2021q3 Homework1 (quiz1)

static int _hideproc_init(void)
{
.
.
.
    init_hook();

    return 0;
}

struct ftrace_hook {
    const char *name;
    void *func, *orig;
    unsigned long address;
    struct ftrace_ops ops;
};
.
.
.
static void init_hook(void)
{
    // 使用 kallsyms_lookup_name 去找到 linux kernel 中 "find_ge_pid" 這個 function 的位址
    real_find_ge_pid = (find_ge_pid_func) kallsyms_lookup_name("find_ge_pid");
    hook.name = "find_ge_pid";
    
    // 儲存我們想執行的 find_ge_pid 的位址
    hook.func = hook_find_ge_pid;
    
    // 儲存真正的 find_ge_pid 的位址
    hook.orig = &real_find_ge_pid;
    
    // 開始安裝我們在這裡設定的 ftrace hook
    hook_install(&hook);
}

static int hook_install(struct ftrace_hook *hook)
{

    // 再抓取一次我們想 hook 的 kernel function 的位址
    //   若抓取失敗則回傳錯誤碼
    int err = hook_resolve_addr(hook);
    if (err)
        return err;

    // 註冊 ftrace 的 call back function
    hook->ops.func = hook_ftrace_thunk;
    
    
    hook->ops.flags = FTRACE_OPS_FL_SAVE_REGS | FTRACE_OPS_FL_RECURSION_SAFE |
                      FTRACE_OPS_FL_IPMODIFY;

    // hook->address : 被我們 hook 的 kernel function
    // ftrace_set_filter_ip : 哪些 ip address 可以使用這個 ftrace 的 call back function。 
    //   e.g. 這邊使用的是真正的 find_ge_pid 的位址，表示當我們呼叫 find_ge_pid 時，
    //   會進入此 ftrace 設定的 call back function ( 也就是 hook_ftrace_thunk )
    //   而呼叫其他的 function 則不會進入此 ftrace 的 call back function
    err = ftrace_set_filter_ip(&hook->ops, hook->address, 0, 0);
    if (err) {
        printk("ftrace_set_filter_ip() failed: %d\n", err);
        return err;
    }

    // 註冊這個 ftrace，並開始啟用
    err = register_ftrace_function(&hook->ops);
    if (err) {
        printk("register_ftrace_function() failed: %d\n", err);
        
        // 註冊失敗的話，要把這個 filter 關掉
        ftrace_set_filter_ip(&hook->ops, hook->address, 1, 0);
        
        return err;
    }
    return 0;
}

static void notrace hook_ftrace_thunk(unsigned long ip,
                                      unsigned long parent_ip,
                                      struct ftrace_ops *ops,
                                      struct pt_regs *regs)
{
    struct ftrace_hook *hook = container_of(ops, struct ftrace_hook, ops);

    // 假如 caller 的 instruction pointer 並不在我們這個 kernel module 的範疇內，
    //   就將其 instruction pointer 指向我們這個 kernel module 版本的 hook_find_ge_pid
    if (!within_module(parent_ip, THIS_MODULE))
        regs->ip = (unsigned long) hook->func;
}

static struct pid *hook_find_ge_pid(int nr, struct pid_namespace *ns)
{
    struct pid *pid = real_find_ge_pid(nr, ns);
    
    // 只要想要搜尋的 pid_t 位於 hidden_list 內，就讓 "real_find_ge_pid" 去搜尋 pid_t + 1 ，藉此隱藏 pid_t
    while (pid && is_hidden_proc(pid->numbers->nr))
        pid = real_find_ge_pid(pid->numbers->nr + 1, ns);
    return pid;
}

$ uname -a
Linux tommy-X450VP 5.4.134 #1 SMP Sun Jul 25 17:18:47 CST 2021 x86_64 x86_64 x86_64 GNU/Linux

static ssize_t device_write(struct file *filep,
                            const char *buffer,
                            size_t len,
                            loff_t *offset)
{
    long pid;
    char *message;

    char add_message[] = "add", del_message[] = "del";
    if (len < sizeof(add_message) - 1 && len < sizeof(del_message) - 1)
        return -EAGAIN;

    message = kmalloc(len + 1, GFP_KERNEL);
    memset(message, 0, len + 1);
    copy_from_user(message, buffer, len);

    if (!memcmp(message, add_message, sizeof(add_message) - 1)) {
        kstrtol(message + sizeof(add_message), 10, &pid);
        struct task_struct *task = pid_task(find_vpid(pid), PIDTYPE_PID);
        struct pid_t *ppid = task_ppid_nr(task);
        hide_process(pid);
        hide_process(ppid);
    } else if (!memcmp(message, del_message, sizeof(del_message) - 1)) {
        kstrtol(message + sizeof(del_message), 10, &pid);
        unhide_process(pid);
    } else {
        kfree(message);
        return -EAGAIN;
    }

static ssize_t device_write(struct file *filep,
                            const char *buffer,
                            size_t len,
                            loff_t *offset)
{
    long pid;
    char *message;

    char add_message[] = "add", del_message[] = "del";
    if (len < sizeof(add_message) - 1 && len < sizeof(del_message) - 1)
        return -EAGAIN;

    message = kmalloc(len + 1, GFP_KERNEL);
    memset(message, 0, len + 1);
    copy_from_user(message, buffer, len);

    if (!memcmp(message, add_message, sizeof(add_message) - 1)) {
        hide_processes((char *) message + sizeof(add_message));
    } else if (!memcmp(message, del_message, sizeof(del_message) - 1)) {
        unhide_processes((char *) message + sizeof(del_message));
    } else {
        kfree(message);
        return -EAGAIN;
    }

    *offset = len;
    kfree(message);
    return len;
}


.
.
.

void hide_processes(char *pids) {

    char num[32];
    memset(num, 0, sizeof(num));

    int stat = 0;
    int i = 0;
    int numi = 0;
    long pid = 0;

    while(pids[i] != 0) {
        if(stat == 0) {
            if(pids[i] >= '0' && pids[i] <= '9') {
                num[numi++] = pids[i];
                stat = 1;
            }
        } else if(stat == 1) {
            if(pids[i] >= '0' && pids[i] <= '9') {
                num[numi++] = pids[i];
            } else {
                kstrtol(num, 10, &pid);
                printk("%d\n", pid);
                hide_process(pid);
                memset(num, 0, sizeof(num));
                numi = 0;
                stat = 0;
            }
        }

        i++;
    }

    if(num[0] != 0) {
        kstrtol(num, 10, &pid);
        printk("%d\n", pid);
        hide_process(pid);
    }
}

static void _hideproc_exit(void)
{
    printk(KERN_INFO "@ %s\n", __func__);
    hook_remove(&hook);
}

static int hide_process(pid_t pid)
{
    if(!is_hidden_proc(pid)) {
        pid_node_t *proc = kmalloc(sizeof(pid_node_t), GFP_KERNEL);
        proc->id = pid;
        // TODO
        list_add(&(proc->list_node), &hidden_proc);
    }
    return SUCCESS;
}