• Hook技术

    1. Hook是什么        

            Hook挂钩是一种功能强大的编程技术,可以在不更改原始代码的情况下监视软件行为或扩展功能。 这个想法是拦截某些事件或系统调用,并使用它们来启动您自己的自定义代码。Hook的原理是利用自己创建的动态库相对于系统动态库有优先调用权,也就是在出现同名函数时优先使用自己定义或者封装的库函数,相当于屏蔽了系统自带的库函数。Hook在网络安全,数据采集和系统控制领域使用广泛。

            关于文件监控拦截,其实不管是Ring0的LKM开发(系统调用表)还是Ring3这种用户不需要考虑内核的操作思想都是类似的。在open等系统调用前进行劫持,根据用户的需求进行确定,是否继续调用真正的系统调用,是否进行其他操作。

            Ring0的内核驱动开发,需要汇编的知识,内核开发复杂难度大,所以本文采用ring3的hook技术(技术不到家T_T)。当然写驱动来进行文件监控更强(看了别人的资料有大佬写了驱动编译到内核实现文件监控模块,他们公司是这么做的)。别人的观点是不管ring0内核hook还是ring3用户hook都不那么完美(有静态编译,强制加载LD_PRELOAD为系统原有动态库等方法阻止),但人家有更好的方法。

            关于网络拦截的思路就是确定hook点在connect和accept这两个系统调用,只要hook了这两个系统调用,那么指定IP的来连接或者访问此IP都不能进行。

    2. hook动态库的组织

            Hook代码经make得到了动态库libmyfilter.so后,我们需要根据准备使用的范围来确定将新创建的动态库默认加载在哪。

            LD_PRELOAD是个环境变量,用于动态库的加载,动态库加载的优先级最高。一般情况下,动态库加载顺序为LD_PRELOAD>LD_LIBRARY_PATH>/etc/ld.so.cache>/lib>/usr/lib。程序中我们经常要调用一些外部库的函数,以open()和execve()为例,如果我们有个自定义这两函数,把它编译成动态库后,通过LD_PRELOAD加载,当程序中调用open函数时,调用的其实是我们自定义的函数(这个其实就是hook啦),下面以一个例子说明。

    2.1 基于CPP的尝试

    1. //hello.cpp
    2. #include 
    3. #include 
    4. #include 
    5. #include 
    6. #include 
    7. #include 
    8. using namespace std;
    9.  
    10. int main(int argc,char *argv[])
    11. {
    12. 	int  fd;
    13. 	char *args[] = {"", NULL};
    14.  
    15. 	if(execve("/bin/date",args,NULL) == -1)
    16. 	{
    17. 		perror ("execve");
    18. 		exit(EXIT_FAILURE);
    19. 	}
    20. 	
    21. 	if(fd=open("/home/ok/test/hookTest/hello.c",O_RDONLY)!=-1)
    22. 	{
    23. 		fprintf(stdout,"openfile successed!\n");
    24. 	}
    25. 	else
    26. 	{
    27. 		fprintf(stderr,"openfile error!\n");
    28. 	}
    29. 	close(fd);
    30. 	return 0;
    31. }

             通过编译和ldd查看,当前依赖的是libc.so.6这个库,通过strace可以查看hello运行时调用的系统调用过程,这里面包括了系统去找各个.so的查找顺序,从这里也可以看出优先级。strace是一个父进程,它会创建一个子进程,子进程就就是对应的应用程序。当然,也可以在程序里面使用ptrace系统调用跟踪函数调用过程。

            在.so加载过程中,open --read--mmap--close等是一套过程。

            open和openat都是打开文件的系统调用,其主要参数为pathname,为文件打开路径。当传给函数的路径名是绝对路径时,二者无区别.(openat()自动忽略第一个参数dirfd)。当传给函数的是相对路径时,如果openat()函数的第一个参数dirfd是常量AT_FDCWD时,则其后的第二个参数路径名以当前工作目录为基址;否则以dirfd指定的目录文件描述符为基址。目录文件描述符的取得通常分为两步,先用opendir()函数获得对应的DIR结构的目录指针,再使用int dirfd(DIR*)函数将其转换成目录描述符,此时就可以作为openat()函数的第一个参数使用。

