Last active
December 24, 2015 18:19
-
-
Save bearice/6842647 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| obj-m += test.o | |
| all: | |
| make -C /lib/modules/$(shell uname -r)/build M=$(PWD) modules | |
| clean: | |
| make -C /lib/modules/$(shell uname -r)/build M=$(PWD) clean | |
| test: all | |
| -sudo rmmod test | |
| sudo insmod test.ko |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include <linux/module.h> | |
| #include <linux/proc_fs.h> | |
| #include <linux/sched.h> | |
| #include <asm/uaccess.h> | |
| char code[] = | |
| "\xe9\x1e\x00\x00\x00" // jmp 8048083 <MESSAGE> | |
| "\xb8\x04\x00\x00\x00" // mov $0x4,%eax | |
| "\xbb\x01\x00\x00\x00" // mov $0x1,%ebx | |
| "\x59" // pop %ecx | |
| "\xba\x0f\x00\x00\x00" // mov $0xf,%edx | |
| "\xcd\x80" // int $0x80 | |
| "\xb8\x01\x00\x00\x00" // mov $0x1,%eax | |
| "\xbb\x00\x00\x00\x00" // mov $0x0,%ebx | |
| "\xcd\x80" // int $0x80 | |
| "\xe8\xdd\xff\xff\xff" // call 8048065 <GOBACK> | |
| "I break out.\n"; // | |
| static struct proc_dir_entry *pfile; | |
| static char msg[255]; | |
| static int myproc_read(char *page, char **start, off_t off, int count, int *eof, void *data) | |
| { | |
| int len = strlen(msg); | |
| if (off >= len) | |
| return 0; | |
| if (count > len - off) | |
| count = len - off; | |
| memcpy(page + off, msg + off, count); | |
| return off + count; | |
| } | |
| static int myproc_write(struct file *file, const char __user *buffer, unsigned long count, void *data) | |
| { | |
| unsigned long count2 = count; | |
| if (count2 >= sizeof(msg)) | |
| count2 = sizeof(msg) - 1; | |
| if (copy_from_user(msg, buffer, count2)) | |
| return -EFAULT; | |
| msg[count2] = 0; | |
| long pid = 0; | |
| long offset = 0; | |
| if(sscanf(msg,"%d,0x%08x",&pid,&offset)!=2) return -EFAULT; | |
| printk("pid=%ld,offset=%p\n",pid,offset); | |
| struct task_struct* task = pid_task(find_vpid(pid),PIDTYPE_PID); | |
| printk("task=@0x%p\n",task); | |
| struct pt_regs* reg=task_pt_regs(task); | |
| printk("reg=@0x%p\n",reg); | |
| printk("EAX=%p EBX=%p ECX=%p EDX=%p EIP=%p\n",reg->ax,reg->bx,reg->cx,reg->dx,reg->ip); | |
| offset -= 0x20; | |
| long ptr = 0; | |
| struct mm_struct *oldmm; | |
| oldmm = current->mm; | |
| current->mm = task->mm; | |
| current->active_mm = current->mm; | |
| load_cr3(current->mm->pgd); | |
| get_user(ptr,(int*)offset); | |
| printk("RET=%p\n",ptr); | |
| ptr=offset+0x20; | |
| put_user(ptr,(int*)offset); | |
| copy_to_user(ptr,code,sizeof(code)); | |
| //reg->ip = offset; | |
| current->mm = oldmm; | |
| current->active_mm = current->mm; | |
| load_cr3(current->mm->pgd); | |
| return count; | |
| } | |
| static int __init myproc_init(void) | |
| { | |
| pfile = create_proc_entry("test", 0666, NULL); | |
| if (!pfile) { | |
| printk(KERN_ERR "Can't create /proc/test"); | |
| return -1; | |
| } | |
| pfile->read_proc = myproc_read; | |
| pfile->write_proc = myproc_write; | |
| return 0; | |
| } | |
| static void __exit myproc_exit(void) | |
| { | |
| remove_proc_entry("test", NULL); | |
| } | |
| module_init(myproc_init); | |
| module_exit(myproc_exit); | |
| MODULE_LICENSE("GPL"); |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment