (ch != 0);</span>
<a id='x1-41344r151'></a><span class='ecrm-0500'>151</span><span class='ectt-0800'>    pr_info(</span><span id='textcolor1669'><span class='ectt-0800'>"</span></span><span id='textcolor1670'><span class='ectt-0800'>\n</span></span><span id='textcolor1671'><span class='ectt-0800'>"</span></span><span class='ectt-0800'>);</span>
<a id='x1-41346r152'></a><span class='ecrm-0500'>152</span>
<a id='x1-41348r153'></a><span class='ecrm-0500'>153</span><span class='ectt-0800'>orig_call:</span>
<a id='x1-41350r154'></a><span class='ecrm-0500'>154</span><span class='ectt-0800'>    </span><span id='textcolor1672'><span class='ectt-0800'>/* Call the original sys_openat - otherwise, we lose the ability to</span></span>
<a id='x1-41352r155'></a><span class='ecrm-0500'>155</span><span id='textcolor1673'><span class='ectt-0800'>     * open files.</span></span>
<a id='x1-41354r156'></a><span class='ecrm-0500'>156</span><span id='textcolor1674'><span class='ectt-0800'>     */</span></span>
<a id='x1-41356r157'></a><span class='ecrm-0500'>157</span><span id='textcolor1675'><span class='ectt-0800'>#ifdef CONFIG_ARCH_HAS_SYSCALL_WRAPPER</span></span>
<a id='x1-41358r158'></a><span class='ecrm-0500'>158</span><span class='ectt-0800'>    </span><span id='textcolor1676'><span class='ectt-0800'>return</span></span><span class='ectt-0800'> original_call(regs);</span>
<a id='x1-41360r159'></a><span class='ecrm-0500'>159</span><span id='textcolor1677'><span class='ectt-0800'>#else</span></span>
<a id='x1-41362r160'></a><span class='ecrm-0500'>160</span><span class='ectt-0800'>    </span><span id='textcolor1678'><span class='ectt-0800'>return</span></span><span class='ectt-0800'> original_call(dfd, filename, flags, mode);</span>
<a id='x1-41364r161'></a><span class='ecrm-0500'>161</span><span id='textcolor1679'><span class='ectt-0800'>#endif</span></span>
<a id='x1-41366r162'></a><span class='ecrm-0500'>162</span><span class='ectt-0800'>}</span>
<a id='x1-41368r163'></a><span class='ecrm-0500'>163</span>
<a id='x1-41370r164'></a><span class='ecrm-0500'>164</span><span id='textcolor1680'><span class='ectt-0800'>static</span></span><span class='ectt-0800'> </span><span id='textcolor1681'><span class='ectt-0800'>unsigned</span></span><span class='ectt-0800'> </span><span id='textcolor1682'><span class='ectt-0800'>long</span></span><span class='ectt-0800'> **acquire_sys_call_table(</span><span id='textcolor1683'><span class='ectt-0800'>void</span></span><span class='ectt-0800'>)</span>
<a id='x1-41372r165'></a><span class='ecrm-0500'>165</span><span class='ectt-0800'>{</span>
<a id='x1-41374r166'></a><span class='ecrm-0500'>166</span><span id='textcolor1684'><span class='ectt-0800'>#ifdef HAVE_KSYS_CLOSE</span></span>
<a id='x1-41376r167'></a><span class='ecrm-0500'>167</span><span class='ectt-0800'>    </span><span id='textcolor1685'><span class='ectt-0800'>unsigned</span></span><span class='ectt-0800'> </span><span id='textcolor1686'><span class='ectt-0800'>long</span></span><span class='ectt-0800'> </span><span id='textcolor1687'><span class='ectt-0800'>int</span></span><span class='ectt-0800'> offset = PAGE_OFFSET;</span>
<a id='x1-41378r168'></a><span class='ecrm-0500'>168</span><span class='ectt-0800'>    </span><span id='textcolor1688'><span class='ectt-0800'>unsigned</span></span><span class='ectt-0800'> </span><span id='textcolor1689'><span class='ectt-0800'>long</span></span><span class='ectt-0800'> **sct;</span>
<a id='x1-41380r169'></a><span class='ecrm-0500'>169</span>
<a id='x1-41382r170'></a><span class='ecrm-0500'>170</span><span class='ectt-0800'>    </span><span id='textcolor1690'><span class='ectt-0800'>while</span></span><span class='ectt-0800'> (offset &lt; ULLONG_MAX) {</span>
<a id='x1-41384r171'></a><span class='ecrm-0500'>171</span><span class='ectt-0800'>        sct = (</span><span id='textcolor1691'><span class='ectt-0800'>unsigned</span></span><span class='ectt-0800'> </span><span id='textcolor1692'><span class='ectt-0800'>long</span></span><span class='ectt-0800'> **)offset;</span>
<a id='x1-41386r172'></a><span class='ecrm-0500'>172</span>
<a id='x1-41388r173'></a><span class='ecrm-0500'>173</span><span class='ectt-0800'>        </span><span id='textcolor1693'><span class='ectt-0800'>if</span></span><span class='ectt-0800'> (sct[__NR_close] == (</span><span id='textcolor1694'><span class='ectt-0800'>unsigned</span></span><span class='ectt-0800'> </span><span id='textcolor1695'><span class='ectt-0800'>long</span></span><span class='ectt-0800'> *)ksys_close)</span>
<a id='x1-41390r174'></a><span class='ecrm-0500'>174</span><span class='ectt-0800'>            </span><span id='textcolor1696'><span class='ectt-0800'>return</span></span><span class='ectt-0800'> sct;</span>
<a id='x1-41392r175'></a><span class='ecrm-0500'>175</span>
<a id='x1-41394r176'></a><span class='ecrm-0500'>176</span><span class='ectt-0800'>        offset += </span><span id='textcolor1697'><span class='ectt-0800'>sizeof</span></span><span class='ectt-0800'>(</span><span id='textcolor1698'><span class='ectt-0800'>void</span></span><span class='ectt-0800'> *);</span>
<a id='x1-41396r177'></a><span class='ecrm-0500'>177</span><span class='ectt-0800'>    }</span>
<a id='x1-41398r178'></a><span class='ecrm-0500'>178</span>
<a id='x1-41400r179'></a><span class='ecrm-0500'>179</span><span class='ectt-0800'>    </span><span id='textcolor1699'><span class='ectt-0800'>return</span></span><span class='ectt-0800'> NULL;</span>
<a id='x1-41402r180'></a><span class='ecrm-0500'>180</span><span id='textcolor1700'><span class='ectt-0800'>#endif</span></span>
<a id='x1-41404r181'></a><span class='ecrm-0500'>181</span>
<a id='x1-41406r182'></a><span class='ecrm-0500'>182</span><span id='textcolor1701'><span class='ectt-0800'>#ifdef HAVE_PARAM</span></span>
<a id='x1-41408r183'></a><span class='ecrm-0500'>183</span><span class='ectt-0800'>    </span><span id='textcolor1702'><span class='ectt-0800'>const</span></span><span class='ectt-0800'> </span><span id='textcolor1703'><span class='ectt-0800'>char</span></span><span class='ectt-0800'> sct_name[15] = </span><span id='textcolor1704'><span class='ectt-0800'>"sys_call_table"</span></span><span class='ectt-0800'>;</span>
<a id='x1-41410r184'></a><span class='ecrm-0500'>184</span><span class='ectt-0800'>    </span><span id='textcolor1705'><span class='ectt-0800'>char</span></span><span class='ectt-0800'> symbol[40] = { 0 };</span>
<a id='x1-41412r185'></a><span class='ecrm-0500'>185</span>
<a id='x1-41414r186'></a><span class='ecrm-0500'>186</span><span class='ectt-0800'>    </span><span id='textcolor1706'><span class='ectt-0800'>if</span></span><span class='ectt-0800'> (sym == 0) {</span>
<a id='x1-41416r187'></a><span class='ecrm-0500'>187</span><span class='ectt-0800'>        pr_alert(</span><span id='textcolor1707'><span class='ectt-0800'>"For Linux v5.7+, Kprobes is the preferable way to get "</span></span>
<a id='x1-41418r188'></a><span class='ecrm-0500'>188</span><span class='ectt-0800'>                 </span><span id='textcolor1708'><span class='ectt-0800'>"symbol.</span></span><span id='textcolor1709'><span class='ectt-0800'>\n</span></span><span id='textcolor1710'><span class='ectt-0800'>"</span></span><span class='ectt-0800'>);</span>
<a id='x1-41420r189'></a><span class='ecrm-0500'>189</span><span class='ectt-0800'>        pr_info(</span><span id='textcolor1711'><span class='ectt-0800'>"If Kprobes is absent, you have to specify the address of "</span></span>
<a id='x1-41422r190'></a><span class='ecrm-0500'>190</span><span class='ectt-0800'>                </span><span id='textcolor1712'><span class='ectt-0800'>"sys_call_table symbol</span></span><span id='textcolor1713'><span class='ectt-0800'>\n</span></span><span id='textcolor1714'><span class='ectt-0800'>"</span></span><span class='ectt-0800'>);</span>
<a id='x1-41424r191'></a><span class='ecrm-0500'>191</span><span class='ectt-0800'>        pr_info(</span><span id='textcolor1715'><span class='ectt-0800'>"by /boot/System.map or /proc/kallsyms, which contains all the "</span></span>
<a id='x1-41426r192'></a><span class='ecrm-0500'>192</span><span class='ectt-0800'>                </span><span id='textcolor1716'><span class='ectt-0800'>"symbol addresses, into sym parameter.</span></span><span id='textcolor1717'><span class='ectt-0800'>\n</span></span><span id='textcolor1718'><span class='ectt-0800'>"</span></span><span class='ectt-0800'>);</span>
<a id='x1-41428r193'></a><span class='ecrm-0500'>193</span><span class='ectt-0800'>        </span><span id='textcolor1719'><span class='ectt-0800'>return</span></span><span class='ectt-0800'> NULL;</span>
<a id='x1-41430r194'></a><span class='ecrm-0500'>194</span><span class='ectt-0800'>    }</span>
<a id='x1-41432r195'></a><span class='ecrm-0500'>195</span><span class='ectt-0800'>    sprint_symbol(symbol, sym);</span>
<a id='x1-41434r196'></a><span class='ecrm-0500'>196</span><span class='ectt-0800'>    </span><span id='textcolor1720'><span class='ectt-0800'>if</span></span><span class='ectt-0800'> (!strncmp(sct_name, symbol, </span><span id='textcolor1721'><span class='ectt-0800'>sizeof</span></span><span class='ectt-0800'>(sct_name) - 1))</span>
<a id='x1-41436r197'></a><span class='ecrm-0500'>197</span><span class='ectt-0800'>        </span><span id='textcolor1722'><span class='ectt-0800'>return</span></span><span class='ectt-0800'> (</span><span id='textcolor1723'><span class='ectt-0800'>unsigned</span></span><span class='ectt-0800'> </span><span id='textcolor1724'><span class='ectt-0800'>long</span></span><span class='ectt-0800'> **)sym;</span>
<a id='x1-41438r198'></a><span class='ecrm-0500'>198</span>
<a id='x1-41440r199'></a><span class='ecrm-0500'>199</span><span class='ectt-0800'>    </span><span id='textcolor1725'><span class='ectt-0800'>return</span></span><span class='ectt-0800'> NULL;</span>
<a id='x1-41442r200'></a><span class='ecrm-0500'>200</span><span id='textcolor1726'><span class='ectt-0800'>#endif</span></span>
<a id='x1-41444r201'></a><span class='ecrm-0500'>201</span>
<a id='x1-41446r202'></a><span class='ecrm-0500'>202</span><span id='textcolor1727'><span class='ectt-0800'>#ifdef HAVE_KPROBES</span></span>
<a id='x1-41448r203'></a><span class='ecrm-0500'>203</span><span class='ectt-0800'>    </span><span id='textcolor1728'><span class='ectt-0800'>unsigned</span></span><span class='ectt-0800'> </span><span id='textcolor1729'><span class='ectt-0800'>long</span></span><span class='ectt-0800'> (*kallsyms_lookup_name)(</span><span id='textcolor1730'><span class='ectt-0800'>const</span></span><span class='ectt-0800'> </span><span id='textcolor1731'><span class='ectt-0800'>char</span></span><span class='ectt-0800'> *name);</span>
<a id='x1-41450r204'></a><span class='ecrm-0500'>204</span><span class='ectt-0800'>    </span><span id='textcolor1732'><span class='ectt-0800'>struct</span></span><span class='ectt-0800'> kprobe kp = {</span>
<a id='x1-41452r205'></a><span class='ecrm-0500'>205</span><span class='ectt-0800'>        .symbol_name = </span><span id='textcolor1733'><span class='ectt-0800'>"kallsyms_lookup_name"</span></span><span class='ectt-0800'>,</span>
<a id='x1-41454r206'></a><span class='ecrm-0500'>206</span><span class='ectt-0800'>    };</span>
<a id='x1-41456r207'></a><span class='ecrm-0500'>207</span>
<a id='x1-41458r208'></a><span class='ecrm-0500'>208</span><span class='ectt-0800'>    </span><span id='textcolor1734'><span class='ectt-0800'>if</span></span><span class='ectt-0800'> (register_kprobe(&amp;kp) &lt; 0)</span>
<a id='x1-41460r209'></a><span class='ecrm-0500'>209</span><span class='ectt-0800'>        </span><span id='textcolor1735'><span class='ectt-0800'>return</span></span><span class='ectt-0800'> NULL;</span>
<a id='x1-41462r210'></a><span class='ecrm-0500'>210</span><span class='ectt-0800'>    kallsyms_lookup_name = (</span><span id='textcolor1736'><span class='ectt-0800'>unsigned</span></span><span class='ectt-0800'> </span><span id='textcolor1737'><span class='ectt-0800'>long</span></span><span class='ectt-0800'> (*)(</span><span id='textcolor1738'><span class='ectt-0800'>const</span></span><span class='ectt-0800'> </span><span id='textcolor1739'><span class='ectt-0800'>char</span></span><span class='ectt-0800'> *name))kp.addr;</span>
<a id='x1-41464r211'></a><span class='ecrm-0500'>211</span><span class='ectt-0800'>    unregister_kprobe(&amp;kp);</span>
<a id='x1-41466r212'></a><span class='ecrm-0500'>212</span><span id='textcolor1740'><span class='ectt-0800'>#endif</span></span>
<a id='x1-41468r213'></a><span class='ecrm-0500'>213</span>
<a id='x1-41470r214'></a><span class='ecrm-0500'>214</span><span class='ectt-0800'>    </span><span id='textcolor1741'><span class='ectt-0800'>return</span></span><span class='ectt-0800'> (</span><span id='textcolor1742'><span class='ectt-0800'>unsigned</span></span><span class='ectt-0800'> </span><span id='textcolor1743'><span class='ectt-0800'>long</span></span><span class='ectt-0800'> **)kallsyms_lookup_name(</span><span id='textcolor1744'><span class='ectt-0800'>"sys_call_table"</span></span><span class='ectt-0800'>);</span>
<a id='x1-41472r215'></a><span class='ecrm-0500'>215</span><span class='ectt-0800'>}</span>
<a id='x1-41474r216'></a><span class='ecrm-0500'>216</span>
<a id='x1-41476r217'></a><span class='ecrm-0500'>217</span><span id='textcolor1745'><span class='ectt-0800'>#if LINUX_VERSION_CODE &gt;= KERNEL_VERSION(5, 3, 0)</span></span>
<a id='x1-41478r218'></a><span class='ecrm-0500'>218</span><span id='textcolor1746'><span class='ectt-0800'>static</span></span><span class='ectt-0800'> </span><span id='textcolor1747'><span class='ectt-0800'>inline</span></span><span class='ectt-0800'> </span><span id='textcolor1748'><span class='ectt-0800'>void</span></span><span class='ectt-0800'> __write_cr0(</span><span id='textcolor1749'><span class='ectt-0800'>unsigned</span></span><span class='ectt-0800'> </span><span id='textcolor1750'><span class='ectt-0800'>long</span></span><span class='ectt-0800'> cr0)</span>
