Re: Reply: KLD loading, linking

On Mon, Nov 17, 2008 at 09:43:44PM +0100, Ed Schouten wrote:
> * Aleksandr Litvinov [EMAIL PROTECTED] wrote:
> > Hello,
> > You can receive a little information about KLD from the book Designing BSD Rootkits.
>
> I don't own this book myself, but a colleague at Snow B.V. once showed it to me. I only looked through it a couple of minutes, but it seemed like a book nice to have. It also shows some techniques on how to hide KLDs.

I have this book. It shows some techniques, but it doesn't explain many things. And for KLD loading it gives only easy examples without explaining how KLD-Loader works. It's not absolutely necessary to buy this book. There are some papers, which explain the topics of the book very well:

1. Fun and Games with FreeBSD Kernel Modules: http://www.r4k.net/mod/fbsdfun.html
2. Attacking FreeBSD with Kernel Modules: http://packetstormsecurity.org/papers/unix/bsdkern.htm

> --
> Ed Schouten [EMAIL PROTECTED]
> WWW: http://80386.nl/

--
Alexej Sokolov [EMAIL PROTECTED]
___
freebsd-hackers@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-hackers
To unsubscribe, send any mail to [EMAIL PROTECTED]

Re: KLD loading, linking

On Sun, Nov 16, 2008 at 11:09:00AM +0100, Ed Schouten wrote:
> * Alexej Sokolov [EMAIL PROTECTED] wrote:
> > What exactly does the macro MODULE_DEPEND do? The man page is too short, and I guess it does not tell all the things that the macro does.
>
> MODULE_DEPEND is used to say: this kernel module also depends on another module (i.e. the USB printer module depends on the USB code). Tools like kldload can then automatically load the missing modules.

Not only that. The use of the MODULE_DEPEND macro allows one module to access the variables of modules on which it depends. But the man page of MODULE_DEPEND doesn't tell anything about this functionality. Hence I am looking for any good documentation of the KLD loader. But I didn't find anything. Maybe looking in the source code is the best solution.

> --
> Ed Schouten [EMAIL PROTECTED]
> WWW: http://80386.nl/

--
Alexej Sokolov [EMAIL PROTECTED]

Re: KLD loading, linking

Alexej Sokolov [EMAIL PROTECTED] writes:
> Not only that. The use of the MODULE_DEPEND macro allows one module to access the variables of modules on which it depends.

No. Any module X can access any public variable or function in the kernel or in any other module Y, but loading X will fail if Y is not already loaded. The only effect of MODULE_DEPEND is to tell the loader that Y must be loaded before X.

DES
--
Dag-Erling Smørgrav - [EMAIL PROTECTED]

Reply: KLD loading, linking

2008/11/17, Alexej Sokolov [EMAIL PROTECTED]:
> On Sun, Nov 16, 2008 at 11:09:00AM +0100, Ed Schouten wrote:
> > * Alexej Sokolov [EMAIL PROTECTED] wrote:
> > > What exactly does the macro MODULE_DEPEND do? The man page is too short, and I guess it does not tell all the things that the macro does.
> >
> > MODULE_DEPEND is used to say: this kernel module also depends on another module (i.e. the USB printer module depends on the USB code). Tools like kldload can then automatically load the missing modules.
>
> Not only that. The use of the MODULE_DEPEND macro allows one module to access the variables of modules on which it depends. But the man page of MODULE_DEPEND doesn't tell anything about this functionality. Hence I am looking for any good documentation of the KLD loader. But I didn't find anything. Maybe looking in the source code is the best solution.
>
> > --
> > Ed Schouten [EMAIL PROTECTED]
> > WWW: http://80386.nl/
>
> --
> Alexej Sokolov [EMAIL PROTECTED]

Hello,
You can receive a little information about KLD from the book Designing BSD Rootkits.

--
Good Luck.
--
Litvinov Aleksandr.

Re: KLD loading, linking

On Mon, Nov 17, 2008 at 02:34:28PM +0100, Dag-Erling Smørgrav wrote:
> Alexej Sokolov [EMAIL PROTECTED] writes:
> > Not only that. The use of the MODULE_DEPEND macro allows one module to access the variables of modules on which it depends.
>
> No. Any module X can access any public variable or function in the kernel or in any other module Y, but loading X will fail if Y is not already loaded. The only effect of MODULE_DEPEND is to tell the loader that Y must be loaded before X.

No,
Example: two modules kld.c and kld1.1:

kld: http://pastebin.com/m67799565
Makefile: http://pastebin.com/m5418e5a7

kld1: http://pastebin.com/d154e8474
Makefile: http://pastebin.com/m79723138

In kld, a public int var_from_kld is declared. To access this variable from kld1 you have to uncomment the macro MODULE_DEPEND.

My system:
% uname -v
FreeBSD 7.0-RELEASE-p5 #0: Tue Oct 7 19:05:20 CEST 2008

Tell me please if I do something wrong!

Thanx

> DES
> --
> Dag-Erling Smørgrav - [EMAIL PROTECTED]

--
Alexandre Fiveg [EMAIL PROTECTED]
Key fingerprint = 0B23 EB52 3944 E440 CFF3 C1F1 7D05 8D00 34F7 A6BD

Re: Reply: KLD loading, linking

* Aleksandr Litvinov [EMAIL PROTECTED] wrote:
> Hello,
> You can receive a little information about KLD from the book Designing BSD Rootkits.

I don't own this book myself, but a colleague at Snow B.V. once showed it to me. I only looked through it a couple of minutes, but it seemed like a book nice to have. It also shows some techniques on how to hide KLDs.

--
Ed Schouten [EMAIL PROTECTED]
WWW: http://80386.nl/

Re: KLD loading, linking

* Alexej Sokolov [EMAIL PROTECTED] wrote:
> sysinit_set - contains a structure with a pointer to a function which will be called by loading of KLD

When you place SYSINIT() lines in your code, you can request functions to be called when the code is loaded. There are also some macros such as MTX_SYSINIT(), which is a friendly wrapper around SYSINIT() which initialises a mutex.

> modmetadata_set - what kind of information is there and which functions of linking/loading use it?

Each loadable kernel module contains a structure that contains the module name, but also a function pointer to the routine that contains the module's load/unload function. If this function returns an error, the kernel module will not be (un)loaded. Take a look at the simple kernel modules such as snp(4).

> What exactly does the macro MODULE_DEPEND do? The man page is too short, and I guess it does not tell all the things that the macro does.

MODULE_DEPEND is used to say: this kernel module also depends on another module (i.e. the USB printer module depends on the USB code). Tools like kldload can then automatically load the missing modules.

--
Ed Schouten [EMAIL PROTECTED]
WWW: http://80386.nl/

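Added example (not part of the thread and not FreeBSD source): a userland C sketch of the linker-set mechanism behind sections such as set_sysinit_set and set_modmetadata_set, where each macro use drops one pointer into a named ELF section and the loader walks that section. The record layout, the MD_* names and the "demo"/"usb" entries are simplified assumptions, and the code relies on GNU ld or lld defining the `__start_`/`__stop_` symbols for the section.

```c
/* Userland sketch of a linker set; simplified, not FreeBSD kernel code. */
#include <stdio.h>
#include <string.h>

/* Assumed, simplified record: the kernel's real structure differs. */
enum md_type { MD_DEPEND = 1, MD_MODULE = 2 };
struct md_entry {
    enum md_type type;
    const char  *name;           /* module name, or name of a dependency */
    int        (*handler)(int);  /* load/unload routine (MD_MODULE only) */
};

/* Store a POINTER to the record in the ELF section set_modmetadata_set. */
#define MD_SET_ADD(sym)                                               \
    static const struct md_entry *const md_ptr_##sym                  \
        __attribute__((section("set_modmetadata_set"), used)) = &sym

/* GNU ld and lld define these bounds for identifier-named sections. */
extern const struct md_entry *const __start_set_modmetadata_set[];
extern const struct md_entry *const __stop_set_modmetadata_set[];

/* Constructed sample module "demo" that declares a dependency on "usb". */
static int demo_handler(int cmd) { return cmd < 0 ? 1 : 0; }
static const struct md_entry demo_mod = { MD_MODULE, "demo", demo_handler };
static const struct md_entry demo_dep = { MD_DEPEND, "usb", NULL };
MD_SET_ADD(demo_mod);
MD_SET_ADD(demo_dep);

/* Entry count = section size / pointer size (compare readelf's Size). */
size_t md_count(void)
{
    return (size_t)(__stop_set_modmetadata_set - __start_set_modmetadata_set);
}

/* Walk the set as a loader would: is `name` recorded with this type? */
int md_has(enum md_type type, const char *name)
{
    const struct md_entry *const *p;

    for (p = __start_set_modmetadata_set; p < __stop_set_modmetadata_set; p++)
        if ((*p)->type == type && strcmp((*p)->name, name) == 0)
            return 1;
    return 0;
}

int main(void)
{
    printf("%zu entries; demo depends on usb: %d\n",
           md_count(), md_has(MD_DEPEND, "usb"));
    return 0;
}
```
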
KLD loading, linking

Hello,
I am looking for some info (maybe papers) about how the KLD linker works.

After compiling, the KLD contains two important sections:

% readelf -S mymod.ko | grep set
  [ 7] set_sysinit_set PROGBITS0560 000560 04 00 A 0 0 4
  [ 8] set_modmetadata_s PROGBITS0564 000564 08 00 A 0 0 4

sysinit_set - contains a structure with a pointer to a function which will be called by loading of KLD

modmetadata_set - what kind of information is there and which functions of linking/loading use it?

What exactly does the macro MODULE_DEPEND do? The man page is too short, and I guess it does not tell all the things that the macro does.

Thanks