Interception of a 64-bit Linux kernel function: 32/64-bit function pointer length?

I am trying to reprogram the old-as-behemoth kernel interception (described in this Phrack question).

The code to replace the call to a 32-bit function is as follows:

#define SYSMAPADDR 0x12345678
#define CODESIZE 7
static char acct_code[7] = "\xb8\x00\x00\x00\x00" /* movl $0, %eax */
                           "\xff\xe0";            /* jmp *%eax */
*(long *)&acct_code[1] = (long)my_hijacking_function;
// here, use either set_pages_rw or trick CR0 to do this:
memcpy(SYSMAPADDR, acct_code, CODESIZE);

But the 64-bit address of the original function is 0xffffffff12345678 (the kernel is located in small memory).

So will the (long) new function pointer match only 4 \x00 bytes of the movl command?

Btw, please link to Can I replace the Linux kernel function with a module? and Overriding functionality with modules in the Linux kernel, the hacker method described above is more flexible (it can intercept non-extern functions => there is no need to recompile the kernel).

+3
3

2 x86 (32 64 ).

, , ( x86-64), M .

% r11 . AMD64 ABI Draft 0.99.5,% r11 - , .

movq $addr, %r11 , : . jmp *%r11 , % r11.

, . , , , , .

, M store/jump . .

+4

. , x86_64.

- 64 , movl - - 64- , . , , 48 B8 (imm64) (.. movq ..., %rax), , ​​, . , 'x86-64' 'assembly' .

+2

JMP rel32 (0xE9) 32- . 2 . , % eax ( ).

, kprobes API. . , , . , , API- , , . , - (LOCK- ..).

, ftrace - ftrace.

+1
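An added example, not code from the question or any answer: a user-space classifier for the first bytes of a dumped function, covering the stub forms named on this page (the question's `b8 imm32; ff e0`, the `48 b8` / `%r11` imm64 forms, and `e9 rel32`) and reporting where each one would actually jump in 64-bit mode. The function name `classify_prologue`, the enum and the sample address are hypothetical, constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
enum hook_kind { HOOK_NONE, HOOK_MOV32_JMP, HOOK_MOV64_JMP, HOOK_JMP_REL32 };

/* Read an n-byte little-endian immediate. */
static uint64_t le(const uint8_t *p, int n)
{
    uint64_t v = 0;
    for (int i = n - 1; i >= 0; i--)
        v = (v << 8) | p[i];
    return v;
}

/* Classify the first n bytes of a function at address `at`. On a match,
 * *target receives the address the CPU would jump to in 64-bit mode. */
enum hook_kind classify_prologue(const uint8_t *b, size_t n, uint64_t at,
                                 uint64_t *target)
{
    /* b8 imm32; ff e0: a write to %eax zero-extends into %rax, so the
     * upper 32 bits of the intended pointer are lost. */
    if (n >= 7 && b[0] == 0xb8 && b[5] == 0xff && b[6] == 0xe0) {
        *target = le(b + 1, 4);
        return HOOK_MOV32_JMP;
    }
    /* 48 b8 imm64; ff e0 (via %rax) or 49 bb imm64; 41 ff e3 (via %r11). */
    if ((n >= 12 && b[0] == 0x48 && b[1] == 0xb8 && b[10] == 0xff && b[11] == 0xe0) ||
        (n >= 13 && b[0] == 0x49 && b[1] == 0xbb && b[10] == 0x41 &&
         b[11] == 0xff && b[12] == 0xe3)) {
        *target = le(b + 2, 8);
        return HOOK_MOV64_JMP;
    }
    /* e9 rel32: displacement is relative to the end of the 5-byte jump. */
    if (n >= 5 && b[0] == 0xe9) {
        *target = at + 5 + (uint64_t)(int64_t)(int32_t)(uint32_t)le(b + 1, 4);
        return HOOK_JMP_REL32;
    }
    return HOOK_NONE;
}

int main(void)
{
    /* Constructed sample: 7-byte stub with the low half of 0xffffffffa0001000. */
    const uint8_t stub[7] = { 0xb8, 0x00, 0x10, 0x00, 0xa0, 0xff, 0xe0 };
    uint64_t t = 0;
    enum hook_kind k = classify_prologue(stub, sizeof stub, 0, &t);
    printf("kind=%d target=0x%016llx\n", k, (unsigned long long)t);
    return 0;
}
```

For the 7-byte stub the reported target is 0x00000000a0001000, not a kernel address, which is the truncation the question asks about. A match is a heuristic only: small thunks can legitimately begin with `e9`, so comparing the bytes against the on-disk kernel image is the stronger check.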