<a id='x1-41480r219'></a><span class='ecrm-0500'>219</span><span class='ectt-0800'>{</span>
<a id='x1-41482r220'></a><span class='ecrm-0500'>220</span><span class='ectt-0800'>    </span><span id='textcolor1751'><span class='ectt-0800'>asm</span></span><span class='ectt-0800'> </span><span id='textcolor1752'><span class='ectt-0800'>volatile</span></span><span class='ectt-0800'>(</span><span id='textcolor1753'><span class='ectt-0800'>"mov %0,%%cr0"</span></span><span class='ectt-0800'> : </span><span id='textcolor1754'><span class='ectt-0800'>"+r"</span></span><span class='ectt-0800'>(cr0) : : </span><span id='textcolor1755'><span class='ectt-0800'>"memory"</span></span><span class='ectt-0800'>);</span>
<a id='x1-41484r221'></a><span class='ecrm-0500'>221</span><span class='ectt-0800'>}</span>
<a id='x1-41486r222'></a><span class='ecrm-0500'>222</span><span id='textcolor1756'><span class='ectt-0800'>#else</span></span>
<a id='x1-41488r223'></a><span class='ecrm-0500'>223</span><span id='textcolor1757'><span class='ectt-0800'>#define __write_cr0 write_cr0</span></span>
<a id='x1-41490r224'></a><span class='ecrm-0500'>224</span><span id='textcolor1758'><span class='ectt-0800'>#endif</span></span>
<a id='x1-41492r225'></a><span class='ecrm-0500'>225</span>
<a id='x1-41494r226'></a><span class='ecrm-0500'>226</span><span id='textcolor1759'><span class='ectt-0800'>static</span></span><span class='ectt-0800'> </span><span id='textcolor1760'><span class='ectt-0800'>void</span></span><span class='ectt-0800'> enable_write_protection(</span><span id='textcolor1761'><span class='ectt-0800'>void</span></span><span class='ectt-0800'>)</span>
<a id='x1-41496r227'></a><span class='ecrm-0500'>227</span><span class='ectt-0800'>{</span>
<a id='x1-41498r228'></a><span class='ecrm-0500'>228</span><span class='ectt-0800'>    </span><span id='textcolor1762'><span class='ectt-0800'>unsigned</span></span><span class='ectt-0800'> </span><span id='textcolor1763'><span class='ectt-0800'>long</span></span><span class='ectt-0800'> cr0 = read_cr0();</span>
<a id='x1-41500r229'></a><span class='ecrm-0500'>229</span><span class='ectt-0800'>    set_bit(16, &amp;cr0);</span>
<a id='x1-41502r230'></a><span class='ecrm-0500'>230</span><span class='ectt-0800'>    __write_cr0(cr0);</span>
<a id='x1-41504r231'></a><span class='ecrm-0500'>231</span><span class='ectt-0800'>}</span>
<a id='x1-41506r232'></a><span class='ecrm-0500'>232</span>
<a id='x1-41508r233'></a><span class='ecrm-0500'>233</span><span id='textcolor1764'><span class='ectt-0800'>static</span></span><span class='ectt-0800'> </span><span id='textcolor1765'><span class='ectt-0800'>void</span></span><span class='ectt-0800'> disable_write_protection(</span><span id='textcolor1766'><span class='ectt-0800'>void</span></span><span class='ectt-0800'>)</span>
<a id='x1-41510r234'></a><span class='ecrm-0500'>234</span><span class='ectt-0800'>{</span>
<a id='x1-41512r235'></a><span class='ecrm-0500'>235</span><span class='ectt-0800'>    </span><span id='textcolor1767'><span class='ectt-0800'>unsigned</span></span><span class='ectt-0800'> </span><span id='textcolor1768'><span class='ectt-0800'>long</span></span><span class='ectt-0800'> cr0 = read_cr0();</span>
<a id='x1-41514r236'></a><span class='ecrm-0500'>236</span><span class='ectt-0800'>    clear_bit(16, &amp;cr0);</span>
<a id='x1-41516r237'></a><span class='ecrm-0500'>237</span><span class='ectt-0800'>    __write_cr0(cr0);</span>
<a id='x1-41518r238'></a><span class='ecrm-0500'>238</span><span class='ectt-0800'>}</span>
<a id='x1-41520r239'></a><span class='ecrm-0500'>239</span><span id='textcolor1769'><span class='ectt-0800'>#endif</span></span>
<a id='x1-41522r240'></a><span class='ecrm-0500'>240</span>
<a id='x1-41524r241'></a><span class='ecrm-0500'>241</span><span id='textcolor1770'><span class='ectt-0800'>static</span></span><span class='ectt-0800'> </span><span id='textcolor1771'><span class='ectt-0800'>int</span></span><span class='ectt-0800'> __init syscall_steal_start(</span><span id='textcolor1772'><span class='ectt-0800'>void</span></span><span class='ectt-0800'>)</span>
<a id='x1-41526r242'></a><span class='ecrm-0500'>242</span><span class='ectt-0800'>{</span>
<a id='x1-41528r243'></a><span class='ecrm-0500'>243</span><span id='textcolor1773'><span class='ectt-0800'>#if USE_KPROBES_PRE_HANDLER_BEFORE_SYSCALL</span></span>
<a id='x1-41530r244'></a><span class='ecrm-0500'>244</span><span class='ectt-0800'>    </span><span id='textcolor1774'><span class='ectt-0800'>int</span></span><span class='ectt-0800'> err;</span>
<a id='x1-41532r245'></a><span class='ecrm-0500'>245</span><span class='ectt-0800'>    </span><span id='textcolor1775'><span class='ectt-0800'>/* use symbol name from the module parameter */</span></span>
<a id='x1-41534r246'></a><span class='ecrm-0500'>246</span><span class='ectt-0800'>    syscall_kprobe.symbol_name = syscall_sym;</span>
@ -3773,55 +3773,53 @@ dry run of this example, you will have to patch your current kernel in order to
<a id='x1-41542r250'></a><span class='ecrm-0500'>250</span><span class='ectt-0800'>        pr_err(</span><span id='textcolor1780'><span class='ectt-0800'>"Please check the symbol name from </span><span class='tctt-0800'>'</span><span class='ectt-0800'>syscall_sym</span><span class='tctt-0800'>'</span><span class='ectt-0800'> parameter.</span></span><span id='textcolor1781'><span class='ectt-0800'>\n</span></span><span id='textcolor1782'><span class='ectt-0800'>"</span></span><span class='ectt-0800'>);</span>
<a id='x1-41544r251'></a><span class='ecrm-0500'>251</span><span class='ectt-0800'>        </span><span id='textcolor1783'><span class='ectt-0800'>return</span></span><span class='ectt-0800'> err;</span>
<a id='x1-41546r252'></a><span class='ecrm-0500'>252</span><span class='ectt-0800'>    }</span>
<a id='x1-41548r253'></a><span class='ecrm-0500'>253</span>
<a id='x1-41550r254'></a><span class='ecrm-0500'>254</span><span id='textcolor1784'><span class='ectt-0800'>#else</span></span>
<a id='x1-41552r255'></a><span class='ecrm-0500'>255</span><span class='ectt-0800'>    </span><span id='textcolor1785'><span class='ectt-0800'>if</span></span><span class='ectt-0800'> (!(sys_call_table_stolen = acquire_sys_call_table()))</span>
<a id='x1-41554r256'></a><span class='ecrm-0500'>256</span><span class='ectt-0800'>        </span><span id='textcolor1786'><span class='ectt-0800'>return</span></span><span class='ectt-0800'> -1;</span>
<a id='x1-41556r257'></a><span class='ecrm-0500'>257</span>
<a id='x1-41558r258'></a><span class='ecrm-0500'>258</span><span class='ectt-0800'>    disable_write_protection();</span>
<a id='x1-41560r259'></a><span class='ecrm-0500'>259</span>
<a id='x1-41562r260'></a><span class='ecrm-0500'>260</span><span class='ectt-0800'>    </span><span id='textcolor1787'><span class='ectt-0800'>/* keep track of the original open function */</span></span>
<a id='x1-41564r261'></a><span class='ecrm-0500'>261</span><span class='ectt-0800'>    original_call = (</span><span id='textcolor1788'><span class='ectt-0800'>void</span></span><span class='ectt-0800'> *)sys_call_table_stolen[__NR_openat];</span>
<a id='x1-41566r262'></a><span class='ecrm-0500'>262</span>
<a id='x1-41568r263'></a><span class='ecrm-0500'>263</span><span class='ectt-0800'>    </span><span id='textcolor1789'><span class='ectt-0800'>/* use our openat function instead */</span></span>
<a id='x1-41570r264'></a><span class='ecrm-0500'>264</span><span class='ectt-0800'>    sys_call_table_stolen[__NR_openat] = (</span><span id='textcolor1790'><span class='ectt-0800'>unsigned</span></span><span class='ectt-0800'> </span><span id='textcolor1791'><span class='ectt-0800'>long</span></span><span class='ectt-0800'> *)our_sys_openat;</span>
<a id='x1-41572r265'></a><span class='ecrm-0500'>265</span>
<a id='x1-41574r266'></a><span class='ecrm-0500'>266</span><span class='ectt-0800'>    enable_write_protection();</span>
<a id='x1-41548r253'></a><span class='ecrm-0500'>253</span><span id='textcolor1784'><span class='ectt-0800'>#else</span></span>
<a id='x1-41550r254'></a><span class='ecrm-0500'>254</span><span class='ectt-0800'>    </span><span id='textcolor1785'><span class='ectt-0800'>if</span></span><span class='ectt-0800'> (!(sys_call_table_stolen = acquire_sys_call_table()))</span>
<a id='x1-41552r255'></a><span class='ecrm-0500'>255</span><span class='ectt-0800'>        </span><span id='textcolor1786'><span class='ectt-0800'>return</span></span><span class='ectt-0800'> -1;</span>
<a id='x1-41554r256'></a><span class='ecrm-0500'>256</span>
<a id='x1-41556r257'></a><span class='ecrm-0500'>257</span><span class='ectt-0800'>    disable_write_protection();</span>
<a id='x1-41558r258'></a><span class='ecrm-0500'>258</span>
<a id='x1-41560r259'></a><span class='ecrm-0500'>259</span><span class='ectt-0800'>    </span><span id='textcolor1787'><span class='ectt-0800'>/* keep track of the original open function */</span></span>
<a id='x1-41562r260'></a><span class='ecrm-0500'>260</span><span class='ectt-0800'>    original_call = (</span><span id='textcolor1788'><span class='ectt-0800'>void</span></span><span class='ectt-0800'> *)sys_call_table_stolen[__NR_openat];</span>
<a id='x1-41564r261'></a><span class='ecrm-0500'>261</span>
<a id='x1-41566r262'></a><span class='ecrm-0500'>262</span><span class='ectt-0800'>    </span><span id='textcolor1789'><span class='ectt-0800'>/* use our openat function instead */</span></span>
<a id='x1-41568r263'></a><span class='ecrm-0500'>263</span><span class='ectt-0800'>    sys_call_table_stolen[__NR_openat] = (</span><span id='textcolor1790'><span class='ectt-0800'>unsigned</span></span><span class='ectt-0800'> </span><span id='textcolor1791'><span class='ectt-0800'>long</span></span><span class='ectt-0800'> *)our_sys_openat;</span>
<a id='x1-41570r264'></a><span class='ecrm-0500'>264</span>
<a id='x1-41572r265'></a><span class='ecrm-0500'>265</span><span class='ectt-0800'>    enable_write_protection();</span>
<a id='x1-41574r266'></a><span class='ecrm-0500'>266</span><span id='textcolor1792'><span class='ectt-0800'>#endif</span></span>
<a id='x1-41576r267'></a><span class='ecrm-0500'>267</span>
<a id='x1-41578r268'></a><span class='ecrm-0500'>268</span><span id='textcolor1792'><span class='ectt-0800'>#endif</span></span>
<a id='x1-41580r269'></a><span class='ecrm-0500'>269</span>
<a id='x1-41582r270'></a><span class='ecrm-0500'>270</span><span class='ectt-0800'>    pr_info(</span><span id='textcolor1793'><span class='ectt-0800'>"Spying on UID:%d</span></span><span id='textcolor1794'><span class='ectt-0800'>\n</span></span><span id='textcolor1795'><span class='ectt-0800'>"</span></span><span class='ectt-0800'>, uid);</span>
<a id='x1-41584r271'></a><span class='ecrm-0500'>271</span><span class='ectt-0800'>    </span><span id='textcolor1796'><span class='ectt-0800'>return</span></span><span class='ectt-0800'> 0;</span>
<a id='x1-41586r272'></a><span class='ecrm-0500'>272</span><span class='ectt-0800'>}</span>
<a id='x1-41588r273'></a><span class='ecrm-0500'>273</span>
<a id='x1-41590r274'></a><span class='ecrm-0500'>274</span><span id='textcolor1797'><span class='ectt-0800'>static</span></span><span class='ectt-0800'> </span><span id='textcolor1798'><span class='ectt-0800'>void</span></span><span class='ectt-0800'> __exit syscall_steal_end(</span><span id='textcolor1799'><span class='ectt-0800'>void</span></span><span class='ectt-0800'>)</span>
<a id='x1-41592r275'></a><span class='ecrm-0500'>275</span><span class='ectt-0800'>{</span>
<a id='x1-41594r276'></a><span class='ecrm-0500'>276</span><span id='textcolor1800'><span class='ectt-0800'>#if USE_KPROBES_PRE_HANDLER_BEFORE_SYSCALL</span></span>
<a id='x1-41596r277'></a><span class='ecrm-0500'>277</span><span class='ectt-0800'>    unregister_kprobe(&amp;syscall_kprobe);</span>
<a id='x1-41598r278'></a><span class='ecrm-0500'>278</span><span id='textcolor1801'><span class='ectt-0800'>#else</span></span>
<a id='x1-41600r279'></a><span class='ecrm-0500'>279</span><span class='ectt-0800'>    </span><span id='textcolor1802'><span class='ectt-0800'>if</span></span><span class='ectt-0800'> (!sys_call_table_stolen)</span>
<a id='x1-41602r280'></a><span class='ecrm-0500'>280</span><span class='ectt-0800'>        </span><span id='textcolor1803'><span class='ectt-0800'>return</span></span><span class='ectt-0800'>;</span>
<a id='x1-41604r281'></a><span class='ecrm-0500'>281</span>
<a id='x1-41606r282'></a><span class='ecrm-0500'>282</span><span class='ectt-0800'>    </span><span id='textcolor1804'><span class='ectt-0800'>/* Return the system call back to normal */</span></span>
<a id='x1-41608r283'></a><span class='ecrm-0500'>283</span><span class='ectt-0800'>    </span><span id='textcolor1805'><span class='ectt-0800'>if</span></span><span class='ectt-0800'> (sys_call_table_stolen[__NR_openat] != (</span><span id='textcolor1806'><span class='ectt-0800'>unsigned</span></span><span class='ectt-0800'> </span><span id='textcolor1807'><span class='ectt-0800'>long</span></span><span class='ectt-0800'> *)our_sys_openat) {</span>
<a id='x1-41610r284'></a><span class='ecrm-0500'>284</span><span class='ectt-0800'>        pr_alert(</span><span id='textcolor1808'><span class='ectt-0800'>"Somebody else also played with the "</span></span><span class='ectt-0800'>);</span>
<a id='x1-41612r285'></a><span class='ecrm-0500'>285</span><span class='ectt-0800'>        pr_alert(</span><span id='textcolor1809'><span class='ectt-0800'>"open system call</span></span><span id='textcolor1810'><span class='ectt-0800'>\n</span></span><span id='textcolor1811'><span class='ectt-0800'>"</span></span><span class='ectt-0800'>);</span>
<a id='x1-41614r286'></a><span class='ecrm-0500'>286</span><span class='ectt-0800'>        pr_alert(</span><span id='textcolor1812'><span class='ectt-0800'>"The system may be left in "</span></span><span class='ectt-0800'>);</span>
