Linux Kernel exploitation Tutorial.

Author: Lazenca

01.Development of Kernel Module/01.Hello world!/Makefile

@@ -0,0 +1,7 @@
+obj-m += sample.o
+
+all:
+	make -C /lib/modules/$(shell uname -r)/build M=$(PWD) modules
+
+clean:
+	make -C /lib/modules/$(shell uname -r)/build M=$(PWD) clean

01.Development of Kernel Module/01.Hello world!/sample.c

@@ -0,0 +1,11 @@
+#include <linux/module.h> /* Needed by all modules */
+#include <linux/kernel.h> /* Needed for KERN_INFO */
+
+int init_module(void) { 
+	printk(KERN_INFO "Hello world - Lazenca0x0.\n");
+	return 0;
+}
+
+void cleanup_module(void) { 
+	printk(KERN_INFO "Goodbye world - Lazenca0x0\n.");
+}

01.Development of Kernel Module/02.Character Device Drivers/Example [struct file_operations - .open]/Makefile

@@ -0,0 +1,7 @@
+obj-m := chardev.o
+
+all:
+	make -C /lib/modules/$(shell uname -r)/build M=$(shell pwd) modules
+clean:
+	make -C /lib/modules/$(shell uname -r)/build M=$(shell pwd) clean
+

01.Development of Kernel Module/02.Character Device Drivers/Example [struct file_operations - .open]/chardev.c

@@ -0,0 +1,57 @@
+#include <linux/init.h>
+#include <linux/module.h>
+#include <linux/types.h>
+#include <linux/kernel.h>
+#include <linux/fs.h>
+#include <linux/cdev.h>
+#include <linux/sched.h>
+#include <linux/device.h>
+#include <linux/slab.h>
+#include <asm/current.h>
+#include <linux/uaccess.h>
+
+#define DEVICE_NAME "chardev"
+#define DEVICE_FILE_NAME "chardev"
+#define MAJOR_NUM 100
+
+static int chardev_open(struct inode *inode, struct file *file)
+{
+    printk("chardev_open");
+    return 0;
+}
+
+struct file_operations chardev_fops = {
+    .open    = chardev_open,
+};
+
+static int chardev_init(void)
+{
+    int ret_val;
+    ret_val = register_chrdev(MAJOR_NUM, DEVICE_NAME, &chardev_fops);
+
+    if (ret_val < 0) {
+        printk(KERN_ALERT "%s failed with %d\n",
+	       "Sorry, registering the character device ", ret_val);
+	    return ret_val;
+    }
+
+    printk(KERN_INFO "%s The major device number is %d.\n",
+	   "Registeration is a success", MAJOR_NUM);
+    printk(KERN_INFO "If you want to talk to the device driver,\n");
+    printk(KERN_INFO "you'll have to create a device file. \n");
+    printk(KERN_INFO "We suggest you use:\n");
+    printk(KERN_INFO "mknod %s c %d 0\n", DEVICE_FILE_NAME, MAJOR_NUM);
+    printk(KERN_INFO "The device file name is important, because\n");
+    printk(KERN_INFO "the ioctl program assumes that's the\n");
+    printk(KERN_INFO "file you'll use.\n");
+
+    return 0;
+}
+
+static void chardev_exit(void)
+{
+    unregister_chrdev(MAJOR_NUM, DEVICE_NAME);
+}
+
+module_init(chardev_init);
+module_exit(chardev_exit);

01.Development of Kernel Module/02.Character Device Drivers/Example [struct file_operations .open, .release, .read, .write]/Makefile

@@ -0,0 +1,7 @@
+obj-m := chardev.o
+
+all:
+	make -C /lib/modules/$(shell uname -r)/build M=$(shell pwd) modules
+clean:
+	make -C /lib/modules/$(shell uname -r)/build M=$(shell pwd) clean
+

01.Development of Kernel Module/02.Character Device Drivers/Example [struct file_operations .open, .release, .read, .write]/chardev.c

