I have been trying to locate the system call table by brute-force scanning, and the module keeps faulting at a certain address, "ffffffff81000018". The following is the code I have used:
#include<linux/kernel.h>
#include<linux/module.h>
#include<linux/dirent.h>
#include<linux/syscalls.h>
#include<linux/sysfs.h>
#include<linux/list.h>
#include<linux/proc_fs.h>
#include<linux/string.h>
#include<linux/uaccess.h>
#include<linux/fs.h>
#include<linux/unistd.h>
#include<linux/cred.h>
#if defined __x86_64__
/* Scan window, hard-coded for x86-64: a compile-time guess at where the
 * kernel image lives.  Nothing verifies that any page in this range is
 * mapped before it is read, so a kernel that is not located here faults
 * on the very first probe at START_ADDRESS + __NR_close * sizeof(void *)
 * (presumably a relocated/KASLR kernel -- confirm against the running
 * kernel's symbol addresses). */
#define START_ADDRESS 0xffffffff81000000
#define END_ADDRESS 0xffffffffa2000000
#endif
/* No #else branch: on any other architecture the two macros are undefined
 * and find_syscall_table() does not compile. */
MODULE_LICENSE("GPL");
/* Result of the scan done in init_module(); stays NULL when nothing matched. */
void **syscall_table;
/*
 * Linear scan of [START_ADDRESS, END_ADDRESS) in pointer-sized steps for a
 * pointer array whose __NR_close slot holds sys_close.  Returns the first
 * such candidate, or NULL once the window is exhausted.
 *
 * Each probe reads candidate[__NR_close] unconditionally; there is no check
 * that the page is mapped first, so an unmapped page anywhere in the window
 * turns into a kernel paging fault (an oops) rather than a miss.
 */
void **find_syscall_table(void)
{
	unsigned long addr;

	for (addr = START_ADDRESS; addr < END_ADDRESS; addr += sizeof(void *)) {
		void **candidate = (void **)addr;

		if (candidate[__NR_close] == (void *)sys_close) {
			return candidate;
		}
	}

	return NULL;
}
/*
 * Module entry point: run the scan once and cache the result in the global
 * syscall_table.  Only the success case is logged; on a miss syscall_table
 * is left NULL and the function still returns 0, so the module stays loaded
 * without having found anything.  On 4.15+ kernels pr_info's %p prints a
 * hashed value, not the raw address.
 */
int init_module(void)
{
	syscall_table = find_syscall_table();
	if (syscall_table) {
		pr_info("Found sys_call_table at %p\n", syscall_table);
	}
	return 0;
}
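/*
 * Module exit: log only.  Nothing is restored here because init_module()
 * only stores a pointer and never modifies kernel state.  The message now
 * ends in '\n' so printk emits it as a complete line instead of holding it
 * back as a continuation fragment; the trailing bare `return;` is dropped.
 */
void cleanup_module(void)
{
	pr_info("Good bye kernel!!!!\n");
}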
and the error I get is the following
[ 1376.153652] BUG: unable to handle kernel paging request at ffffffff81000018
[ 1376.153660] IP: init_module+0x1b/0x50 [hide_file]
[ 1376.153662] PGD 1bc0e067 P4D 1bc0e067 PUD 1bc0f063 PMD 0
[ 1376.153666] Oops: 0000 [#1] SMP PTI
[ 1376.153668] Modules linked in: hide_file(O+) fuse bnep pci_stub vboxpci(O) vboxnetadp(O) vboxnetflt(O) vboxdrv(O) binfmt_misc nls_ascii nls_cp437 vfat fat uvcvideo videobuf2_vmalloc videobuf2_memops videobuf2_v4l2 videobuf2_core snd_soc_skl videodev snd_hda_codec_hdmi media intel_rapl snd_soc_skl_ipc snd_hda_ext_core x86_pkg_temp_thermal btusb intel_powerclamp snd_soc_sst_dsp coretemp snd_soc_sst_ipc btrtl btbcm snd_soc_acpi btintel snd_hda_codec_realtek snd_hda_codec_generic snd_soc_core bluetooth snd_compress kvm drbg ansi_cprng snd_hda_intel ecdh_generic i915 irqbypass snd_hda_codec snd_hda_core arc4 wmi_bmof rtsx_pci_ms intel_cstate snd_hwdep iwlmvm snd_pcm mac80211 iwlwifi intel_uncore thinkpad_acpi drm_kms_helper mei_me snd_timer memstick nvram cfg80211 efi_pstore intel_rapl_perf snd evdev
[ 1376.153706] efivars sg drm soundcore mei joydev pcspkr serio_raw rfkill wmi shpchp intel_pch_thermal iTCO_wdt iTCO_vendor_support battery ac video i2c_algo_bit button tpm_crb efivarfs ip_tables x_tables autofs4 ext4 crc16 mbcache jbd2 crc32c_generic fscrypto ecb hid_generic usbhid hid sd_mod crct10dif_pclmul crc32_pclmul crc32c_intel ghash_clmulni_intel pcbc rtsx_pci_sdmmc mmc_core aesni_intel aes_x86_64 crypto_simd glue_helper cryptd rtsx_pci ahci mfd_core e1000e libahci xhci_pci ptp psmouse pps_core libata xhci_hcd i2c_i801 scsi_mod usbcore usb_common thermal
[ 1376.153737] CPU: 0 PID: 2244 Comm: insmod Tainted: G O 4.15.0-kali2-amd64 #1 Debian 4.15.11-1kali1
[ 1376.153742] RIP: 0010:init_module+0x1b/0x50 [hide_file]
[ 1376.153743] RSP: 0018:ffffc0adc85cfcc8 EFLAGS: 00010246
[ 1376.153745] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
[ 1376.153747] RDX: 000000000004e55a RSI: ffffffff81000000 RDI: ffffffffc0eea030
[ 1376.153749] RBP: ffffffffc0eea030 R08: ffff9965a2424b60 R09: ffffffffbcb0b288
[ 1376.153750] R10: ffffea3746bc08c0 R11: 0000000000000000 R12: ffff9965521f7a60
[ 1376.153752] R13: ffffffffc0eec018 R14: 0000000000000001 R15: ffff9964ff2474e0
[ 1376.153754] FS: 00007f2e082e8b80(0000) GS:ffff9965a2400000(0000) knlGS:0000000000000000
[ 1376.153755] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 1376.153757] CR2: ffffffff81000018 CR3: 0000000154c84002 CR4: 00000000003606f0
[ 1376.153758] Call Trace:
[ 1376.153763] do_one_initcall+0x4e/0x18d
[ 1376.153768] ? free_unref_page_commit+0x95/0x110
[ 1376.153770] ? _cond_resched+0x15/0x40
[ 1376.153773] ? kmem_cache_alloc_trace+0x14b/0x1a0
[ 1376.153777] ? do_init_module+0x22/0x201
[ 1376.153779] do_init_module+0x5b/0x201
[ 1376.153783] load_module.constprop.54+0x2725/0x2c70
[ 1376.153786] ? vfs_read+0x113/0x130
[ 1376.153789] ? SYSC_finit_module+0xe9/0x110
[ 1376.153792] SYSC_finit_module+0xe9/0x110
[ 1376.153795] do_syscall_64+0x6e/0x130
[ 1376.153798] entry_SYSCALL_64_after_hwframe+0x3d/0xa2
[ 1376.153801] RIP: 0033:0x7f2e07c178f9
[ 1376.153802] RSP: 002b:00007ffd4e622498 EFLAGS: 00000246 ORIG_RAX: 0000000000000139
[ 1376.153804] RAX: ffffffffffffffda RBX: 00005629814157b0 RCX: 00007f2e07c178f9
[ 1376.153806] RDX: 0000000000000000 RSI: 000056297fbc9a78 RDI: 0000000000000003
[ 1376.153807] RBP: 000056297fbc9a78 R08: 0000000000000000 R09: 00007f2e07edd000
[ 1376.153809] R10: 0000000000000003 R11: 0000000000000246 R12: 0000000000000000
[ 1376.153810] R13: 0000562981415760 R14: 0000000000000000 R15: 0000000000000000
[ 1376.153812] Code: c2 bc 75 ea f3 c3 31 c0 c3 0f 1f 80 00 00 00 00 0f 1f 44 00 00 48 c7 c6 00 00 00 81 eb 0d 48 83 c6 08 48 81 fe 00 00 00 a2 74 19 <48> 81 7e 18 d0 c5 c2 bc 75 e9 48 85 f6 48 89 35 e1 22 00 00 75
[ 1376.153844] RIP: init_module+0x1b/0x50 [hide_file] RSP: ffffc0adc85cfcc8
[ 1376.153845] CR2: ffffffff81000018
[ 1376.153847] ---[ end trace ec4600bb069abdd2 ]---
Could anyone please guide me on how to solve this problem so as to be able to hijack sys calls. Thanks.
Just use the kernel function kallsyms_lookup_name("sys_call_table") from "linux/kallsyms.h". That will return the address of the system call table as found in the /proc/kallsyms file. Don't worry if the address found in /boot/System.map-`uname -r` is different; you still found the sys_call_table. (Note that kallsyms_lookup_name is no longer exported to modules as of kernel 5.7, so this only applies to older kernels such as the 4.15 in the question.)
This is not an arbitrary "certain address". The close syscall number is 3, so the very first address you test is START_ADDRESS + 3 * sizeof(void *), which is precisely the faulting address.
This suggests that the parameters you used here are wrong to begin with.
The real question is why you are looking for the system call table at all, let alone in this manner. In the vast majority of cases you do not want to overwrite any syscall entries.