<a id='x1-41616r287'></a><span class='ecrm-0500'>287</span><span class='ectt-0800'>        pr_alert(</span><span id='textcolor1813'><span class='ectt-0800'>"an unstable state.</span></span><span id='textcolor1814'><span class='ectt-0800'>\n</span></span><span id='textcolor1815'><span class='ectt-0800'>"</span></span><span class='ectt-0800'>);</span>
<a id='x1-41618r288'></a><span class='ecrm-0500'>288</span><span class='ectt-0800'>    }</span>
<a id='x1-41620r289'></a><span class='ecrm-0500'>289</span>
<a id='x1-41622r290'></a><span class='ecrm-0500'>290</span><span class='ectt-0800'>    disable_write_protection();</span>
<a id='x1-41624r291'></a><span class='ecrm-0500'>291</span><span class='ectt-0800'>    sys_call_table_stolen[__NR_openat] = (</span><span id='textcolor1816'><span class='ectt-0800'>unsigned</span></span><span class='ectt-0800'> </span><span id='textcolor1817'><span class='ectt-0800'>long</span></span><span class='ectt-0800'> *)original_call;</span>
<a id='x1-41626r292'></a><span class='ecrm-0500'>292</span><span class='ectt-0800'>    enable_write_protection();</span>
<a id='x1-41628r293'></a><span class='ecrm-0500'>293</span><span id='textcolor1818'><span class='ectt-0800'>#endif</span></span>
<a id='x1-41630r294'></a><span class='ecrm-0500'>294</span>
<a id='x1-41632r295'></a><span class='ecrm-0500'>295</span><span class='ectt-0800'>    msleep(2000);</span>
<a id='x1-41634r296'></a><span class='ecrm-0500'>296</span><span class='ectt-0800'>}</span>
<a id='x1-41636r297'></a><span class='ecrm-0500'>297</span>
<a id='x1-41638r298'></a><span class='ecrm-0500'>298</span><span class='ectt-0800'>module_init(syscall_steal_start);</span>
<a id='x1-41640r299'></a><span class='ecrm-0500'>299</span><span class='ectt-0800'>module_exit(syscall_steal_end);</span>
<a id='x1-41642r300'></a><span class='ecrm-0500'>300</span>
<a id='x1-41644r301'></a><span class='ecrm-0500'>301</span><span class='ectt-0800'>MODULE_LICENSE(</span><span id='textcolor1819'><span class='ectt-0800'>"GPL"</span></span><span class='ectt-0800'>);</span></pre>
<a id='x1-41578r268'></a><span class='ecrm-0500'>268</span><span class='ectt-0800'>    pr_info(</span><span id='textcolor1793'><span class='ectt-0800'>"Spying on UID:%d</span></span><span id='textcolor1794'><span class='ectt-0800'>\n</span></span><span id='textcolor1795'><span class='ectt-0800'>"</span></span><span class='ectt-0800'>, uid);</span>
<a id='x1-41580r269'></a><span class='ecrm-0500'>269</span><span class='ectt-0800'>    </span><span id='textcolor1796'><span class='ectt-0800'>return</span></span><span class='ectt-0800'> 0;</span>
<a id='x1-41582r270'></a><span class='ecrm-0500'>270</span><span class='ectt-0800'>}</span>
<a id='x1-41584r271'></a><span class='ecrm-0500'>271</span>
<a id='x1-41586r272'></a><span class='ecrm-0500'>272</span><span id='textcolor1797'><span class='ectt-0800'>static</span></span><span class='ectt-0800'> </span><span id='textcolor1798'><span class='ectt-0800'>void</span></span><span class='ectt-0800'> __exit syscall_steal_end(</span><span id='textcolor1799'><span class='ectt-0800'>void</span></span><span class='ectt-0800'>)</span>
<a id='x1-41588r273'></a><span class='ecrm-0500'>273</span><span class='ectt-0800'>{</span>
<a id='x1-41590r274'></a><span class='ecrm-0500'>274</span><span id='textcolor1800'><span class='ectt-0800'>#if USE_KPROBES_PRE_HANDLER_BEFORE_SYSCALL</span></span>
<a id='x1-41592r275'></a><span class='ecrm-0500'>275</span><span class='ectt-0800'>    unregister_kprobe(&amp;syscall_kprobe);</span>
<a id='x1-41594r276'></a><span class='ecrm-0500'>276</span><span id='textcolor1801'><span class='ectt-0800'>#else</span></span>
<a id='x1-41596r277'></a><span class='ecrm-0500'>277</span><span class='ectt-0800'>    </span><span id='textcolor1802'><span class='ectt-0800'>if</span></span><span class='ectt-0800'> (!sys_call_table_stolen)</span>
<a id='x1-41598r278'></a><span class='ecrm-0500'>278</span><span class='ectt-0800'>        </span><span id='textcolor1803'><span class='ectt-0800'>return</span></span><span class='ectt-0800'>;</span>
<a id='x1-41600r279'></a><span class='ecrm-0500'>279</span>
<a id='x1-41602r280'></a><span class='ecrm-0500'>280</span><span class='ectt-0800'>    </span><span id='textcolor1804'><span class='ectt-0800'>/* Return the system call back to normal */</span></span>
<a id='x1-41604r281'></a><span class='ecrm-0500'>281</span><span class='ectt-0800'>    </span><span id='textcolor1805'><span class='ectt-0800'>if</span></span><span class='ectt-0800'> (sys_call_table_stolen[__NR_openat] != (</span><span id='textcolor1806'><span class='ectt-0800'>unsigned</span></span><span class='ectt-0800'> </span><span id='textcolor1807'><span class='ectt-0800'>long</span></span><span class='ectt-0800'> *)our_sys_openat) {</span>
<a id='x1-41606r282'></a><span class='ecrm-0500'>282</span><span class='ectt-0800'>        pr_alert(</span><span id='textcolor1808'><span class='ectt-0800'>"Somebody else also played with the "</span></span><span class='ectt-0800'>);</span>
<a id='x1-41608r283'></a><span class='ecrm-0500'>283</span><span class='ectt-0800'>        pr_alert(</span><span id='textcolor1809'><span class='ectt-0800'>"open system call</span></span><span id='textcolor1810'><span class='ectt-0800'>\n</span></span><span id='textcolor1811'><span class='ectt-0800'>"</span></span><span class='ectt-0800'>);</span>
<a id='x1-41610r284'></a><span class='ecrm-0500'>284</span><span class='ectt-0800'>        pr_alert(</span><span id='textcolor1812'><span class='ectt-0800'>"The system may be left in "</span></span><span class='ectt-0800'>);</span>
<a id='x1-41612r285'></a><span class='ecrm-0500'>285</span><span class='ectt-0800'>        pr_alert(</span><span id='textcolor1813'><span class='ectt-0800'>"an unstable state.</span></span><span id='textcolor1814'><span class='ectt-0800'>\n</span></span><span id='textcolor1815'><span class='ectt-0800'>"</span></span><span class='ectt-0800'>);</span>
<a id='x1-41614r286'></a><span class='ecrm-0500'>286</span><span class='ectt-0800'>    }</span>
<a id='x1-41616r287'></a><span class='ecrm-0500'>287</span>
<a id='x1-41618r288'></a><span class='ecrm-0500'>288</span><span class='ectt-0800'>    disable_write_protection();</span>
<a id='x1-41620r289'></a><span class='ecrm-0500'>289</span><span class='ectt-0800'>    sys_call_table_stolen[__NR_openat] = (</span><span id='textcolor1816'><span class='ectt-0800'>unsigned</span></span><span class='ectt-0800'> </span><span id='textcolor1817'><span class='ectt-0800'>long</span></span><span class='ectt-0800'> *)original_call;</span>
<a id='x1-41622r290'></a><span class='ecrm-0500'>290</span><span class='ectt-0800'>    enable_write_protection();</span>
<a id='x1-41624r291'></a><span class='ecrm-0500'>291</span><span id='textcolor1818'><span class='ectt-0800'>#endif</span></span>
<a id='x1-41626r292'></a><span class='ecrm-0500'>292</span>
<a id='x1-41628r293'></a><span class='ecrm-0500'>293</span><span class='ectt-0800'>    msleep(2000);</span>
<a id='x1-41630r294'></a><span class='ecrm-0500'>294</span><span class='ectt-0800'>}</span>
<a id='x1-41632r295'></a><span class='ecrm-0500'>295</span>
<a id='x1-41634r296'></a><span class='ecrm-0500'>296</span><span class='ectt-0800'>module_init(syscall_steal_start);</span>
<a id='x1-41636r297'></a><span class='ecrm-0500'>297</span><span class='ectt-0800'>module_exit(syscall_steal_end);</span>
<a id='x1-41638r298'></a><span class='ecrm-0500'>298</span>
<a id='x1-41640r299'></a><span class='ecrm-0500'>299</span><span class='ectt-0800'>MODULE_LICENSE(</span><span id='textcolor1819'><span class='ectt-0800'>"GPL"</span></span><span class='ectt-0800'>);</span></pre>
<!-- l. 1580 --><p class='noindent'>
</p>
<h3 class='sectionHead' id='blocking-processes-and-threads'><span class='titlemark'>11 </span> <a id='x1-4200011'></a>Blocking Processes and threads</h3>


@ -3616,154 +3616,154 @@ dry run of this example, you will have to patch your current kernel in order to
<a id='x1-41228r93'></a><span class='ecrm-0500'>93</span><span class='ectt-0800'>    .symbol_name = </span><span id='textcolor1606'><span class='ectt-0800'>"__x64_sys_openat"</span></span><span class='ectt-0800'>,</span>
<a id='x1-41230r94'></a><span class='ecrm-0500'>94</span><span class='ectt-0800'>    .pre_handler = sys_call_kprobe_pre_handler,</span>
<a id='x1-41232r95'></a><span class='ecrm-0500'>95</span><span class='ectt-0800'>};</span>
<a id='x1-41234r96'></a><span class='ecrm-0500'>96</span><span id='textcolor1607'><span class='ectt-0800'>#else</span></span>
<a id='x1-41236r97'></a><span class='ecrm-0500'>97</span>
<a id='x1-41238r98'></a><span class='ecrm-0500'>98</span><span id='textcolor1608'><span class='ectt-0800'>static</span></span><span class='ectt-0800'> </span><span id='textcolor1609'><span class='ectt-0800'>unsigned</span></span><span class='ectt-0800'> </span><span id='textcolor1610'><span class='ectt-0800'>long</span></span><span class='ectt-0800'> **sys_call_table_stolen;</span>
<a id='x1-41240r99'></a><span class='ecrm-0500'>99</span>
<a id='x1-41242r100'></a><span class='ecrm-0500'>100</span><span id='textcolor1611'><span class='ectt-0800'>/* A pointer to the original system call. The reason we keep this, rather</span></span>
<a id='x1-41244r101'></a><span class='ecrm-0500'>101</span><span id='textcolor1612'><span class='ectt-0800'> * than call the original function (sys_openat), is because somebody else</span></span>
<a id='x1-41246r102'></a><span class='ecrm-0500'>102</span><span id='textcolor1613'><span class='ectt-0800'> * might have replaced the system call before us. Note that this is not</span></span>
<a id='x1-41248r103'></a><span class='ecrm-0500'>103</span><span id='textcolor1614'><span class='ectt-0800'> * 100% safe, because if another module replaced sys_openat before us,</span></span>
<a id='x1-41250r104'></a><span class='ecrm-0500'>104</span><span id='textcolor1615'><span class='ectt-0800'> * then when we are inserted, we will call the function in that module -</span></span>
<a id='x1-41252r105'></a><span class='ecrm-0500'>105</span><span id='textcolor1616'><span class='ectt-0800'> * and it might be removed before we are.</span></span>
<a id='x1-41254r106'></a><span class='ecrm-0500'>106</span><span id='textcolor1617'><span class='ectt-0800'> *</span></span>
<a id='x1-41256r107'></a><span class='ecrm-0500'>107</span><span id='textcolor1618'><span class='ectt-0800'> * Another reason for this is that we can not get sys_openat.</span></span>
<a id='x1-41258r108'></a><span class='ecrm-0500'>108</span><span id='textcolor1619'><span class='ectt-0800'> * It is a static variable, so it is not exported.</span></span>
<a id='x1-41260r109'></a><span class='ecrm-0500'>109</span><span id='textcolor1620'><span class='ectt-0800'> */</span></span>
<a id='x1-41262r110'></a><span class='ecrm-0500'>110</span><span id='textcolor1621'><span class='ectt-0800'>#ifdef CONFIG_ARCH_HAS_SYSCALL_WRAPPER</span></span>
<a id='x1-41264r111'></a><span class='ecrm-0500'>111</span><span id='textcolor1622'><span class='ectt-0800'>static</span></span><span class='ectt-0800'> asmlinkage long (*original_call)(</span><span id='textcolor1623'><span class='ectt-0800'>const</span></span><span class='ectt-0800'> </span><span id='textcolor1624'><span class='ectt-0800'>struct</span></span><span class='ectt-0800'> pt_regs *);</span>
<a id='x1-41266r112'></a><span class='ecrm-0500'>112</span><span id='textcolor1625'><span class='ectt-0800'>#else</span></span>
<a id='x1-41268r113'></a><span class='ecrm-0500'>113</span><span id='textcolor1626'><span class='ectt-0800'>static</span></span><span class='ectt-0800'> asmlinkage long (*original_call)(</span><span id='textcolor1627'><span class='ectt-0800'>int</span></span><span class='ectt-0800'></span><span id='textcolor1628'><span class='ectt-0800'>const</span></span><span class='ectt-0800'> </span><span id='textcolor1629'><span class='ectt-0800'>char</span></span><span class='ectt-0800'> __user *, </span><span id='textcolor1630'><span class='ectt-0800'>int</span></span><span class='ectt-0800'>, umode_t);</span>
<a id='x1-41270r114'></a><span class='ecrm-0500'>114</span><span id='textcolor1631'><span class='ectt-0800'>#endif</span></span>
<a id='x1-41272r115'></a><span class='ecrm-0500'>115</span>
<a id='x1-41274r116'></a><span class='ecrm-0500'>116</span><span id='textcolor1632'><span class='ectt-0800'>/* The function we will replace sys_openat (the function called when you</span></span>
<a id='x1-41276r117'></a><span class='ecrm-0500'>117</span><span id='textcolor1633'><span class='ectt-0800'> * call the open system call) with. To find the exact prototype, with</span></span>
<a id='x1-41278r118'></a><span class='ecrm-0500'>118</span><span id='textcolor1634'><span class='ectt-0800'> * the number and type of arguments, we find the original function first</span></span>
<a id='x1-41280r119'></a><span class='ecrm-0500'>119</span><span id='textcolor1635'><span class='ectt-0800'> * (it is at fs/open.c).</span></span>
<a id='x1-41282r120'></a><span class='ecrm-0500'>120</span><span id='textcolor1636'><span class='ectt-0800'> *</span></span>
<a id='x1-41284r121'></a><span class='ecrm-0500'>121</span><span id='textcolor1637'><span class='ectt-0800'> * In theory, this means that we are tied to the current version of the</span></span>
<a id='x1-41286r122'></a><span class='ecrm-0500'>122</span><span id='textcolor1638'><span class='ectt-0800'> * kernel. In practice, the system calls almost never change (it would</span></span>
<a id='x1-41288r123'></a><span class='ecrm-0500'>123</span><span id='textcolor1639'><span class='ectt-0800'> * wreck havoc and require programs to be recompiled, since the system</span></span>
<a id='x1-41290r124'></a><span class='ecrm-0500'>124</span><span id='textcolor1640'><span class='ectt-0800'> * calls are the interface between the kernel and the processes).</span></span>
