Syscall Hooking on Kali Linux (kernel version 5)

Question

I am trying to set up a hook for the bind() system call on Kali Linux 2021-W1 (Linux kernel version 5), but for some reason, calling the original system call fails and an error occurs.

Here is my code:

/* includes, license, author... */

void **sys_call_table_addr = (void **) 0xffffffff9e0002c0;

int enable_page_rw(void *ptr){
        unsigned int level;
        pte_t *pte = lookup_address((unsigned long) ptr, &level);
        if(pte->pte &~_PAGE_RW){
            pte->pte |=_PAGE_RW;
        }
        return 0;
}

int disable_page_rw(void *ptr){
        unsigned int level;
        pte_t *pte = lookup_address((unsigned long) ptr, &level);
        pte->pte = pte->pte &~_PAGE_RW;
        return 0;
}

asmlinkage int (*original_bind) (int, const struct sockaddr *, int);
asmlinkage int log_bind(int sockfd, const struct sockaddr *addr, int addrlen) {
        int ret;
        printk(KERN_INFO SOCKETLOG "bind was called");
        return (*original_bind)(sockfd, addr, addrlen);
}

static int __init socketlog_init(void) {
        printk(KERN_INFO SOCKETLOG "socketlog module has been loaded\n");

        enable_page_rw(sys_call_table_addr);
        original_bind = sys_call_table_addr[__NR_bind];
        if (!original_bind) return -1;
        sys_call_table_addr[__NR_bind] = log_bind;
        disable_page_rw(sys_call_table_addr);

        printk(KERN_INFO SOCKETLOG "original_bind = %p", original_bind);
        return 0;
}

static void __exit socketlog_exit(void) {
        printk(KERN_INFO SOCKETLOG "socketlog module has been unloaded\n");

        enable_page_rw(sys_call_table_addr);
        sys_call_table_addr[__NR_bind] = original_bind;
        disable_page_rw(sys_call_table_addr);
}

module_init(socketlog_init);
module_exit(socketlog_exit);

After executing sudo insmod socketlog.ko, I can see the expected output:

[  +0.000488] [SOCKETLOG] socketlog module has been loaded
[  +0.000002] [SOCKETLOG] original_bind = 00000000bbf288f1

But every time a bind() is called, I get the weird behavior:

[  +0.000488] [SOCKETLOG] bind was called
[  +0.000005] BUG: unable to handle page fault for address: 0000000040697fb8 
[  +0.000002] #PF: supervisor read access in kernel mode
[  +0.000001] #PF: error_code(0x0000) - not-present page

As expected 0x0000000040697fb8 is the address pointed to by 0x00000000bbf288f1: the content of the original system call. What am I missing?

Answer 1

Perhaps the way you are wrapping the system call does not work. For example, on Linux 5.4.0-59-generic x86_64 architecture, a system call in the kernel is called through a common wrapper called do_syscall_64(). It passes the parameters through the pt_regs structure to the entry in sys_call_table[]:

__visible void do_syscall_64(unsigned long nr, struct pt_regs *regs)
{
    struct thread_info *ti;

    enter_from_user_mode();
    local_irq_enable();
    ti = current_thread_info();
    if (READ_ONCE(ti->flags) & _TIF_WORK_SYSCALL_ENTRY)
        nr = syscall_trace_enter(regs);

    if (likely(nr < NR_syscalls)) {
        nr = array_index_nospec(nr, NR_syscalls);
        regs->ax = sys_call_table[nr](regs); <-------- Call to the entry with pt_regs structure
#ifdef CONFIG_X86_X32_ABI
    } else if (likely((nr & __X32_SYSCALL_BIT) &&
              (nr & ~__X32_SYSCALL_BIT) < X32_NR_syscalls)) {
        nr = array_index_nospec(nr & ~__X32_SYSCALL_BIT,
                    X32_NR_syscalls);
        regs->ax = x32_sys_call_table[nr](regs);
#endif
    }

    syscall_return_slowpath(regs);
}

The pt_regs structure embeds the parameters passed to the system call by the user. So this may explain why you are crashing : the printk(..."bind was called") works as it does not access the parameters but after the call to the original system call entry does not comply with the expected parameters.

If you look at the source code of bind() system call in net/socket.c, it is defined as:

SYSCALL_DEFINE3(bind, int, fd, struct sockaddr __user *, umyaddr, int, addrlen)
{
    return __sys_bind(fd, umyaddr, addrlen);
}

The above macro SYSCALL_DEFINE3() expands into some wrappers which extract the parameters from the pt_regs structure.

So, here is as an example, some fixes in your module which works on my 5.4.0-60-generic Ubuntu x86_64:

#include <linux/version.h>
#include <linux/kernel.h>
#include <linux/module.h>
#include <asm/ptrace.h>
#include <linux/socket.h>
#include <linux/kallsyms.h>


MODULE_LICENSE("Dual BSD/GPL");

typedef int (* syscall_wrapper)(struct pt_regs *);

unsigned long sys_call_table_addr;

#define SOCKETLOG "[SOCKETLOG]"


int enable_page_rw(void *ptr){
  unsigned int level;
  pte_t *pte = lookup_address((unsigned long) ptr, &level);
  if(pte->pte &~_PAGE_RW){
    pte->pte |=_PAGE_RW;
  }
  return 0;
}

int disable_page_rw(void *ptr){
  unsigned int level;
  pte_t *pte = lookup_address((unsigned long) ptr, &level);
  pte->pte = pte->pte &~_PAGE_RW;
  return 0;
}

syscall_wrapper original_bind;

