Currently I want to hook the x86-32 int3 handler in the Linux 3.13.1 kernel.
First, I looked at the asm code in entry_32.S.
I found the relevant code to be the following:
ENTRY(int3)
RING0_INT_FRAME
ASM_CLAC
pushl_cfi $-1 # mark this as an int
SAVE_ALL
TRACE_IRQS_OFF
xorl %edx,%edx # zero error code
movl %esp,%eax # pt_regs pointer
call do_int3
jmp ret_from_exception
CFI_ENDPROC
END(int3)
Then I wrote a kernel module to hook this ENTRY(int3), as follows:
#define SAVE_ALL \
"pushl %%eax\n\t" \
"pushl %%ebp\n\t" \
"pushl %%edi\n\t" \
"pushl %%esi\n\t" \
"pushl %%edx\n\t" \
"pushl %%ecx\n\t" \
"pushl %%ebx\n\t"
// get the addresses from System.map
unsigned long ret_from_exception=0xc1642fc0;
unsigned long do_int3=0xc1643c70;
__asm__ (
...
"go_here: \n\t"
"pushl $-1 \n\t"
SAVE_ALL
"xorl %%edx,%%edx \n\t"
"movl %%esp,%%eax \n\t"
"call *do_int3 \n\t"
"jmp *ret_from_exception \n\t"
:: );
}
Unfortunately, the kernel module does not work properly:
[ 5359.750705] task: e9095a90 ti: e809a000 task.ti: e809a000
[ 5359.750709] EIP: 0060:[<c1645686>] EFLAGS: 00010046 CPU: 0
[ 5359.750717] EIP is at kprobe_exceptions_notify+0xf6/0x460
[ 5359.750720] EAX: 00000000 EBX: 0000007b ECX: 00000000 EDX: 0000007a
[ 5359.750723] ESI: e809bfc4 EDI: c1a4f100 EBP: e809bf58 ESP: e809bf30
[ 5359.750726] DS: 007b ES: 007b FS: 0000 GS: 00e0 SS: 0068
[ 5359.750729] CR0: 8004003b CR2: b76806c0 CR3: 2a944000 CR4: 000007f0
[ 5359.750731] Stack:
[ 5359.750733] 00000000 ea0880b6 000004df c1a54400 0000007a c1a54400 f7b84400 c1909a88
[ 5359.750741] 00000000 c190c328 e809bf74 c1646be5 e809bf8c 00000002 e809bfc4 00000000
[ 5359.750748] 00000000 e809bf84 c1646c52 fffffffe 00000000 e809bfa0 c1646c8d e809bfc4
[ 5359.750755] Call Trace:
[ 5359.750763] [<c1646be5>] notifier_call_chain+0x45/0x60
[ 5359.750768] [<c1646c52>] atomic_notifier_call_chain+0x22/0x30
[ 5359.750773] [<c1646c8d>] notify_die+0x2d/0x30
[ 5359.750777] [<c1643cf4>] do_int3+0x84/0x100
I think my translation of the ENTRY(int3) asm may be incorrect.
How do I translate the macros RING0_INT_FRAME and ASM_CLAC into asm code?
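The point worth seeing for a question like this is what do_int3 actually reads from the stack. It takes the %esp value left after SAVE_ALL as a struct pt_regs pointer, so the number and order of pushes decides which field every word lands in. The C program below is an added model, not the poster's module or kernel code: it lays out the 32-bit struct pt_regs in the field order of arch/x86/include/asm/ptrace.h (CONFIG_X86_32), replays the push sequence of the kernel's own SAVE_ALL from entry_32.S in 3.13 (four segment registers, then seven general-purpose registers) beside the seven-register sequence from the module above, and reports where the "pushl $-1" marker and the trapped %eip end up. The tag values standing in for register contents are constructed for the model; the hardware frame is the user-mode one (ss, esp, eflags, cs, eip), which does not change where the marker lands relative to the pt_regs pointer.

```c
#include <assert.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef unsigned int u32;

/* 32-bit struct pt_regs, field order as in arch/x86/include/asm/ptrace.h
 * under CONFIG_X86_32 (fixed-width so the model is identical on a 64-bit host). */
struct pt_regs32 {
    u32 bx, cx, dx, si, di, bp, ax;
    u32 ds, es, fs, gs;
    u32 orig_ax;
    u32 ip, cs, flags, sp, ss;
};
#define NWORDS (sizeof(struct pt_regs32) / sizeof(u32))
#define LEN(a) (sizeof(a) / sizeof((a)[0]))

static const char *const field_name[] = {
    "bx", "cx", "dx", "si", "di", "bp", "ax",
    "ds", "es", "fs", "gs", "orig_ax", "ip", "cs", "flags", "sp", "ss",
};

/* Constructed tag values standing in for register contents, so each pushed
 * word can be recognised after the frame is built. */
enum tag {
    T_SS = 0x5500, T_SP = 0x5000, T_FLAGS = 0xF100, T_CS = 0xC500, T_IP = 0x1000,
    T_GS = 0x0600, T_FS = 0x0500, T_ES = 0x0400, T_DS = 0x0300,
    T_EAX = 0x0A00, T_EBP = 0x0B00, T_EDI = 0x0D00, T_ESI = 0x0E00,
    T_EDX = 0x0200, T_ECX = 0x0C00, T_EBX = 0x0100,
};
#define T_MARKER 0xFFFFFFFFu   /* the "pushl $-1" int marker */

/* Push order of the kernel's own SAVE_ALL in entry_32.S (3.13): four segment
 * registers, then the seven general-purpose registers. */
static const u32 kernel_save_all[] = {
    T_GS, T_FS, T_ES, T_DS, T_EAX, T_EBP, T_EDI, T_ESI, T_EDX, T_ECX, T_EBX,
};
/* The seven-register sequence used by the module in the question. */
static const u32 module_save_all[] = { T_EAX, T_EBP, T_EDI, T_ESI, T_EDX, T_ECX, T_EBX };

/* Downward-growing stack. Pushes start at index NWORDS; the words above model
 * whatever the interrupted context left on the stack (zero here). */
struct stack {
    u32 mem[2 * NWORDS];
    size_t top;
};

static void push(struct stack *s, u32 v) {
    assert(s->top > 0);
    s->mem[--s->top] = v;
}

/* Build the frame do_int3 receives for an int3 taken from user mode: the CPU
 * pushes ss, esp, eflags, cs, eip; the stub pushes -1, then the SAVE_ALL
 * sequence. s->top is then %esp, the pt_regs pointer handed over in %eax. */
static void build_frame(struct stack *s, const u32 *seq, size_t n) {
    memset(s, 0, sizeof *s);
    s->top = NWORDS;
    push(s, T_SS); push(s, T_SP); push(s, T_FLAGS); push(s, T_CS); push(s, T_IP);
    push(s, T_MARKER);
    for (size_t i = 0; i < n; i++)
        push(s, seq[i]);
}

/* Read the memory at %esp as struct pt_regs, exactly as do_int3 does. */
static struct pt_regs32 regs_view(const struct stack *s) {
    struct pt_regs32 r;
    memcpy(&r, &s->mem[s->top], sizeof r);
    return r;
}

/* Name of the pt_regs field in which a given push sequence leaves the -1 marker. */
static const char *marker_field(const u32 *seq, size_t n) {
    struct stack s;
    build_frame(&s, seq, n);
    for (size_t i = 0; i < NWORDS; i++)
        if (s.mem[s.top + i] == T_MARKER)
            return field_name[i];
    return "(none)";
}

/* What do_int3 would read as regs->ip for a given push sequence. */
static u32 ip_seen_by_do_int3(const u32 *seq, size_t n) {
    struct stack s;
    build_frame(&s, seq, n);
    return regs_view(&s).ip;
}

int main(void) {
    printf("kernel SAVE_ALL: -1 lands in %s, regs->ip = %#x\n",
           marker_field(kernel_save_all, LEN(kernel_save_all)),
           ip_seen_by_do_int3(kernel_save_all, LEN(kernel_save_all)));
    printf("module SAVE_ALL: -1 lands in %s, regs->ip = %#x\n",
           marker_field(module_save_all, LEN(module_save_all)),
           ip_seen_by_do_int3(module_save_all, LEN(module_save_all)));
    return 0;
}
```

With the kernel's eleven pushes the marker sits in orig_ax and regs->ip is the trapped eip; with seven pushes every field from ds upward is shifted by four words, so the marker is read as ds, the saved ss is read as ip, and do_int3 and the notifier chain behind it (kprobe_exceptions_notify in the trace above) work on a frame that does not describe the trapped context.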