<a id='x1-41292r125'></a><span class='ecrm-0500'>125</span><span id='textcolor1641'><span class='ectt-0800'> */</span></span>
<a id='x1-41294r126'></a><span class='ecrm-0500'>126</span><span id='textcolor1642'><span class='ectt-0800'>#ifdef CONFIG_ARCH_HAS_SYSCALL_WRAPPER</span></span>
<a id='x1-41296r127'></a><span class='ecrm-0500'>127</span><span id='textcolor1643'><span class='ectt-0800'>static</span></span><span class='ectt-0800'> asmlinkage </span><span id='textcolor1644'><span class='ectt-0800'>long</span></span><span class='ectt-0800'> our_sys_openat(</span><span id='textcolor1645'><span class='ectt-0800'>const</span></span><span class='ectt-0800'> </span><span id='textcolor1646'><span class='ectt-0800'>struct</span></span><span class='ectt-0800'> pt_regs *regs)</span>
<a id='x1-41298r128'></a><span class='ecrm-0500'>128</span><span id='textcolor1647'><span class='ectt-0800'>#else</span></span>
<a id='x1-41300r129'></a><span class='ecrm-0500'>129</span><span id='textcolor1648'><span class='ectt-0800'>static</span></span><span class='ectt-0800'> asmlinkage </span><span id='textcolor1649'><span class='ectt-0800'>long</span></span><span class='ectt-0800'> our_sys_openat(</span><span id='textcolor1650'><span class='ectt-0800'>int</span></span><span class='ectt-0800'> dfd, </span><span id='textcolor1651'><span class='ectt-0800'>const</span></span><span class='ectt-0800'> </span><span id='textcolor1652'><span class='ectt-0800'>char</span></span><span class='ectt-0800'> __user *filename,</span>
<a id='x1-41302r130'></a><span class='ecrm-0500'>130</span><span class='ectt-0800'>                                      </span><span id='textcolor1653'><span class='ectt-0800'>int</span></span><span class='ectt-0800'> flags, umode_t mode)</span>
<a id='x1-41304r131'></a><span class='ecrm-0500'>131</span><span id='textcolor1654'><span class='ectt-0800'>#endif</span></span>
<a id='x1-41306r132'></a><span class='ecrm-0500'>132</span><span class='ectt-0800'>{</span>
<a id='x1-41308r133'></a><span class='ecrm-0500'>133</span><span class='ectt-0800'>    </span><span id='textcolor1655'><span class='ectt-0800'>int</span></span><span class='ectt-0800'> i = 0;</span>
<a id='x1-41310r134'></a><span class='ecrm-0500'>134</span><span class='ectt-0800'>    </span><span id='textcolor1656'><span class='ectt-0800'>char</span></span><span class='ectt-0800'> ch;</span>
<a id='x1-41312r135'></a><span class='ecrm-0500'>135</span>
<a id='x1-41314r136'></a><span class='ecrm-0500'>136</span><span class='ectt-0800'>    </span><span id='textcolor1657'><span class='ectt-0800'>if</span></span><span class='ectt-0800'> (__kuid_val(current_uid()) != uid)</span>
<a id='x1-41316r137'></a><span class='ecrm-0500'>137</span><span class='ectt-0800'>        </span><span id='textcolor1658'><span class='ectt-0800'>goto</span></span><span class='ectt-0800'> orig_call;</span>
<a id='x1-41318r138'></a><span class='ecrm-0500'>138</span>
<a id='x1-41320r139'></a><span class='ecrm-0500'>139</span><span class='ectt-0800'>    </span><span id='textcolor1659'><span class='ectt-0800'>/* Report the file, if relevant */</span></span>
<a id='x1-41322r140'></a><span class='ecrm-0500'>140</span><span class='ectt-0800'>    pr_info(</span><span id='textcolor1660'><span class='ectt-0800'>"Opened file by %d: "</span></span><span class='ectt-0800'>, uid);</span>
<a id='x1-41324r141'></a><span class='ecrm-0500'>141</span><span class='ectt-0800'>    </span><span id='textcolor1661'><span class='ectt-0800'>do</span></span><span class='ectt-0800'> {</span>
<a id='x1-41326r142'></a><span class='ecrm-0500'>142</span><span id='textcolor1662'><span class='ectt-0800'>#ifdef CONFIG_ARCH_HAS_SYSCALL_WRAPPER</span></span>
<a id='x1-41328r143'></a><span class='ecrm-0500'>143</span><span class='ectt-0800'>        get_user(ch, (</span><span id='textcolor1663'><span class='ectt-0800'>char</span></span><span class='ectt-0800'> __user *)regs-&gt;si + i);</span>
<a id='x1-41330r144'></a><span class='ecrm-0500'>144</span><span id='textcolor1664'><span class='ectt-0800'>#else</span></span>
<a id='x1-41332r145'></a><span class='ecrm-0500'>145</span><span class='ectt-0800'>        get_user(ch, (</span><span id='textcolor1665'><span class='ectt-0800'>char</span></span><span class='ectt-0800'> __user *)filename + i);</span>
<a id='x1-41334r146'></a><span class='ecrm-0500'>146</span><span id='textcolor1666'><span class='ectt-0800'>#endif</span></span>
<a id='x1-41336r147'></a><span class='ecrm-0500'>147</span><span class='ectt-0800'>        i++;</span>
<a id='x1-41338r148'></a><span class='ecrm-0500'>148</span><span class='ectt-0800'>        pr_info(</span><span id='textcolor1667'><span class='ectt-0800'>"%c"</span></span><span class='ectt-0800'>, ch);</span>
<a id='x1-41340r149'></a><span class='ecrm-0500'>149</span><span class='ectt-0800'>    </span><span id='textcolor1668'><span class='ectt-0800'>while</span></span><span class='ectt-0800'> (ch != 0);</span>
<a id='x1-41342r150'></a><span class='ecrm-0500'>150</span><span class='ectt-0800'>    pr_info(</span><span id='textcolor1669'><span class='ectt-0800'>"</span></span><span id='textcolor1670'><span class='ectt-0800'>\n</span></span><span id='textcolor1671'><span class='ectt-0800'>"</span></span><span class='ectt-0800'>);</span>
<a id='x1-41344r151'></a><span class='ecrm-0500'>151</span>
<a id='x1-41346r152'></a><span class='ecrm-0500'>152</span><span class='ectt-0800'>orig_call:</span>
<a id='x1-41348r153'></a><span class='ecrm-0500'>153</span><span class='ectt-0800'>    </span><span id='textcolor1672'><span class='ectt-0800'>/* Call the original sys_openat - otherwise, we lose the ability to</span></span>
<a id='x1-41350r154'></a><span class='ecrm-0500'>154</span><span id='textcolor1673'><span class='ectt-0800'>     * open files.</span></span>
<a id='x1-41352r155'></a><span class='ecrm-0500'>155</span><span id='textcolor1674'><span class='ectt-0800'>     */</span></span>
<a id='x1-41354r156'></a><span class='ecrm-0500'>156</span><span id='textcolor1675'><span class='ectt-0800'>#ifdef CONFIG_ARCH_HAS_SYSCALL_WRAPPER</span></span>
<a id='x1-41356r157'></a><span class='ecrm-0500'>157</span><span class='ectt-0800'>    </span><span id='textcolor1676'><span class='ectt-0800'>return</span></span><span class='ectt-0800'> original_call(regs);</span>
<a id='x1-41358r158'></a><span class='ecrm-0500'>158</span><span id='textcolor1677'><span class='ectt-0800'>#else</span></span>
<a id='x1-41360r159'></a><span class='ecrm-0500'>159</span><span class='ectt-0800'>    </span><span id='textcolor1678'><span class='ectt-0800'>return</span></span><span class='ectt-0800'> original_call(dfd, filename, flags, mode);</span>
<a id='x1-41362r160'></a><span class='ecrm-0500'>160</span><span id='textcolor1679'><span class='ectt-0800'>#endif</span></span>
<a id='x1-41364r161'></a><span class='ecrm-0500'>161</span><span class='ectt-0800'>}</span>
<a id='x1-41366r162'></a><span class='ecrm-0500'>162</span>
<a id='x1-41368r163'></a><span class='ecrm-0500'>163</span><span id='textcolor1680'><span class='ectt-0800'>static</span></span><span class='ectt-0800'> </span><span id='textcolor1681'><span class='ectt-0800'>unsigned</span></span><span class='ectt-0800'> </span><span id='textcolor1682'><span class='ectt-0800'>long</span></span><span class='ectt-0800'> **acquire_sys_call_table(</span><span id='textcolor1683'><span class='ectt-0800'>void</span></span><span class='ectt-0800'>)</span>
<a id='x1-41370r164'></a><span class='ecrm-0500'>164</span><span class='ectt-0800'>{</span>
<a id='x1-41372r165'></a><span class='ecrm-0500'>165</span><span id='textcolor1684'><span class='ectt-0800'>#ifdef HAVE_KSYS_CLOSE</span></span>
<a id='x1-41374r166'></a><span class='ecrm-0500'>166</span><span class='ectt-0800'>    </span><span id='textcolor1685'><span class='ectt-0800'>unsigned</span></span><span class='ectt-0800'> </span><span id='textcolor1686'><span class='ectt-0800'>long</span></span><span class='ectt-0800'> </span><span id='textcolor1687'><span class='ectt-0800'>int</span></span><span class='ectt-0800'> offset = PAGE_OFFSET;</span>
<a id='x1-41376r167'></a><span class='ecrm-0500'>167</span><span class='ectt-0800'>    </span><span id='textcolor1688'><span class='ectt-0800'>unsigned</span></span><span class='ectt-0800'> </span><span id='textcolor1689'><span class='ectt-0800'>long</span></span><span class='ectt-0800'> **sct;</span>
<a id='x1-41378r168'></a><span class='ecrm-0500'>168</span>
<a id='x1-41380r169'></a><span class='ecrm-0500'>169</span><span class='ectt-0800'>    </span><span id='textcolor1690'><span class='ectt-0800'>while</span></span><span class='ectt-0800'> (offset &lt; ULLONG_MAX) {</span>
<a id='x1-41382r170'></a><span class='ecrm-0500'>170</span><span class='ectt-0800'>        sct = (</span><span id='textcolor1691'><span class='ectt-0800'>unsigned</span></span><span class='ectt-0800'> </span><span id='textcolor1692'><span class='ectt-0800'>long</span></span><span class='ectt-0800'> **)offset;</span>
<a id='x1-41384r171'></a><span class='ecrm-0500'>171</span>
<a id='x1-41386r172'></a><span class='ecrm-0500'>172</span><span class='ectt-0800'>        </span><span id='textcolor1693'><span class='ectt-0800'>if</span></span><span class='ectt-0800'> (sct[__NR_close] == (</span><span id='textcolor1694'><span class='ectt-0800'>unsigned</span></span><span class='ectt-0800'> </span><span id='textcolor1695'><span class='ectt-0800'>long</span></span><span class='ectt-0800'> *)ksys_close)</span>
<a id='x1-41388r173'></a><span class='ecrm-0500'>173</span><span class='ectt-0800'>            </span><span id='textcolor1696'><span class='ectt-0800'>return</span></span><span class='ectt-0800'> sct;</span>
<a id='x1-41390r174'></a><span class='ecrm-0500'>174</span>
<a id='x1-41392r175'></a><span class='ecrm-0500'>175</span><span class='ectt-0800'>        offset += </span><span id='textcolor1697'><span class='ectt-0800'>sizeof</span></span><span class='ectt-0800'>(</span><span id='textcolor1698'><span class='ectt-0800'>void</span></span><span class='ectt-0800'> *);</span>
<a id='x1-41394r176'></a><span class='ecrm-0500'>176</span><span class='ectt-0800'>    }</span>
<a id='x1-41396r177'></a><span class='ecrm-0500'>177</span>
<a id='x1-41398r178'></a><span class='ecrm-0500'>178</span><span class='ectt-0800'>    </span><span id='textcolor1699'><span class='ectt-0800'>return</span></span><span class='ectt-0800'> NULL;</span>
<a id='x1-41400r179'></a><span class='ecrm-0500'>179</span><span id='textcolor1700'><span class='ectt-0800'>#endif</span></span>
<a id='x1-41402r180'></a><span class='ecrm-0500'>180</span>
<a id='x1-41404r181'></a><span class='ecrm-0500'>181</span><span id='textcolor1701'><span class='ectt-0800'>#ifdef HAVE_PARAM</span></span>
<a id='x1-41406r182'></a><span class='ecrm-0500'>182</span><span class='ectt-0800'>    </span><span id='textcolor1702'><span class='ectt-0800'>const</span></span><span class='ectt-0800'> </span><span id='textcolor1703'><span class='ectt-0800'>char</span></span><span class='ectt-0800'> sct_name[15] = </span><span id='textcolor1704'><span class='ectt-0800'>"sys_call_table"</span></span><span class='ectt-0800'>;</span>
<a id='x1-41408r183'></a><span class='ecrm-0500'>183</span><span class='ectt-0800'>    </span><span id='textcolor1705'><span class='ectt-0800'>char</span></span><span class='ectt-0800'> symbol[40] = { 0 };</span>
<a id='x1-41410r184'></a><span class='ecrm-0500'>184</span>
<a id='x1-41412r185'></a><span class='ecrm-0500'>185</span><span class='ectt-0800'>    </span><span id='textcolor1706'><span class='ectt-0800'>if</span></span><span class='ectt-0800'> (sym == 0) {</span>
<a id='x1-41414r186'></a><span class='ecrm-0500'>186</span><span class='ectt-0800'>        pr_alert(</span><span id='textcolor1707'><span class='ectt-0800'>"For Linux v5.7+, Kprobes is the preferable way to get "</span></span>
<a id='x1-41416r187'></a><span class='ecrm-0500'>187</span><span class='ectt-0800'>                 </span><span id='textcolor1708'><span class='ectt-0800'>"symbol.</span></span><span id='textcolor1709'><span class='ectt-0800'>\n</span></span><span id='textcolor1710'><span class='ectt-0800'>"</span></span><span class='ectt-0800'>);</span>
<a id='x1-41418r188'></a><span class='ecrm-0500'>188</span><span class='ectt-0800'>        pr_info(</span><span id='textcolor1711'><span class='ectt-0800'>"If Kprobes is absent, you have to specify the address of "</span></span>
<a id='x1-41420r189'></a><span class='ecrm-0500'>189</span><span class='ectt-0800'>                </span><span id='textcolor1712'><span class='ectt-0800'>"sys_call_table symbol</span></span><span id='textcolor1713'><span class='ectt-0800'>\n</span></span><span id='textcolor1714'><span class='ectt-0800'>"</span></span><span class='ectt-0800'>);</span>
<a id='x1-41422r190'></a><span class='ecrm-0500'>190</span><span class='ectt-0800'>        pr_info(</span><span id='textcolor1715'><span class='ectt-0800'>"by /boot/System.map or /proc/kallsyms, which contains all the "</span></span>
<a id='x1-41424r191'></a><span class='ecrm-0500'>191</span><span class='ectt-0800'>                </span><span id='textcolor1716'><span class='ectt-0800'>"symbol addresses, into sym parameter.</span></span><span id='textcolor1717'><span class='ectt-0800'>\n</span></span><span id='textcolor1718'><span class='ectt-0800'>"</span></span><span class='ectt-0800'>);</span>
<a id='x1-41426r192'></a><span class='ecrm-0500'>192</span><span class='ectt-0800'>        </span><span id='textcolor1719'><span class='ectt-0800'>return</span></span><span class='ectt-0800'> NULL;</span>
<a id='x1-41428r193'></a><span class='ecrm-0500'>193</span><span class='ectt-0800'>    }</span>
<a id='x1-41430r194'></a><span class='ecrm-0500'>194</span><span class='ectt-0800'>    sprint_symbol(symbol, sym);</span>
