Linux kernel module to check memory integrity
I'm writing a kernel module that checks the integrity of code segments for running tasks by controlling checksums. I ran into a few hurdles:
- How can I get the
module_list
variable if it isn't exported by the kernel (there is no such symbol inksyms
)? I can see all modules calling thelsmod
comm开发者_StackOverflowand, so how can I get it in my module? - While my module is running it shows that some code segments have been changed. It always happens with certain libraries. Why does it happen? I thought that code segments were constant.
- Is it feasible to control memory access for process data from a kernel module and how to do it?
Self-modifying code is fully supported. There is nothing wrong with it, and it is used for all kinds of things. Your assumption that code is constant is simply not correct. It may be, but it may not be.
One typical example is in SMP versus UP systems. On Pentium 4 class Xeon machines, for example, an unlocked increment can take 60 cycles fewer than a locked increment. The locked increment is needed only on SMP machines. To make the same code work on both UP and SMP machines without the overhead of a condition at run time, self-modifying code is typically used. In the place of the lock
instruction, an illegal opcode such as ud2
is used. The illegal instruction interrupt is caught and the ud2
is replaced by lock
on an SMP system and nop
on a UP system.
The kernel exports a module interface. Exported are:
__module_text_address __symbol_get symbol_put_addr use_module
module_layout module_put __module_put_and_exit module_refcount
register_module_notifier __symbol_put unregister_module_notifier module_get
You could also parse /proc/modules
if you really wanted to.
精彩评论