    • mmap主要完成.so文件到进程空间的映射
    • stat的原型是int stat(const char *path, struct stat *buf);用于获取文件或目录相关的信息
    • fstat获取文件状态
    • pread 对文件随机读
    • mprotect系统调用 的作用是设置虚拟内存区域访问权限
    • munmap系统调用是删除指定地址范围的映射,并导致对该范围内地址的进一步引用会生成无效的内存引用。 当进程终止时,该区域也会自动取消映射。 另一方面,关闭文件描述符不会取消区域映射
    • unlink系统调用用于删除指定文件,无法删除目录
    1. ok@u20:~/test/hookTest$ g++ hello.cpp -o hello
    2. hello.cpp: In function ‘int main(int, char**)’:
    3. hello.cpp:12:18: warning: ISO C++ forbids converting a string constant to ‘char*’ [-Wwrite-strings]
    4.    12 |  char *args[] = {"", NULL};
    5.       |                  ^~
    6. ok@u20:~/test/hookTest$ ldd hello
    7. 	linux-vdso.so.1 (0x00007ffc9ade9000)
    8. 	libstdc++.so.6 => /lib/x86_64-linux-gnu/libstdc++.so.6 (0x00007efc9ec88000)
    9. 	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007efc9ea96000)
    10. 	libm.so.6 => /lib/x86_64-linux-gnu/libm.so.6 (0x00007efc9e947000)
    11. 	/lib64/ld-linux-x86-64.so.2 (0x00007efc9ee89000)
    12. 	libgcc_s.so.1 => /lib/x86_64-linux-gnu/libgcc_s.so.1 (0x00007efc9e92c000)
    13. ok@u20:~/test/hookTest$ strace
    14. strace            strace-log-merge  
    15. ok@u20:~/test/hookTest$ strace ./hello 
    16. execve("./hello", ["./hello"], 0x7ffe35fc5540 /* 53 vars */) = 0
    17. brk(NULL)                               = 0x56516b945000
    18. arch_prctl(0x3001 /* ARCH_??? */, 0x7fffef521c70) = -1 EINVAL (无效的参数)
    19. access("/etc/ld.so.preload", R_OK)      = -1 ENOENT (没有那个文件或目录)
    20. openat(AT_FDCWD, "tls/haswell/x86_64/libstdc++.so.6", O_RDONLY|O_CLOEXEC) = -1 ENOENT (没有那个文件或目录)
    21. openat(AT_FDCWD, "tls/haswell/libstdc++.so.6", O_RDONLY|O_CLOEXEC) = -1 ENOENT (没有那个文件或目录)
    22. openat(AT_FDCWD, "tls/x86_64/libstdc++.so.6", O_RDONLY|O_CLOEXEC) = -1 ENOENT (没有那个文件或目录)
    23. openat(AT_FDCWD, "tls/libstdc++.so.6", O_RDONLY|O_CLOEXEC) = -1 ENOENT (没有那个文件或目录)
    24. openat(AT_FDCWD, "haswell/x86_64/libstdc++.so.6", O_RDONLY|O_CLOEXEC) = -1 ENOENT (没有那个文件或目录)
    25. openat(AT_FDCWD, "haswell/libstdc++.so.6", O_RDONLY|O_CLOEXEC) = -1 ENOENT (没有那个文件或目录)
    26. openat(AT_FDCWD, "x86_64/libstdc++.so.6", O_RDONLY|O_CLOEXEC) = -1 ENOENT (没有那个文件或目录)
    27. openat(AT_FDCWD, "libstdc++.so.6", O_RDONLY|O_CLOEXEC) = -1 ENOENT (没有那个文件或目录)
    28. openat(AT_FDCWD, "/usr/local/lib/tls/haswell/x86_64/libstdc++.so.6", O_RDONLY|O_CLOEXEC) = -1 ENOENT (没有那个文件或目录)
    29. stat("/usr/local/lib/tls/haswell/x86_64", 0x7fffef520ec0) = -1 ENOENT (没有那个文件或目录)
    30. openat(AT_FDCWD, "/usr/local/lib/tls/haswell/libstdc++.so.6", O_RDONLY|O_CLOEXEC) = -1 ENOENT (没有那个文件或目录)
    31. stat("/usr/local/lib/tls/haswell", 0x7fffef520ec0) = -1 ENOENT (没有那个文件或目录)
    32. openat(AT_FDCWD, "/usr/local/lib/tls/x86_64/libstdc++.so.6", O_RDONLY|O_CLOEXEC) = -1 ENOENT (没有那个文件或目录)
    33. stat("/usr/local/lib/tls/x86_64", 0x7fffef520ec0) = -1 ENOENT (没有那个文件或目录)
    34. openat(AT_FDCWD, "/usr/local/lib/tls/libstdc++.so.6", O_RDONLY|O_CLOEXEC) = -1 ENOENT (没有那个文件或目录)
    35. stat("/usr/local/lib/tls", 0x7fffef520ec0) = -1 ENOENT (没有那个文件或目录)
    36. openat(AT_FDCWD, "/usr/local/lib/haswell/x86_64/libstdc++.so.6", O_RDONLY|O_CLOEXEC) = -1 ENOENT (没有那个文件或目录)
    37. stat("/usr/local/lib/haswell/x86_64", 0x7fffef520ec0) = -1 ENOENT (没有那个文件或目录)
    38. openat(AT_FDCWD, "/usr/local/lib/haswell/libstdc++.so.6", O_RDONLY|O_CLOEXEC) = -1 ENOENT (没有那个文件或目录)
    39. stat("/usr/local/lib/haswell", 0x7fffef520ec0) = -1 ENOENT (没有那个文件或目录)
    40. openat(AT_FDCWD, "/usr/local/lib/x86_64/libstdc++.so.6", O_RDONLY|O_CLOEXEC) = -1 ENOENT (没有那个文件或目录)
    41. stat("/usr/local/lib/x86_64", 0x7fffef520ec0) = -1 ENOENT (没有那个文件或目录)
    42. openat(AT_FDCWD, "/usr/local/lib/libstdc++.so.6", O_RDONLY|O_CLOEXEC) = -1 ENOENT (没有那个文件或目录)
    43. stat("/usr/local/lib", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
    44. openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
    45. fstat(3, {st_mode=S_IFREG|0644, st_size=95136, ...}) = 0
    46. mmap(NULL, 95136, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7f97d0ebc000
    47. close(3)                                = 0
    48. openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libstdc++.so.6", O_RDONLY|O_CLOEXEC) = 3
    49. read(3, "\177ELF\2\1\1\3\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0`\341\t\0\0\0\0\0"..., 832) = 832
    50. fstat(3, {st_mode=S_IFREG|0644, st_size=1956992, ...}) = 0
    51. mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f97d0eba000
    52. mmap(NULL, 1972224, PROT_READ, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f97d0cd8000
    53. mprotect(0x7f97d0d6e000, 1290240, PROT_NONE) = 0
    54. mmap(0x7f97d0d6e000, 987136, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x96000) = 0x7f97d0d6e000
    55. mmap(0x7f97d0e5f000, 299008, PROT_READ, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x187000) = 0x7f97d0e5f000
    56. mmap(0x7f97d0ea9000, 57344, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1d0000) = 0x7f97d0ea9000