<a id='x1-41432r195'></a><span class='ecrm-0500'>195</span><span class='ectt-0800'>    </span><span id='textcolor1720'><span class='ectt-0800'>if</span></span><span class='ectt-0800'> (!strncmp(sct_name, symbol, </span><span id='textcolor1721'><span class='ectt-0800'>sizeof</span></span><span class='ectt-0800'>(sct_name) - 1))</span>
<a id='x1-41434r196'></a><span class='ecrm-0500'>196</span><span class='ectt-0800'>        </span><span id='textcolor1722'><span class='ectt-0800'>return</span></span><span class='ectt-0800'> (</span><span id='textcolor1723'><span class='ectt-0800'>unsigned</span></span><span class='ectt-0800'> </span><span id='textcolor1724'><span class='ectt-0800'>long</span></span><span class='ectt-0800'> **)sym;</span>
<a id='x1-41436r197'></a><span class='ecrm-0500'>197</span>
<a id='x1-41438r198'></a><span class='ecrm-0500'>198</span><span class='ectt-0800'>    </span><span id='textcolor1725'><span class='ectt-0800'>return</span></span><span class='ectt-0800'> NULL;</span>
<a id='x1-41440r199'></a><span class='ecrm-0500'>199</span><span id='textcolor1726'><span class='ectt-0800'>#endif</span></span>
<a id='x1-41442r200'></a><span class='ecrm-0500'>200</span>
<a id='x1-41444r201'></a><span class='ecrm-0500'>201</span><span id='textcolor1727'><span class='ectt-0800'>#ifdef HAVE_KPROBES</span></span>
<a id='x1-41446r202'></a><span class='ecrm-0500'>202</span><span class='ectt-0800'>    </span><span id='textcolor1728'><span class='ectt-0800'>unsigned</span></span><span class='ectt-0800'> </span><span id='textcolor1729'><span class='ectt-0800'>long</span></span><span class='ectt-0800'> (*kallsyms_lookup_name)(</span><span id='textcolor1730'><span class='ectt-0800'>const</span></span><span class='ectt-0800'> </span><span id='textcolor1731'><span class='ectt-0800'>char</span></span><span class='ectt-0800'> *name);</span>
<a id='x1-41448r203'></a><span class='ecrm-0500'>203</span><span class='ectt-0800'>    </span><span id='textcolor1732'><span class='ectt-0800'>struct</span></span><span class='ectt-0800'> kprobe kp = {</span>
<a id='x1-41450r204'></a><span class='ecrm-0500'>204</span><span class='ectt-0800'>        .symbol_name = </span><span id='textcolor1733'><span class='ectt-0800'>"kallsyms_lookup_name"</span></span><span class='ectt-0800'>,</span>
<a id='x1-41452r205'></a><span class='ecrm-0500'>205</span><span class='ectt-0800'>    };</span>
<a id='x1-41454r206'></a><span class='ecrm-0500'>206</span>
<a id='x1-41456r207'></a><span class='ecrm-0500'>207</span><span class='ectt-0800'>    </span><span id='textcolor1734'><span class='ectt-0800'>if</span></span><span class='ectt-0800'> (register_kprobe(&amp;kp) &lt; 0)</span>
<a id='x1-41458r208'></a><span class='ecrm-0500'>208</span><span class='ectt-0800'>        </span><span id='textcolor1735'><span class='ectt-0800'>return</span></span><span class='ectt-0800'> NULL;</span>
<a id='x1-41460r209'></a><span class='ecrm-0500'>209</span><span class='ectt-0800'>    kallsyms_lookup_name = (</span><span id='textcolor1736'><span class='ectt-0800'>unsigned</span></span><span class='ectt-0800'> </span><span id='textcolor1737'><span class='ectt-0800'>long</span></span><span class='ectt-0800'> (*)(</span><span id='textcolor1738'><span class='ectt-0800'>const</span></span><span class='ectt-0800'> </span><span id='textcolor1739'><span class='ectt-0800'>char</span></span><span class='ectt-0800'> *name))kp.addr;</span>
<a id='x1-41462r210'></a><span class='ecrm-0500'>210</span><span class='ectt-0800'>    unregister_kprobe(&amp;kp);</span>
<a id='x1-41464r211'></a><span class='ecrm-0500'>211</span><span id='textcolor1740'><span class='ectt-0800'>#endif</span></span>
<a id='x1-41466r212'></a><span class='ecrm-0500'>212</span>
<a id='x1-41468r213'></a><span class='ecrm-0500'>213</span><span class='ectt-0800'>    </span><span id='textcolor1741'><span class='ectt-0800'>return</span></span><span class='ectt-0800'> (</span><span id='textcolor1742'><span class='ectt-0800'>unsigned</span></span><span class='ectt-0800'> </span><span id='textcolor1743'><span class='ectt-0800'>long</span></span><span class='ectt-0800'> **)kallsyms_lookup_name(</span><span id='textcolor1744'><span class='ectt-0800'>"sys_call_table"</span></span><span class='ectt-0800'>);</span>
<a id='x1-41470r214'></a><span class='ecrm-0500'>214</span><span class='ectt-0800'>}</span>
<a id='x1-41472r215'></a><span class='ecrm-0500'>215</span>
<a id='x1-41474r216'></a><span class='ecrm-0500'>216</span><span id='textcolor1745'><span class='ectt-0800'>#if LINUX_VERSION_CODE &gt;= KERNEL_VERSION(5, 3, 0)</span></span>
<a id='x1-41476r217'></a><span class='ecrm-0500'>217</span><span id='textcolor1746'><span class='ectt-0800'>static</span></span><span class='ectt-0800'> </span><span id='textcolor1747'><span class='ectt-0800'>inline</span></span><span class='ectt-0800'> </span><span id='textcolor1748'><span class='ectt-0800'>void</span></span><span class='ectt-0800'> __write_cr0(</span><span id='textcolor1749'><span class='ectt-0800'>unsigned</span></span><span class='ectt-0800'> </span><span id='textcolor1750'><span class='ectt-0800'>long</span></span><span class='ectt-0800'> cr0)</span>
<a id='x1-41478r218'></a><span class='ecrm-0500'>218</span><span class='ectt-0800'>{</span>
<a id='x1-41480r219'></a><span class='ecrm-0500'>219</span><span class='ectt-0800'>    </span><span id='textcolor1751'><span class='ectt-0800'>asm</span></span><span class='ectt-0800'> </span><span id='textcolor1752'><span class='ectt-0800'>volatile</span></span><span class='ectt-0800'>(</span><span id='textcolor1753'><span class='ectt-0800'>"mov %0,%%cr0"</span></span><span class='ectt-0800'> : </span><span id='textcolor1754'><span class='ectt-0800'>"+r"</span></span><span class='ectt-0800'>(cr0) : : </span><span id='textcolor1755'><span class='ectt-0800'>"memory"</span></span><span class='ectt-0800'>);</span>
<a id='x1-41482r220'></a><span class='ecrm-0500'>220</span><span class='ectt-0800'>}</span>
<a id='x1-41484r221'></a><span class='ecrm-0500'>221</span><span id='textcolor1756'><span class='ectt-0800'>#else</span></span>
<a id='x1-41486r222'></a><span class='ecrm-0500'>222</span><span id='textcolor1757'><span class='ectt-0800'>#define __write_cr0 write_cr0</span></span>
<a id='x1-41488r223'></a><span class='ecrm-0500'>223</span><span id='textcolor1758'><span class='ectt-0800'>#endif</span></span>
<a id='x1-41490r224'></a><span class='ecrm-0500'>224</span>
<a id='x1-41492r225'></a><span class='ecrm-0500'>225</span><span id='textcolor1759'><span class='ectt-0800'>static</span></span><span class='ectt-0800'> </span><span id='textcolor1760'><span class='ectt-0800'>void</span></span><span class='ectt-0800'> enable_write_protection(</span><span id='textcolor1761'><span class='ectt-0800'>void</span></span><span class='ectt-0800'>)</span>
<a id='x1-41494r226'></a><span class='ecrm-0500'>226</span><span class='ectt-0800'>{</span>
<a id='x1-41496r227'></a><span class='ecrm-0500'>227</span><span class='ectt-0800'>    </span><span id='textcolor1762'><span class='ectt-0800'>unsigned</span></span><span class='ectt-0800'> </span><span id='textcolor1763'><span class='ectt-0800'>long</span></span><span class='ectt-0800'> cr0 = read_cr0();</span>
<a id='x1-41498r228'></a><span class='ecrm-0500'>228</span><span class='ectt-0800'>    set_bit(16, &amp;cr0);</span>
<a id='x1-41500r229'></a><span class='ecrm-0500'>229</span><span class='ectt-0800'>    __write_cr0(cr0);</span>
<a id='x1-41502r230'></a><span class='ecrm-0500'>230</span><span class='ectt-0800'>}</span>
<a id='x1-41504r231'></a><span class='ecrm-0500'>231</span>
<a id='x1-41506r232'></a><span class='ecrm-0500'>232</span><span id='textcolor1764'><span class='ectt-0800'>static</span></span><span class='ectt-0800'> </span><span id='textcolor1765'><span class='ectt-0800'>void</span></span><span class='ectt-0800'> disable_write_protection(</span><span id='textcolor1766'><span class='ectt-0800'>void</span></span><span class='ectt-0800'>)</span>
<a id='x1-41508r233'></a><span class='ecrm-0500'>233</span><span class='ectt-0800'>{</span>
<a id='x1-41510r234'></a><span class='ecrm-0500'>234</span><span class='ectt-0800'>    </span><span id='textcolor1767'><span class='ectt-0800'>unsigned</span></span><span class='ectt-0800'> </span><span id='textcolor1768'><span class='ectt-0800'>long</span></span><span class='ectt-0800'> cr0 = read_cr0();</span>
<a id='x1-41512r235'></a><span class='ecrm-0500'>235</span><span class='ectt-0800'>    clear_bit(16, &amp;cr0);</span>
<a id='x1-41514r236'></a><span class='ecrm-0500'>236</span><span class='ectt-0800'>    __write_cr0(cr0);</span>
<a id='x1-41516r237'></a><span class='ecrm-0500'>237</span><span class='ectt-0800'>}</span>
<a id='x1-41518r238'></a><span class='ecrm-0500'>238</span><span id='textcolor1769'><span class='ectt-0800'>#endif</span></span>
<a id='x1-41520r239'></a><span class='ecrm-0500'>239</span>
<a id='x1-41522r240'></a><span class='ecrm-0500'>240</span><span id='textcolor1770'><span class='ectt-0800'>static</span></span><span class='ectt-0800'> </span><span id='textcolor1771'><span class='ectt-0800'>int</span></span><span class='ectt-0800'> __init syscall_steal_start(</span><span id='textcolor1772'><span class='ectt-0800'>void</span></span><span class='ectt-0800'>)</span>
<a id='x1-41524r241'></a><span class='ecrm-0500'>241</span><span class='ectt-0800'>{</span>
<a id='x1-41526r242'></a><span class='ecrm-0500'>242</span><span id='textcolor1773'><span class='ectt-0800'>#if USE_KPROBES_PRE_HANDLER_BEFORE_SYSCALL</span></span>
<a id='x1-41528r243'></a><span class='ecrm-0500'>243</span>
<a id='x1-41234r96'></a><span class='ecrm-0500'>96</span>
<a id='x1-41236r97'></a><span class='ecrm-0500'>97</span><span id='textcolor1607'><span class='ectt-0800'>#else</span></span>
<a id='x1-41238r98'></a><span class='ecrm-0500'>98</span>
<a id='x1-41240r99'></a><span class='ecrm-0500'>99</span><span id='textcolor1608'><span class='ectt-0800'>static</span></span><span class='ectt-0800'> </span><span id='textcolor1609'><span class='ectt-0800'>unsigned</span></span><span class='ectt-0800'> </span><span id='textcolor1610'><span class='ectt-0800'>long</span></span><span class='ectt-0800'> **sys_call_table_stolen;</span>
<a id='x1-41242r100'></a><span class='ecrm-0500'>100</span>
<a id='x1-41244r101'></a><span class='ecrm-0500'>101</span><span id='textcolor1611'><span class='ectt-0800'>/* A pointer to the original system call. The reason we keep this, rather</span></span>
<a id='x1-41246r102'></a><span class='ecrm-0500'>102</span><span id='textcolor1612'><span class='ectt-0800'> * than call the original function (sys_openat), is because somebody else</span></span>
<a id='x1-41248r103'></a><span class='ecrm-0500'>103</span><span id='textcolor1613'><span class='ectt-0800'> * might have replaced the system call before us. Note that this is not</span></span>
<a id='x1-41250r104'></a><span class='ecrm-0500'>104</span><span id='textcolor1614'><span class='ectt-0800'> * 100% safe, because if another module replaced sys_openat before us,</span></span>
<a id='x1-41252r105'></a><span class='ecrm-0500'>105</span><span id='textcolor1615'><span class='ectt-0800'> * then when we are inserted, we will call the function in that module -</span></span>
<a id='x1-41254r106'></a><span class='ecrm-0500'>106</span><span id='textcolor1616'><span class='ectt-0800'> * and it might be removed before we are.</span></span>
<a id='x1-41256r107'></a><span class='ecrm-0500'>107</span><span id='textcolor1617'><span class='ectt-0800'> *</span></span>
<a id='x1-41258r108'></a><span class='ecrm-0500'>108</span><span id='textcolor1618'><span class='ectt-0800'> * Another reason for this is that we can not get sys_openat.</span></span>
<a id='x1-41260r109'></a><span class='ecrm-0500'>109</span><span id='textcolor1619'><span class='ectt-0800'> * It is a static variable, so it is not exported.</span></span>
<a id='x1-41262r110'></a><span class='ecrm-0500'>110</span><span id='textcolor1620'><span class='ectt-0800'> */</span></span>
<a id='x1-41264r111'></a><span class='ecrm-0500'>111</span><span id='textcolor1621'><span class='ectt-0800'>#ifdef CONFIG_ARCH_HAS_SYSCALL_WRAPPER</span></span>
<a id='x1-41266r112'></a><span class='ecrm-0500'>112</span><span id='textcolor1622'><span class='ectt-0800'>static</span></span><span class='ectt-0800'> asmlinkage long (*original_call)(</span><span id='textcolor1623'><span class='ectt-0800'>const</span></span><span class='ectt-0800'> </span><span id='textcolor1624'><span class='ectt-0800'>struct</span></span><span class='ectt-0800'> pt_regs *);</span>
<a id='x1-41268r113'></a><span class='ecrm-0500'>113</span><span id='textcolor1625'><span class='ectt-0800'>#else</span></span>
<a id='x1-41270r114'></a><span class='ecrm-0500'>114</span><span id='textcolor1626'><span class='ectt-0800'>static</span></span><span class='ectt-0800'> asmlinkage long (*original_call)(</span><span id='textcolor1627'><span class='ectt-0800'>int</span></span><span class='ectt-0800'></span><span id='textcolor1628'><span class='ectt-0800'>const</span></span><span class='ectt-0800'> </span><span id='textcolor1629'><span class='ectt-0800'>char</span></span><span class='ectt-0800'> __user *, </span><span id='textcolor1630'><span class='ectt-0800'>int</span></span><span class='ectt-0800'>, umode_t);</span>
<a id='x1-41272r115'></a><span class='ecrm-0500'>115</span><span id='textcolor1631'><span class='ectt-0800'>#endif</span></span>
<a id='x1-41274r116'></a><span class='ecrm-0500'>116</span>
<a id='x1-41276r117'></a><span class='ecrm-0500'>117</span><span id='textcolor1632'><span class='ectt-0800'>/* The function we will replace sys_openat (the function called when you</span></span>
<a id='x1-41278r118'></a><span class='ecrm-0500'>118</span><span id='textcolor1633'><span class='ectt-0800'> * call the open system call) with. To find the exact prototype, with</span></span>
<a id='x1-41280r119'></a><span class='ecrm-0500'>119</span><span id='textcolor1634'><span class='ectt-0800'> * the number and type of arguments, we find the original function first</span></span>