//asmlinkage int log_bind(int sockfd, const struct sockaddr *addr, int addrlen) {
int log_bind(struct pt_regs *regs) {
  printk(KERN_INFO SOCKETLOG "bind was called");
  return (*original_bind)(regs);
}

static int __init socketlog_init(void) {

  printk(KERN_INFO SOCKETLOG "socketlog module has been loaded\n");

  sys_call_table_addr = kallsyms_lookup_name("sys_call_table");

  printk(KERN_INFO SOCKETLOG "sys_call_table@%lx\n", sys_call_table_addr);

  enable_page_rw((void *)sys_call_table_addr);
  original_bind = ((syscall_wrapper *)sys_call_table_addr)[__NR_bind];
  if (!original_bind) return -1;
  ((syscall_wrapper *)sys_call_table_addr)[__NR_bind] = log_bind;
  disable_page_rw((void *)sys_call_table_addr);

  printk(KERN_INFO SOCKETLOG "original_bind = %p", original_bind);
  return 0;
}

static void __exit socketlog_exit(void) {
  printk(KERN_INFO SOCKETLOG "socketlog module has been unloaded\n");

  enable_page_rw((void *)sys_call_table_addr);
  ((syscall_wrapper *)sys_call_table_addr)[__NR_bind] = original_bind;
  disable_page_rw((void *)sys_call_table_addr);
}

module_init(socketlog_init);
module_exit(socketlog_exit);

With a test:

$ sudo insmod ./bind_ovl.ko
$ dmesg
[ 2253.201888] [SOCKETLOG]socketlog module has been loaded
[ 2253.209486] [SOCKETLOG]sys_call_table@ffffffff88c013a0
[ 2253.209489] [SOCKETLOG]original_bind = 00000000f54304a9

After a reload of a WEB page for example, I get:

$ dmesg
[ 2136.946042] [SOCKETLOG]socketlog module has been unloaded
[ 2253.201888] [SOCKETLOG]socketlog module has been loaded
[ 2253.209486] [SOCKETLOG]sys_call_table@ffffffff88c013a0
[ 2253.209489] [SOCKETLOG]original_bind = 00000000f54304a9
[ 2281.716581] [SOCKETLOG]bind was called
[ 2295.607476] [SOCKETLOG]bind was called
[ 2301.947866] [SOCKETLOG]bind was called
[ 2304.088116] [SOCKETLOG]bind was called
[ 2309.599634] [SOCKETLOG]bind was called
[ 2310.946833] [SOCKETLOG]bind was called

After unloading the module:

$ sudo rmmod bind_ovl
$ dmesg
[...]
[ 2390.908456] [SOCKETLOG]bind was called
[ 2398.921475] [SOCKETLOG]bind was called
[ 2398.928855] [SOCKETLOG]socketlog module has been unloaded

You can of course enhance the overload by displaying the parameters passed to the system call. On x86_64, the system calls are passed at most 6 parameters through the processor registers. We can retrieve them in the pt_regs structure. The latter is defined in arch/x86/include/asm/ptrace.h as:

struct pt_regs {
/*
 * C ABI says these regs are callee-preserved. They aren't saved on kernel entry
 * unless syscall needs a complete, fully filled "struct pt_regs".
 */
    unsigned long r15;
    unsigned long r14;
    unsigned long r13;
    unsigned long r12;
    unsigned long bp;
    unsigned long bx;
/* These regs are callee-clobbered. Always saved on kernel entry. */
    unsigned long r11;
    unsigned long r10;
    unsigned long r9;
    unsigned long r8;
    unsigned long ax;
    unsigned long cx;
    unsigned long dx;
    unsigned long si;
    unsigned long di;
/*
 * On syscall entry, this is syscall#. On CPU exception, this is error code.
 * On hw interrupt, it's IRQ number:
 */
    unsigned long orig_ax;
/* Return frame for iretq */
    unsigned long ip;
    unsigned long cs;
    unsigned long flags;
    unsigned long sp;
    unsigned long ss;
/* top of stack page */
};

The parameter passing convention for a system call is: param#0 to param#5 are respectively passed into the RDI, RSI, RDX, R10, R8 and R9 registers.

According to this rule, for bind() system call, the parameters are in the following registers:

• RDI = int (socket descriptor)
• RSI = struct sockaddr *addr
• RDX = socklen_t addrlen

You can then enhance the log function with something like:

int log_bind(struct pt_regs *regs) {
  printk(KERN_INFO SOCKETLOG "bind was called(%d, %p, %u)", (int)(regs->di), (void *)(regs->si), (unsigned int)(regs->dx));
  return (*original_bind)(regs);
}

The traces from the module become more detailed:

[ 3259.589915] [SOCKETLOG]socketlog module has been loaded
[ 3259.594631] [SOCKETLOG]sys_call_table@ffffffff88c013a0
[ 3259.594634] [SOCKETLOG]original_bind = 00000000f54304a9
[ 3274.368906] [SOCKETLOG]bind was called(149, 0000000091c163d5, 12)
[ 3276.040330] [SOCKETLOG]bind was called(149, 0000000075b17cb4, 12)
[ 3278.203942] [SOCKETLOG]bind was called(188, 0000000091c163d5, 12)
[ 3287.014980] [SOCKETLOG]bind was called(214, 0000000075b17cb4, 12)
[ 3287.021167] [SOCKETLOG]bind was called(214, 0000000091c163d5, 12)
[ 3298.395713] [SOCKETLOG]bind was called(3, 000000008c2a9103, 12)
[ 3298.403249] [SOCKETLOG]socketlog module has been unloaded