    57. mmap(0x7f97d0eb7000, 10240, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7f97d0eb7000
    58. close(3)                                = 0
    59. openat(AT_FDCWD, "tls/haswell/x86_64/libc.so.6", O_RDONLY|O_CLOEXEC) = -1 ENOENT (没有那个文件或目录)
    60. openat(AT_FDCWD, "tls/haswell/libc.so.6", O_RDONLY|O_CLOEXEC) = -1 ENOENT (没有那个文件或目录)
    61. openat(AT_FDCWD, "tls/x86_64/libc.so.6", O_RDONLY|O_CLOEXEC) = -1 ENOENT (没有那个文件或目录)
    62. openat(AT_FDCWD, "tls/libc.so.6", O_RDONLY|O_CLOEXEC) = -1 ENOENT (没有那个文件或目录)
    63. openat(AT_FDCWD, "haswell/x86_64/libc.so.6", O_RDONLY|O_CLOEXEC) = -1 ENOENT (没有那个文件或目录)
    64. openat(AT_FDCWD, "haswell/libc.so.6", O_RDONLY|O_CLOEXEC) = -1 ENOENT (没有那个文件或目录)
    65. openat(AT_FDCWD, "x86_64/libc.so.6", O_RDONLY|O_CLOEXEC) = -1 ENOENT (没有那个文件或目录)
    66. openat(AT_FDCWD, "libc.so.6", O_RDONLY|O_CLOEXEC) = -1 ENOENT (没有那个文件或目录)
    67. openat(AT_FDCWD, "/usr/local/lib/libc.so.6", O_RDONLY|O_CLOEXEC) = -1 ENOENT (没有那个文件或目录)
    68. openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
    69. read(3, "\177ELF\2\1\1\3\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\360A\2\0\0\0\0\0"..., 832) = 832
    70. pread64(3, "\6\0\0\0\4\0\0\0@\0\0\0\0\0\0\0@\0\0\0\0\0\0\0@\0\0\0\0\0\0\0"..., 784, 64) = 784
    71. pread64(3, "\4\0\0\0\20\0\0\0\5\0\0\0GNU\0\2\0\0\300\4\0\0\0\3\0\0\0\0\0\0\0", 32, 848) = 32
    72. pread64(3, "\4\0\0\0\24\0\0\0\3\0\0\0GNU\0\237\333t\347\262\27\320l\223\27*\202C\370T\177"..., 68, 880) = 68
    73. fstat(3, {st_mode=S_IFREG|0755, st_size=2029560, ...}) = 0
    74. pread64(3, "\6\0\0\0\4\0\0\0@\0\0\0\0\0\0\0@\0\0\0\0\0\0\0@\0\0\0\0\0\0\0"..., 784, 64) = 784
    75. pread64(3, "\4\0\0\0\20\0\0\0\5\0\0\0GNU\0\2\0\0\300\4\0\0\0\3\0\0\0\0\0\0\0", 32, 848) = 32
    76. pread64(3, "\4\0\0\0\24\0\0\0\3\0\0\0GNU\0\237\333t\347\262\27\320l\223\27*\202C\370T\177"..., 68, 880) = 68
    77. mmap(NULL, 2037344, PROT_READ, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f97d0ae6000
    78. mmap(0x7f97d0b08000, 1540096, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x22000) = 0x7f97d0b08000
    79. mmap(0x7f97d0c80000, 319488, PROT_READ, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x19a000) = 0x7f97d0c80000
    80. mmap(0x7f97d0cce000, 24576, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1e7000) = 0x7f97d0cce000
    81. mmap(0x7f97d0cd4000, 13920, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7f97d0cd4000
    82. close(3)                                = 0
    83. openat(AT_FDCWD, "tls/haswell/x86_64/libm.so.6", O_RDONLY|O_CLOEXEC) = -1 ENOENT (没有那个文件或目录)
    84. openat(AT_FDCWD, "tls/haswell/libm.so.6", O_RDONLY|O_CLOEXEC) = -1 ENOENT (没有那个文件或目录)
    85. openat(AT_FDCWD, "tls/x86_64/libm.so.6", O_RDONLY|O_CLOEXEC) = -1 ENOENT (没有那个文件或目录)
    86. openat(AT_FDCWD, "tls/libm.so.6", O_RDONLY|O_CLOEXEC) = -1 ENOENT (没有那个文件或目录)
    87. openat(AT_FDCWD, "haswell/x86_64/libm.so.6", O_RDONLY|O_CLOEXEC) = -1 ENOENT (没有那个文件或目录)
    88. openat(AT_FDCWD, "haswell/libm.so.6", O_RDONLY|O_CLOEXEC) = -1 ENOENT (没有那个文件或目录)
    89. openat(AT_FDCWD, "x86_64/libm.so.6", O_RDONLY|O_CLOEXEC) = -1 ENOENT (没有那个文件或目录)
    90. openat(AT_FDCWD, "libm.so.6", O_RDONLY|O_CLOEXEC) = -1 ENOENT (没有那个文件或目录)
    91. openat(AT_FDCWD, "/usr/local/lib/libm.so.6", O_RDONLY|O_CLOEXEC) = -1 ENOENT (没有那个文件或目录)
    92. openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libm.so.6", O_RDONLY|O_CLOEXEC) = 3
    93. read(3, "\177ELF\2\1\1\3\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\300\323\0\0\0\0\0\0"..., 832) = 832
    94. fstat(3, {st_mode=S_IFREG|0644, st_size=1369352, ...}) = 0
    95. mmap(NULL, 1368336, PROT_READ, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f97d0997000
    96. mmap(0x7f97d09a4000, 684032, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0xd000) = 0x7f97d09a4000
    97. mmap(0x7f97d0a4b000, 626688, PROT_READ, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0xb4000) = 0x7f97d0a4b000
    98. mmap(0x7f97d0ae4000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x14c000) = 0x7f97d0ae4000
    99. close(3)                                = 0
    100. openat(AT_FDCWD, "tls/haswell/x86_64/libgcc_s.so.1", O_RDONLY|O_CLOEXEC) = -1 ENOENT (没有那个文件或目录)
    101. openat(AT_FDCWD, "tls/haswell/libgcc_s.so.1", O_RDONLY|O_CLOEXEC) = -1 ENOENT (没有那个文件或目录)
    102. openat(AT_FDCWD, "tls/x86_64/libgcc_s.so.1", O_RDONLY|O_CLOEXEC) = -1 ENOENT (没有那个文件或目录)
    103. openat(AT_FDCWD, "tls/libgcc_s.so.1", O_RDONLY|O_CLOEXEC) = -1 ENOENT (没有那个文件或目录)
    104. openat(AT_FDCWD, "haswell/x86_64/libgcc_s.so.1", O_RDONLY|O_CLOEXEC) = -1 ENOENT (没有那个文件或目录)
    105. openat(AT_FDCWD, "haswell/libgcc_s.so.1", O_RDONLY|O_CLOEXEC) = -1 ENOENT (没有那个文件或目录)
    106. openat(AT_FDCWD, "x86_64/libgcc_s.so.1", O_RDONLY|O_CLOEXEC) = -1 ENOENT (没有那个文件或目录)
    107. openat(AT_FDCWD, "libgcc_s.so.1", O_RDONLY|O_CLOEXEC) = -1 ENOENT (没有那个文件或目录)
    108. openat(AT_FDCWD, "/usr/local/lib/libgcc_s.so.1", O_RDONLY|O_CLOEXEC) = -1 ENOENT (没有那个文件或目录)
