Created
June 30, 2021 06:59
-
-
Save YangKeao/4f23bde7a0c1c472c7b575004006e6c4 to your computer and use it in GitHub Desktop.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include <linux/module.h> | |
| #include <linux/kernel.h> | |
| #include <linux/init.h> | |
| #include <linux/fs.h> | |
| #include <linux/tracepoint.h> | |
| #include <asm/syscall.h> | |
| #include <linux/sched.h> | |
| #include <linux/fdtable.h> | |
| #include <linux/slab.h> | |
| #include <linux/delay.h> | |
| #include <linux/rculist.h> | |
| #define TRACEPOINT_PROBE(probe, args...) static void __attribute__((optimize("O0"))) probe(void *__data, args) | |
| TRACEPOINT_PROBE(syscall_exit_probe, struct pt_regs *regs, long id); | |
| static struct tracepoint *tp_sys_exit; | |
| static void visit_tracepoint(struct tracepoint *tp, void *priv) | |
| { | |
| if (!strcmp(tp->name, "sys_exit")) { | |
| printk(KERN_INFO "Tracepoint Found\n"); | |
| tp_sys_exit = tp; | |
| } | |
| } | |
| static int __init iochaos_start(void) | |
| { | |
| printk(KERN_INFO "Loading iochaos module...\n"); | |
| for_each_kernel_tracepoint(visit_tracepoint, NULL); | |
| if(tp_sys_exit != NULL) { | |
| struct task_struct *iter; | |
| tracepoint_probe_register(tp_sys_exit, syscall_exit_probe, NULL); | |
| rcu_read_lock(); | |
| list_for_each_entry_rcu(iter, &init_task.tasks, tasks) { | |
| printk("PROCESS: name: %s pid: %d syscall_tracepoint: %ld user_dispatch: %ld \n",iter->comm, iter->pid, iter->thread_info.syscall_work & BIT(SYSCALL_WORK_BIT_SYSCALL_TRACEPOINT), iter->thread_info.syscall_work & BIT(SYSCALL_WORK_BIT_SYSCALL_USER_DISPATCH)); | |
| } | |
| rcu_read_unlock(); | |
| } | |
| return 0; | |
| } | |
| static void __exit iochaos_end(void) | |
| { | |
| printk(KERN_INFO "Unloading iochaos module\n"); | |
| if(tp_sys_exit != NULL) { | |
| tracepoint_probe_unregister(tp_sys_exit, syscall_exit_probe, NULL); | |
| } | |
| } | |
| module_init(iochaos_start); | |
| module_exit(iochaos_end); | |
| TRACEPOINT_PROBE(syscall_exit_probe, struct pt_regs *regs, long ret) | |
| { | |
| struct path* path; | |
| struct files_struct* files; | |
| struct file* opened_file; | |
| char *full_path; | |
| char* buf; | |
| int id = syscall_get_nr(current, regs); | |
| if ((id == __NR_openat || id == __NR_open) && ret > 0) { | |
| files = current->files; | |
| opened_file = files_lookup_fd_rcu(files, ret); | |
| if (opened_file == NULL) { | |
| goto exit; | |
| } | |
| buf = (char*)get_zeroed_page(GFP_KERNEL); | |
| if(buf == NULL) { | |
| printk(KERN_ERR "fail to allocate page"); | |
| goto exit_put_path; | |
| } | |
| path = &opened_file->f_path; | |
| if(path == NULL) { | |
| printk(KERN_INFO "path is NULL %d %ld", current->pid, ret); | |
| goto exit_free_page; | |
| } | |
| path_get(path); | |
| if(path->dentry == NULL) { | |
| printk(KERN_INFO "path->dentry is NULL %d %ld", current->pid, ret); | |
| goto exit_put_path; | |
| } | |
| full_path = d_path(path, buf, PAGE_SIZE); | |
| if (IS_ERR(full_path)) { | |
| printk(KERN_ERR "fail to get full_path"); | |
| goto exit_put_path; | |
| } | |
| if(full_path == NULL) { | |
| goto exit_put_path; | |
| } | |
| if (strstr(full_path, "test-chaos") != NULL) { | |
| printk(KERN_INFO "%s OPENAT(_, %s, _) -> %ld \n", current->comm, full_path, ret); | |
| msleep(10); | |
| } | |
| exit_put_path: | |
| path_put(path); | |
| exit_free_page: | |
| free_page((unsigned long)buf); | |
| exit: | |
| return; | |
| } | |
| } | |
| MODULE_LICENSE("GPL"); |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment