VX Heaven

Library Collection Sources Engines Constructors Simulators Utilities Links Forum

Kernel function hijacking

Silvio Cesare
November 1999

[Back to index] [Comments]


This article describes a method of hijacking internal kernel functions, that is, kernel functions that are declared inside the kernel without a function pointer or vector for changing the kernel function it points too. This can have practical uses, as given in example code which patches the process accounting code to not log specially marked processes (processes given signal 31).

Kernel function hijacking

The basic premise for this attack is to replace the first bytes of the original function with an asm jump to the replacement jump. The algorithm follows

In init_module...

In cleanup_module...

In the replacement function...

The asm jump used is an indirect jump... This means no messing around with calculating offsets.

	movl $address_to_jump,%eax
	jmp *%eax

The implemented example

The example code patches acct_process in kernel/sys.c which accounts for process accounting. Normally, you cannot redirect acct_process, but this does all the logging for process accounting, so we hijack the function to control process logging.

The code works by waiting for a kill -31 to a process, when this is recieved, the replacement kill syscall sets a bit in the process flags that marks the process as not to be logged by process accounting. This technique is ideal as when the process forks, the process flags are copied, so children remaing log free aswell. The heart of the code is in _acct_process which looks at the process flags and if marked not to be logged, returns without calling the original acct_process.

The acct_process variable must be assigned the correct address of the function in the kernel. Typically, this is found in but if no map is present then the techniques described in my paper RUNTIME KERNEL KMEM PATCHING

acct_nolog.c (Linux 2.0.35)

By accessing, viewing, downloading or otherwise using this content you agree to be bound by the Terms of Use! aka