    109. openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libgcc_s.so.1", O_RDONLY|O_CLOEXEC) = 3
    110. read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\3405\0\0\0\0\0\0"..., 832) = 832
    111. fstat(3, {st_mode=S_IFREG|0644, st_size=104984, ...}) = 0
    112. mmap(NULL, 107592, PROT_READ, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f97d097c000
    113. mmap(0x7f97d097f000, 73728, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x3000) = 0x7f97d097f000
    114. mmap(0x7f97d0991000, 16384, PROT_READ, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x15000) = 0x7f97d0991000
    115. mmap(0x7f97d0995000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x18000) = 0x7f97d0995000
    116. close(3)                                = 0
    117. mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f97d097a000
    118. arch_prctl(ARCH_SET_FS, 0x7f97d097af40) = 0
    119. mprotect(0x7f97d0cce000, 16384, PROT_READ) = 0
    120. mprotect(0x7f97d0995000, 4096, PROT_READ) = 0
    121. mprotect(0x7f97d0ae4000, 4096, PROT_READ) = 0
    122. mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f97d0978000
    123. mprotect(0x7f97d0ea9000, 45056, PROT_READ) = 0
    124. mprotect(0x56516b200000, 4096, PROT_READ) = 0
    125. mprotect(0x7f97d0f01000, 4096, PROT_READ) = 0
    126. munmap(0x7f97d0ebc000, 95136)           = 0
    127. brk(NULL)                               = 0x56516b945000
    128. brk(0x56516b966000)                     = 0x56516b966000
    129. execve("/bin/date", [""], NULL)         = 0
    130. brk(NULL)                               = 0x55e7d01b8000
    131. arch_prctl(0x3001 /* ARCH_??? */, 0x7ffc36455540) = -1 EINVAL (无效的参数)
    132. access("/etc/ld.so.preload", R_OK)      = -1 ENOENT (没有那个文件或目录)
    133. openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
    134. fstat(3, {st_mode=S_IFREG|0644, st_size=95136, ...}) = 0
    135. mmap(NULL, 95136, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7f42e2842000
    136. close(3)                                = 0
    137. openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
    138. read(3, "\177ELF\2\1\1\3\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\360A\2\0\0\0\0\0"..., 832) = 832
    139. pread64(3, "\6\0\0\0\4\0\0\0@\0\0\0\0\0\0\0@\0\0\0\0\0\0\0@\0\0\0\0\0\0\0"..., 784, 64) = 784
    140. pread64(3, "\4\0\0\0\20\0\0\0\5\0\0\0GNU\0\2\0\0\300\4\0\0\0\3\0\0\0\0\0\0\0", 32, 848) = 32
    141. pread64(3, "\4\0\0\0\24\0\0\0\3\0\0\0GNU\0\237\333t\347\262\27\320l\223\27*\202C\370T\177"..., 68, 880) = 68
    142. fstat(3, {st_mode=S_IFREG|0755, st_size=2029560, ...}) = 0
    143. mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f42e2840000
    144. pread64(3, "\6\0\0\0\4\0\0\0@\0\0\0\0\0\0\0@\0\0\0\0\0\0\0@\0\0\0\0\0\0\0"..., 784, 64) = 784
    145. pread64(3, "\4\0\0\0\20\0\0\0\5\0\0\0GNU\0\2\0\0\300\4\0\0\0\3\0\0\0\0\0\0\0", 32, 848) = 32
    146. pread64(3, "\4\0\0\0\24\0\0\0\3\0\0\0GNU\0\237\333t\347\262\27\320l\223\27*\202C\370T\177"..., 68, 880) = 68
    147. mmap(NULL, 2037344, PROT_READ, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f42e264e000
    148. mmap(0x7f42e2670000, 1540096, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x22000) = 0x7f42e2670000
    149. mmap(0x7f42e27e8000, 319488, PROT_READ, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x19a000) = 0x7f42e27e8000
    150. mmap(0x7f42e2836000, 24576, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1e7000) = 0x7f42e2836000
    151. mmap(0x7f42e283c000, 13920, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7f42e283c000
    152. close(3)                                = 0
    153. arch_prctl(ARCH_SET_FS, 0x7f42e2841580) = 0
    154. mprotect(0x7f42e2836000, 16384, PROT_READ) = 0
    155. mprotect(0x55e7cfd37000, 8192, PROT_READ) = 0
    156. mprotect(0x7f42e2887000, 4096, PROT_READ) = 0
    157. munmap(0x7f42e2842000, 95136)           = 0
    158. brk(NULL)                               = 0x55e7d01b8000
    159. brk(0x55e7d01d9000)                     = 0x55e7d01d9000
    160. openat(AT_FDCWD, "/etc/localtime", O_RDONLY|O_CLOEXEC) = 3
    161. fstat(3, {st_mode=S_IFREG|0644, st_size=573, ...}) = 0
    162. fstat(3, {st_mode=S_IFREG|0644, st_size=573, ...}) = 0
    163. read(3, "TZif2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\3\0\0\0\3\0\0\0\0"..., 4096) = 573
    164. lseek(3, -348, SEEK_CUR)                = 225
    165. read(3, "TZif2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\3\0\0\0\3\0\0\0\0"..., 4096) = 348
    166. close(3)                                = 0
    167. fstat(1, {st_mode=S_IFCHR|0620, st_rdev=makedev(0x88, 0x1), ...}) = 0
    168. write(1, "Tue Sep  6 10:34:09 CST 2022\n", 29Tue Sep  6 10:34:09 CST 2022
    169. ) = 29
    170. close(1)                                = 0
    171. close(2)                                = 0
    172. exit_group(0)                           = ?
    173. +++ exited with 0 +++
    174. ok@u20:~/test/hookTest$