<a id='x1-41282r120'></a><span class='ecrm-0500'>120</span><span id='textcolor1635'><span class='ectt-0800'> * (it is at fs/open.c).</span></span>
<a id='x1-41284r121'></a><span class='ecrm-0500'>121</span><span id='textcolor1636'><span class='ectt-0800'> *</span></span>
<a id='x1-41286r122'></a><span class='ecrm-0500'>122</span><span id='textcolor1637'><span class='ectt-0800'> * In theory, this means that we are tied to the current version of the</span></span>
<a id='x1-41288r123'></a><span class='ecrm-0500'>123</span><span id='textcolor1638'><span class='ectt-0800'> * kernel. In practice, the system calls almost never change (it would</span></span>
<a id='x1-41290r124'></a><span class='ecrm-0500'>124</span><span id='textcolor1639'><span class='ectt-0800'> * wreck havoc and require programs to be recompiled, since the system</span></span>
<a id='x1-41292r125'></a><span class='ecrm-0500'>125</span><span id='textcolor1640'><span class='ectt-0800'> * calls are the interface between the kernel and the processes).</span></span>
<a id='x1-41294r126'></a><span class='ecrm-0500'>126</span><span id='textcolor1641'><span class='ectt-0800'> */</span></span>
<a id='x1-41296r127'></a><span class='ecrm-0500'>127</span><span id='textcolor1642'><span class='ectt-0800'>#ifdef CONFIG_ARCH_HAS_SYSCALL_WRAPPER</span></span>
<a id='x1-41298r128'></a><span class='ecrm-0500'>128</span><span id='textcolor1643'><span class='ectt-0800'>static</span></span><span class='ectt-0800'> asmlinkage </span><span id='textcolor1644'><span class='ectt-0800'>long</span></span><span class='ectt-0800'> our_sys_openat(</span><span id='textcolor1645'><span class='ectt-0800'>const</span></span><span class='ectt-0800'> </span><span id='textcolor1646'><span class='ectt-0800'>struct</span></span><span class='ectt-0800'> pt_regs *regs)</span>
<a id='x1-41300r129'></a><span class='ecrm-0500'>129</span><span id='textcolor1647'><span class='ectt-0800'>#else</span></span>
<a id='x1-41302r130'></a><span class='ecrm-0500'>130</span><span id='textcolor1648'><span class='ectt-0800'>static</span></span><span class='ectt-0800'> asmlinkage </span><span id='textcolor1649'><span class='ectt-0800'>long</span></span><span class='ectt-0800'> our_sys_openat(</span><span id='textcolor1650'><span class='ectt-0800'>int</span></span><span class='ectt-0800'> dfd, </span><span id='textcolor1651'><span class='ectt-0800'>const</span></span><span class='ectt-0800'> </span><span id='textcolor1652'><span class='ectt-0800'>char</span></span><span class='ectt-0800'> __user *filename,</span>
<a id='x1-41304r131'></a><span class='ecrm-0500'>131</span><span class='ectt-0800'>                                      </span><span id='textcolor1653'><span class='ectt-0800'>int</span></span><span class='ectt-0800'> flags, umode_t mode)</span>
<a id='x1-41306r132'></a><span class='ecrm-0500'>132</span><span id='textcolor1654'><span class='ectt-0800'>#endif</span></span>
<a id='x1-41308r133'></a><span class='ecrm-0500'>133</span><span class='ectt-0800'>{</span>
<a id='x1-41310r134'></a><span class='ecrm-0500'>134</span><span class='ectt-0800'>    </span><span id='textcolor1655'><span class='ectt-0800'>int</span></span><span class='ectt-0800'> i = 0;</span>
<a id='x1-41312r135'></a><span class='ecrm-0500'>135</span><span class='ectt-0800'>    </span><span id='textcolor1656'><span class='ectt-0800'>char</span></span><span class='ectt-0800'> ch;</span>
<a id='x1-41314r136'></a><span class='ecrm-0500'>136</span>
<a id='x1-41316r137'></a><span class='ecrm-0500'>137</span><span class='ectt-0800'>    </span><span id='textcolor1657'><span class='ectt-0800'>if</span></span><span class='ectt-0800'> (__kuid_val(current_uid()) != uid)</span>
<a id='x1-41318r138'></a><span class='ecrm-0500'>138</span><span class='ectt-0800'>        </span><span id='textcolor1658'><span class='ectt-0800'>goto</span></span><span class='ectt-0800'> orig_call;</span>
<a id='x1-41320r139'></a><span class='ecrm-0500'>139</span>
<a id='x1-41322r140'></a><span class='ecrm-0500'>140</span><span class='ectt-0800'>    </span><span id='textcolor1659'><span class='ectt-0800'>/* Report the file, if relevant */</span></span>
<a id='x1-41324r141'></a><span class='ecrm-0500'>141</span><span class='ectt-0800'>    pr_info(</span><span id='textcolor1660'><span class='ectt-0800'>"Opened file by %d: "</span></span><span class='ectt-0800'>, uid);</span>
<a id='x1-41326r142'></a><span class='ecrm-0500'>142</span><span class='ectt-0800'>    </span><span id='textcolor1661'><span class='ectt-0800'>do</span></span><span class='ectt-0800'> {</span>
<a id='x1-41328r143'></a><span class='ecrm-0500'>143</span><span id='textcolor1662'><span class='ectt-0800'>#ifdef CONFIG_ARCH_HAS_SYSCALL_WRAPPER</span></span>
<a id='x1-41330r144'></a><span class='ecrm-0500'>144</span><span class='ectt-0800'>        get_user(ch, (</span><span id='textcolor1663'><span class='ectt-0800'>char</span></span><span class='ectt-0800'> __user *)regs-&gt;si + i);</span>
<a id='x1-41332r145'></a><span class='ecrm-0500'>145</span><span id='textcolor1664'><span class='ectt-0800'>#else</span></span>
<a id='x1-41334r146'></a><span class='ecrm-0500'>146</span><span class='ectt-0800'>        get_user(ch, (</span><span id='textcolor1665'><span class='ectt-0800'>char</span></span><span class='ectt-0800'> __user *)filename + i);</span>
<a id='x1-41336r147'></a><span class='ecrm-0500'>147</span><span id='textcolor1666'><span class='ectt-0800'>#endif</span></span>
<a id='x1-41338r148'></a><span class='ecrm-0500'>148</span><span class='ectt-0800'>        i++;</span>
<a id='x1-41340r149'></a><span class='ecrm-0500'>149</span><span class='ectt-0800'>        pr_info(</span><span id='textcolor1667'><span class='ectt-0800'>"%c"</span></span><span class='ectt-0800'>, ch);</span>
<a id='x1-41342r150'></a><span class='ecrm-0500'>150</span><span class='ectt-0800'>    </span><span id='textcolor1668'><span class='ectt-0800'>while</span></span><span class='ectt-0800'> (ch != 0);</span>
<a id='x1-41344r151'></a><span class='ecrm-0500'>151</span><span class='ectt-0800'>    pr_info(</span><span id='textcolor1669'><span class='ectt-0800'>"</span></span><span id='textcolor1670'><span class='ectt-0800'>\n</span></span><span id='textcolor1671'><span class='ectt-0800'>"</span></span><span class='ectt-0800'>);</span>
<a id='x1-41346r152'></a><span class='ecrm-0500'>152</span>
<a id='x1-41348r153'></a><span class='ecrm-0500'>153</span><span class='ectt-0800'>orig_call:</span>
<a id='x1-41350r154'></a><span class='ecrm-0500'>154</span><span class='ectt-0800'>    </span><span id='textcolor1672'><span class='ectt-0800'>/* Call the original sys_openat - otherwise, we lose the ability to</span></span>
<a id='x1-41352r155'></a><span class='ecrm-0500'>155</span><span id='textcolor1673'><span class='ectt-0800'>     * open files.</span></span>
<a id='x1-41354r156'></a><span class='ecrm-0500'>156</span><span id='textcolor1674'><span class='ectt-0800'>     */</span></span>
<a id='x1-41356r157'></a><span class='ecrm-0500'>157</span><span id='textcolor1675'><span class='ectt-0800'>#ifdef CONFIG_ARCH_HAS_SYSCALL_WRAPPER</span></span>
<a id='x1-41358r158'></a><span class='ecrm-0500'>158</span><span class='ectt-0800'>    </span><span id='textcolor1676'><span class='ectt-0800'>return</span></span><span class='ectt-0800'> original_call(regs);</span>
<a id='x1-41360r159'></a><span class='ecrm-0500'>159</span><span id='textcolor1677'><span class='ectt-0800'>#else</span></span>
<a id='x1-41362r160'></a><span class='ecrm-0500'>160</span><span class='ectt-0800'>    </span><span id='textcolor1678'><span class='ectt-0800'>return</span></span><span class='ectt-0800'> original_call(dfd, filename, flags, mode);</span>
<a id='x1-41364r161'></a><span class='ecrm-0500'>161</span><span id='textcolor1679'><span class='ectt-0800'>#endif</span></span>
<a id='x1-41366r162'></a><span class='ecrm-0500'>162</span><span class='ectt-0800'>}</span>
<a id='x1-41368r163'></a><span class='ecrm-0500'>163</span>
<a id='x1-41370r164'></a><span class='ecrm-0500'>164</span><span id='textcolor1680'><span class='ectt-0800'>static</span></span><span class='ectt-0800'> </span><span id='textcolor1681'><span class='ectt-0800'>unsigned</span></span><span class='ectt-0800'> </span><span id='textcolor1682'><span class='ectt-0800'>long</span></span><span class='ectt-0800'> **acquire_sys_call_table(</span><span id='textcolor1683'><span class='ectt-0800'>void</span></span><span class='ectt-0800'>)</span>
<a id='x1-41372r165'></a><span class='ecrm-0500'>165</span><span class='ectt-0800'>{</span>
<a id='x1-41374r166'></a><span class='ecrm-0500'>166</span><span id='textcolor1684'><span class='ectt-0800'>#ifdef HAVE_KSYS_CLOSE</span></span>
<a id='x1-41376r167'></a><span class='ecrm-0500'>167</span><span class='ectt-0800'>    </span><span id='textcolor1685'><span class='ectt-0800'>unsigned</span></span><span class='ectt-0800'> </span><span id='textcolor1686'><span class='ectt-0800'>long</span></span><span class='ectt-0800'> </span><span id='textcolor1687'><span class='ectt-0800'>int</span></span><span class='ectt-0800'> offset = PAGE_OFFSET;</span>
<a id='x1-41378r168'></a><span class='ecrm-0500'>168</span><span class='ectt-0800'>    </span><span id='textcolor1688'><span class='ectt-0800'>unsigned</span></span><span class='ectt-0800'> </span><span id='textcolor1689'><span class='ectt-0800'>long</span></span><span class='ectt-0800'> **sct;</span>
<a id='x1-41380r169'></a><span class='ecrm-0500'>169</span>
<a id='x1-41382r170'></a><span class='ecrm-0500'>170</span><span class='ectt-0800'>    </span><span id='textcolor1690'><span class='ectt-0800'>while</span></span><span class='ectt-0800'> (offset &lt; ULLONG_MAX) {</span>
<a id='x1-41384r171'></a><span class='ecrm-0500'>171</span><span class='ectt-0800'>        sct = (</span><span id='textcolor1691'><span class='ectt-0800'>unsigned</span></span><span class='ectt-0800'> </span><span id='textcolor1692'><span class='ectt-0800'>long</span></span><span class='ectt-0800'> **)offset;</span>
<a id='x1-41386r172'></a><span class='ecrm-0500'>172</span>
<a id='x1-41388r173'></a><span class='ecrm-0500'>173</span><span class='ectt-0800'>        </span><span id='textcolor1693'><span class='ectt-0800'>if</span></span><span class='ectt-0800'> (sct[__NR_close] == (</span><span id='textcolor1694'><span class='ectt-0800'>unsigned</span></span><span class='ectt-0800'> </span><span id='textcolor1695'><span class='ectt-0800'>long</span></span><span class='ectt-0800'> *)ksys_close)</span>
<a id='x1-41390r174'></a><span class='ecrm-0500'>174</span><span class='ectt-0800'>            </span><span id='textcolor1696'><span class='ectt-0800'>return</span></span><span class='ectt-0800'> sct;</span>
<a id='x1-41392r175'></a><span class='ecrm-0500'>175</span>
<a id='x1-41394r176'></a><span class='ecrm-0500'>176</span><span class='ectt-0800'>        offset += </span><span id='textcolor1697'><span class='ectt-0800'>sizeof</span></span><span class='ectt-0800'>(</span><span id='textcolor1698'><span class='ectt-0800'>void</span></span><span class='ectt-0800'> *);</span>
<a id='x1-41396r177'></a><span class='ecrm-0500'>177</span><span class='ectt-0800'>    }</span>
<a id='x1-41398r178'></a><span class='ecrm-0500'>178</span>
<a id='x1-41400r179'></a><span class='ecrm-0500'>179</span><span class='ectt-0800'>    </span><span id='textcolor1699'><span class='ectt-0800'>return</span></span><span class='ectt-0800'> NULL;</span>
<a id='x1-41402r180'></a><span class='ecrm-0500'>180</span><span id='textcolor1700'><span class='ectt-0800'>#endif</span></span>
<a id='x1-41404r181'></a><span class='ecrm-0500'>181</span>
<a id='x1-41406r182'></a><span class='ecrm-0500'>182</span><span id='textcolor1701'><span class='ectt-0800'>#ifdef HAVE_PARAM</span></span>
<a id='x1-41408r183'></a><span class='ecrm-0500'>183</span><span class='ectt-0800'>    </span><span id='textcolor1702'><span class='ectt-0800'>const</span></span><span class='ectt-0800'> </span><span id='textcolor1703'><span class='ectt-0800'>char</span></span><span class='ectt-0800'> sct_name[15] = </span><span id='textcolor1704'><span class='ectt-0800'>"sys_call_table"</span></span><span class='ectt-0800'>;</span>
<a id='x1-41410r184'></a><span class='ecrm-0500'>184</span><span class='ectt-0800'>    </span><span id='textcolor1705'><span class='ectt-0800'>char</span></span><span class='ectt-0800'> symbol[40] = { 0 };</span>
<a id='x1-41412r185'></a><span class='ecrm-0500'>185</span>
<a id='x1-41414r186'></a><span class='ecrm-0500'>186</span><span class='ectt-0800'>    </span><span id='textcolor1706'><span class='ectt-0800'>if</span></span><span class='ectt-0800'> (sym == 0) {</span>
<a id='x1-41416r187'></a><span class='ecrm-0500'>187</span><span class='ectt-0800'>        pr_alert(</span><span id='textcolor1707'><span class='ectt-0800'>"For Linux v5.7+, Kprobes is the preferable way to get "</span></span>
<a id='x1-41418r188'></a><span class='ecrm-0500'>188</span><span class='ectt-0800'>                 </span><span id='textcolor1708'><span class='ectt-0800'>"symbol.</span></span><span id='textcolor1709'><span class='ectt-0800'>\n</span></span><span id='textcolor1710'><span class='ectt-0800'>"</span></span><span class='ectt-0800'>);</span>
<a id='x1-41420r189'></a><span class='ecrm-0500'>189</span><span class='ectt-0800'>        pr_info(</span><span id='textcolor1711'><span class='ectt-0800'>"If Kprobes is absent, you have to specify the address of "</span></span>
<a id='x1-41422r190'></a><span class='ecrm-0500'>190</span><span class='ectt-0800'>                </span><span id='textcolor1712'><span class='ectt-0800'>"sys_call_table symbol</span></span><span id='textcolor1713'><span class='ectt-0800'>\n</span></span><span id='textcolor1714'><span class='ectt-0800'>"</span></span><span class='ectt-0800'>);</span>
