2

I'm writing a kernel module that checks the integrity of code segments for running tasks by controlling checksums. I ran into a few hurdles:

  1. How can I get the module_list variable if it isn't exported by the kernel (there is no such symbol in ksyms)? I can see all modules calling the lsmod command, so how can I get it in my module?
  2. While my module is running it shows that some code segments have been changed. It always happens with certain libraries. Why does it happen? I thought that code segments were constant.
  3. Is it feasible to control memory access for process data from a kernel module and how to do it?
Gilles 'SO- stop being evil'
  • 104,111
  • 38
  • 209
  • 254
max bushlya
  • 63
  • 1
  • 6

1 Answers1

7

Self-modifying code is fully supported. There is nothing wrong with it, and it is used for all kinds of things. Your assumption that code is constant is simply not correct. It may be, but it may not be.

One typical example is in SMP versus UP systems. On Pentium 4 class Xeon machines, for example, an unlocked increment can take 60 cycles fewer than a locked increment. The locked increment is needed only on SMP machines. To make the same code work on both UP and SMP machines without the overhead of a condition at run time, self-modifying code is typically used. In the place of the lock instruction, an illegal opcode such as ud2 is used. The illegal instruction interrupt is caught and the ud2 is replaced by lock on an SMP system and nop on a UP system.

The kernel exports a module interface. Exported are:

__module_text_address __symbol_get symbol_put_addr use_module
module_layout module_put __module_put_and_exit module_refcount 
register_module_notifier __symbol_put unregister_module_notifier module_get

You could also parse /proc/modules if you really wanted to.

David Schwartz
  • 179,497
  • 17
  • 214
  • 278
  • my kernel doesn`t export such symbols – max bushlya Sep 01 '11 at 12:37
  • Then modify it so it does. That's the great thing about open source software. (What version? What does it export? Grep for "module" or "symbol".) – David Schwartz Sep 01 '11 at 12:45
  • In addition to instruction alternatives, there are some tracing/debugging facilities that rely on modification of the memory image of the kernel proper and of the modules. Kernel markers and Ftrace are the first to come to mind. Ftrace (on x86), for example, may permanently replace 5 bytes left for it after the prologue of each function (`call mcount`) with a call to some other its function to collect necessary data. – Eugene Sep 02 '11 at 04:52
  • unfortunately, my version of Linux-based OS is not open source, can not be modified (russian military os MCBC) – max bushlya Sep 05 '11 at 11:09