blackbeast
有关监控系统输入的内核编程问题
我希望实现监控别人系统输入的功能,按照开源项目Sebek的说法可以直接hook sys_read
我就是这么做的
代码如下
/*
 * NewRead - replacement entry installed in place of sys_read.
 *
 * Runs the saved original handler (pOldRead) first, then, if the log file
 * handle pFile is set, copies up to 1023 bytes of the caller's buffer into
 * the static Buffer and writes it out through klib_fprintf.  pOldRead,
 * pFile, Buffer and klib_fprintf are all defined outside this function.
 *
 * Review notes on why this takes the system down and logs unrelated data:
 *  - buf is the user-space pointer the calling process handed to read(2);
 *    memcpy() below dereferences it directly in kernel context, which is
 *    unsafe (the page may not be resident or the address may be invalid)
 *    and is the most likely cause of the crash.
 *  - The copy length comes from count (what the caller asked for), not from
 *    nRes (what read() actually delivered), so unfilled bytes are logged too.
 *  - Buffer and the counter i are single static objects shared by every task
 *    on the system that calls read(); concurrent callers (SMP, preemption)
 *    overwrite each other.
 *  - klib_fprintf writes a file from inside the syscall path of whichever
 *    task happened to call read(), re-entering the filesystem layer on that
 *    task's stack.
 *  - The hook sees every read() on the machine, not only terminal input; the
 *    log excerpt in the post looks like /proc/<pid>/status contents read by
 *    system daemons, which is exactly what this indiscriminate hook captures.
 */
asmlinkage ssize_t NewRead (unsigned int fd, char *buf, size_t count)
{
static unsigned int i = 0;        /* log record counter, shared across all callers */
ssize_t nRes;                     /* return value of the original sys_read */
//----- run original sys_read....
nRes = pOldRead(fd, buf, count);
//----- check for error and interest: nothing to log on error or EOF
if(nRes < 1 )
{
goto OUT;
}
if(NULL!=pFile)
{
if(fd &&count>1)
{
/* Reads count bytes (not nRes) straight from the user-space buffer. */
memcpy(Buffer,buf,1023>count?count:1023);
/* NUL-terminate; assumes Buffer holds at least 1024 bytes -- verify its definition. */
Buffer[1023>count?count:1023]=0;
/* The escapes appear as forward slashes here (probably forum mangling of backslashes).
 * Note the second %u is paired with an unsigned long; if klib_fprintf follows
 * printf rules that is a format/argument mismatch. */
klib_fprintf(pFile,"%u :SysRead %u bytes: /"%s/" ./r/n",i,(unsigned long)count,Buffer);
i++;
}
}
OUT:
return nRes;
}
但是每次这个模块安装之后几秒钟内系统必定挂掉，
而且查看日志时发现输出信息非常杂乱，
根本和用户输入无关。
我想问
1 如何判断这个read函数调用的初始进程是谁
2 我的代码为什么会造成系统崩溃
第一次来这个论坛发贴
希望各位牛人多帮忙
btw klib_fprintf是我自己写的内核态写文件的函数代码
blackbeast
回复 #1 blackbeast 的帖子
再给大家贴一些我在日志文件中读到的信息片段 谁知道这些究竟是什么东西
如何过滤掉
71 :SysRead 129 bytes: "Name: hald-addon-keyb
State: S (sleeping)
SleepAVG: 78%
Tgid: 4139
Pid: 4139
PPid: 4125
TracerPid: 0
Uid: 107 107 107 107
Gid: 11" .
72 :SysRead 129 bytes: "Name: hald-addon-acpi
State: S (sleeping)
SleepAVG: 78%
Tgid: 4131
Pid: 4131
PPid: 4125
TracerPid: 0
Uid: 107 107 107 107
Gid: 11" .
73 :SysRead 129 bytes: "Name: hald-runner
State: S (sleeping)
SleepAVG: 47%
Tgid: 4125
Pid: 4125
PPid: 4124
TracerPid: 0
Uid: 0 0 0 0
Gid: 0 0 0 0
FDSize" .
74 :SysRead 129 bytes: "Name: hald
State: S (sleeping)
SleepAVG: 89%
Tgid: 4124
Pid: 4124
PPid: 1
TracerPid: 0
Uid: 107 107 107 107
Gid: 114 114 114 114
" .
75 :SysRead 129 bytes: "Name: dbus-daemon
State: S (sleeping)
SleepAVG: 60%
Tgid: 4108
Pid: 4108
PPid: 1
TracerPid: 0
Uid: 103 103 103 103
Gid: 106 106 1" .
76 :SysRead 129 bytes: "Name: klogd
State: S (sleeping)
SleepAVG: 78%
Tgid: 4087
Pid: 4087
PPid: 1
TracerPid: 0
Uid: 102 102 102 102
Gid: 103 103 103 103" .