    编写hook函数

    1. //hook.cpp
    2. #include 
    3. #include 
    4.  
    5. extern int __open(char *,int,int);
    6. //参数3:环境设备配置
    7. extern int execv(char *,char *[],char *envp[]);
    8. //打开文件
    9. int open(char * path,int flags,int mode)
    10. {
    11. 	//输出打开的文件名
    12. 	printf("open :%s\n",path);
    13. 	return __open(path,flags,mode);
    14. }
    15. //启动程序
    16. int execve(char * path,char* args[],char * envp[])
    17. {
    18. 	printf("execv :%s\n",path);
    19. 	return execv(path,args,envp);	
    20. }

    加载动态链接库后:   

    1.  g++ -fpic -c -ldl hook.cpp
    2.  g++ -shared -lc -o hook.so hook.o
    3.  export LD_PRELOAD=./hook.so   //加载库
    4.  export LD_PRELOAD=NULL;       //卸载库

     前后对比后发现,hello依赖的库发生了变化,多了./hook.so。

    export LD_PRELOAD = /home/ok/test/hook/libmyfilter.so,这一句要加在环境变量中,而环境变量有三种:shell环境变量,用户环境变量和系统环境变量。影响的范围是层层递进的,当我们执行这句命令就是在加载到当前shell中,若退出当前终端,动态库就不能生效了(通常需求的范围不会这么小),若我们需要在某个用户下达到hook的效果,那么就在当前用户的profile中添加这句。(当然不同架构,不同系统的文件名不同,但都不难找,就在用户目录中的某个隐藏文件),当我们需要在整个系统生效时,我们就需要在/etc/profile配置文件中加入这句(这是使用场景最多的)。重启电脑后就能看见效果:指定的目录的具有关键字文件不能打开(双击,cat都不能打开文件,但是vim可以,为什么呢,因为vim不是用open打开文件,需要我们再次确定hook点, 这里深入了解请百度strace),指定的IP不能访问也不能主动连接本机(浏览器,wget等均不能连接)。

     重新启动./hello后发现并没有起作用。我推测是不是因为是用的g++,而不是gcc造成的。

    本段是后补的

    实际上,使用g++也没关系,这里针对open的hook之所以没有成功,是因为execv系统调用和fork系统调用不同。fork生成子进程时会复制父进程的相关资源,子进程和父进程资源在fork后的初始时是一样的。但是execv却是覆盖了父进程的相关资源,父进程后面的代码不会执行。我们调整一下hello.cpp中open和execv的位置:

    1. #include 
    2. #include 
    3. #include 
    4. #include 
    5. #include 
    6.  
    7. int main(int argc,char *argv[])
    8. {
    9. 	int  fd;
    10. 	char *args[] = {"", NULL};
    11.  
    12. 	printf("I am here\n");
    13. 	
    14. 	if(fd=open("/home/ok/test/hookTest/hello.cpp",O_RDONLY)!=-1)
    15. 	{
    16. 		fprintf(stdout,"openfile successed!\n");
    17. 	}
    18. 	else
    19. 	{
    20. 		fprintf(stderr,"openfile error!\n");
    21. 	}
    22. 	close(fd);
    23. 	
    24. 	if(execve("/bin/date",args,NULL) == -1)
    25. 	{
    26. 		sleep(1);
    27. 		printf("here 1\n");
    28. 		perror ("execve");
    29. 		_exit(1);
    30. 	}
    31. 	
    32. 	return 0;
    33. }

     再写一个build.sh并赋予可运行权限:

    1. #! /bin/bash
    2.  
    3. g++ -shared -fPIC -o libhook.so hook.cpp
    4. g++ hello.cpp
    5. echo -e "**** start run ****\n"
    6. LD_PRELOAD=${PWD}/libhook.so ./a.out

     结果如下:

     但是使用ldd查看,发现并没有我们新编译的库哦。

     重新使用LD_PRELOAD后又出现了我们的库。但是并不影响运行。应该是前面已经export过了。

     使用strace发现这里确实使用了libhook.so中的open函数。

    1. ok@u20:~/test/hookTest$ strace ./a.out 
    2. execve("./a.out", ["./a.out"], 0x7fffcdab04d0 /* 54 vars */) = 0
    3. brk(NULL)                               = 0x55dd44cec000
    4. arch_prctl(0x3001 /* ARCH_??? */, 0x7ffc5ad18860) = -1 EINVAL (无效的参数)
    5. openat(AT_FDCWD, "./libhook.so", O_RDONLY|O_CLOEXEC) = 3
    6. read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\240\20\0\0\0\0\0\0"..., 832) = 832
    7. fstat(3, {st_mode=S_IFREG|0775, st_size=16344, ...}) = 0
    8. mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fd78c661000
    9. getcwd("/home/ok/test/hookTest", 128)   = 23
    10. mmap(NULL, 16448, PROT_READ, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7fd78c65c000
    11. mmap(0x7fd78c65d000, 4096, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1000) = 0x7fd78c65d000
    12. mmap(0x7fd78c65e000, 4096, PROT_READ, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x2000) = 0x7fd78c65e000
    13. mmap(0x7fd78c65f000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x2000) = 0x7fd78c65f000
    14. close(3)                                = 0
    15. access("/etc/ld.so.preload", R_OK)      = 0
    16. openat(AT_FDCWD, "/etc/ld.so.preload", O_RDONLY|O_CLOEXEC) = 3
    17. fstat(3, {st_mode=S_IFREG|0644, st_size=1, ...}) = 0
    18. mmap(NULL, 1, PROT_READ|PROT_WRITE, MAP_PRIVATE, 3, 0) = 0x7fd78c68f000
    19. close(3)                                = 0
    20. munmap(0x7fd78c68f000, 1)               = 0
    21. openat(AT_FDCWD, "tls/haswell/x86_64/libc.so.6", O_RDONLY|O_CLOEXEC) = -1 ENOENT (没有那个文件或目录)
    22. openat(AT_FDCWD, "tls/haswell/libc.so.6", O_RDONLY|O_CLOEXEC) = -1 ENOENT (没有那个文件或目录)
    23. openat(AT_FDCWD, "tls/x86_64/libc.so.6", O_RDONLY|O_CLOEXEC) = -1 ENOENT (没有那个文件或目录)
    24. openat(AT_FDCWD, "tls/libc.so.6", O_RDONLY|O_CLOEXEC) = -1 ENOENT (没有那个文件或目录)
    25. openat(AT_FDCWD, "haswell/x86_64/libc.so.6", O_RDONLY|O_CLOEXEC) = -1 ENOENT (没有那个文件或目录)
    26. openat(AT_FDCWD, "haswell/libc.so.6", O_RDONLY|O_CLOEXEC) = -1 ENOENT (没有那个文件或目录)
    27. openat(AT_FDCWD, "x86_64/libc.so.6", O_RDONLY|O_CLOEXEC) = -1 ENOENT (没有那个文件或目录)
    28. openat(AT_FDCWD, "libc.so.6", O_RDONLY|O_CLOEXEC) = -1 ENOENT (没有那个文件或目录)
    29. openat(AT_FDCWD, "/usr/local/lib/tls/haswell/x86_64/libc.so.6", O_RDONLY|O_CLOEXEC) = -1 ENOENT (没有那个文件或目录)
    30. stat("/usr/local/lib/tls/haswell/x86_64", 0x7ffc5ad17a90) = -1 ENOENT (没有那个文件或目录)
    31. openat(AT_FDCWD, "/usr/local/lib/tls/haswell/libc.so.6", O_RDONLY|O_CLOEXEC) = -1 ENOENT (没有那个文件或目录)
    32. stat("/usr/local/lib/tls/haswell", 0x7ffc5ad17a90) = -1 ENOENT (没有那个文件或目录)
    33. openat(AT_FDCWD, "/usr/local/lib/tls/x86_64/libc.so.6", O_RDONLY|O_CLOEXEC) = -1 ENOENT (没有那个文件或目录)
    34. stat("/usr/local/lib/tls/x86_64", 0x7ffc5ad17a90) = -1 ENOENT (没有那个文件或目录)
    35. openat(AT_FDCWD, "/usr/local/lib/tls/libc.so.6", O_RDONLY|O_CLOEXEC) = -1 ENOENT (没有那个文件或目录)
    36. stat("/usr/local/lib/tls", 0x7ffc5ad17a90) = -1 ENOENT (没有那个文件或目录)
    37. openat(AT_FDCWD, "/usr/local/lib/haswell/x86_64/libc.so.6", O_RDONLY|O_CLOEXEC) = -1 ENOENT (没有那个文件或目录)
    38. stat("/usr/local/lib/haswell/x86_64", 0x7ffc5ad17a90) = -1 ENOENT (没有那个文件或目录)
    39. openat(AT_FDCWD, "/usr/local/lib/haswell/libc.so.6", O_RDONLY|O_CLOEXEC) = -1 ENOENT (没有那个文件或目录)
    40. stat("/usr/local/lib/haswell", 0x7ffc5ad17a90) = -1 ENOENT (没有那个文件或目录)
    41. openat(AT_FDCWD, "/usr/local/lib/x86_64/libc.so.6", O_RDONLY|O_CLOEXEC) = -1 ENOENT (没有那个文件或目录)
    42. stat("/usr/local/lib/x86_64", 0x7ffc5ad17a90) = -1 ENOENT (没有那个文件或目录)
    43. openat(AT_FDCWD, "/usr/local/lib/libc.so.6", O_RDONLY|O_CLOEXEC) = -1 ENOENT (没有那个文件或目录)
    44. stat("/usr/local/lib", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
    45. openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
    46. fstat(3, {st_mode=S_IFREG|0644, st_size=95136, ...}) = 0
    47. mmap(NULL, 95136, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7fd78c644000
    48. close(3)                                = 0
    49. openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
    50. read(3, "\177ELF\2\1\1\3\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\360A\2\0\0\0\0\0"..., 832) = 832
    51. pread64(3, "\6\0\0\0\4\0\0\0@\0\0\0\0\0\0\0@\0\0\0\0\0\0\0@\0\0\0\0\0\0\0"..., 784, 64) = 784
    52. pread64(3, "\4\0\0\0\20\0\0\0\5\0\0\0GNU\0\2\0\0\300\4\0\0\0\3\0\0\0\0\0\0\0", 32, 848) = 32
    53. pread64(3, "\4\0\0\0\24\0\0\0\3\0\0\0GNU\0\237\333t\347\262\27\320l\223\27*\202C\370T\177"..., 68, 880) = 68
    54. fstat(3, {st_mode=S_IFREG|0755, st_size=2029560, ...}) = 0
    55. pread64(3, "\6\0\0\0\4\0\0\0@\0\0\0\0\0\0\0@\0\0\0\0\0\0\0@\0\0\0\0\0\0\0"..., 784, 64) = 784
    56. pread64(3, "\4\0\0\0\20\0\0\0\5\0\0\0GNU\0\2\0\0\300\4\0\0\0\3\0\0\0\0\0\0\0", 32, 848) = 32
    57. pread64(3, "\4\0\0\0\24\0\0\0\3\0\0\0GNU\0\237\333t\347\262\27\320l\223\27*\202C\370T\177"..., 68, 880) = 68
    58. mmap(NULL, 2037344, PROT_READ, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7fd78c452000
    59. mmap(0x7fd78c474000, 1540096, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x22000) = 0x7fd78c474000
