MODEST: Sharing “the peeping routine” between shared & static binaries

Preamble

Previous versions of the MODEST source code had two different routines for intercepting all I/O calls made through sys_write() and sys_writev(), one for each type of binary (shared or static) issuing those calls. It was therefore obvious that we had to merge these two mechanisms into a single one, using Kprobes, in order to keep the MODEST code base as small as possible.

The syscall_call entry point

As discussed at length in earlier posts about MODEST and Ring 0 calls, Kprobes lets us intercept not only the sysenter/sysexit instruction pair but also the classic int $0x80/iret pair. So, taking a quick look at the entry point sources of the mainline GNU/Linux kernel, we found where we could install our pre_handler routine:

syscall_call:
    call *sys_call_table(,%eax,4)
    movl %eax,EAX(%esp)     # store the return value
syscall_exit:

This snippet shows the syscall_call symbol, located in the arch/i386/kernel/entry.S file: it is the point every int $0x80 system call goes through before dispatching via sys_call_table.

Our pre_handler routine this time is exactly the same as the one used for the sysenter_past_esp entry point, so we end up with a single common routine for catching system calls instead of two. That routine was explained in detail in a previous post.

All we needed to do was add a new kprobe structure to our code, pointing it at the syscall_call address:

/* Second probe: resolve the int $0x80 entry point (syscall_call) at load time */
kprobe_sta.addr = (kprobe_opcode_t *)kallsyms_lookup_name("syscall_call");

Discriminating the mechanisms

Now, whenever a system call is served, our pre_handler routine (invoked by Kprobes) can determine which entry mechanism was used, and therefore whether the caller is a shared or a static binary, should we need to know. The p pointer received as a parameter by pre_handler tells us exactly that:

/* p->addr holds the original probed address (sysenter_past_esp or syscall_call). */
/* This way, we can determine the "original" entry call mechanism: */
printk(KERN_INFO "MODEST %s by %s: PID %d on cpu %d ==> [Called through : (0x%p)]\n",
    _VERSION_, _AUTHOR_, current->pid, current->thread_info->cpu, p->addr);

And now … the results!

Below is the kernel log showing MODEST's behaviour when running over a static and over a shared binary; both now go through the very same routine, with none of the assembler code required by the original int $0x80 and IDT technique:

; Running MODEST over a static binary – syscall –
Jan 19 14:13:42 etch32 kernel: MODEST 0.3b by Toni Castillo Girona <toni.castillo@fa.upc.edu>: Load successful. Compiled at Jan 19 2010 14:13:41
Jan 19 14:13:42 etch32 kernel: MODEST 0.3b by Toni Castillo Girona <toni.castillo@fa.upc.edu>: @ sysenter_past_esp at: 0xc0102bbb , catched by 0xd0a32803
Jan 19 14:13:42 etch32 kernel: @ syscall_call at: 0xc0102c74 , catched by 0xd0a32803
Jan 19 14:13:42 etch32 kernel: MODEST 0.3b by Toni Castillo Girona <toni.castillo@fa.upc.edu>: Restore FDT requested …
Jan 19 14:13:43 etch32 kernel: MODEST 0.3b by Toni Castillo Girona <toni.castillo@fa.upc.edu>: PID 24979 on cpu 0 ==> [Called through : (0xc0102c74)]
Jan 19 14:14:00 etch32 kernel: MODEST 0.3b by Toni Castillo Girona <toni.castillo@fa.upc.edu>: Pause peeping has been requested …
Jan 19 14:14:02 etch32 kernel: MODEST 0.3b by Toni Castillo Girona <toni.castillo@fa.upc.edu>: Resuming peeping process …
Jan 19 14:14:03 etch32 kernel: MODEST 0.3b by Toni Castillo Girona <toni.castillo@fa.upc.edu>: PID 24979 on cpu 0 ==> [Called through : (0xc0102c74)]
Jan 19 14:14:08 etch32 kernel: MODEST 0.3b by Toni Castillo Girona <toni.castillo@fa.upc.edu>: Restore FDT requested …
Jan 19 14:14:13 etch32 kernel: MODEST 0.3b by Toni Castillo Girona <toni.castillo@fa.upc.edu>: Cleanup successful
..
; Running MODEST over a dynamic binary – sysenter –
Jan 19 14:14:15 etch32 kernel: MODEST 0.3b by Toni Castillo Girona <toni.castillo@fa.upc.edu>: Load successful. Compiled at Jan 19 2010 14:14:14
Jan 19 14:14:15 etch32 kernel: MODEST 0.3b by Toni Castillo Girona <toni.castillo@fa.upc.edu>: @ sysenter_past_esp at: 0xc0102bbb , catched by 0xd0a32803
Jan 19 14:14:15 etch32 kernel: @ syscall_call at: 0xc0102c74 , catched by 0xd0a32803
Jan 19 14:14:17 etch32 kernel: MODEST 0.3b by Toni Castillo Girona <toni.castillo@fa.upc.edu>: Restore FDT requested …
Jan 19 14:14:17 etch32 kernel: MODEST 0.3b by Toni Castillo Girona <toni.castillo@fa.upc.edu>: PID 25161 on cpu 0 ==> [Called through : (0xc0102bbb)]
Jan 19 14:14:25 etch32 kernel: MODEST 0.3b by Toni Castillo Girona <toni.castillo@fa.upc.edu>: Pause peeping has been requested …
Jan 19 14:14:26 etch32 kernel: MODEST 0.3b by Toni Castillo Girona <toni.castillo@fa.upc.edu>: Resuming peeping process …
Jan 19 14:14:26 etch32 kernel: MODEST 0.3b by Toni Castillo Girona <toni.castillo@fa.upc.edu>: PID 25161 on cpu 0 ==> [Called through : (0xc0102bbb)]
Jan 19 14:14:26 etch32 kernel: MODEST 0.3b by Toni Castillo Girona <toni.castillo@fa.upc.edu>: Restore FDT requested …
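The discrimination the pre_handler makes on p->addr, and the log it produces, can be checked from user space as well. The following is an added example (not MODEST's own code) that maps the probed addresses printed at load time to their entry mechanism and attributes each "Called through" record in the log above to it; the two addresses are the ones from this page's log and would differ on any other kernel.

```c
/* Added example, not MODEST's own code: attribute each "Called through"
 * record in MODEST's log to the syscall entry mechanism it came from. */
#include <stdio.h>
#include <string.h>

struct entry_point { const char *symbol; unsigned long addr; const char *mechanism; };

/* Addresses are the ones MODEST printed at load time in the log on this page
 * (etch32); on any other kernel take them from MODEST's "@ ... at:" lines. */
static const struct entry_point entry_points[] = {
    { "sysenter_past_esp", 0xc0102bbbUL, "sysenter (shared binary)" },
    { "syscall_call",      0xc0102c74UL, "int $0x80 (static binary)" },
};

/* The same comparison the kprobe pre_handler can make on p->addr. */
const char *entry_mechanism(unsigned long addr)
{
    size_t i;
    for (i = 0; i < sizeof entry_points / sizeof entry_points[0]; i++)
        if (entry_points[i].addr == addr)
            return entry_points[i].mechanism;
    return "unknown";
}

/* Parse one MODEST log line: returns 1 with pid/addr filled for a call record,
 * 0 for any other MODEST message (load, pause, cleanup ...). */
int parse_called_through(const char *line, int *pid, unsigned long *addr)
{
    const char *p = strstr(line, "PID ");
    int cpu;
    if (!p) return 0;
    return sscanf(p, "PID %d on cpu %d ==> [Called through : (0x%lx)]",
                  pid, &cpu, addr) == 3;
}

/* Mechanism name for a whole log line, or NULL if it is not a call record. */
const char *line_mechanism(const char *line)
{
    int pid;
    unsigned long addr;
    return parse_called_through(line, &pid, &addr) ? entry_mechanism(addr) : NULL;
}

int main(void)
{
    /* Record copied from the log on this page (static binary, PID 24979). */
    const char *line = "Jan 19 14:13:43 etch32 kernel: MODEST 0.3b by Toni Castillo Girona <toni.castillo@fa.upc.edu>: PID 24979 on cpu 0 ==> [Called through : (0xc0102c74)]";
    int pid; unsigned long addr;
    if (parse_called_through(line, &pid, &addr))
        printf("PID %d entered the kernel via %s\n", pid, entry_mechanism(addr));
    return 0;
}
```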

References and links

The new code branch can be found in our CVS repository, hosted on SourceForge.