回滚至2.2版本

Author: AndroidReverser-Test

README.md

@@ -24,5 +24,9 @@
 目前只在5.10以及5.15两个版本通过测试，理论上5.10以上版本都能正常使用。
 
 # 一些疑惑
-在内核使用uprobe_register函数注册uprobe挂载点的时候在一些特殊情况下会出现实际注册的函数偏移与传入的函数偏移不一致的问题，至于为什么会这样，
-我翻阅linux内核源码发现问题出现于[内存地址计算错误](https://elixir.bootlin.com/linux/v5.15.74/source/kernel/events/uprobes.c#L1004),从这里开始内存地址就出现了偏差，我推测是内存页计算有偏差，但是具体原因不清楚。
+~~在内核使用uprobe_register函数注册uprobe挂载点的时候在一些特殊情况下会出现实际注册的函数偏移与传入的函数偏移不一致的问题，至于为什么会这样， 我翻阅linux内核源码发现问题出现于内存地址计算错误,从这里开始内存地址就出现了偏差，我推测是内存页计算有偏差，但是具体原因不清楚。~~
+答案已经找到了，原来是我一开始就理解错了，传递给uprobe_register函数的偏移值压根就不是函数的文件偏移，而是要经过其他运算得到，简单来说就是函数地址减去所在内存段的基地址再加上该内存段内存区域的偏移量所得的值。
+计算示例如下：
+以下图片展示了一个so文件在maps文件中的区域段
+![计算示例](./pic/偏移计算.JPG)
+假如一个函数的地址为0x7626323000,那要hook这个函数那传给uprobe_register函数的偏移值应该为0x7626323000-0x7626322000+0x90000=0x91000.

kernel_trace.c

@@ -11,11 +11,10 @@
 #include <syscall.h>
 #include <asm/current.h>
 #include <hook.h>
-#include <linux/err.h>
 #include "kernel_trace.h"
 
 KPM_NAME("kernel_trace");
-KPM_VERSION("3.0.0");
+KPM_VERSION("2.2.0");
 KPM_LICENSE("GPL v2");
 KPM_AUTHOR("Test");
 KPM_DESCRIPTION("use uprobe trace some fun in kpm");
@@ -30,27 +29,26 @@ void (*rcu_read_unlock)(void) = 0;
 int (*trace_printk)(unsigned long ip, const char *fmt, ...) = 0;
 
 void *show_map_vma_addr;
-void *build_map_info_addr;
 
 
 char file_name[MAX_PATH_LEN];
 uid_t target_uid = -1;
 unsigned long fun_offsets[MAX_HOOK_NUM];
-unsigned long test_fun_addr;
 int hook_num = 0;
 struct rb_root fun_info_tree = RB_ROOT;
 static struct inode *inode;
 unsigned long module_base = 0;
 static struct uprobe_consumer trace_uc;
-static long long addr_fixer = 0;
 
 
 
 void before_show_map_vma(hook_fargs2_t *args, void *udata)
 {
+    struct seq_file* o_seq_file;
     struct vm_area_struct *ovma;
     unsigned long start, end;
 
+    o_seq_file = (struct seq_file*)args->arg0;
     ovma = (struct vm_area_struct*)args->arg1;
     start = ovma->vm_start;
     end = ovma->vm_end;
@@ -60,21 +58,6 @@ void before_show_map_vma(hook_fargs2_t *args, void *udata)
     }
 }
 
-void after_build_map_info(hook_fargs3_t *args, void *udata)
-{
-    struct map_info *tret = (struct map_info *)args->ret;
-    bool is_register = (bool)args->arg2;
-    unsigned long tvaddr = tret->vaddr;
-    long long fun_offset = (long long)args->arg1;
-
-    if(addr_fixer==0 && tvaddr!=test_fun_addr){
-        addr_fixer = test_fun_addr < tvaddr ? (-(tvaddr-test_fun_addr)) : (test_fun_addr-tvaddr);
-        logkd("+Test-Log+ addr_fixer:%lld\n",addr_fixer);
-        args->ret = ERR_PTR(-TRACE_FLAG);
-        return;
-    }
-}
-
 void before_mincore(hook_fargs3_t *args, void *udata){
     int trace_flag = (int)syscall_argn(args, 1);
     if(trace_flag<TRACE_FLAG || trace_flag>TRACE_FLAG+CLEAR_UPROBE){
@@ -103,15 +86,7 @@ void before_mincore(hook_fargs3_t *args, void *udata){
             goto error_out;
         }
 //        logkd("+Test-Log+ fun_name:%s,fun_offset:0x%llx\n",fun_name,fun_offset);
-        if(addr_fixer==0){
-            test_fun_addr = module_base+fun_offset;
-        }
-        int hret = uprobe_register(inode,fun_offset+addr_fixer,&trace_uc);
-
-        if(hret==-TRACE_FLAG){
-            hret = uprobe_register(inode,fun_offset+addr_fixer,&trace_uc);
-        }
-
+        int hret = uprobe_register(inode,fun_offset,&trace_uc);
         if(hret<0){
             logke("+Test-Log+ set uprobe error in 0x%llx\n",fun_offset);
             goto error_out;
@@ -125,14 +100,12 @@ void before_mincore(hook_fargs3_t *args, void *udata){
     if(trace_info==SET_MODULE_BASE){
         module_base = (unsigned long)syscall_argn(args, 0);
         logkd("+Test-Log+ set module_base:0x%llx\n",module_base);
-        addr_fixer = 0;
         goto success_out;
     }
 
