
Re: [LI] Hiding LKM's -- Beta-test



On Thu, Jan 20, 2000 at 12:12:11PM +0530, Vimal Mathew wrote:
> Hi,
> 
> 	I patched the SGI kernel debugger into my kernel this morning and
> found the assembly equivalent of the following C lines

You don't need a kernel debugger to do this. Just load vmlinux into
gdb and disassemble the function.

> 
>         /* Initialize the module.  */
>         atomic_set(&mod->uc.usecount,1);
>         if (mod->init && mod->init() != 0) {
>                 atomic_set(&mod->uc.usecount,0);
>                 error = -EBUSY;
>                 goto err0;
>         }
> to be
> 
> sys_init_module+0x433:		movl	$01,0x10(%ebx)
> sys_init_module+0x43a:		movl	0x2c(%ebx),%edx
> sys_init_module+0x43d:		testl	%edx,%edx
> sys_init_module+0x43f:		je	sys_init_module+0x458
> sys_init_module+0x441:		call	*%edx
> sys_init_module+0x443:		testl	%eax,%eax
> sys_init_module+0x445:		je	sys_init_module+0x458
> sys_init_module+0x447:		movl	$0x0,0x10(%ebx)
> sys_init_module+0x44e:		movl	$0xfffffff0,0xffffffac(%ebp)
> sys_init_module+0x455:		jmp	sys_init_module+0x4be
> 
> "mod" seems to be stored in %ebx for quite some time (I think from its
> first occurence in sys_init_module, even). I dont know why.
> 

Here is a guess - %ebx is a callee-saved register. Read the calling
convention at:

http://www.linuxdoc.org/HOWTO/Assembly-HOWTO-5.html

If you put mod in %ebx, it is guaranteed to be there even after the call.
So the instruction at sys_init_module+0x447 can use it without reloading
it.

It looks like the hack can be defeated simply by inserting a couple of
lines of dummy code in sys_init_module.

> And, about my original question, if I take my module out of the module
> linked list, will it cause any problems? Till now, my modules have only been
> replacing other system calls (such as "getdents"). Would the kernel try
> to reuse my kernel memory (garbage collection?) if I don't belong to the
> module list?

There is no such thing as garbage collection in C or UNIX kernels. At best,
you can see reference counting. But no mark-and-sweep-style garbage
collection.

The kernel memory won't be freed unless you explicitly do it.

	-Arun
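The following is an added user-space model of the situation asked about above (unlinking a module from the module list while its hooked system call stays installed); it is not code from the thread or from the kernel. The `struct module`, `module_list` and `sys_call_table` slot are simplified stand-ins (assumption: only the fields the example needs), and the two `getdents` functions are constructed placeholders.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef long (*syscall_fn)(void);

/* Simplified stand-in for the 2.2-era struct module (assumption: only the
 * fields this example needs are modelled). */
struct module {
    struct module *next;   /* module_list is a singly linked list through here */
    const char *name;
    long usecount;         /* stands in for mod->uc.usecount */
    syscall_fn hook;       /* replacement syscall the module installs, if any */
};

static struct module *module_list;            /* stand-in for the kernel global */
static syscall_fn sys_call_table_getdents;    /* stand-in for one sys_call_table slot */

static long original_getdents(void) { return 1; }   /* constructed: the "real" syscall */
static long rootkit_getdents(void)   { return 2; }   /* constructed: the hooked version */

/* Mirrors the tail of sys_init_module: usecount set, then the module is linked. */
static struct module *register_module(const char *name, syscall_fn hook)
{
    struct module *m = calloc(1, sizeof *m);
    if (!m) abort();
    m->name = name;
    m->usecount = 1;
    m->hook = hook;
    m->next = module_list;
    module_list = m;
    return m;
}

/* What lsmod (/proc/modules) and delete_module do: walk module_list. */
int count_visible_modules(void)
{
    int n = 0;
    for (struct module *m = module_list; m; m = m->next)
        n++;
    return n;
}

struct module *find_module(const char *name)
{
    for (struct module *m = module_list; m; m = m->next)
        if (strcmp(m->name, name) == 0)
            return m;
    return NULL;
}

/* The hiding trick from the thread: unlink ourselves from module_list.
 * Note what does NOT happen: nothing is freed and the hook stays installed. */
bool hide_module(struct module *self)
{
    for (struct module **pp = &module_list; *pp; pp = &(*pp)->next) {
        if (*pp == self) {
            *pp = self->next;
            self->next = NULL;
            return true;
        }
    }
    return false;
}

long call_getdents(void) { return sys_call_table_getdents(); }

struct scenario {
    int visible_before;      /* modules lsmod would list before hiding */
    int visible_after;       /* ... and after */
    bool findable_after;     /* could rmmod / delete_module still locate it? */
    long getdents_after;     /* does the hook still run after hiding? */
    long usecount_after;     /* is the struct still intact and readable? */
};

struct scenario run_hidden_module_scenario(void)
{
    struct scenario r;
    module_list = NULL;
    sys_call_table_getdents = original_getdents;

    struct module *rk = register_module("hideme", rootkit_getdents);
    register_module("ext2", NULL);             /* constructed innocent neighbour */
    sys_call_table_getdents = rk->hook;        /* install the hook */

    r.visible_before = count_visible_modules();
    hide_module(rk);
    r.visible_after = count_visible_modules();
    r.findable_after = find_module("hideme") != NULL;
    r.getdents_after = call_getdents();        /* hook is still reached */
    r.usecount_after = rk->usecount;           /* memory is untouched */

    /* Explicit teardown is the only way this memory goes away. Restore the
     * table slot BEFORE freeing, or the slot would point at freed memory. */
    sys_call_table_getdents = original_getdents;
    free(rk);
    while (module_list) {
        struct module *m = module_list;
        module_list = m->next;
        free(m);
    }
    return r;
}

int main(void)
{
    struct scenario s = run_hidden_module_scenario();
    printf("visible before=%d after=%d findable=%d getdents=%ld usecount=%ld\n",
           s.visible_before, s.visible_after, s.findable_after,
           s.getdents_after, s.usecount_after);
    return 0;
}
```

The point to take away: after `hide_module`, the walk that `lsmod` and `delete_module` perform no longer sees the module, but its memory and its installed hook are exactly where they were, so the hooked call keeps working. The flip side is that the kernel can no longer unload it either, so the module itself now owns the job of restoring the table slot before anything frees that memory.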

--------------------------------------------------------------------
The Linux India Mailing List Archives are now available.  Please search
the archive at http://lists.linux-india.org/ before posting your question
to avoid repetition and save bandwidth.