SYSENTER hook

Posted by ivanko 
SYSENTER hook
March 12, 2010 02:58PM
Hello to everybody! Recently I have been trying to intercept the sysenter execution (trying to understand how rootkits work) and I've got nothing more than complete system freezes and system panic. Of course, the hook that is now in the code should do nothing except give control to the original ia32_sysenter_target. So this is the code:
#include <linux/module.h>
#include <linux/kernel.h>

void hook(void);

void (*old_handl)(void);
void (*new_handl)(void);
void (**old_handl_pp)(void);

void hook(void)
{
  // Pointer to a pointer to a function
  __asm__ __volatile__("ljmp *%0" : : "m"(old_handl_pp));
  return;
}

int init_module(void)
{
  new_handl = hook;
  old_handl_pp = &old_handl;

  __asm__ __volatile__("mov $0x176, %%ecx\n\t"
                       "rdmsr\n\t"
                       "mov %0, %%eax\n\t"
                       "wrmsr" : : "r"(old_handl) : "%ecx", "%eax", "%edx" ) ;

  return 0;
}
It compiles without any errors or warnings. Yes, and the Makefile is this:
EXTRA_CFLAGS = -g -Wall
obj-m += msr.o

all:
	make -C /lib/modules/$(shell uname -r)/build M=$(PWD) modules

clean:
	make -C /lib/modules/$(shell uname -r)/build M=$(PWD) clean
I tried it both in VMs and on my real machine, the results are the same (failure). I will appreciate any help, and thanks in advance!



Edited 2 time(s). Last edit at 03/12/2010 03:00PM by ivanko.
Re: SYSENTER hook
March 21, 2010 03:53AM
Well, it appears that I solved it =)! Here is the working code:

#include <linux/module.h>
#include <linux/kernel.h>

void (*old_handl_p)(void) = 0; /* Original IA32_SYSENTER_EIP value */
void (*new_handl_p)(void) = 0; /* Address of our hook */

void hook(void)
{
  /* Pointer to the original handler */
  asm("jmp *%0" : : "m"(old_handl_p));
  return;
}

int init_module(void)
{
  new_handl_p = &hook;

  /* Save the current IA32_SYSENTER_EIP (MSR 0x176) */
  asm("rdmsr\n\t"
      : "=a"(old_handl_p) /* EAX now has a pointer to the original handler */
      : "c"(0x176) /* Number of MSR register */
      : "%edx" ) ; /* RDMSR also changes the EDX register */

  /* Point IA32_SYSENTER_EIP at the hook (per-CPU MSR: only the CPU
     running this code is changed) */
  asm("wrmsr\n\t"
      : /* No output */
      : "c"(0x176), "d"(0x0), "a"(new_handl_p));

  return 0;
}

void cleanup_module(void)
{
  /* Restore the original handler before the hook code is unloaded */
  asm("wrmsr\n\t"
      : /* No output */
      : "c"(0x176), "d"(0x0), "a"(old_handl_p));
}
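Since the hook above works by redirecting IA32_SYSENTER_EIP (MSR 0x176) away from ia32_sysenter_target, the same MSR is the place to look for such a hook on a live system. The script below is an added example, not code from this thread; it assumes a kernel that still exports the entry point under the name ia32_sysenter_target (newer kernels rename it), the msr kernel module providing /dev/cpu/N/msr, and the rdmsr tool from msr-tools.

```shell
#!/bin/sh
# Added example (not from the thread): detect a hooked SYSENTER entry point by
# comparing IA32_SYSENTER_EIP (MSR 0x176) on every CPU with the address the
# kernel exports for ia32_sysenter_target in /proc/kallsyms.
# Assumptions: symbol name ia32_sysenter_target, msr module loaded, rdmsr from
# msr-tools available, run as root for the live scan.

# Constructed sample of /proc/kallsyms lines for the offline self-test.
SAMPLE_KALLSYMS='c10012a0 T ia32_sysenter_target
c10012f0 T system_call
f8a0e000 t hook [msr]'

# Print the address of symbol $1 from kallsyms-formatted text on stdin.
kallsyms_addr() {
	awk -v sym="$1" '$3 == sym { print $1; exit }'
}

# Canonicalise a hex value: lowercase, no 0x prefix, no leading zeros.
norm_hex() {
	printf '%s' "$1" | tr 'A-FX' 'a-fx' | sed 's/^0x//; s/^0*//'
}

# Succeed (exit 0) only when MSR value $1 equals the expected address $2.
check_sysenter_eip() {
	msr_val=$(norm_hex "$1")
	sym_addr=$(norm_hex "$2")
	[ -n "$sym_addr" ] && [ "$msr_val" = "$sym_addr" ]
}

# Live scan: read MSR 0x176 on each CPU and flag any that points elsewhere
# (e.g. into a loaded module's text, as the hook in this thread would).
scan_live() {
	expected=$(kallsyms_addr ia32_sysenter_target < /proc/kallsyms)
	[ -n "$expected" ] || { echo "ia32_sysenter_target not in kallsyms"; return 2; }
	rc=0
	for d in /dev/cpu/[0-9]*; do
		cpu=${d##*/}
		val=$(rdmsr -p "$cpu" 0x176) || { rc=2; continue; }
		if check_sysenter_eip "$val" "$expected"; then
			echo "cpu$cpu: SYSENTER_EIP=$val ok"
		else
			echo "cpu$cpu: SYSENTER_EIP=$val != $expected (hooked?)"; rc=1
		fi
	done
	return $rc
}

case "${1:-}" in --live) scan_live ;; esac
```

Run it as `sh check_sysenter.sh --live` on the machine under test; without `--live` only the functions are defined.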