0. 引言
1. 内核ko timer定时器，检测sys_call_table adress变动
2. 通过/dev/kmem获取IDT adress
3. 比较原始的系统调用地址和当前内核态中的系统调用地址发现是否有sys_call_table hook行为

1. 在内核态劫持系统调用能以较小的代价控制整个系统，不必修太多东西
2. 应用层大多数函数是一个或多个系统调用不同形式的封装，更改系统调用意味着其上层所有的函数都会被欺骗

http://www.blackhat.com/presentations/bh-europe-09/Lineberry/BlackHat-Europe-2009-Lineberry-code-injection-via-dev-mem-slides.pdf

1. The module does a copy of the Syscall Table to save all syscalls pointers
2. After this first step, the module uses the kernel timer to check every X secondes the diff between the Syscall Table and the copy.
3. If a diff is found, the module creates a workqueue to execute the python script and restore the good syscall pointer. 

/*
**  Copyright (C) 2013 - Jonathan Salwan - http://twitter.com/JonathanSalwan
**
**  This program is free software: you can redistribute it and/or modify
**  it under the terms of the GNU General Public License as published by
**  the Free Software Foundation, either version 3 of the License, or
**  (at your option) any later version.
**
**  This program is distributed in the hope that it will be useful,
**  but WITHOUT ANY WARRANTY; without even the implied warranty of
**  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
**  GNU General Public License for more details.
**
**  You should have received a copy of the GNU General Public License
**  along with this program.  If not, see <http://www.gnu.org/licenses/>.
**
**  For more information about this module,
**  see : http://shell-storm.org/blog/Simple-Hook-detection-Linux-module/
**
*/#include <asm/uaccess.h>
#include <linux/kernel.h>
#include <linux/kthread.h>
#include <linux/module.h>
#include <linux/slab.h>
#include <linux/syscalls.h>
#include <linux/timer.h>
#include <linux/workqueue.h>#define PATH_PYTHON "/usr/bin/python2.7"
#define PATH_SCRIPT "/opt/scripts/hook_detected.py"#define TIME_SLEEP 30000 /* in msec */static struct timer_list timer_s;
static struct workqueue_struct *wq;
static unsigned int syscall_table_size;
static unsigned long *addr_syscall_table;
static unsigned long *dump_syscall_table;static int exec_python_script(unsigned int sys_num)
{char s_num[32];char *argv[] = {PATH_PYTHON, PATH_SCRIPT, s_num, NULL};static char *envp[] = {"HOME=/", "TERM=linux", "PATH=/sbin:/bin:/usr/sbin:/usr/bin", NULL};struct subprocess_info *sub_info;sprintf(s_num, "%d", sys_num);sub_info = call_usermodehelper_setup(argv[0], argv, envp, GFP_ATOMIC);if (sub_info == NULL)return -ENOMEM;call_usermodehelper_exec(sub_info, UMH_WAIT_PROC);return 0;
}static unsigned long *get_syscalls_table(void)
{unsigned long *start;/* hack :/ */for (start = (unsigned long *)0xc0000000; start < (unsigned long *)0xffffffff; start++)if (start[__NR_close] == (unsigned long)sys_close){return start;}return NULL;
}static unsigned int get_size_syscalls_table(void)
{unsigned int size = 0;while (addr_syscall_table[size++]);return size * sizeof(unsigned long *);
}static void check_diff_handler(struct work_struct *w)
{unsigned int sys_num = 0;while (addr_syscall_table[sys_num]){if (addr_syscall_table[sys_num] != dump_syscall_table[sys_num]){printk(KERN_INFO "hook_detection: Hook detected ! (syscall %d)\n", sys_num);write_cr0(read_cr0() & (~0x10000));addr_syscall_table[sys_num] = dump_syscall_table[sys_num];write_cr0(read_cr0() | 0x10000);exec_python_script(sys_num);printk(KERN_INFO "hook_detection: syscall %d is restored\n", sys_num);}sys_num++;}
}
static DECLARE_DELAYED_WORK(check_diff, check_diff_handler);static void timer_handler(unsigned long data)
{unsigned long onesec;onesec = msecs_to_jiffies(1000);queue_delayed_work(wq, &check_diff, onesec);if (mod_timer(&timer_s, jiffies + msecs_to_jiffies(TIME_SLEEP)))printk(KERN_INFO "hook_detection: Failed to set timer\n");
}static int __init hook_detection_init(void)
{addr_syscall_table = get_syscalls_table();if (!addr_syscall_table){printk(KERN_INFO "hook_detection: Failed - Address of syscalls table not found\n");return -ECANCELED;}syscall_table_size = get_size_syscalls_table();dump_syscall_table = kmalloc(syscall_table_size, GFP_KERNEL);if (!dump_syscall_table){printk(KERN_INFO "hook_detection: Failed - Not enough memory\n");return -ENOMEM;}memcpy(dump_syscall_table, addr_syscall_table, syscall_table_size);wq = create_singlethread_workqueue("hook_detection_wq");setup_timer(&timer_s, timer_handler, 0);if (mod_timer(&timer_s, jiffies + msecs_to_jiffies(TIME_SLEEP))){printk(KERN_INFO "hook_detection: Failed to set timer\n");return -ECANCELED;}printk(KERN_INFO "hook_detection: Init OK\n");return 0;
}static void __exit hook_detection_exit(void)
{if (wq)destroy_workqueue(wq);kfree(dump_syscall_table);del_timer(&timer_s);printk(KERN_INFO "hook_detection: Exit\n");
}module_init(hook_detection_init);
module_exit(hook_detection_exit);MODULE_AUTHOR("Jonathan Salwan");
MODULE_DESCRIPTION("Hook Detection");
MODULE_LICENSE("GPL");