<a id='x1-41424r191'></a><span class='ecrm-0500'>191</span><span class='ectt-0800'>        pr_info(</span><span id='textcolor1715'><span class='ectt-0800'>"by /boot/System.map or /proc/kallsyms, which contains all the "</span></span>
<a id='x1-41426r192'></a><span class='ecrm-0500'>192</span><span class='ectt-0800'>                </span><span id='textcolor1716'><span class='ectt-0800'>"symbol addresses, into sym parameter.</span></span><span id='textcolor1717'><span class='ectt-0800'>\n</span></span><span id='textcolor1718'><span class='ectt-0800'>"</span></span><span class='ectt-0800'>);</span>
<a id='x1-41428r193'></a><span class='ecrm-0500'>193</span><span class='ectt-0800'>        </span><span id='textcolor1719'><span class='ectt-0800'>return</span></span><span class='ectt-0800'> NULL;</span>
<a id='x1-41430r194'></a><span class='ecrm-0500'>194</span><span class='ectt-0800'>    }</span>
<a id='x1-41432r195'></a><span class='ecrm-0500'>195</span><span class='ectt-0800'>    sprint_symbol(symbol, sym);</span>
<a id='x1-41434r196'></a><span class='ecrm-0500'>196</span><span class='ectt-0800'>    </span><span id='textcolor1720'><span class='ectt-0800'>if</span></span><span class='ectt-0800'> (!strncmp(sct_name, symbol, </span><span id='textcolor1721'><span class='ectt-0800'>sizeof</span></span><span class='ectt-0800'>(sct_name) - 1))</span>
<a id='x1-41436r197'></a><span class='ecrm-0500'>197</span><span class='ectt-0800'>        </span><span id='textcolor1722'><span class='ectt-0800'>return</span></span><span class='ectt-0800'> (</span><span id='textcolor1723'><span class='ectt-0800'>unsigned</span></span><span class='ectt-0800'> </span><span id='textcolor1724'><span class='ectt-0800'>long</span></span><span class='ectt-0800'> **)sym;</span>
<a id='x1-41438r198'></a><span class='ecrm-0500'>198</span>
<a id='x1-41440r199'></a><span class='ecrm-0500'>199</span><span class='ectt-0800'>    </span><span id='textcolor1725'><span class='ectt-0800'>return</span></span><span class='ectt-0800'> NULL;</span>
<a id='x1-41442r200'></a><span class='ecrm-0500'>200</span><span id='textcolor1726'><span class='ectt-0800'>#endif</span></span>
<a id='x1-41444r201'></a><span class='ecrm-0500'>201</span>
<a id='x1-41446r202'></a><span class='ecrm-0500'>202</span><span id='textcolor1727'><span class='ectt-0800'>#ifdef HAVE_KPROBES</span></span>
<a id='x1-41448r203'></a><span class='ecrm-0500'>203</span><span class='ectt-0800'>    </span><span id='textcolor1728'><span class='ectt-0800'>unsigned</span></span><span class='ectt-0800'> </span><span id='textcolor1729'><span class='ectt-0800'>long</span></span><span class='ectt-0800'> (*kallsyms_lookup_name)(</span><span id='textcolor1730'><span class='ectt-0800'>const</span></span><span class='ectt-0800'> </span><span id='textcolor1731'><span class='ectt-0800'>char</span></span><span class='ectt-0800'> *name);</span>
<a id='x1-41450r204'></a><span class='ecrm-0500'>204</span><span class='ectt-0800'>    </span><span id='textcolor1732'><span class='ectt-0800'>struct</span></span><span class='ectt-0800'> kprobe kp = {</span>
<a id='x1-41452r205'></a><span class='ecrm-0500'>205</span><span class='ectt-0800'>        .symbol_name = </span><span id='textcolor1733'><span class='ectt-0800'>"kallsyms_lookup_name"</span></span><span class='ectt-0800'>,</span>
<a id='x1-41454r206'></a><span class='ecrm-0500'>206</span><span class='ectt-0800'>    };</span>
<a id='x1-41456r207'></a><span class='ecrm-0500'>207</span>
<a id='x1-41458r208'></a><span class='ecrm-0500'>208</span><span class='ectt-0800'>    </span><span id='textcolor1734'><span class='ectt-0800'>if</span></span><span class='ectt-0800'> (register_kprobe(&amp;kp) &lt; 0)</span>
<a id='x1-41460r209'></a><span class='ecrm-0500'>209</span><span class='ectt-0800'>        </span><span id='textcolor1735'><span class='ectt-0800'>return</span></span><span class='ectt-0800'> NULL;</span>
<a id='x1-41462r210'></a><span class='ecrm-0500'>210</span><span class='ectt-0800'>    kallsyms_lookup_name = (</span><span id='textcolor1736'><span class='ectt-0800'>unsigned</span></span><span class='ectt-0800'> </span><span id='textcolor1737'><span class='ectt-0800'>long</span></span><span class='ectt-0800'> (*)(</span><span id='textcolor1738'><span class='ectt-0800'>const</span></span><span class='ectt-0800'> </span><span id='textcolor1739'><span class='ectt-0800'>char</span></span><span class='ectt-0800'> *name))kp.addr;</span>
<a id='x1-41464r211'></a><span class='ecrm-0500'>211</span><span class='ectt-0800'>    unregister_kprobe(&amp;kp);</span>
<a id='x1-41466r212'></a><span class='ecrm-0500'>212</span><span id='textcolor1740'><span class='ectt-0800'>#endif</span></span>
<a id='x1-41468r213'></a><span class='ecrm-0500'>213</span>
<a id='x1-41470r214'></a><span class='ecrm-0500'>214</span><span class='ectt-0800'>    </span><span id='textcolor1741'><span class='ectt-0800'>return</span></span><span class='ectt-0800'> (</span><span id='textcolor1742'><span class='ectt-0800'>unsigned</span></span><span class='ectt-0800'> </span><span id='textcolor1743'><span class='ectt-0800'>long</span></span><span class='ectt-0800'> **)kallsyms_lookup_name(</span><span id='textcolor1744'><span class='ectt-0800'>"sys_call_table"</span></span><span class='ectt-0800'>);</span>
<a id='x1-41472r215'></a><span class='ecrm-0500'>215</span><span class='ectt-0800'>}</span>
<a id='x1-41474r216'></a><span class='ecrm-0500'>216</span>
<a id='x1-41476r217'></a><span class='ecrm-0500'>217</span><span id='textcolor1745'><span class='ectt-0800'>#if LINUX_VERSION_CODE &gt;= KERNEL_VERSION(5, 3, 0)</span></span>
<a id='x1-41478r218'></a><span class='ecrm-0500'>218</span><span id='textcolor1746'><span class='ectt-0800'>static</span></span><span class='ectt-0800'> </span><span id='textcolor1747'><span class='ectt-0800'>inline</span></span><span class='ectt-0800'> </span><span id='textcolor1748'><span class='ectt-0800'>void</span></span><span class='ectt-0800'> __write_cr0(</span><span id='textcolor1749'><span class='ectt-0800'>unsigned</span></span><span class='ectt-0800'> </span><span id='textcolor1750'><span class='ectt-0800'>long</span></span><span class='ectt-0800'> cr0)</span>
<a id='x1-41480r219'></a><span class='ecrm-0500'>219</span><span class='ectt-0800'>{</span>
<a id='x1-41482r220'></a><span class='ecrm-0500'>220</span><span class='ectt-0800'>    </span><span id='textcolor1751'><span class='ectt-0800'>asm</span></span><span class='ectt-0800'> </span><span id='textcolor1752'><span class='ectt-0800'>volatile</span></span><span class='ectt-0800'>(</span><span id='textcolor1753'><span class='ectt-0800'>"mov %0,%%cr0"</span></span><span class='ectt-0800'> : </span><span id='textcolor1754'><span class='ectt-0800'>"+r"</span></span><span class='ectt-0800'>(cr0) : : </span><span id='textcolor1755'><span class='ectt-0800'>"memory"</span></span><span class='ectt-0800'>);</span>
<a id='x1-41484r221'></a><span class='ecrm-0500'>221</span><span class='ectt-0800'>}</span>
<a id='x1-41486r222'></a><span class='ecrm-0500'>222</span><span id='textcolor1756'><span class='ectt-0800'>#else</span></span>
<a id='x1-41488r223'></a><span class='ecrm-0500'>223</span><span id='textcolor1757'><span class='ectt-0800'>#define __write_cr0 write_cr0</span></span>
<a id='x1-41490r224'></a><span class='ecrm-0500'>224</span><span id='textcolor1758'><span class='ectt-0800'>#endif</span></span>
<a id='x1-41492r225'></a><span class='ecrm-0500'>225</span>
<a id='x1-41494r226'></a><span class='ecrm-0500'>226</span><span id='textcolor1759'><span class='ectt-0800'>static</span></span><span class='ectt-0800'> </span><span id='textcolor1760'><span class='ectt-0800'>void</span></span><span class='ectt-0800'> enable_write_protection(</span><span id='textcolor1761'><span class='ectt-0800'>void</span></span><span class='ectt-0800'>)</span>
<a id='x1-41496r227'></a><span class='ecrm-0500'>227</span><span class='ectt-0800'>{</span>
<a id='x1-41498r228'></a><span class='ecrm-0500'>228</span><span class='ectt-0800'>    </span><span id='textcolor1762'><span class='ectt-0800'>unsigned</span></span><span class='ectt-0800'> </span><span id='textcolor1763'><span class='ectt-0800'>long</span></span><span class='ectt-0800'> cr0 = read_cr0();</span>
<a id='x1-41500r229'></a><span class='ecrm-0500'>229</span><span class='ectt-0800'>    set_bit(16, &amp;cr0);</span>
<a id='x1-41502r230'></a><span class='ecrm-0500'>230</span><span class='ectt-0800'>    __write_cr0(cr0);</span>
<a id='x1-41504r231'></a><span class='ecrm-0500'>231</span><span class='ectt-0800'>}</span>
<a id='x1-41506r232'></a><span class='ecrm-0500'>232</span>
<a id='x1-41508r233'></a><span class='ecrm-0500'>233</span><span id='textcolor1764'><span class='ectt-0800'>static</span></span><span class='ectt-0800'> </span><span id='textcolor1765'><span class='ectt-0800'>void</span></span><span class='ectt-0800'> disable_write_protection(</span><span id='textcolor1766'><span class='ectt-0800'>void</span></span><span class='ectt-0800'>)</span>
<a id='x1-41510r234'></a><span class='ecrm-0500'>234</span><span class='ectt-0800'>{</span>
<a id='x1-41512r235'></a><span class='ecrm-0500'>235</span><span class='ectt-0800'>    </span><span id='textcolor1767'><span class='ectt-0800'>unsigned</span></span><span class='ectt-0800'> </span><span id='textcolor1768'><span class='ectt-0800'>long</span></span><span class='ectt-0800'> cr0 = read_cr0();</span>
<a id='x1-41514r236'></a><span class='ecrm-0500'>236</span><span class='ectt-0800'>    clear_bit(16, &amp;cr0);</span>
<a id='x1-41516r237'></a><span class='ecrm-0500'>237</span><span class='ectt-0800'>    __write_cr0(cr0);</span>
<a id='x1-41518r238'></a><span class='ecrm-0500'>238</span><span class='ectt-0800'>}</span>
<a id='x1-41520r239'></a><span class='ecrm-0500'>239</span><span id='textcolor1769'><span class='ectt-0800'>#endif</span></span>
<a id='x1-41522r240'></a><span class='ecrm-0500'>240</span>
<a id='x1-41524r241'></a><span class='ecrm-0500'>241</span><span id='textcolor1770'><span class='ectt-0800'>static</span></span><span class='ectt-0800'> </span><span id='textcolor1771'><span class='ectt-0800'>int</span></span><span class='ectt-0800'> __init syscall_steal_start(</span><span id='textcolor1772'><span class='ectt-0800'>void</span></span><span class='ectt-0800'>)</span>
<a id='x1-41526r242'></a><span class='ecrm-0500'>242</span><span class='ectt-0800'>{</span>
<a id='x1-41528r243'></a><span class='ecrm-0500'>243</span><span id='textcolor1773'><span class='ectt-0800'>#if USE_KPROBES_PRE_HANDLER_BEFORE_SYSCALL</span></span>
<a id='x1-41530r244'></a><span class='ecrm-0500'>244</span><span class='ectt-0800'>    </span><span id='textcolor1774'><span class='ectt-0800'>int</span></span><span class='ectt-0800'> err;</span>
<a id='x1-41532r245'></a><span class='ecrm-0500'>245</span><span class='ectt-0800'>    </span><span id='textcolor1775'><span class='ectt-0800'>/* use symbol name from the module parameter */</span></span>
<a id='x1-41534r246'></a><span class='ecrm-0500'>246</span><span class='ectt-0800'>    syscall_kprobe.symbol_name = syscall_sym;</span>
@ -3773,55 +3773,53 @@ dry run of this example, you will have to patch your current kernel in order to
<a id='x1-41542r250'></a><span class='ecrm-0500'>250</span><span class='ectt-0800'>        pr_err(</span><span id='textcolor1780'><span class='ectt-0800'>"Please check the symbol name from </span><span class='tctt-0800'>'</span><span class='ectt-0800'>syscall_sym</span><span class='tctt-0800'>'</span><span class='ectt-0800'> parameter.</span></span><span id='textcolor1781'><span class='ectt-0800'>\n</span></span><span id='textcolor1782'><span class='ectt-0800'>"</span></span><span class='ectt-0800'>);</span>
<a id='x1-41544r251'></a><span class='ecrm-0500'>251</span><span class='ectt-0800'>        </span><span id='textcolor1783'><span class='ectt-0800'>return</span></span><span class='ectt-0800'> err;</span>
<a id='x1-41546r252'></a><span class='ecrm-0500'>252</span><span class='ectt-0800'>    }</span>
<a id='x1-41548r253'></a><span class='ecrm-0500'>253</span>
<a id='x1-41550r254'></a><span class='ecrm-0500'>254</span><span id='textcolor1784'><span class='ectt-0800'>#else</span></span>
<a id='x1-41552r255'></a><span class='ecrm-0500'>255</span><span class='ectt-0800'>    </span><span id='textcolor1785'><span class='ectt-0800'>if</span></span><span class='ectt-0800'> (!(sys_call_table_stolen = acquire_sys_call_table()))</span>
<a id='x1-41554r256'></a><span class='ecrm-0500'>256</span><span class='ectt-0800'>        </span><span id='textcolor1786'><span class='ectt-0800'>return</span></span><span class='ectt-0800'> -1;</span>
<a id='x1-41556r257'></a><span class='ecrm-0500'>257</span>
<a id='x1-41558r258'></a><span class='ecrm-0500'>258</span><span class='ectt-0800'>    disable_write_protection();</span>
<a id='x1-41560r259'></a><span class='ecrm-0500'>259</span>
<a id='x1-41562r260'></a><span class='ecrm-0500'>260</span><span class='ectt-0800'>    </span><span id='textcolor1787'><span class='ectt-0800'>/* keep track of the original open function */</span></span>
<a id='x1-41564r261'></a><span class='ecrm-0500'>261</span><span class='ectt-0800'>    original_call = (</span><span id='textcolor1788'><span class='ectt-0800'>void</span></span><span class='ectt-0800'> *)sys_call_table_stolen[__NR_openat];</span>
<a id='x1-41566r262'></a><span class='ecrm-0500'>262</span>
<a id='x1-41568r263'></a><span class='ecrm-0500'>263</span><span class='ectt-0800'>    </span><span id='textcolor1789'><span class='ectt-0800'>/* use our openat function instead */</span></span>
<a id='x1-41570r264'></a><span class='ecrm-0500'>264</span><span class='ectt-0800'>    sys_call_table_stolen[__NR_openat] = (</span><span id='textcolor1790'><span class='ectt-0800'>unsigned</span></span><span class='ectt-0800'> </span><span id='textcolor1791'><span class='ectt-0800'>long</span></span><span class='ectt-0800'> *)our_sys_openat;</span>
<a id='x1-41572r265'></a><span class='ecrm-0500'>265</span>
