Re: [LI] Hiding LKM's -- Beta-test

Wed, 19 Jan 2000 23:50:51 -0800 

On Thu, Jan 20, 2000 at 12:12:11PM +0530, Vimal Mathew wrote:
> Hi,
> 
>       I patched the SGI kernel debugger into my kernel today morning and
> found the assembly equivalent of the foll. C lines

You don't need a kernel debugger to do this. Just load vmlinux into
gdb and disassemble the function.

> 
>         /* Initialize the module.  */
>         atomic_set(&mod->uc.usecount,1);
>         if (mod->init && mod->init() != 0) {
>                 atomic_set(&mod->uc.usecount,0);
>                 error = -EBUSY;
>                 goto err0;
>         }
> to be
> 
> sys_init_module+0x433:                movl    $01,0x10(%ebx)
> sys_init_module+0x43a:                movl    0x2c(%ebx),%edx
> sys_init_module+0x43d:                testl   %edx,%edx
> sys_init_module+0x43f:                je      sys_init_module+0x458
> sys_init_module+0x441:                call    *%edx
> sys_init_module+0x443:                testl   %eax,%eax
> sys_init_module+0x445:                je      sys_init_module+0x458
> sys_init_module+0x447:                movl    $0x0,0x10(%ebx)
> sys_init_module+0x44e:                movl    $0xfffffff0,0xffffffac(%ebp)
> sys_init_module+0x455:                jmp     sys_init_module+0x4be
> 
> "mod" seems to be stored in %ebx for quite some time (I think from its
> first occurence in sys_init_module, even). I dont know why.
> 

Here is a guess - %ebx is a callee saved register. Read the calling 
convention at:

http://www.linuxdoc.org/HOWTO/Assembly-HOWTO-5.html

If you put mod in %ebx, it is guaranteed to be there even after the call.
So the instruction at sys_init_module+0x447 can use it without reloading
it.

It looks like the hack can be defeated simply by inserting a couple of
lines of dummy code in sys_init_module.

> And, about my original question, if I take my module out of the module link-
> list, will it cause any problems? Till now, my modules have only been 
> replacing other system-calls (such as "getdents"). Would the kernel try
> to reuse my kernel-memory (garbage-collection?) if I dont belong to the
> module-list?

There is no such thing as garbage collection in C or UNIX kernels. At best,
you can see reference counting. But no mark and sweep style garbage
collection. 

The kernel memory won't be freed unless you explicitly do it.

        -Arun

--------------------------------------------------------------------
The Linux India Mailing List Archives are now available.  Please search
the archive at http://lists.linux-india.org/ before posting your question
to avoid repetition and save bandwidth.

Reply via email to