动态替换内核函数

需求：在某些情况下，系统需要升级，但是不能重启，此时需要动态替换内核函数，进行动态升级。

本功能是基于2.6.38版本进行开发。 patch：git@github.com:cooboos/kxchg.git

解决思想很简单，就是利用trap指令进行函数替换（目前只支持x86架构）。下面就代码进行分析：

+struct kxchg

+ struct list_head list; //链表

+ const char *symbol_name;//被替换的函数名

+ unsigned long addr; //被替换的函数地址

+ const char *symbol_name_rep;//替换函数的函数名

+ unsigned long addr_rep; //替换函数的函数地址

+ int ori_ins; //被替换的原始指令的第一个字节（目前只做了x86架构的支持，int3指令为）

+};

+/*

--- kernel/kxchg.c (revision 0)

+++ kernel/kxchg.c (revision 0)

@@ -0,0 +1,183 @@

+/*

+ * <hack.coo@gmail.com>, 2012

+ *

+ * Released under the terms of the GNU GPL v2.0

+ *

+ * version 1.0 for Linux-2.6.38

+ */

+/*

+ * trap int3 instruction

+ */

+#include <linux/kprobes.h>

+#include <linux/hash.h>

+#include <linux/init.h>

+#include <linux/slab.h>

+#include <linux/stddef.h>

+#include <linux/module.h>

+#include <linux/moduleloader.h>

+#include <linux/kallsyms.h>

+#include <linux/freezer.h>

+#include <linux/seq_file.h>

+#include <linux/debugfs.h>

+#include <linux/kdebug.h>

+#include <linux/kxchg.h>

+#include <linux/notifier.h>

+#include <linux/ptrace.h>

+unsigned long kallsyms_lookup_name(const char *name);

+extern void arch_trap_kxchg(struct kxchg *p);

+extern void arch_saveins(struct kxchg *p);

+extern int kxchg_notifier_process(struct notifier_block *self, unsigned long val, void *data);

+struct kxchg_list kxchg_head;

+struct kxchg_list kxchg_old;

+static int kxchg_addr(struct kxchg *p)

+ if (p && p->symbol_name && p->symbol_name_rep) {

+ p->addr = kallsyms_lookup_name(p->symbol_name);

+ if(!p->addr)

+ return 1;

+ p->addr_rep = kallsyms_lookup_name(p->symbol_name_rep);

+ if(!p->addr_rep)

+ return 1;

+ }

+ return 0;

+int get_kxchg(struct kxchg *kxchg)

+ int found = 0;

+ struct list_head *plist, *tmp;

+ struct kxchg *pkxchg = NULL;

+ //Fixme: rcu read lock

+ spin_lock(&kxchg_head.lock);

+ list_for_each_safe(plist, tmp, &kxchg_head.list) {

+ pkxchg = list_entry(plist, struct kxchg, list);

+ if(pkxchg->addr == kxchg->addr) {

+ /*

+ * this symbol already resitered

+ * one symbole is only registered once

+ */

+ found = 1;

+ list_del(&pkxchg->list);

+ }

+ spin_unlock(&kxchg_head.lock);

+ //Fixme:rcu read unlock

+ if (found) {

+ //Fixme: rcu write lock

+ spin_lock(&kxchg_old.lock);

+ list_add(&pkxchg->list, &kxchg_old.list);

+ spin_unlock(&kxchg_old.lock);

+ //Fixme: rcu write unlock

+ }

+ return 0;

+int kxchg_register(struct kxchg *ptr) //注册kxchg,

+ int ret;

+ /*

+ * address the original symbol

+ * and the replace symbol

+ */

+ ret = kxchg_addr(ptr); //获取被替换函数和替换函数的地址。

+ if(ret) {

+ printk("kxchg get addr error!\n");

+ return 1;

+ }

+ printk("symbol [%s] address [%lx] new replace symbol_add[%lx]\n",ptr->symbol_name, ptr->addr, ptr->addr_rep);

+ ret = get_kxchg(ptr);

