From f6183af715640cc5e41358afdb578e6107b1563b Mon Sep 17 00:00:00 2001 From: Wilson Foo Yu Kang Date: Sun, 26 Jun 2022 05:55:51 +0000 Subject: [PATCH] Workaround for kallsyms_lookup_name which is no longer exported --- .../bitleaker-kernel-module.c | 75 ++++++++++++++++++- 1 file changed, 73 insertions(+), 2 deletions(-) diff --git a/bitleaker-kernel-module/bitleaker-kernel-module.c b/bitleaker-kernel-module/bitleaker-kernel-module.c index 1ba2ef6..ab8f08d 100644 --- a/bitleaker-kernel-module/bitleaker-kernel-module.c +++ b/bitleaker-kernel-module/bitleaker-kernel-module.c @@ -11,7 +11,9 @@ #include #include #include +#include #include +#include MODULE_LICENSE("GPL v2"); MODULE_AUTHOR("Seunghun Han"); @@ -21,6 +23,74 @@ MODULE_DESCRIPTION("Bitleaker kernel module"); #define RESERVED_START (0x80000) #define RESERVED_SIZE (64 * 1024) +//kallsyms_lookup_name workaround + +typedef unsigned long (*kln_p)(const char*); + +#define KPROBE_PRE_HANDLER(fname) static int __kprobes fname(struct kprobe *p, struct pt_regs *regs) + +long unsigned int kln_addr = 0; +unsigned long (*kln_pointer)(const char* name) = NULL; + +static struct kprobe kp0, kp1; + +KPROBE_PRE_HANDLER(handler_pre0) { + kln_addr = (--regs->ip); + + return 0; +} + +KPROBE_PRE_HANDLER(handler_pre1) { + return 0; +} + +static int do_register_kprobe(struct kprobe* kp, char* symbol_name, void* handler) { + int ret; + + kp->symbol_name = symbol_name; + kp->pre_handler = handler; + + ret = register_kprobe(kp); + if (ret < 0) { + pr_err("do_register_kprobe: failed to register for symbol %s, returning %d\n", symbol_name, ret); + return ret; + } + + pr_info("Planted krpobe for symbol %s at %p\n", symbol_name, kp->addr); + + return ret; +} + +// this is the function that I have modified, as the name suggests it returns a pointer to the extracted kallsyms_lookup_name function +kln_p get_kln_p(void) { + int status; + + status = do_register_kprobe(&kp0, "kallsyms_lookup_name", handler_pre0); + + if (status < 0) return NULL; + + status = do_register_kprobe(&kp1, "kallsyms_lookup_name", handler_pre1); + + if (status < 0) { + // cleaning initial krpobe + unregister_kprobe(&kp0); + return NULL; + } + + unregister_kprobe(&kp0); + unregister_kprobe(&kp1); + + pr_info("kallsyms_lookup_name address = 0x%lx\n", kln_addr); + + kln_pointer = (unsigned long (*)(const char* name)) kln_addr; + + return kln_pointer; +} + +#define kallsyms_lookup_name(name) (get_kln_p())(name); + +//end kallsyms_lookup_name workaround + typedef void *(*TEXT_POKE) (void *addr, const void *opcode, size_t len); TEXT_POKE g_fn_text_poke; @@ -34,7 +104,8 @@ unsigned long g_tpm_suspend_addr; */ void print_banner(void) { - printk(KERN_INFO "bitleaker: ▄▄▄▄ ██▓▄▄▄█████▓ ██▓ ▓█████ ▄▄▄ ██ ▄█▀▓█████ ██▀███ \n"); printk(KERN_INFO "bitleaker: ▓█████▄ ▓██▒▓ ██▒ ▓▒▓██▒ ▓█ ▀▒████▄ ██▄█▒ ▓█ ▀ ▓██ ▒ ██▒ \n"); + printk(KERN_INFO "bitleaker: ▄▄▄▄ ██▓▄▄▄█████▓ ██▓ ▓█████ ▄▄▄ ██ ▄█▀▓█████ ██▀███ \n"); + printk(KERN_INFO "bitleaker: ▓█████▄ ▓██▒▓ ██▒ ▓▒▓██▒ ▓█ ▀▒████▄ ██▄█▒ ▓█ ▀ ▓██ ▒ ██▒ \n"); printk(KERN_INFO "bitleaker: ▒██▒ ▄██▒██▒▒ ▓██░ ▒░▒██░ ▒███ ▒██ ▀█▄ ▓███▄░ ▒███ ▓██ ░▄█ ▒ \n"); printk(KERN_INFO "bitleaker: ▒██░█▀ ░██░░ ▓██▓ ░ ▒██░ ▒▓█ ▄░██▄▄▄▄██ ▓██ █▄ ▒▓█ ▄ ▒██▀▀█▄ \n"); printk(KERN_INFO "bitleaker: ░▓█ ▀█▓░██░ ▒██▒ ░ ░██████▒░▒████▒▓█ ▓██▒▒██▒ █▄░▒████▒░██▓ ▒██▒ \n"); @@ -57,7 +128,7 @@ static int dump_event_logs(void) char* start_buffer; int i; - buffer = (char*) ioremap_nocache(RESERVED_START, RESERVED_SIZE); + buffer = (char*) ioremap(RESERVED_START, RESERVED_SIZE); printk(KERN_INFO"bitleaker: \n"); printk(KERN_INFO"bitleaker: Dump event logs\n"); printk(KERN_INFO"bitleaker: Virtual address %p physical address %p\n", (void*)buffer, (void*)RESERVED_START);