Shulou(Shulou.com)06/01 Report--

This article will explain in detail how to add new features to the Linux kernel to hide the process address space memory from being stolen, and the content of the article is of high quality, so the editor will share it for you as a reference. I hope you will have some understanding of the relevant knowledge after reading this article.

First of all, let's see how to get the memory of other process address space. There is no doubt about ptrace. Other evil methods, such as using crash tools, exploiting system vulnerabilities, and inserting modules, are beyond the scope of this article.

Example above: test.c

# define handle_error (msg)\ do {perror (msg); exit (EXIT_FAILURE);} while (0) int main (void) {char * p; char const str [] = "Jeff Xie\ n"; p = malloc (sizeof (str)); if (! p) handle_error ("malloc"); printf ("p:0x%llx\ n", p) Memcpy (p, str, sizeof (str)); printf ("str:%s\ n", p); sleep (10000); return 0;}

Address: https://github.com/x-lugoo/hide-memory

In the above example, test.c simply malloc an area (heap area) and then save a string.

Terminal 1:

# gcc test.c #. / a.out p:0xd3d260 str:Jeff Xie

Terminal 2:

# ps-C a.out PID TTY TIME CMD 19145 pts/4 00:00:00 a.out # cat / proc/19145/maps 00400000-00401000 r-xp / home/jeff/a.out 00600000-00601000 Rmuri p / home/jeff/a.out 00601000-00602000 rw-p / home/jeff/a.out 00d3d000-00d5e000 rw-p [heap]

You can see that 0xd3d260 is in the heap area. Using readmem, you can simply and roughly read the backward ten bytes of the 0xd3d260 of process 19145 (a.out).

Terminal 2:

# readmem 19145 0xd3d260 10 Jeff Xie

The program readmem is implemented using the ptrace function. The code is as follows:

Https://github.com/x-lugoo/hide-memory/tree/main/ptrace

If process 19145 saves not an ordinary string, but the address of a millennium treasure left by an emperor, or the information in it is related to the lifeblood of the entire company, if it is acquired by someone with a low nice value, the consequences can be imagined.

Recently someone (predecessor) submitted a patch in the linux kernel community to solve this problem, and I simplified the whole patch a little bit.

Original patch:

Https://lore.kernel.org/linux-fsdevel/20201203062949.5484-1-rppt@kernel.org/T/#t

After being simplified by me:

Https://github.com/x-lugoo/hide-memory/blob/main/hidemem/0001-hidemem-Initialization-version.patc

The principle of this patch implementation:

Add a new system call memfd_hide, when the user uses this system call, it will return a fd, and then use mmap (. Fd...), map a piece of memory, this memory will be safe, others can not be obtained through ptrace.

-a/arch/x86/entry/syscalls/syscall_64.tbl + b/arch/x86/entry/syscalls/syscall_64.tbl @ @-362 common pidfd_getfd sys_pidfd_getfd 6 + 362 err 7 @ @ 438 common pidfd_getfd sys_pidfd_getfd 439 common faccessat2 sys_faccessat2 440 common process_madvise sys_process_madvise + 441 common memfd_hide sys_memfd_hide SYSCALL_DEFINE1 (memfd_hide, unsigned long, flags) {struct file * file; int fd, err Fd = get_unused_fd_flags (flags & O_CLOEXEC); file = hidemem_file_create (flags); fd_install (fd, file); return fd;}

When the user calls system call number 441, the system returns a fd, for example, the user layer calls:

# define _ NR_memfd_hide 441 static int memfd_secret (unsigned long flags) {return syscall (_ _ NR_memfd_hide, flags);} fd = memfd_secret (0)

Fd_install does the following to associate fd with the current process.

Struct fdtable * fdt; struct task_struct {... Struct files_struct * files;} fdt = current- > files- > fdt; fdt- > fd [fd] = file

Hidemem_file_create finally returns a struct file, but a very important action to do is to initialize a series of callback functions, allowing users to take appropriate actions when page fault occurs when calling mmap and memcpy, such as calling alloc_page (gfp) to request a piece of memory.

Fd = memfd_secret (0); p = mmap (NULL, 4096, prot, mode, fd, 0); memcpy (p, str, sizeof (str))

Follow the following green marks to sort out the function call relationship:

Static struct file * hidemem_file_create (unsigned long flags) {struct file * file = ERR_PTR (- ENOMEM); struct inode * inode; inode = alloc_anon_inode (hidemem_mnt- > mnt_sb); file = alloc_file_pseudo (inode, hidemem_mnt, "hidemem", O_RDWR, & hidemem_fops) Inode- > imapping-> a_ops = & hidemem_aops; static const struct file_operations hidemem_fops = {.release = hidemem_release, .mmap = hidemem_mmap,}; static int hidemem_mmap (struct file * file, struct vm_area_struct * vma) {vma- > vm_ops = & hidemem_vm_ops; vma- > vm_flags | = VM_LOCKED } static const struct vm_operations_struct hidemem_vm_ops = {.fault = hidemem_fault,}; static vm_fault_t hidemem_fault (struct vm_fault * vmf) {struct address_space * mapping = vmf- > vma- > vm_file- > fenestration mapping; vm_fault_t ret = 0; struct page * page; int err; page = find_get_page (mapping, offset) If (! page) {page = hidemem_alloc_page (vmf- > gfp_mask); err = add_to_page_cache (page, mapping, offset, vmf- > gfp_mask);} vmf- > page = page;} static struct page * hidemem_alloc_page (gfp_t gfp) {return alloc_page (gfp);}

Back to the question of how to hide the process space:

When other processes use the ptrace function to obtain the content of the specified process address space, they will call check_vma_flags (), and then add a conditional judgment. If this segment of vma (each column address range in / proc/pid/maps belongs to a vma) belongs to hidemem, an error is returned directly.

Static int check_vma_flags (struct vm_area_struct * vma, unsigned long gup_flags) {vm_flags_t vm_flags = vma- > vm_flags; @ @-923 struct vm_area_struct 6 + 925 vma 9 @ @ static int check_vma_flags (struct vm_area_struct * vma, unsigned long gup_flags) if (gup_flags & FOLL_ANON & &! vma_is_anonymous (vma)) return-EFAULT; + if (vma_is_hidemem (vma)) + return-EFAULT + if (write) {if (! (vm_flags & VM_WRITE)) {if (! (gup_flags & FOLL_FORCE)) static const struct vm_operations_struct hidemem_vm_ops = {.fault = hidemem_fault,}; bool vma_is_hidemem (struct vm_area_struct * vma) {return vma- > vm_ops = = & hidemem_vm_ops;}

After vma_is_hidemem (vma) judgment, if you use readmem to obtain the specified process memory segment using ptrace, you will directly report an error to achieve the purpose of hiding the page content behind the vma.

The above patch and test code are all in:

Https://github.com/x-lugoo/hide-memory

Original patch:

Https://lore.kernel.org/linux-fsdevel/20201203062949.5484-1-rppt@kernel.org/T/#t on how to add new functions in the Linux kernel to hide the process address space memory is not stolen to share here, I hope the above content can be of some help to you, can learn more knowledge. If you think the article is good, you can share it for more people to see.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.