     if(trace_info==SET_TARGET_UID){
         target_uid = (uid_t)syscall_argn(args, 0);
         logkd("+Test-Log+ set target_uid:%d\n",target_uid);
-        addr_fixer = 0;
         goto success_out;
     }
 
@@ -149,19 +122,17 @@ void before_mincore(hook_fargs3_t *args, void *udata){
         inode = igrab(path.dentry->d_inode);
         path_put(&path);
         logkd("+Test-Log+ success set file inode\n");
-        addr_fixer = 0;
         goto success_out;
     }
 
     if(trace_info==CLEAR_UPROBE){
         rcu_read_unlock();//解锁，不然内核会崩
         for (int i = 0; i < hook_num; ++i) {
-            uprobe_unregister(inode,fun_offsets[i]+addr_fixer,&trace_uc);
+            uprobe_unregister(inode,fun_offsets[i],&trace_uc);
         }
         hook_num = 0;
         destroy_entire_tree(&fun_info_tree);
         logkd("+Test-Log+ success clear all uprobes\n");
-        addr_fixer = 0;
         goto success_out;
     }
 
@@ -186,8 +157,13 @@ static int trace_handler(struct uprobe_consumer *self, struct mpt_regs *regs){
     if(uid==target_uid){
         fun_offset = regs->pc-module_base;
         tfun = search_key_value(&fun_info_tree,fun_offset);
-        if(likely(tfun)){
+        if(tfun){
             goto target_out;
+        }else{
+            tfun = search_key_value(&fun_info_tree,fun_offset- 0x1000);
+            if(likely(tfun)){
+                goto target_out;
+            }
         }
     }else{
         goto no_target_out;
@@ -227,7 +203,6 @@ static long kernel_trace_init(const char *args, const char *event, void *__user
     trace_printk = (typeof(trace_printk))kallsyms_lookup_name("__trace_printk");
 
     show_map_vma_addr = (void *)kallsyms_lookup_name("show_map_vma");
-    build_map_info_addr = (void *)kallsyms_lookup_name("build_map_info");
 
     logkd("+Test-Log+ mtask_pid_nr_ns:%llx\n",mtask_pid_nr_ns);
     logkd("+Test-Log+ uprobe_register:%llx\n",uprobe_register);
@@ -246,12 +221,11 @@ static long kernel_trace_init(const char *args, const char *event, void *__user
     logkd("+Test-Log+ trace_printk:%llx\n",trace_printk);
 
     logkd("+Test-Log+ show_map_vma_addr:%llx\n",show_map_vma_addr);
-    logkd("+Test-Log+ build_map_info_addr:%llx\n",build_map_info_addr);
 
     if(!(mtask_pid_nr_ns && uprobe_register && uprobe_unregister
     && kern_path && igrab && path_put && rcu_read_unlock
     && rb_erase && rb_insert_color && rb_first && trace_printk
-    && show_map_vma_addr && build_map_info_addr)){
+    && show_map_vma_addr)){
         logke("+Test-Log+ can not find some fun addr\n");
         return -1;
     }
@@ -270,11 +244,6 @@ static long kernel_trace_init(const char *args, const char *event, void *__user
         return -1;
     }
 
-     err = hook_wrap2(build_map_info_addr,NULL,after_build_map_info,0);
-    if(err){
-        logke("+Test-Log+ hook build_map_info error\n");
-        return -1;
-    }
 
     logkd("+Test-Log+ success init\n");
     return 0;
@@ -291,10 +260,9 @@ static long kernel_trace_exit(void *__user reserved)
 {
     inline_unhook_syscall(__NR_mincore, before_mincore, 0);
     unhook(show_map_vma_addr);
-    unhook(build_map_info_addr);
     rcu_read_unlock();//解锁，不然内核会崩
     for (int i = 0; i < hook_num; ++i) {
-        uprobe_unregister(inode,fun_offsets[i]+addr_fixer,&trace_uc);
+        uprobe_unregister(inode,fun_offsets[i],&trace_uc);
     }
     logkd("+Test-Log+ success clear all uprobes\n");
     destroy_entire_tree(&fun_info_tree);

kernel_trace.h

@@ -81,10 +81,4 @@ struct vm_area_struct {
     unsigned long vm_end;
 };
 
-struct map_info {
-    struct map_info *next;
-    struct mm_struct *mm;
-    unsigned long vaddr;
-};
-
 struct pid_namespace;