I am new to kernel coding and at present I am working with ELF files which have been modified a little bit for security purposes, for which I need to look at some of its custom section headers and extract the unique code encryption key from it for the CPU to decrypt the contents of the modified ELF.
At present the above logic has been implemented within the `load_elf_binary` function in the `fs/binfmt_elf.c` file in the kernel source tree; however, it is only about 250 lines of code change for which I need to recompile the whole kernel, so I am looking to improvise this functionality by implementing it as a loadable kernel module (LKM) so that every time an ELF is loaded it checks whether it's the modified ELF or not and, if it is, it extracts the key from the corresponding section.
EDIT: To summarize it, I am looking at making a loadable kernel module to read through the sections of an ELF and fetch the contents of a custom section that contains the encryption key and related metadata and set those values in CPU registers.
1 solution
#1
3
Yes, it's possible, but definitely not easy. There is even a supported kernel facility "kprobes" that allows you to insert calls to your own code from specified locations (see `Documentation/kprobes.txt`). If inserting calls to your own code is insufficient, I think you would need to use the same sort of mechanisms as kprobe: patching the desired location by overwriting instructions with `jmp`s or `call`s into your own code.
I once worked at a company whose security product installed its hooks by runtime-patching the Windows kernel. This is pretty much the same thing, though at least with Windows at the time there were a finite number of versions that had to be supported.
So, it's definitely possible, but I wouldn't want to try it. It will be very brittle; you'll be in effect trying to hit a moving target. Every kernel security patch or version upgrade is likely to break your code.
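Whichever hook mechanism is used, the step the question describes (walk the section headers, find the custom section, pull out its bytes) runs on input the loader cannot trust, so every offset and size read from the file has to be bounds-checked before it is dereferenced. The following user-space C program is an added example, not code from the question, the answer, or the kernel; it builds a small constructed ELF64 image in memory containing a hypothetical `.keyinfo` section (the section name and the key bytes are invented for the example) and then locates that section with the checks a loader-side parser needs. The same parsing logic would be reused unchanged inside a `load_elf_binary` patch or a kprobe handler.

```c
#include <assert.h>
#include <elf.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical name of the custom section carrying the key material. */
#define KEY_SECTION ".keyinfo"
#define NSECT 3   /* SHN_UNDEF entry, .shstrtab, .keyinfo */

/* Constructed sample data: section-name string table and an 8-byte "key". */
static const char shstr[] = "\0.shstrtab\0" KEY_SECTION;   /* names at offsets 1 and 11 */
static const unsigned char keyblob[] = {0xde, 0xad, 0xbe, 0xef, 0x01, 0x02, 0x03, 0x04};

static unsigned char image[512];
static size_t image_len;

/* Build a minimal well-formed ELF64 image (header, 3 section headers, 2 bodies). */
static size_t build_image(void) {
    Elf64_Ehdr eh; Elf64_Shdr sh[NSECT];
    memset(&eh, 0, sizeof eh); memset(sh, 0, sizeof sh);
    memcpy(eh.e_ident, ELFMAG, SELFMAG);
    eh.e_ident[EI_CLASS] = ELFCLASS64; eh.e_ident[EI_DATA] = ELFDATA2LSB; eh.e_ident[EI_VERSION] = EV_CURRENT;
    eh.e_type = ET_EXEC; eh.e_machine = EM_X86_64; eh.e_version = EV_CURRENT;
    eh.e_ehsize = sizeof eh; eh.e_shentsize = sizeof(Elf64_Shdr); eh.e_shnum = NSECT; eh.e_shstrndx = 1;
    eh.e_shoff = sizeof eh;                        /* section header table right after the header */
    size_t off_shstr = eh.e_shoff + sizeof sh;     /* string table after the section headers */
    size_t off_key = off_shstr + sizeof shstr;     /* key section after the string table */
    sh[1].sh_name = 1;  sh[1].sh_type = SHT_STRTAB;   sh[1].sh_offset = off_shstr; sh[1].sh_size = sizeof shstr;
    sh[2].sh_name = 11; sh[2].sh_type = SHT_PROGBITS; sh[2].sh_offset = off_key;   sh[2].sh_size = sizeof keyblob;
    memcpy(image, &eh, sizeof eh);
    memcpy(image + eh.e_shoff, sh, sizeof sh);
    memcpy(image + off_shstr, shstr, sizeof shstr);
    memcpy(image + off_key, keyblob, sizeof keyblob);
    image_len = off_key + sizeof keyblob;
    return image_len;
}

/* Locate a section by name in an untrusted ELF64 image held in buf[0..len).
 * Every offset/size taken from the file is checked against len before use.
 * Returns a pointer to the section body and sets *out_len, or NULL if the
 * section is absent or the image is malformed. */
static const unsigned char *find_section(const unsigned char *buf, size_t len,
                                         const char *name, size_t *out_len) {
    Elf64_Ehdr eh;
    if (len < sizeof eh) return NULL;
    memcpy(&eh, buf, sizeof eh);                   /* copy out: buffer may be unaligned */
    if (memcmp(eh.e_ident, ELFMAG, SELFMAG) != 0 || eh.e_ident[EI_CLASS] != ELFCLASS64) return NULL;
    if (eh.e_shentsize != sizeof(Elf64_Shdr) || eh.e_shnum == 0 || eh.e_shstrndx >= eh.e_shnum) return NULL;
    if (eh.e_shoff > len || (size_t)eh.e_shnum * sizeof(Elf64_Shdr) > len - eh.e_shoff) return NULL;

    Elf64_Shdr strsh;                              /* section-name string table header */
    memcpy(&strsh, buf + eh.e_shoff + (size_t)eh.e_shstrndx * sizeof strsh, sizeof strsh);
    if (strsh.sh_offset > len || strsh.sh_size > len - strsh.sh_offset) return NULL;
    const char *strtab = (const char *)buf + strsh.sh_offset;

    for (size_t i = 0; i < eh.e_shnum; i++) {
        Elf64_Shdr sh;
        memcpy(&sh, buf + eh.e_shoff + i * sizeof sh, sizeof sh);
        if (sh.sh_name >= strsh.sh_size) continue;                 /* name offset outside strtab */
        size_t room = strsh.sh_size - sh.sh_name;
        if (memchr(strtab + sh.sh_name, '\0', room) == NULL) continue; /* unterminated name */
        if (strcmp(strtab + sh.sh_name, name) != 0) continue;
        if (sh.sh_offset > len || sh.sh_size > len - sh.sh_offset) return NULL; /* body outside file */
        *out_len = sh.sh_size;
        return buf + sh.sh_offset;
    }
    return NULL;
}

/* Copy the key section body into out; returns bytes copied, 0 on any failure. */
static size_t extract_key(const unsigned char *buf, size_t len, unsigned char *out, size_t cap) {
    size_t n = 0;
    const unsigned char *p = find_section(buf, len, KEY_SECTION, &n);
    if (p == NULL || n == 0 || n > cap) return 0;
    memcpy(out, p, n);
    return n;
}

int main(void) {
    unsigned char key[32];
    build_image();
    size_t n = extract_key(image, image_len, key, sizeof key);
    printf("%s: %zu byte(s):", KEY_SECTION, n);
    for (size_t i = 0; i < n; i++) printf(" %02x", key[i]);
    printf("\n");
    return n == 0;
}
```

The parser copies each header out of the buffer with `memcpy` rather than casting pointers into it, so it works on unaligned input, and it rejects a truncated image instead of reading past the end. In a real hook the same function would be fed the bytes the loader has already mapped or read, and a `NULL` result should make the loader treat the file as an ordinary ELF rather than fall back to partial data.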