milabs / Khook
Licence: gpl-2.0
Linux Kernel hooking engine (x86)
Stars: ✭ 144
Programming Languages
c
50402 projects - #5 most used programming language
Labels
Projects that are alternatives of or similar to Khook
Anticuckoo
A tool to detect and crash Cuckoo Sandbox
Stars: ✭ 233 (+61.81%)
Mutual labels: hooking, x86
Corehook
A library that simplifies intercepting application function calls using managed code and the .NET Core runtime
Stars: ✭ 191 (+32.64%)
Mutual labels: hooking, x86
Subhook
Simple hooking library for C/C++ (x86 only, 32/64-bit, no dependencies)
Stars: ✭ 470 (+226.39%)
Mutual labels: hooking, x86
RenHook
An open-source x86 / x86-64 hooking library for Windows.
Stars: ✭ 80 (-44.44%)
Mutual labels: x86, hooking
natick
natickOS - A minimal, lightweight, research Linux Distribution
Stars: ✭ 33 (-77.08%)
Mutual labels: linux-kernel, x86
Teamviewer permissions hook v1
A proof of concept injectable C++ dll, that uses naked inline hooking and direct memory modification to change your TeamViewer permissions.
Stars: ✭ 297 (+106.25%)
Mutual labels: hooking, x86
Urmem
[x86] Simple C++11 header-only cross-platform memhack library (hooks, patches, pointers, sig scan)
Stars: ✭ 76 (-47.22%)
Mutual labels: hooking, x86
Xray 16
Improved version of the X-Ray Engine, the game engine used in the world-famous S.T.A.L.K.E.R. game series by GSC Game World. Join OpenXRay! ;)
Stars: ✭ 1,806 (+1154.17%)
Mutual labels: x86
Gamemaniptutorial
A tutorial for manipulating the rendering of a game (generally to increase its quality) if you only have a binary available
Stars: ✭ 119 (-17.36%)
Mutual labels: hooking
V86
x86 virtualization in your browser, recompiling x86 to wasm on the fly
Stars: ✭ 12,765 (+8764.58%)
Mutual labels: x86
Raspberry Pi Os
Learning operating system development using Linux kernel and Raspberry Pi
Stars: ✭ 11,000 (+7538.89%)
Mutual labels: linux-kernel
Virtualcar
A virtual car. Because you wouldn't download a car, would you?
Stars: ✭ 114 (-20.83%)
Mutual labels: linux-kernel
0
KHOOK (خوک) - Linux Kernel hooking engine.
Usage
Include KHOOK engine:
#include "khook/engine.c"
Add the following line to the KBuild/Makefile:
ldflags-y += -T$(src)/khook/engine.lds (use LDFLAGS for old kernels)
Use khook_init() and khook_cleanup() to initalize and de-initialize hooking engine.
Examples
Hooking of generic kernel functions
An example of hooking a kernel function with known prototype (function is defined in linux/fs.h):
#include <linux/fs.h> // has inode_permission() proto
KHOOK(inode_permission);
static int khook_inode_permission(struct inode *inode, int mask)
{
int ret = 0;
ret = KHOOK_ORIGIN(inode_permission, inode, mask);
printk("%s(%p, %08x) = %d\n", __func__, inode, mask, ret);
return ret;
}
An example of hooking a kernel function with custom prototype (function is not defined in linux/binfmts.h):
#include <linux/binfmts.h> // has no load_elf_binary() proto
KHOOK_EXT(int, load_elf_binary, struct linux_binprm *);
static int khook_load_elf_binary(struct linux_binprm *bprm)
{
int ret = 0;
ret = KHOOK_ORIGIN(load_elf_binary, bprm);
printk("%s(%p) = %d (%s)\n", __func__, bprm, ret, bprm->filename);
return ret;
}
Starting from a6e7f394 it's possible to hook a function with big amount of arguments. This requires for KHOOK to make a local copy of N (hardcoded as 8) arguments which are passed through the stack before calling the handler function.
An example of hooking 12 argument function scsi_execute is shown below (see #5 for details):
#include <scsi/scsi_device.h>
KHOOK(scsi_execute);
static int khook_scsi_execute(struct scsi_device *sdev, const unsigned char *cmd, int data_direction, void *buffer, unsigned bufflen, unsigned char *sense, struct scsi_sense_hdr *sshdr, int timeout, int retries, u64 flags, req_flags_t rq_flags, int *resid)
{
int ret = 0;
ret = KHOOK_ORIGIN(scsi_execute, sdev, cmd, data_direction, buffer, bufflen, sense, sshdr, timeout, retries, flags, rq_flags, resid);
printk("%s(%lx, %lx, %lx, %lx, %lx, %lx, %lx, %lx, %lx, %lx, %lx, %lx) = %d\n", __func__, (long)sdev, (long)cmd, (long)data_direction, (long)buffer, (long)bufflen, (long)sense, (long)sshdr, (long)timeout, (long)retries, (long)flags, (long)rq_flags, (long)resid ,ret);
return ret;
}
Hooking of system calls (handler functions)
An example of hooking kill(2) system call handler (see #3 for the details):
// long sys_kill(pid_t pid, int sig)
KHOOK_EXT(long, sys_kill, long, long);
static long khook_sys_kill(long pid, long sig) {
printk("sys_kill -- %s pid %ld sig %ld\n", current->comm, pid, sig);
return KHOOK_ORIGIN(sys_kill, pid, sig);
}
// long sys_kill(const struct pt_regs *regs) -- modern kernels
KHOOK_EXT(long, __x64_sys_kill, const struct pt_regs *);
static long khook___x64_sys_kill(const struct pt_regs *regs) {
printk("sys_kill -- %s pid %ld sig %ld\n", current->comm, regs->di, regs->si);
return KHOOK_ORIGIN(__x64_sys_kill, regs);
}
Features
- x86 only
- 2.6.33+ kernels
- use of in-kernel length disassembler
How it works?
The diagram below illustrates the call to function X without hooking:
CALLER
| ...
| CALL X -(1)---> X
| ... <----. | ...
` RET | ` RET -.
`--------(2)-'
The diagram below illustrates the call to function X when KHOOK is used:
CALLER
| ...
| CALL X -(1)---> X
| ... <----. | JUMP -(2)----> STUB.hook
` RET | | ??? | INCR use_count
| | ... <----. | CALL handler -(3)------> HOOK.fn
| | ... | | DECR use_count <----. | ...
| ` RET -. | ` RET -. | | CALL origin -(4)-----> STUB.orig
| | | | | | ... <----. | N bytes of X
| | | | | ` RET -. | ` JMP X + N -.
`------------|----|-------(8)-' '-------(7)-' | |
| `-------------------------------------------|---------------------(5)-'
`-(6)--------------------------------------------'
License
This software is licensed under the GPL.
Author
2018, 2019, 2020
Note that the project description data, including the texts, logos, images, and/or trademarks,
for each open source project belongs to its rightful owner.
If you wish to add or remove any projects, please contact us at [email protected].