
On Sun, 2002-05-05 at 22:10, Muli Ben-Yehuda wrote:
> > Is there a way to monitor how much memory a kernel module uses? I can
> > do it very crudely by watching top while rmmoding/insmoding.  Is there
> > any tool that I am unaware of (and did not find on TFW) that does it
> > better?
> 
> Not likely, but if you have that module's source, you can hack
> something yourself(*). 
> 
> Explanation why not (which you might or might not already know): a
> module is just a regular object file which gets linked into the kernel
> at run time. The notion of "memory which the kernel module uses" is
> not very well defined, since there are no clear boundaries between the
> module and the kernel (one cannot differentiate between memory used by
> the "base" kernel and memory used by the module).

As Muli pointed out, a module is simply an object file whose
unresolved symbols are linked at insmod time to the running kernel
image. This is why a module's memory consumption is not trivially
available to lusers.

However, since we are hackers and not mere mortals, the fact that a
kernel module is nothing more than an object file can also be used to
our advantage. For example, we can link it against another object file,
of our making, that will supply a symbol not found in the original
module, and use this to hijack the calls this binary module makes, to use
and abuse as we see fit.

Attached below are a Makefile and two C files that serve as a demo of how
to do this. For this example, our binary module is khttpd.o (available
from a /usr/src/linux near you) and the symbol in question is kmalloc.

To use the example, simply copy the module khttpd.o from your system into
the same directory, define KERNEL_DIR to point to your kernel source
directory (yes, I stole the Makefile from syscalltracker ;-) and type:
'make'.

The result will be four new .o files, of which only these two are of
interest: hack.o and mykhttpd.o

Now, insmod hack.o and mykhttpd.o, in this order.

What you will get is a loaded module which has the same code as the
original khttpd.o, but every time the original khttpd.o calls kmalloc()
this one will call the my_kmalloc() function which is defined in foo.c

The supplied function will print to the system log a message of the
following format: "M: X Y" for every call khttpd.o makes to kmalloc(),
where X is the size requested and Y is the flags parameter passed to it.

Note that this will ONLY be done for direct calls from khttpd.o to
kmalloc. If khttpd.o calls some other in-kernel function F() that calls
kmalloc(), this call will not be hijacked, but you can easily hijack the
symbol for the F() function in the same manner as well.

Happy Hacking,
Gilad.


You owe the Internet Oracle a Linux kernel module virus based on the
concept presented therein ;-)
 
-- 
Gilad Ben-Yossef <[EMAIL PROTECTED]>
http://benyossef.com
"Hail Eris! All Hail Discordia!"

[Attachment: hack.tar.bz2]

