Possible to hook sys_kill(pid, signal)?

[alichtman]

Just wanted to start out by saying this is an awesome project! Nice work!

---

I'm having a problem hooking sys_kill, and I was hoping you'd be able to help me out.

sys_kill is defined here in linux/syscalls.h.

I have been trying to hook this function for a while and can not get anything to compile. I was able to hook kill_pid, however, that did not hook the kill syscall.

// BUG: COMPILES BUT DOESN'T HOOK KILL.
KHOOK(kill_pid);
static int khook_kill_pid(struct pid *pid, int sig, int priv) {
	if (pid->numbers->nr == MAGIC_NUM) {
		return do_the_thing();
	} else {
		return KHOOK_ORIGIN(kill_pid, pid, sig, priv);
	}
}

Is there a way to hook the actual kill syscall? Or can it not be done since the syscall table is no longer exported, post-Kernel 2.6?

[milabs]

Hey, thank you for using KHOOK.

As for hooking system calls you have to hook sys_XXX symbols like sys_kill. See the example below:

KHOOK_EXT(long, sys_kill, long, long);
static long khook_sys_kill(long pid, long sig) {
        printk("sys_kill -- %s pid %ld sig %ld\n", current->comm, pid, sig);
        return KHOOK_ORIGIN(sys_kill, pid, sig);
}

Just use the right prototype for this sys_kill...

[alichtman]

Oh, whoops. My brain was not working correctly last night. Thanks for the help!

However, the example did not work for me. When I run $ kill <some_pid> in bash, this debug statement isn't printed.

I tried changing the first parameter to a pid_t type, and that did not solve the problem either.

I'm pretty sure that $ kill calls sys_kill(), but I'm not sure if that's true.

[milabs]

It's weird. I've tried to kill -9 1 and the dmesg shows me:
[ 4630.052329] sys_kill -- bash pid 1 sig 9

By the way, my kernel is 4.8.0-53-generic

[alichtman]

I'm working on 4.18.0-17-generic. Still not seeing the same behavior you're describing. Hmm.

[milabs]

OK, it makes sense then. From some point they changed syscalls notation and argument passing. So, now you have to look for __x64_sys_kill with long (*)(const struct pt_regs *) proto instead of sys_kill. The code may look like this (didn't test):

KHOOK_EXT(long, __x64_sys_kill, const struct pt_regs *);
static long khook___x64_sys_kill(const struct pt_regs *regs) {
        printk("sys_kill -- %s pid %ld sig %ld\n", current->comm, regs->di, regs->si);
        return KHOOK_ORIGIN(__x64_sys_kill, regs);
}

[alichtman]

Oh, alright, cool! I'll try this out when I have a minute.

[alichtman]

Worked perfectly. Thanks for the help!

[milabs]

Updated the README with this example. Thank you for the question.

[alichtman]

Can you explain where you found this new function signature?

KHOOK_EXT(long, __x64_sys_kill, const struct pt_regs *);
static long khook___x64_sys_kill(const struct pt_regs *regs)

I'm having trouble reproducing this with other syscalls.

For example, I have this hook for msgctl, and it's not being tripped.

KHOOK_EXT(long, __x64_ksys_msgctl, int, int, struct msqid_ds __user *);
static long khook___x64_ksys_msgctl(int msqid, int cmd, struct msqid_ds __user *buf)

Here is a relevant LKML email: https://lore.kernel.org/lkml/tip-d5a00528b58cdb2c71206e18bd021e34c4eab878@git.kernel.org/

But I can't figure out where you found the prototype for the updated sys_kill function. As far as I can tell, it's not in the source code. But I also know that can't be right, so I'm a little stuck. Google has turned up nothing so far.

Edit: I found this: https://github.com/torvalds/linux/blob/618d919cae2fcaadc752f27ddac8b939da8b441a/arch/x86/include/asm/syscall_wrapper.h#L125

and updated my code to:

KHOOK_EXT(long, __x64_ksys_msgctl, const struct pt_regs *);
static long khook___x64_ksys_msgctl(const struct pt_regs * regs) {
	// int msqid, int cmd, struct msqid_ds __user *buf
	action_task* task;
	// Read first two arguments
	if (regs->di == -1 && regs->si == -1) {
		if (condition) { 
			printk(KERN_EMERG "sys_msgctl -- preparing...\n");
			...
			return 0;
		} else {
			printk(KERN_EMERG "sys_msgctl\n");
			task = (action_task*) regs->dx;
			...
			return 0;
		}
	} else {
		return KHOOK_ORIGIN(__x64_ksys_msgctl, regs);
	}
}

However, this still does not hook msgctl calls.

[milabs]

TLDR: __x64_ksys_msgctl -> __x64_sys_msgctl

https://elixir.bootlin.com/linux/latest/source/ipc/msg.c#L614

SYSCALL_DEFINE3(msgctl, int, msqid, int, cmd, struct msqid_ds __user *, buf)
{
	return ksys_msgctl(msqid, cmd, buf);
}

You could ether hook ksys_msgctl(int, int, struct msqid_ds *) as a kernel function (in case if it is exported as a ksym with name -- check by grepping /proc/kallsyms) or hook __x64_sys_msgctl/sys_msgctl as a system call handler.

[alichtman]

ksys_msgctl does appear in /proc/kallsyms, and I've made this change: __x64_ksys_msgctl -> __x64_sys_msgctl.

It's still not being hooked properly.

The syscall definition you pasted in was the reason I initially had sys_msgctl hooked like this:

KHOOK_EXT(long, __x64_ksys_msgctl, int, int, struct msqid_ds __user *);
static long khook___x64_ksys_msgctl(int msqid, int cmd, struct msqid_ds __user *buf)

Should I change that ^ to __x64_sys_msgctl?

I feel like I’m missing some core understanding of what I’m doing. Do you have any recommendations for topics I should read up on?

[milabs]

Should I change that ^ to __x64_sys_msgctl?

YES (but I didn't test it)

[milabs]

This works well for me:

KHOOK_EXT(long, __x64_sys_msgctl, const struct pt_regs *);
static long khook___x64_sys_msgctl(const struct pt_regs *regs)
{
	printk("%s -- msqid:%ld cmd:%ld ptr:%p\n", current->comm, regs->di, regs->si, (void *)regs->dx);
	return KHOOK_ORIGIN(__x64_sys_msgctl, regs);
}

main.c

#include <sys/types.h>
#include <sys/ipc.h>
#include <sys/msg.h>

int main(int argc, const char *argv[])
{
	msgctl(100, 200, (void *)300);
	return 0;
}

$ dmesg
[108112.452874] a.out -- msqid:100 cmd:200 ptr:000000008b1f8f3d