Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Detect which process(es) is(are) blocking procmon's unload #17

Closed
alexandernst opened this issue Oct 4, 2013 · 8 comments
Closed

Detect which process(es) is(are) blocking procmon's unload #17

alexandernst opened this issue Oct 4, 2013 · 8 comments
Assignees
@alexandernst
Labels
dependant enhancement
Milestone
0.1

Comments

@alexandernst
Copy link
Owner

When a hijacked syscall is called, it should store the PID of the process which called it, and when it's done, it should remove that PID.
This way we'll be able to tell which process(es) is(are) blocking procmon's unloading process.

EDIT: Depends on #31
@ghost ghost assigned alexandernst Oct 4, 2013
@alexandernst
Copy link
Owner Author

@milabs I firstly thought this was based on processes blocking the release, but it seems that's not 100% true. For example, if I turn on procmon (state=1) and then I open ksysguard (KDE's task manager) and then I close it, I still can't unload procmon until I open ksysguard once again.

Why could that be?

@milabs
Copy link
Contributor

milabs commented Nov 2, 2013

@alexandernst

Well, it's the result of the hooking technique. Let's look at how it's happend:

sys_call_table[__NR_read]
    -> hooked_sys_read
        -> sys_read_pre_hook_action
        -> ret = real_sys_read (can take a long time...)
        -> sys_read_post_hook_action

So, the problem is that when we unloading the module while real_sys_read is in kernel we get fault when it returns as there no module code in kernel. Now, we implement some logic so we'are looking for counters which tells us if there is a hook that is in kernel while unloading. OK, got it.

But the next problem is that we don't know exactly how to do with such processes that sleeps near infinite time in the kernel. We can wait a lot and unload the module, but it leads to accidental crashes. Not the best case :)

As I see it the possible solution is to create stubs like that:

sys_read_stub:
    call sys_read_pre_hook_action
    call real_sys_read
    call sys_read_post_hook_action
    RET

Now, when we need to unload the module, we modify such stubs to looks like that:

sys_read_stub:
    nop nop nop nop nop
    call real_sys_read
    nop nop nop nop nop
    RET

Now, we unloading but don't touch these stubs. I meant that we don't free allocated area (which has exec permissions).

The one problem here is that we eat some kernel's memory per load/unload cycle. But I can't see any other method to allow safely unloading the module.

What do you think?

@alexandernst
Copy link
Owner Author

@milabs But that will happen if we alloc N bytes of memory for that stub and then unload the module (not state=0 but rmmod procmon)? Won't that stub memory just disappear (thus causing a crash in the sleeping processes)?

@milabs
Copy link
Contributor

milabs commented Nov 2, 2013

@alexandernst As the stub resides in memory after unloading nothing bad happens when the real_sys_read returns, for ex.

@alexandernst
Copy link
Owner Author

@milabs Can you do a simple POC, please?

@milabs
Copy link
Contributor

milabs commented Nov 2, 2013

@alexandernst Not now... Create and assign an issue please?

@alexandernst
Copy link
Owner Author

@milabs Sure ;)

@alexandernst alexandernst mentioned this issue Nov 2, 2013
Closed
@milabs milabs mentioned this issue Dec 11, 2013
Closed
@alexandernst
Copy link
Owner Author

Closing this as I just implemented #31. This is not needed anymore.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@alexandernst alexandernst

Labels
dependant enhancement
Projects
None yet
Milestone
0.1
Development

No branches or pull requests
2 participants
@alexandernst @milabs