@@ -0,0 +1,165 @@
+#include <linux/init.h>
+#include <linux/module.h>
+#include <linux/types.h>
+#include <linux/kernel.h>
+#include <linux/fs.h>
+#include <linux/cdev.h>
+#include <linux/sched.h>
+#include <linux/device.h>
+#include <linux/slab.h>
+#include <asm/current.h>
+#include <linux/uaccess.h>
+
+MODULE_LICENSE("Dual BSD/GPL");
+
+#define DRIVER_NAME "chardev"
+#define BUFFER_SIZE 256
+	
+static const unsigned int MINOR_BASE = 0;
+static const unsigned int MINOR_NUM  = 2;
+static unsigned int chardev_major;
+static struct cdev chardev_cdev;
+static struct class *chardev_class = NULL;
+
+static int     chardev_open(struct inode *, struct file *);
+static int     chardev_release(struct inode *, struct file *);
+static ssize_t chardev_read(struct file *, char *, size_t, loff_t *);
+static ssize_t chardev_write(struct file *, const char *, size_t, loff_t *);
+
+struct file_operations chardev_fops = {
+	.open    = chardev_open,
+	.release = chardev_release,
+	.read    = chardev_read,
+	.write   = chardev_write,
+};
+
+struct data {
+	unsigned char buffer[BUFFER_SIZE];
+};
+
+static int chardev_init(void)
+{
+	int alloc_ret = 0;
+	int cdev_err = 0;
+	int minor;
+	dev_t dev;
+
+	printk("The chardev_init() function has been called.");
+	
+	alloc_ret = alloc_chrdev_region(&dev, MINOR_BASE, MINOR_NUM, DRIVER_NAME);
+	if (alloc_ret != 0) {
+		printk(KERN_ERR  "alloc_chrdev_region = %d\n", alloc_ret);
+		return -1;
+	}
+	//Get the major number value in dev.
+	chardev_major = MAJOR(dev);
+	dev = MKDEV(chardev_major, MINOR_BASE);
+
+	//initialize a cdev structure
+	cdev_init(&chardev_cdev, &chardev_fops);
+	chardev_cdev.owner = THIS_MODULE;
+
+	//add a char device to the system
+	cdev_err = cdev_add(&chardev_cdev, dev, MINOR_NUM);
+	if (cdev_err != 0) {
+		printk(KERN_ERR  "cdev_add = %d\n", alloc_ret);
+		unregister_chrdev_region(dev, MINOR_NUM);
+		return -1;
+	}
+
+	chardev_class = class_create(THIS_MODULE, "chardev");
+	if (IS_ERR(chardev_class)) {
+		printk(KERN_ERR  "class_create\n");
+		cdev_del(&chardev_cdev);
+		unregister_chrdev_region(dev, MINOR_NUM);
+		return -1;
+	}
+
+	for (minor = MINOR_BASE; minor < MINOR_BASE + MINOR_NUM; minor++) {
+		device_create(chardev_class, NULL, MKDEV(chardev_major, minor), NULL, "chardev%d", minor);
+	}
+
+	return 0;
+}
+
+static void chardev_exit(void)
+{
+	int minor;	
+	dev_t dev = MKDEV(chardev_major, MINOR_BASE);
+	
+	printk("The chardev_exit() function has been called.");
+	
+	for (minor = MINOR_BASE; minor < MINOR_BASE + MINOR_NUM; minor++) {
+		device_destroy(chardev_class, MKDEV(chardev_major, minor));
+	}
+
+	class_destroy(chardev_class);
+	cdev_del(&chardev_cdev);
+	unregister_chrdev_region(dev, MINOR_NUM);
+}
+
+static int chardev_open(struct inode *inode, struct file *file)
+{
+	char *str = "helloworld";
+	int ret;
+
+	struct data *p = kmalloc(sizeof(struct data), GFP_KERNEL);
+
+	printk("The chardev_open() function has been called.");
+	
+	if (p == NULL) {
+		printk(KERN_ERR  "kmalloc - Null");
+		return -ENOMEM;
+	}
+
+	ret = strlcpy(p->buffer, str, sizeof(p->buffer));
+	if(ret > strlen(str)){
+		printk(KERN_ERR "strlcpy - too long (%d)",ret);
+	}
+
+	file->private_data = p;
+	return 0;
+}
+
+static int chardev_release(struct inode *inode, struct file *file)
+{
+	printk("The chardev_release() function has been called.");
+	if (file->private_data) {
+		kfree(file->private_data);
+		file->private_data = NULL;
+	}
+	return 0;
+}
+
+static ssize_t chardev_write(struct file *filp, const char __user *buf, size_t count, loff_t *f_pos)
+{
+	struct data *p = filp->private_data;
+
+	printk("The chardev_write() function has been called.");	
+	printk("Before calling the copy_to_user() function : %p, %s",p->buffer,p->buffer);
+	if (copy_from_user(p->buffer, buf, count) != 0) {
+		return -EFAULT;
+	}
+	printk("After calling the copy_to_user() function : %p, %s",p->buffer,p->buffer);
+	return count;
+}
+
+static ssize_t chardev_read(struct file *filp, char __user *buf, size_t count, loff_t *f_pos)
+{
+	struct data *p = filp->private_data;
+
+	printk("The chardev_read() function has been called.");
+	
+	if(count > BUFFER_SIZE){
+		count = BUFFER_SIZE;
+	}
+
+	if (copy_to_user(buf, p->buffer, count) != 0) {
+		return -EFAULT;
+	}
+
+	return count;
+}
+
+module_init(chardev_init);
+module_exit(chardev_exit);

