BSD ROOTKIT 设计--内核黑客指引书(第4章)

4内核对象挂钩
4.1 字符设备挂钩
    4.1.1 cdevp_list Tail Queue 和 cdev_priv
[url=javascript:;]结构体[/url]
    4.1.2 devmtx 互斥体
    4.1.3 示例
4.2 小结
4
[url=javascript:;]KERNEL[/url]
OBJECT HOOKING
[url=javascript:;]内核[/url]
对象挂钩
In the previous chapter we covered subverting the
[url=javascript:;]FreeBSD[/url]
kernel using simple data-state changes. The discussion centered around
modifying the data contained within the kernel queue data structures.
In addition to record keeping, many of these structures are also
directly  involved in control flow, as they maintain a limited number
of entry points into the kernel. Consequently, these can be hooked,
too, just like the entry points discussed in Chapter 2. This technique
is referred to as Kernel Object Hooking (KOH). To demonstrate it, let’s
hook a character device.
在前面的章节里，我们讲解了通过对数据状态进行简单的修改来颠覆FreeBSD内核的
方法。这个讨论围绕的是如何修改内核队列数据结构内部的数据。除了用于记录报告，很多的这些结构体也直接与流程控制有关，因为它们维护着数量有限的进入内
核的入口点。因此，它们也可以被挂钩，就像在第2章讨论的入口点。这个技术称之为内核对象挂钩(KOH)。做个示范，我们挂钩一个字符设备。
4.1 Hooking a Character Device
4.1 字符设备挂钩
Recall
from Chapter 1 that a character device is defined by its entries in a
character device switch table.1 As such, by modifying these entries,
you can modify the behavior of a character device. Before demonstrating
this
记得在第1章中提到，字符设备是通过它在字符设备转换表中的入口点定义的。同样，通过修改这些入口点，你可以修改一个字符设备的行为。但是，在演示这种
----------------
1 For the definition of a character device switch table, see Section 1.6.1.
1 至于字符设备转换表的定义，可查看章节1.6.1.
“attack,” however, some background information on character device management is necessary.
“攻击”前，需要了解一些字符设备管理的背景信息。
4.1.1 The cdevp_list Tail Queue and cdev_priv Structures
4.1.1 cdevp_list Tail Queue 和 cdev_priv 结构体
In
FreeBSD all active character devices are maintained on a private,
doublylinked tail queue named cdevp_list, which is defined in the file
/sys/fs/devfs/ devfs_devs.c as follows:
在FreeBSD中，所有的字符设备都维护在一个私有的称为cdevp_list的双向tail queue中。cdevp_list在文件/sys/fs/devfs/ devfs_devs.c中定义如下:
--------------------------------------------------------------------------------
static TAILQ_HEAD(,/*1*/ cdev_priv) cdevp_list =
TAILQ_HEAD_INITIALIZER(cdevp_list);
--------------------------------------------------------------------------------
As
you can see, cdevp_list is composed of /*1*/ cdev_priv structures. The
definition for struct cdev_priv can be found in the

标签：

版权申明：本站文章部分自网络，如有侵权，请联系：west999com@outlook.com
特别注意：本站所有转载文章言论不代表本站观点，本站所提供的摄影照片，插画，设计作品，如需使用，请与原作者联系，版权归原作者所有