http://shell-storm.org/blog/Simple-Hook-detection-Linux-module/hook_detection.c
http://shell-storm.org/blog/Simple-Hook-detection-Linux-module/

#include < stdio.h >
#include < sys/types.h >
#include < fcntl.h >
#include < stdlib.h >int kfd;struct{unsigned short limit;unsigned int base;} __attribute__ ((packed)) idtr;struct{unsigned short off1;unsigned short sel;unsigned char none, flags;unsigned short off2;} __attribute__ ((packed)) idt;int readkmem (unsigned char *mem, unsigned off, int bytes){if (lseek64 (kfd, (unsigned long long) off, SEEK_SET) != off){return -1;}if (read (kfd, mem, bytes) != bytes) {return -1;}}int main (void){unsigned long sct_off;unsigned long sct;unsigned char *p, code[255];int i;/* request IDT and fill struct */asm ("sidt %0":"=m" (idtr));if ((kfd = open ("/dev/kmem", O_RDONLY)) == -1){perror("open");exit(-1);}if (readkmem ((unsigned char *)&idt, idtr.base + 8 * 0x80, sizeof (idt)) == -1){printf("Failed to read from /dev/kmem\n");exit(-1);}sct_off = (idt.off2 < < 16) | idt.off1;if (readkmem (code, sct_off, 0x100) == -1){printf("Failed to read from /dev/kmem\n");exit(-1);}/* find the code sequence that calls SCT */sct = 0;for (i = 0; i < 255; i++){if (code[i] == 0xff && code[i+1] == 0x14 && code[i+2] == 0x85)sct = code[i+3] + (code[i+4] < < 8) + (code[i+5] < < 16) + (code[i+6] < < 24);}if (sct)printf ("sys_call_table: 0x%x\n", sct);close (kfd);}

http://www.rootkitanalytics.com/kernelland/IDT-dev-kmem-method.php
http://www.phpweblog.net/GaRY/archive/2007/06/17/get_sys_call_table_address.html

1. System.map: 该文件包含所有的符号地址，系统调用也包含在内
2. vmlinux-2.4.x: 系统初始化时首先被读入内存的内核映像文件

/boot/System.map-3.10.0-327.el7.x86_64

cat /proc/kallsyms 

从里面枚举sys_call_table的function point地址
/boot/System.map-3.10.0-327.el7.x86_64和
cat /proc/kallsyms | grep sys_fork
进行diff对比 cat System.map-4.4.0-53-generic | grep sys_fork

def hex2dec(string_num):return str(int(string_num.upper(), 16))def check_rookit(diff_func_table):last_func_address_gap = 0cur_func_address_gap = 0for item in diff_func_table:cur_func_address_gap = abs(int(hex2dec(item['cur_funcaddress'])) - int(hex2dec(item['ori_funcaddress'])))if last_func_address_gap != 0 and cur_func_address_gap != last_func_address_gap:return Trueelse:last_func_address_gap = cur_func_address_gapreturn False

http://www.xfocus.net/articles/200411/754.html
http://www.magicsite.cn/blog/Linux-Unix/Linux/Linux41576.html
http://blog.csdn.net/tommy_wxie/article/details/8039695