<a id='x1-41574r266'></a><span class='ecrm-0500'>266</span><span class='ectt-0800'>    enable_write_protection();</span>
<a id='x1-41548r253'></a><span class='ecrm-0500'>253</span><span id='textcolor1784'><span class='ectt-0800'>#else</span></span>
<a id='x1-41550r254'></a><span class='ecrm-0500'>254</span><span class='ectt-0800'>    </span><span id='textcolor1785'><span class='ectt-0800'>if</span></span><span class='ectt-0800'> (!(sys_call_table_stolen = acquire_sys_call_table()))</span>
<a id='x1-41552r255'></a><span class='ecrm-0500'>255</span><span class='ectt-0800'>        </span><span id='textcolor1786'><span class='ectt-0800'>return</span></span><span class='ectt-0800'> -1;</span>
<a id='x1-41554r256'></a><span class='ecrm-0500'>256</span>
<a id='x1-41556r257'></a><span class='ecrm-0500'>257</span><span class='ectt-0800'>    disable_write_protection();</span>
<a id='x1-41558r258'></a><span class='ecrm-0500'>258</span>
<a id='x1-41560r259'></a><span class='ecrm-0500'>259</span><span class='ectt-0800'>    </span><span id='textcolor1787'><span class='ectt-0800'>/* keep track of the original open function */</span></span>
<a id='x1-41562r260'></a><span class='ecrm-0500'>260</span><span class='ectt-0800'>    original_call = (</span><span id='textcolor1788'><span class='ectt-0800'>void</span></span><span class='ectt-0800'> *)sys_call_table_stolen[__NR_openat];</span>
<a id='x1-41564r261'></a><span class='ecrm-0500'>261</span>
<a id='x1-41566r262'></a><span class='ecrm-0500'>262</span><span class='ectt-0800'>    </span><span id='textcolor1789'><span class='ectt-0800'>/* use our openat function instead */</span></span>
<a id='x1-41568r263'></a><span class='ecrm-0500'>263</span><span class='ectt-0800'>    sys_call_table_stolen[__NR_openat] = (</span><span id='textcolor1790'><span class='ectt-0800'>unsigned</span></span><span class='ectt-0800'> </span><span id='textcolor1791'><span class='ectt-0800'>long</span></span><span class='ectt-0800'> *)our_sys_openat;</span>
<a id='x1-41570r264'></a><span class='ecrm-0500'>264</span>
<a id='x1-41572r265'></a><span class='ecrm-0500'>265</span><span class='ectt-0800'>    enable_write_protection();</span>
<a id='x1-41574r266'></a><span class='ecrm-0500'>266</span><span id='textcolor1792'><span class='ectt-0800'>#endif</span></span>
<a id='x1-41576r267'></a><span class='ecrm-0500'>267</span>
<a id='x1-41578r268'></a><span class='ecrm-0500'>268</span><span id='textcolor1792'><span class='ectt-0800'>#endif</span></span>
<a id='x1-41580r269'></a><span class='ecrm-0500'>269</span>
<a id='x1-41582r270'></a><span class='ecrm-0500'>270</span><span class='ectt-0800'>    pr_info(</span><span id='textcolor1793'><span class='ectt-0800'>"Spying on UID:%d</span></span><span id='textcolor1794'><span class='ectt-0800'>\n</span></span><span id='textcolor1795'><span class='ectt-0800'>"</span></span><span class='ectt-0800'>, uid);</span>
<a id='x1-41584r271'></a><span class='ecrm-0500'>271</span><span class='ectt-0800'>    </span><span id='textcolor1796'><span class='ectt-0800'>return</span></span><span class='ectt-0800'> 0;</span>
<a id='x1-41586r272'></a><span class='ecrm-0500'>272</span><span class='ectt-0800'>}</span>
<a id='x1-41588r273'></a><span class='ecrm-0500'>273</span>
<a id='x1-41590r274'></a><span class='ecrm-0500'>274</span><span id='textcolor1797'><span class='ectt-0800'>static</span></span><span class='ectt-0800'> </span><span id='textcolor1798'><span class='ectt-0800'>void</span></span><span class='ectt-0800'> __exit syscall_steal_end(</span><span id='textcolor1799'><span class='ectt-0800'>void</span></span><span class='ectt-0800'>)</span>
<a id='x1-41592r275'></a><span class='ecrm-0500'>275</span><span class='ectt-0800'>{</span>
<a id='x1-41594r276'></a><span class='ecrm-0500'>276</span><span id='textcolor1800'><span class='ectt-0800'>#if USE_KPROBES_PRE_HANDLER_BEFORE_SYSCALL</span></span>
<a id='x1-41596r277'></a><span class='ecrm-0500'>277</span><span class='ectt-0800'>    unregister_kprobe(&amp;syscall_kprobe);</span>
<a id='x1-41598r278'></a><span class='ecrm-0500'>278</span><span id='textcolor1801'><span class='ectt-0800'>#else</span></span>
<a id='x1-41600r279'></a><span class='ecrm-0500'>279</span><span class='ectt-0800'>    </span><span id='textcolor1802'><span class='ectt-0800'>if</span></span><span class='ectt-0800'> (!sys_call_table_stolen)</span>
<a id='x1-41602r280'></a><span class='ecrm-0500'>280</span><span class='ectt-0800'>        </span><span id='textcolor1803'><span class='ectt-0800'>return</span></span><span class='ectt-0800'>;</span>
<a id='x1-41604r281'></a><span class='ecrm-0500'>281</span>
<a id='x1-41606r282'></a><span class='ecrm-0500'>282</span><span class='ectt-0800'>    </span><span id='textcolor1804'><span class='ectt-0800'>/* Return the system call back to normal */</span></span>
<a id='x1-41608r283'></a><span class='ecrm-0500'>283</span><span class='ectt-0800'>    </span><span id='textcolor1805'><span class='ectt-0800'>if</span></span><span class='ectt-0800'> (sys_call_table_stolen[__NR_openat] != (</span><span id='textcolor1806'><span class='ectt-0800'>unsigned</span></span><span class='ectt-0800'> </span><span id='textcolor1807'><span class='ectt-0800'>long</span></span><span class='ectt-0800'> *)our_sys_openat) {</span>
<a id='x1-41610r284'></a><span class='ecrm-0500'>284</span><span class='ectt-0800'>        pr_alert(</span><span id='textcolor1808'><span class='ectt-0800'>"Somebody else also played with the "</span></span><span class='ectt-0800'>);</span>
<a id='x1-41612r285'></a><span class='ecrm-0500'>285</span><span class='ectt-0800'>        pr_alert(</span><span id='textcolor1809'><span class='ectt-0800'>"open system call</span></span><span id='textcolor1810'><span class='ectt-0800'>\n</span></span><span id='textcolor1811'><span class='ectt-0800'>"</span></span><span class='ectt-0800'>);</span>
<a id='x1-41614r286'></a><span class='ecrm-0500'>286</span><span class='ectt-0800'>        pr_alert(</span><span id='textcolor1812'><span class='ectt-0800'>"The system may be left in "</span></span><span class='ectt-0800'>);</span>
<a id='x1-41616r287'></a><span class='ecrm-0500'>287</span><span class='ectt-0800'>        pr_alert(</span><span id='textcolor1813'><span class='ectt-0800'>"an unstable state.</span></span><span id='textcolor1814'><span class='ectt-0800'>\n</span></span><span id='textcolor1815'><span class='ectt-0800'>"</span></span><span class='ectt-0800'>);</span>
<a id='x1-41618r288'></a><span class='ecrm-0500'>288</span><span class='ectt-0800'>    }</span>
<a id='x1-41620r289'></a><span class='ecrm-0500'>289</span>
<a id='x1-41622r290'></a><span class='ecrm-0500'>290</span><span class='ectt-0800'>    disable_write_protection();</span>
<a id='x1-41624r291'></a><span class='ecrm-0500'>291</span><span class='ectt-0800'>    sys_call_table_stolen[__NR_openat] = (</span><span id='textcolor1816'><span class='ectt-0800'>unsigned</span></span><span class='ectt-0800'> </span><span id='textcolor1817'><span class='ectt-0800'>long</span></span><span class='ectt-0800'> *)original_call;</span>
<a id='x1-41626r292'></a><span class='ecrm-0500'>292</span><span class='ectt-0800'>    enable_write_protection();</span>
<a id='x1-41628r293'></a><span class='ecrm-0500'>293</span><span id='textcolor1818'><span class='ectt-0800'>#endif</span></span>
<a id='x1-41630r294'></a><span class='ecrm-0500'>294</span>
<a id='x1-41632r295'></a><span class='ecrm-0500'>295</span><span class='ectt-0800'>    msleep(2000);</span>
<a id='x1-41634r296'></a><span class='ecrm-0500'>296</span><span class='ectt-0800'>}</span>
<a id='x1-41636r297'></a><span class='ecrm-0500'>297</span>
<a id='x1-41638r298'></a><span class='ecrm-0500'>298</span><span class='ectt-0800'>module_init(syscall_steal_start);</span>
<a id='x1-41640r299'></a><span class='ecrm-0500'>299</span><span class='ectt-0800'>module_exit(syscall_steal_end);</span>
<a id='x1-41642r300'></a><span class='ecrm-0500'>300</span>
<a id='x1-41644r301'></a><span class='ecrm-0500'>301</span><span class='ectt-0800'>MODULE_LICENSE(</span><span id='textcolor1819'><span class='ectt-0800'>"GPL"</span></span><span class='ectt-0800'>);</span></pre>
<a id='x1-41578r268'></a><span class='ecrm-0500'>268</span><span class='ectt-0800'>    pr_info(</span><span id='textcolor1793'><span class='ectt-0800'>"Spying on UID:%d</span></span><span id='textcolor1794'><span class='ectt-0800'>\n</span></span><span id='textcolor1795'><span class='ectt-0800'>"</span></span><span class='ectt-0800'>, uid);</span>
<a id='x1-41580r269'></a><span class='ecrm-0500'>269</span><span class='ectt-0800'>    </span><span id='textcolor1796'><span class='ectt-0800'>return</span></span><span class='ectt-0800'> 0;</span>
<a id='x1-41582r270'></a><span class='ecrm-0500'>270</span><span class='ectt-0800'>}</span>
<a id='x1-41584r271'></a><span class='ecrm-0500'>271</span>
<a id='x1-41586r272'></a><span class='ecrm-0500'>272</span><span id='textcolor1797'><span class='ectt-0800'>static</span></span><span class='ectt-0800'> </span><span id='textcolor1798'><span class='ectt-0800'>void</span></span><span class='ectt-0800'> __exit syscall_steal_end(</span><span id='textcolor1799'><span class='ectt-0800'>void</span></span><span class='ectt-0800'>)</span>
<a id='x1-41588r273'></a><span class='ecrm-0500'>273</span><span class='ectt-0800'>{</span>
<a id='x1-41590r274'></a><span class='ecrm-0500'>274</span><span id='textcolor1800'><span class='ectt-0800'>#if USE_KPROBES_PRE_HANDLER_BEFORE_SYSCALL</span></span>
<a id='x1-41592r275'></a><span class='ecrm-0500'>275</span><span class='ectt-0800'>    unregister_kprobe(&amp;syscall_kprobe);</span>
<a id='x1-41594r276'></a><span class='ecrm-0500'>276</span><span id='textcolor1801'><span class='ectt-0800'>#else</span></span>
<a id='x1-41596r277'></a><span class='ecrm-0500'>277</span><span class='ectt-0800'>    </span><span id='textcolor1802'><span class='ectt-0800'>if</span></span><span class='ectt-0800'> (!sys_call_table_stolen)</span>
<a id='x1-41598r278'></a><span class='ecrm-0500'>278</span><span class='ectt-0800'>        </span><span id='textcolor1803'><span class='ectt-0800'>return</span></span><span class='ectt-0800'>;</span>
<a id='x1-41600r279'></a><span class='ecrm-0500'>279</span>
<a id='x1-41602r280'></a><span class='ecrm-0500'>280</span><span class='ectt-0800'>    </span><span id='textcolor1804'><span class='ectt-0800'>/* Return the system call back to normal */</span></span>
<a id='x1-41604r281'></a><span class='ecrm-0500'>281</span><span class='ectt-0800'>    </span><span id='textcolor1805'><span class='ectt-0800'>if</span></span><span class='ectt-0800'> (sys_call_table_stolen[__NR_openat] != (</span><span id='textcolor1806'><span class='ectt-0800'>unsigned</span></span><span class='ectt-0800'> </span><span id='textcolor1807'><span class='ectt-0800'>long</span></span><span class='ectt-0800'> *)our_sys_openat) {</span>
<a id='x1-41606r282'></a><span class='ecrm-0500'>282</span><span class='ectt-0800'>        pr_alert(</span><span id='textcolor1808'><span class='ectt-0800'>"Somebody else also played with the "</span></span><span class='ectt-0800'>);</span>
<a id='x1-41608r283'></a><span class='ecrm-0500'>283</span><span class='ectt-0800'>        pr_alert(</span><span id='textcolor1809'><span class='ectt-0800'>"open system call</span></span><span id='textcolor1810'><span class='ectt-0800'>\n</span></span><span id='textcolor1811'><span class='ectt-0800'>"</span></span><span class='ectt-0800'>);</span>
<a id='x1-41610r284'></a><span class='ecrm-0500'>284</span><span class='ectt-0800'>        pr_alert(</span><span id='textcolor1812'><span class='ectt-0800'>"The system may be left in "</span></span><span class='ectt-0800'>);</span>
<a id='x1-41612r285'></a><span class='ecrm-0500'>285</span><span class='ectt-0800'>        pr_alert(</span><span id='textcolor1813'><span class='ectt-0800'>"an unstable state.</span></span><span id='textcolor1814'><span class='ectt-0800'>\n</span></span><span id='textcolor1815'><span class='ectt-0800'>"</span></span><span class='ectt-0800'>);</span>
<a id='x1-41614r286'></a><span class='ecrm-0500'>286</span><span class='ectt-0800'>    }</span>
<a id='x1-41616r287'></a><span class='ecrm-0500'>287</span>
<a id='x1-41618r288'></a><span class='ecrm-0500'>288</span><span class='ectt-0800'>    disable_write_protection();</span>
<a id='x1-41620r289'></a><span class='ecrm-0500'>289</span><span class='ectt-0800'>    sys_call_table_stolen[__NR_openat] = (</span><span id='textcolor1816'><span class='ectt-0800'>unsigned</span></span><span class='ectt-0800'> </span><span id='textcolor1817'><span class='ectt-0800'>long</span></span><span class='ectt-0800'> *)original_call;</span>
<a id='x1-41622r290'></a><span class='ecrm-0500'>290</span><span class='ectt-0800'>    enable_write_protection();</span>
<a id='x1-41624r291'></a><span class='ecrm-0500'>291</span><span id='textcolor1818'><span class='ectt-0800'>#endif</span></span>
<a id='x1-41626r292'></a><span class='ecrm-0500'>292</span>
<a id='x1-41628r293'></a><span class='ecrm-0500'>293</span><span class='ectt-0800'>    msleep(2000);</span>
<a id='x1-41630r294'></a><span class='ecrm-0500'>294</span><span class='ectt-0800'>}</span>
<a id='x1-41632r295'></a><span class='ecrm-0500'>295</span>
<a id='x1-41634r296'></a><span class='ecrm-0500'>296</span><span class='ectt-0800'>module_init(syscall_steal_start);</span>
<a id='x1-41636r297'></a><span class='ecrm-0500'>297</span><span class='ectt-0800'>module_exit(syscall_steal_end);</span>
<a id='x1-41638r298'></a><span class='ecrm-0500'>298</span>
<a id='x1-41640r299'></a><span class='ecrm-0500'>299</span><span class='ectt-0800'>MODULE_LICENSE(</span><span id='textcolor1819'><span class='ectt-0800'>"GPL"</span></span><span class='ectt-0800'>);</span></pre>
<!-- l. 1580 --><p class='noindent'>
</p>
<h3 class='sectionHead' id='blocking-processes-and-threads'><span class='titlemark'>11 </span> <a id='x1-4200011'></a>Blocking Processes and threads</h3>