    60. mmap(0x7fd78c5ec000, 319488, PROT_READ, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x19a000) = 0x7fd78c5ec000
    61. mmap(0x7fd78c63a000, 24576, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1e7000) = 0x7fd78c63a000
    62. mmap(0x7fd78c640000, 13920, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7fd78c640000
    63. close(3)                                = 0
    64. mmap(NULL, 12288, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fd78c44f000
    65. arch_prctl(ARCH_SET_FS, 0x7fd78c44f740) = 0
    66. mprotect(0x7fd78c63a000, 16384, PROT_READ) = 0
    67. mprotect(0x7fd78c65f000, 4096, PROT_READ) = 0
    68. mprotect(0x55dd42d1d000, 4096, PROT_READ) = 0
    69. mprotect(0x7fd78c690000, 4096, PROT_READ) = 0
    70. munmap(0x7fd78c644000, 95136)           = 0
    71. fstat(1, {st_mode=S_IFCHR|0620, st_rdev=makedev(0x88, 0x2), ...}) = 0
    72. brk(NULL)                               = 0x55dd44cec000
    73. brk(0x55dd44d0d000)                     = 0x55dd44d0d000
    74. write(1, "I am here\n", 10I am here
    75. )             = 10
    76. openat(AT_FDCWD, "/home/ok/test/hookTest/hello.cpp", O_RDONLY) = 3
    77. write(1, "openfile successed!\n", 20openfile successed!
    78. )   = 20
    79. close(1)                                = 0
    80. execve("/bin/date", [""], NULL)         = 0
    81. brk(NULL)                               = 0x55d4c834f000
    82. arch_prctl(0x3001 /* ARCH_??? */, 0x7ffe2aa48fa0) = -1 EINVAL (无效的参数)
    83. access("/etc/ld.so.preload", R_OK)      = 0
    84. openat(AT_FDCWD, "/etc/ld.so.preload", O_RDONLY|O_CLOEXEC) = 1
    85. fstat(1, {st_mode=S_IFREG|0644, st_size=1, ...}) = 0
    86. mmap(NULL, 1, PROT_READ|PROT_WRITE, MAP_PRIVATE, 1, 0) = 0x7f5b7cf44000
    87. close(1)                                = 0
    88. munmap(0x7f5b7cf44000, 1)               = 0
    89. openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 1
    90. fstat(1, {st_mode=S_IFREG|0644, st_size=95136, ...}) = 0
    91. mmap(NULL, 95136, PROT_READ, MAP_PRIVATE, 1, 0) = 0x7f5b7cf00000
    92. close(1)                                = 0
    93. openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libc.so.6", O_RDONLY|O_CLOEXEC) = 1
    94. read(1, "\177ELF\2\1\1\3\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\360A\2\0\0\0\0\0"..., 832) = 832
    95. pread64(1, "\6\0\0\0\4\0\0\0@\0\0\0\0\0\0\0@\0\0\0\0\0\0\0@\0\0\0\0\0\0\0"..., 784, 64) = 784
    96. pread64(1, "\4\0\0\0\20\0\0\0\5\0\0\0GNU\0\2\0\0\300\4\0\0\0\3\0\0\0\0\0\0\0", 32, 848) = 32
    97. pread64(1, "\4\0\0\0\24\0\0\0\3\0\0\0GNU\0\237\333t\347\262\27\320l\223\27*\202C\370T\177"..., 68, 880) = 68
    98. fstat(1, {st_mode=S_IFREG|0755, st_size=2029560, ...}) = 0
    99. mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f5b7cefe000
    100. pread64(1, "\6\0\0\0\4\0\0\0@\0\0\0\0\0\0\0@\0\0\0\0\0\0\0@\0\0\0\0\0\0\0"..., 784, 64) = 784
    101. pread64(1, "\4\0\0\0\20\0\0\0\5\0\0\0GNU\0\2\0\0\300\4\0\0\0\3\0\0\0\0\0\0\0", 32, 848) = 32
    102. pread64(1, "\4\0\0\0\24\0\0\0\3\0\0\0GNU\0\237\333t\347\262\27\320l\223\27*\202C\370T\177"..., 68, 880) = 68
    103. mmap(NULL, 2037344, PROT_READ, MAP_PRIVATE|MAP_DENYWRITE, 1, 0) = 0x7f5b7cd0c000
    104. mmap(0x7f5b7cd2e000, 1540096, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 1, 0x22000) = 0x7f5b7cd2e000
    105. mmap(0x7f5b7cea6000, 319488, PROT_READ, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 1, 0x19a000) = 0x7f5b7cea6000
    106. mmap(0x7f5b7cef4000, 24576, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 1, 0x1e7000) = 0x7f5b7cef4000
    107. mmap(0x7f5b7cefa000, 13920, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7f5b7cefa000
    108. close(1)                                = 0
    109. arch_prctl(ARCH_SET_FS, 0x7f5b7ceff580) = 0
    110. mprotect(0x7f5b7cef4000, 16384, PROT_READ) = 0
    111. mprotect(0x55d4c6d88000, 8192, PROT_READ) = 0
    112. mprotect(0x7f5b7cf45000, 4096, PROT_READ) = 0
    113. munmap(0x7f5b7cf00000, 95136)           = 0
    114. brk(NULL)                               = 0x55d4c834f000
    115. brk(0x55d4c8370000)                     = 0x55d4c8370000
    116. openat(AT_FDCWD, "/etc/localtime", O_RDONLY|O_CLOEXEC) = 1
    117. fstat(1, {st_mode=S_IFREG|0644, st_size=573, ...}) = 0
    118. fstat(1, {st_mode=S_IFREG|0644, st_size=573, ...}) = 0
    119. read(1, "TZif2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\3\0\0\0\3\0\0\0\0"..., 4096) = 573
    120. lseek(1, -348, SEEK_CUR)                = 225
    121. read(1, "TZif2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\3\0\0\0\3\0\0\0\0"..., 4096) = 348
    122. close(1)                                = 0
    123. fstat(1, 0x7ffe2aa48710)                = -1 EBADF (错误的文件描述符)
    124. write(1, "Tue Sep  6 16:33:54 CST 2022\n", 29) = -1 EBADF (错误的文件描述符)
    125. close(1)                                = -1 EBADF (错误的文件描述符)
    126. write(2, ": ", 2: )                       = 2
    127. write(2, "write error", 11write error)             = 11
    128. write(2, ": Bad file descriptor", 21: Bad file descriptor)   = 21
    129. write(2, "\n", 1
    130. )                       = 1
    131. exit_group(1)                           = ?
    132. +++ exited with 1 +++

