Basic Ideas of Hacking Operating Systems

Sources:

  1. 15. 进程的地址空间 by jyy.

Address space hacking

Since the process is just a file (precisely, it is its informationm not itself, stored in some files to be accessed by user), a file is just some bytes in the memory. We can always manipulate the (content of the) process through the file manipulation.

By accessing the values in the files of a process, we can get or even change the value of some variables.

Moreover, since we can see the address space of every process, we can actually let one process to visit the address space of another process. Two such example applications are gdb and perf. These applications, in their essence, just use apis like pmap to view and manipulate the content of the address space of other processes.

Note that we can not only change variables, we actually can do whatever we want to the address space. For instance, we can insert some assembly codes to some section of that space.

There are multiple ways to do this address space hack. We can just use gdb, or use pmap-like apis, or just change values in the files, etc.

Meanwhile, we can change the value of the function pointers, i.e., change the function object that pointer points to, via this method. We can actually swap the function object to another function that we write. Technically, we can change the pointer to let it point to another address where our own code starts. Therefore, we can "hook" that function to let it do whatever we want!

For example, if there is a function to call some system calls, say timing api, we can hack it and change it to our own timing api which returns a faster timing, thus achieving a "speeding gear".

If there is a function wanting to call the graphic rendering syscalls, we can hook it and do some other rendering, like making some objects more obvious or do some object coloring.

If there is a function aiming to call some I/O syscalls, we can hack it as well. So that we can make the clik times 100x than the user inputs.

Process-kernel communication

Processes may need to get some values, say the current time, from the kernel. Since it involves the kernel, usually the process has to use a syscall.

However, kernel can put these commonly requested values into a physical memory, and processes can visit that memory! Through this way, we don't need to use any syscall!