+ if(ret){

+ printk("old [%s] also exist\n",ptr->symbol_name);

+ return 1;

+ }

+ //Fixme: rcu write lock

+ spin_lock(&kxchg_head.lock);

+ list_add(&ptr->list, &kxchg_head.list); //将本次注册的替换函数加入链表

+ spin_unlock(&kxchg_head.lock);

+ //Fixme: rcu write unlock

+ /*

+ *save the instruction the original symbol address pointed to

+ */

+ printk("arch save ins...\n");

+ arch_saveins(ptr); //保存被替换指令的第一个字节

+ /*

+ *replace the instruction by 0xcc,x86 for example;

+ */

+ printk("arch trap kxchg...\n");

+ arch_trap_kxchg(ptr); //将被替换指令的第一个字节替换为trap指令

+ //sync_core();

+ return 0;

+int kxchg_unregister(struct kxchg *kxchg) //unregister kxchg

+ int found = 0;

+ struct list_head *pos, *n;

+ struct kxchg *pos_k;

+ spin_lock(&kxchg_head.lock);

+ list_for_each_safe(pos, n, &kxchg_head.list){

+ pos_k = list_entry(pos, struct kxchg, list);

+ if(pos_k && !memcmp(pos_k->symbol_name, kxchg->symbol_name, 128)) {

+ memcpy((void *)kxchg->addr_rep, (void *)kxchg->ori_ins, 1);

+ list_del(pos);

+ found = 1;

+ break;

+ }

+ spin_lock(&kxchg_head.lock);

+ if(!found) {

+ spin_lock(&kxchg_old.lock);

+ list_for_each_safe(pos, n, &kxchg_old.list){

+ pos_k = list_entry(pos, struct kxchg, list);

+ if(pos_k && !memcmp(pos_k->symbol_name, kxchg->symbol_name, 128)) {

+ memcpy((void *)kxchg->addr_rep, (void *)kxchg->ori_ins, 1);

+ list_del(pos);

+ break;

+ }

+ spin_unlock(&kxchg_old.lock);

+ }

+ return 0;

+struct notifier_block kxchg_notifier_block = { //注册事件通知函数

+ .notifier_call = kxchg_notifier_process,

+ .priority = 0x7fffffff

+};

+static int __init init_kxchg(void)

+ INIT_LIST_HEAD(&kxchg_head.list);

+ spin_lock_init(&kxchg_head.lock);

+ INIT_LIST_HEAD(&kxchg_old.list);

+ spin_lock_init(&kxchg_old.lock);

+ register_die_notifier(&kxchg_notifier_block);

+ return 0;

+module_init(init_kxchg);

+EXPORT_SYMBOL_GPL(kxchg_register);

+EXPORT_SYMBOL_GPL(kxchg_unregister);

Index: arch/x86/kernel/kxchg.c

===================================================================

--- arch/x86/kernel/kxchg.c (revision 0)

+++ arch/x86/kernel/kxchg.c (revision 0)

@@ -0,0 +1,98 @@

补充：移动开发 , 其他 ,

上一个：Su易做图ceView显示动画效果
下一个：cocos2d-x菜鸟实习生学习篇 win32项目移植到安卓

更多图片编程知识:

更多wap疑问解答：: 新人求助QPainter; 为什么程序都退出了还可以收到推送？如果大多设备都可以推送那运营商怎么办？; qt 4.7 sqlserver2000 存储过程调用; 关于ANDROID4.0.1编译问题！; Android FrameBuffer读屏幕30秒后mmap失败; 联通粗定位用java程序如何来请求和接受数据; 为什么QT运行Android平台的程序时，mouseMoveEvent事件响应的间隔时间很长？？？？？？？？？？; android与PC蓝牙通讯; 指定大小的label 内容可变，如果内容超出label的宽度，将未能显示的部分显示在另一个label上; Android调试; android如何通过wifi连接无线打印机; 运行程序，release目录下产生一个乱码文件夹; 分享个某机构最新安卓资料，自己验证了; service启动不起来，掉不了service connection; 求助：QT5.0 没有QPrinter吗