
ubuntu16.04.4: crash after loading syshook_execve

Open yeahx opened this issue 6 years ago • 0 comments

Triggered by the agent's insmod: [image]

[image]

Apr 12 19:25:59 test kernel: [  148.067042] Start found sys_call_table.
Apr 12 19:25:59 test kernel: [  148.068545] Found the sys_call_table!!! __NR_close[3] sys_close[ffffffff81210e40]
Apr 12 19:25:59 test kernel: [  148.068545]  __NR_execve[59] sct[__NR_execve][0xffffffff8184f320]
Apr 12 19:25:59 test kernel: [  148.068602] syshook: create netlink success.
Apr 12 19:25:59 test kernel: [  148.070779] Loading module monitor_execve, sys_call_table at ffffffff81a00200
Apr 12 19:26:01 test kernel: [  150.712893] BUG: unable to handle kernel paging request at fffffffdc3bd36a0
Apr 12 19:26:01 test kernel: [  150.712964] IP: [<ffffffffc06a5881>] monitor_stub_execve_hook+0x21/0x28 [syshook_execve]
Apr 12 19:26:01 test kernel: [  150.713034] PGD 1e0f067 PUD 0
Apr 12 19:26:01 test kernel: [  150.713067] Oops: 0000 [#1] SMP
Apr 12 19:26:01 test kernel: [  150.713100] Modules linked in: syshook_execve(OE) xt_nat xt_tcpudp ipt_MASQUERADE nf_nat_masquerade_ipv4 xfrm_user xfrm_algo iptable_nat nf_conntrack_ipv4 nf_defrag_ipv4 nf_nat_ipv4 xt_addrtype iptable_filter ip_tables xt_conntrack x_tables nf_nat nf_conntrack br_netfilter bridge stp llc aufs nfnetlink_queue nfnetlink_log nfnetlink tcp_diag bluetooth inet_diag vmw_vsock_vmci_transport vsock ppdev vmw_balloon snd_ens1371 snd_ac97_codec gameport snd_rawmidi snd_seq_device ac97_bus snd_pcm snd_timer snd coretemp soundcore joydev input_leds serio_raw parport_pc 8250_fintek parport i2c_piix4 shpchp vmw_vmci mac_hid ib_iser rdma_cm iw_cm ib_cm ib_sa ib_mad ib_core ib_addr iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi autofs4 btrfs raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq libcrc32c raid1 raid0 multipath linear crct10dif_pclmul crc32_pclmul ghash_clmulni_intel aesni_intel aes_x86_64 lrw gf128mul glue_helper ablk_helper cryptd vmwgfx ttm drm_kms_helper syscopyarea psmouse sysfillrect sysimgblt fb_sys_fops drm mptspi mptscsih ahci libahci e1000 mptbase scsi_transport_spi pata_acpi fjes
Apr 12 19:26:01 test kernel: [  150.714242] CPU: 0 PID: 1762 Comm: bash Tainted: G           OE   4.4.0-116-generic #140-Ubuntu
Apr 12 19:26:01 test kernel: [  150.714317] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 09/30/2014
Apr 12 19:26:01 test kernel: [  150.714401] task: ffff8800303d4600 ti: ffff880039d80000 task.ti: ffff880039d80000
Apr 12 19:26:01 test kernel: [  150.714512] RIP: 0010:[<ffffffffc06a5881>]  [<ffffffffc06a5881>] monitor_stub_execve_hook+0x21/0x28 [syshook_execve]
Apr 12 19:26:01 test kernel: [  150.714703] RSP: 0018:ffff880039d83f50  EFLAGS: 00010246
Apr 12 19:26:01 test kernel: [  150.714751] RAX: ffffffffc06a5860 RBX: 0000000001e0edc8 RCX: 0000000000000598
Apr 12 19:26:01 test kernel: [  150.714804] RDX: 0000000001dea008 RSI: 0000000001e0ee48 RDI: 0000000001e0edc8
Apr 12 19:26:01 test kernel: [  150.714857] RBP: 0000000000000001 R08: 00007ffd9af80a90 R09: 0000000000000000
Apr 12 19:26:01 test kernel: [  150.714910] R10: 0000000000000598 R11: 0000000000000206 R12: 0000000001e0edc8
Apr 12 19:26:01 test kernel: [  150.714963] R13: 0000000001e0ee48 R14: 0000000001dea008 R15: 0000000001e0ed68
Apr 12 19:26:01 test kernel: [  150.715017] FS:  00007f98fcd8c700(0000) GS:ffff88003c600000(0000) knlGS:0000000000000000
Apr 12 19:26:01 test kernel: [  150.716734] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
Apr 12 19:26:01 test kernel: [  150.718464] CR2: fffffffdc3bd36a0 CR3: 000000003a000000 CR4: 0000000000360670
Apr 12 19:26:01 test kernel: [  150.720287] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
Apr 12 19:26:01 test kernel: [  150.722047] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Apr 12 19:26:01 test kernel: [  150.723165] Stack:
Apr 12 19:26:01 test kernel: [  150.724100]  ffffffff8184efc8 00000000fc2c9fc5 00007f98fc37d0cc 0000000000000001
Apr 12 19:26:01 test kernel: [  150.725069]  00007f98fcd8e9d8 00007f98fcd8d030 00007f98fc3863c0 0000000000000206
Apr 12 19:26:01 test kernel: [  150.726000]  0000000000000598 0000000000000000 00007ffd9af80a90 ffffffffffffffda
Apr 12 19:26:01 test kernel: [  150.726965] Call Trace:
Apr 12 19:26:01 test kernel: [  150.727879]  [<ffffffff8184efc8>] ? entry_SYSCALL_64_fastpath+0x1c/0xbb
Apr 12 19:26:01 test kernel: [  150.728816] Code: e8 ae bd ae c0 e9 7b ff ff ff 53 57 56 52 51 50 41 50 41 51 41 52 41 53 e8 ad f8 ff ff 41 5b 41 5a 41 59 41 58 58 59 5a 5e 5f 5b <ff> 24 c5 a0 73 6a c0 55 48 8b 3d 08 1b 00 00 48 89 e5 e8 78 d2
Apr 12 19:26:01 test kernel: [  150.731763] RIP  [<ffffffffc06a5881>] monitor_stub_execve_hook+0x21/0x28 [syshook_execve]
Apr 12 19:26:01 test kernel: [  150.732700]  RSP <ffff880039d83f50>
Apr 12 19:26:01 test kernel: [  150.733621] CR2: fffffffdc3bd36a0
Apr 12 19:26:01 test kernel: [  150.734541] ---[ end trace 7e834cbd3143b047 ]---

yeahx, Apr 12 '18 03:04
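Added triage script (editor's example, not code from this report or from the yulong-hids project): it parses the register dump and the Code: line of the oops above, decodes the faulting bytes `ff 24 c5 a0 73 6a c0` as the x86-64 instruction `jmp *disp32(,%rax,8)`, and checks that disp32 + RAX*8 reproduces the CR2 address. It also shows that RAX at the jump equals the stub's own address (RIP - 0x21), not __NR_execve (59); the reading that the stub wrongly assumed %rax still held the syscall number is my inference from those values, not something the report states.

```python
import re

# Subset of the oops lines quoted in this issue (constructed from the report above).
OOPS = """\
Apr 12 19:26:01 test kernel: [  150.712893] BUG: unable to handle kernel paging request at fffffffdc3bd36a0
Apr 12 19:26:01 test kernel: [  150.714512] RIP: 0010:[<ffffffffc06a5881>]  [<ffffffffc06a5881>] monitor_stub_execve_hook+0x21/0x28 [syshook_execve]
Apr 12 19:26:01 test kernel: [  150.714751] RAX: ffffffffc06a5860 RBX: 0000000001e0edc8 RCX: 0000000000000598
Apr 12 19:26:01 test kernel: [  150.728816] Code: e8 ae bd ae c0 e9 7b ff ff ff 53 57 56 52 51 50 41 50 41 51 41 52 41 53 e8 ad f8 ff ff 41 5b 41 5a 41 59 41 58 58 59 5a 5e 5f 5b <ff> 24 c5 a0 73 6a c0 55 48 8b 3d 08 1b 00 00 48 89 e5 e8 78 d2
"""
MASK64 = (1 << 64) - 1
NR_EXECVE = 59  # __NR_execve on x86-64, as printed by the module itself


def parse_oops(text):
    """Pull RIP, symbol offset, RAX, fault address and the faulting bytes out of an x86-64 oops."""
    rip = int(re.search(r"RIP: \w+:\[<([0-9a-f]+)>\]", text).group(1), 16)
    sym, off = re.search(r"\] (\w+)\+0x([0-9a-f]+)/0x[0-9a-f]+ \[", text).groups()
    rax = int(re.search(r"RAX: ([0-9a-f]{16})", text).group(1), 16)
    cr2 = int(re.search(r"paging request at ([0-9a-f]+)", text).group(1), 16)
    code = re.search(r"Code: (.*)$", text, re.M).group(1)
    # The bytes after '<' start at the faulting instruction (the '<ff>' marker).
    fault_bytes = bytes.fromhex(code.split("<")[1].replace(">", "").replace(" ", ""))
    return {"rip": rip, "sym": sym, "off": int(off, 16), "rax": rax, "cr2": cr2, "code": fault_bytes}


def decode_jmp_table(code):
    """Decode `ff 24 c5 disp32` = jmp *disp32(,%rax,8); return disp32 sign-extended to 64 bits."""
    if code[:3] != b"\xff\x24\xc5":
        raise ValueError("not jmp *disp32(,%rax,8)")
    disp = int.from_bytes(code[3:7], "little", signed=True)
    return disp & MASK64


def effective_target(rax, disp):
    """Address the CPU dereferenced: disp32 + rax*8, wrapped to 64 bits like the hardware does."""
    return (disp + ((rax * 8) & MASK64)) & MASK64


def triage(text=OOPS):
    o = parse_oops(text)
    target = effective_target(o["rax"], decode_jmp_table(o["code"]))
    stub_base = o["rip"] - o["off"]  # address of monitor_stub_execve_hook itself
    return {
        "target": hex(target),
        "matches_cr2": target == o["cr2"],            # the table jump is what faulted
        "rax_is_stub_address": o["rax"] == stub_base,  # %rax held a code pointer ...
        "rax_is_syscall_nr": o["rax"] == NR_EXECVE,    # ... not the syscall number the stub indexed with
    }


if __name__ == "__main__":
    print(triage())
```

Run it against a different oops by passing the log text to `triage()`; a `ValueError` means the faulting instruction is not the table jump and the analysis does not apply.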