    2.2 基于C的尝试

     hello.c

    1. #include 
    2. #include 
    3. #include 
    4. #include 
    5.  
    6. int main(int argc,char *argv[])
    7. {
    8. 	int  fd;
    9. 	execve("/bin/date","",NULL);
    10. 	if(fd=open("/home/ok/hookTest/test/hello.c",O_RDONLY)!=-1)
    11. 	{
    12. 		fprintf(stdout,"openfile successed!\n");
    13. 	}
    14. 	else
    15. 	{
    16. 		fprintf(stderr,"openfile error!\n");
    17. 	}
    18. 	close(fd);
    19. 	return 0;
    20. }

     hack.c

    1. extern int __open(char *,int,int);
    2. //参数3:环境设备配置
    3. extern int execv(char *,char *[],char *envp[]);
    4. //打开文件
    5. int open(char * path,int flags,int mode)
    6. {
    7. 	//输出打开的文件名
    8. 	printf("open :%s\n",path);
    9. 	return __open(path,flags,mode);
    10. }
    11. //启动程序
    12. int execve(char * path,char* args[],char * envp[])
    13. {
    14. 	printf("execv :%s\n",path);
    15. 	return execv(path,args,envp);

     这次发现起作用了。

            我猜测应该是open这个函数其实是libc.so提供的函数,应该是gcc编译成的库,而前面基于c++的尝试用的是g++编译形成的动态库,这两者虽然函数名相同,但是g++的open并没有起作用。(这一段猜错了,不用看这一段了

    危险的hook技术

            hook是十分危险的技术,因为它已经在系统层面作用,控制不好会反噬其主,我也写了一个open的动态库,结果中间不小心产生了无限递归(open中不能再用open),导致系统开机就进不去了。我后面也写死了几个系统了,所以每次测试之前都要快照!!
    我们假设某位不法人士将上面的程序改成任何目录和文件都是exit,那么你重启系统,系统就死掉了,这是无法挽回的后果!将网络拦截程序写成任意IP都不能访问,注入到你的电脑中,如果你不了解hook技术。那么你无论如何也找不出原因,不管如何调试你将无法上网!

    让普通用户拥有root权限

    1. //rootkit.c
    2. #include 
    3. #include 
    4. #include 
    5.  
    6. uid_t geteuid(void){return 0;}
    7. uid_t getuid(void){return 0;}
    8. uid_t getgid(void){return 0;}

     加载进去前:

     加载后:

    参考链接:

    https://blog.csdn.net/m0_37806112/article/details/80560235

    https://blog.csdn.net/weixin_45646368/article/details/111403378

    Linux应用调试之使用strace命令跟踪系统调用_陈 洪 伟的博客-CSDN博客_strace 查看系统调用

    https://www.csdn.net/tags/MtzakgzsNTAyMjItYmxvZwO0O0OO0O0O.html

  • 相关阅读:
    openstack 环境配置及基础组件安装
    .NET混合开发解决方案7 WinForm程序中通过NuGet管理器引用集成WebView2控件
    java面试题(spring框架篇)(黑马 )
    八股文第十九天
    LeetCode 0542. 01 矩阵
    看好多人都在劝退学计算机,可是张雪峰又 推荐过计算机,所以计算机到底是什么样 的?
    12.数据结构之梯度下降查找抛物线的极值
    流行的 Web 框架安全性比较
    GoogleTest部署实践--测试用例代码
    openGauss学习笔记-95 openGauss 数据库管理-访问外部数据库-postgres_fdw
  • 原文地址:https://blog.csdn.net/jinking01/article/details/126718873