01.Development of Kernel Module/02.Character Device Drivers/Example [struct file_operations .open, .release, .read, .write]/test

@@ -0,0 +1,32 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <fcntl.h>
+#include <unistd.h>
+#include <errno.h>
+ 
+int main()
+{
+    static char buff[256];
+    int fd0_A, fd0_B, fd1_A;
+ 
+    if ((fd0_A = open("/dev/chardev0", O_RDWR)) < 0) perror("open");
+    if ((fd0_B = open("/dev/chardev0", O_RDWR)) < 0) perror("open");
+    if ((fd1_A = open("/dev/chardev1", O_RDWR)) < 0) perror("open");
+ 
+    if (write(fd0_A, "0_A", 4) < 0) perror("write");
+    if (write(fd0_B, "0_B", 4) < 0) perror("write");
+    if (write(fd1_A, "1_A", 4) < 0) perror("write");
+ 
+    if (read(fd0_A, buff, 4) < 0) perror("read");
+    printf("%s\n", buff);
+    if (read(fd0_B, buff, 4) < 0) perror("read");
+    printf("%s\n", buff);
+    if (read(fd1_A, buff, 4) < 0) perror("read");
+    printf("%s\n", buff);
+     
+    if (close(fd0_A) != 0) perror("close");
+    if (close(fd0_B) != 0) perror("close");
+    if (close(fd1_A) != 0) perror("close");
+ 
+    return 0;
+}

01.Development of Kernel Module/02.Character Device Drivers/Example [struct file_operations .open, .release, .read, .write]/test.c

@@ -0,0 +1,14 @@
+obj-m := chardev.o
+MY_CFLAGS += -g -DDEBUG
+ccflags-y += ${MY_CFLAGS}
+CC += ${MY_CFLAGS}
+
+all:
+	make -C /lib/modules/4.18.0/build M=$(shell pwd) modules
+
+debug:
+	make -C /lib/modules/4.18.0/build M=$(PWD) modules EXTRA_CFLAGS="$(MY_CFLAGS)"
+
+clean:
+	make -C /lib/modules/$(shell uname -r)/build M=$(shell pwd) clean
+