I want to write the code in kernel space to find all open file handles in the system and the process id which holdes those handles.
In user space we can do it using the utility "lsof". Similarly, i want the same in kernel space.
What's so great about Linux Kernel is that it's open source. If you want to understand how to implement something that is similar to lsof why not inspecting its' source code (I suggest the following implementation, from Android 4.2.2 source tree, at it is simplified and easier to understand) or straceing it to understand how the magic happens?
If you'll do so, at some point you'll encounter the following line
openat(AT_FDCWD, "/proc/<PID>/fd", O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC)
Which will hint you that for each PID that is running, procfs is able to print information about all open file descriptors that this process holds. Therefore, this is where I would start my research and journey through the code.
Related
I want to copy an integer variable from user space to kernel space.
Can anyone give me a simple example how to do this?
I came to know that we can use get_user but i am unable to know how..
Check man pages of copy_to_user and copy_from_user.
Write a simple kernel module, with read/write operations, and register and char device for them, something like /dev/sample.
Do an application write/read, on fd opened by this application.
Now you need to implement the mechanism for transferring this data to kernel space and read back whatever returned.
- In write you do a copy_from_user, before this check passed buffer is valid or not.
- In read you do a copy_to_user.
Make sure error conditions are taken care of, and open call implementation should keep track of how many opens are there, if you want to implement multiple open, and this count should be decremented, when application calls a close on opened FD.
Do you follow ?
I am trying to learn some concepts about the VFS in the Linux Kernel and I can't seem to find which call(s) are made when creating a new file. I am specially interested in knowing how to know if the folder the file is going to be created in is a valid folder. Could some one point in the direction of the system call(s) to create a new file?
P.S. I'm using kernel 3.4
If you're talking about user space (which I assume because you asked about system calls), then one of the easiest ways to determine which calls are invoked is to use the strace utility.
Here, I'm using the touch utility to create a file.
$ rm foo; strace touch foo
Looking at the resulting output where foo is referenced we see:
open("foo", O_WRONLY|O_CREAT|O_NOCTTY|O_NONBLOCK, 0666) = 3
This should give you some clues to dig down further.
Take a look at kernel sources: linux/fs/open.c. There is definition of sys_open() function (SYSCALL_DEFINE3(open,)...). AFAIK this function is called when you call open() from userspace.
I am playing around with the demo of IDA and I am trying to do some reverse engineering of a program to figure out the structure of one of its files that it uses. My final goal is to be able to read that file directly from my own program.
Using Process Monitor I was able to find the subroutine that calls kernel32_ReadFile. What I would like to know is how do I find out what the hFile variable is pointing to before it makes the call to ReadFile
I have been exploring around the menus while in debug mode and I have not found anywhere inside IDA where I can look up information about what file is associated with a file handle.
How do I map a handle to a real file?
This MSDN page describes ways to get the file name from a file handle:
http://msdn.microsoft.com/en-us/library/windows/desktop/aa366789(v=vs.85).aspx
Is that the information you were looking for? I'm not sure why you can't see the the file name directly in Process Monitor.
I would set a breakpoint on CreateFileA and CreateFileW and see what files are being opened. You can then match the returned HANDLE value to the subsequent ReadFile call.
I'm pretty new to linux, and I have a few questions about kernel module programming. I'm using ubuntu and C to make my .ko files. I'm trying to make a module that will execute program /b instead of /a whenever program /a is called. any tips?
also, even with printk (KERN_EMERG...), it won't print to the terminal. is there a setting i'm missing, or does ubuntu not do that?
Thanks a lot!
You may need to fiddle with the settings in /proc/sys/kernel/printk, which controls which levels are printed to the console. From proc(5):
/proc/sys/kernel/printk
The four values in this file are console_loglevel,
default_message_loglevel, minimum_console_level, and
default_console_loglevel. These values influence
printk() behavior when printing or logging error
messages. See syslog(2) for more info on the
different loglevels. Messages with a higher priority
than console_loglevel will be printed to the console.
Messages without an explicit priority will be printed
with priority default_message_level.
minimum_console_loglevel is the minimum (highest)
value to which console_loglevel can be set.
default_console_loglevel is the default value for
console_loglevel.
Note that, like nice(2) values, the lower values have higher priorities.
The easiest way to make an execve() for path /foo/a to execute /foo/b is to bind-mount /foo/b on top of /foo/a:
mount -obind /foo/b /foo/a
No kernel module is required.
Doing this same task with a kernel module would be significantly more work; the LSM interface may provide you with some assistance in figuring out when exactly your target is being executed. If you're looking for a starting point, do_execve() in fs/exec.c is where to start reading. Be sure to have ctags installed, run, and know how to use your editor's ctags integration, to make reading the code significantly easier.
Answer about printk:
It prints to the console, not the terminal. But what's the console?
You can find its TTY in /proc/cmdline. Normally it's tty0, which means the screen connected to the computer.
If you connect via SSH/TELNET, surely you won't see this.
If you're working in a graphical environment (Gnome/KDE), you may need something like alt-F1/F2 to switch to a text mode TTY.
You can also use the dmesg command to see the messages.
I'm trying gather measurements of cycle counts for a particular sys call (sys_clone) in the linux kernel. That said, my process won't be the only one calling it and I can't know my pid ahead of time; so I'll have to record every invocation of it for every pid.
The problem that I've got is that the only ways I can figure out how to output this data (debugfs, sysfs, procfs) involve statically sized buffers, which will be quickly overwritten with irrelevant data from other processes calling sys_clone.
So, does anyone know how to append an arbitrary number of lines to a user space accessible file in linux?
You can take the printk()/klogd approach, and use a circular buffer that is exported via /proc. A user-space process blocks on reading your /proc file, and once it reads something that is removed from the buffer. In fact, you could take a look whether klogd/syslogd can be modified to also read your /proc file, thus you wouldn't need to implement the userspace part.
If you are good with something simpler, just printk() your information in a normalized form with some prefix, and then just filter it out from your syslog using this prefix.
There are a few more possibilities (e.g. using netlink to send messages to userspace), but writing to a file from the kernel is not something I'd recommend.
You could stash the counts in the right task_struct, and make it visible through a per-process file in /proc/<pid>/.