Here we fake the uptime returned by the ‘uptime’ command on 64-bit x86 Linux machines.
Kernel symbols are easily accessible from /usr/src/linux/System.map
cat /usr/src/linux/System.map | grep uptime
ffffffff811b1be0 t uptime_proc_open
ffffffff811b1c00 t uptime_proc_show
ffffffff81a1ad20 r uptime_proc_fops
ffffffff81eeffc8 t proc_uptime_init
ffffffff81f4d0c8 t __initcall_proc_uptime_init6
You can see there are many uptime-related functions. The one we will look at is
uptime_proc_show, which is at address 0xffffffff811b1c00.
The code which exports this function is in /usr/src/linux/fs/proc/uptime.c.
#include <linux/fs.h>
#include <linux/init.h>
#include <linux/proc_fs.h>
#include <linux/sched.h>
#include <linux/seq_file.h>
#include <linux/time.h>
#include <linux/kernel_stat.h>
#include <asm/cputime.h>
/*
 * seq_file show callback for /proc/uptime.
 *
 * Emits one line: "<uptime>.<hundredths> <idle>.<hundredths>\n".
 * The uptime comes from the monotonic clock shifted to a boot-based origin;
 * the idle figure is the CPUTIME_IDLE counter summed over every possible CPU,
 * converted to nanoseconds and then split into seconds and a remainder.
 *
 * @m: seq_file to print into.
 * @v: unused iterator value supplied by seq_file.
 * Returns 0 unconditionally.
 */
static int uptime_proc_show(struct seq_file *m, void *v)
{
	struct timespec up;
	struct timespec idle;
	u64 idle_cputime = 0;
	u64 idle_nsec;
	u32 nsec_rem;
	int cpu;

	/* Sum idle cputime across all possible CPUs before converting units. */
	for_each_possible_cpu(cpu)
		idle_cputime += (__force u64) kcpustat_cpu(cpu).cpustat[CPUTIME_IDLE];

	do_posix_clock_monotonic_gettime(&up);
	monotonic_to_bootbased(&up);

	/* cputime -> jiffies -> nanoseconds, then split into sec/nsec. */
	idle_nsec = cputime64_to_jiffies64(idle_cputime) * TICK_NSEC;
	idle.tv_sec = div_u64_rem(idle_nsec, NSEC_PER_SEC, &nsec_rem);
	idle.tv_nsec = nsec_rem;

	{
		/* Fractional part is printed in hundredths of a second. */
		long up_frac = up.tv_nsec / (NSEC_PER_SEC / 100);
		long idle_frac = idle.tv_nsec / (NSEC_PER_SEC / 100);

		seq_printf(m, "%lu.%02lu %lu.%02lu\n",
			   (unsigned long) up.tv_sec, up_frac,
			   (unsigned long) idle.tv_sec, idle_frac);
	}
	return 0;
}
/*
 * open() handler for /proc/uptime: binds the file to the single-record
 * seq_file helper with uptime_proc_show as its show callback.
 *
 * @inode: inode being opened (unused here).
 * @file:  file struct to attach the seq_file state to.
 * Returns whatever single_open() returns (0 on success).
 */
static int uptime_proc_open(struct inode *inode, struct file *file)
{
	int rc = single_open(file, uptime_proc_show, NULL);

	return rc;
}
/*
 * File operations for /proc/uptime. Reading and seeking are delegated to
 * the generic seq_file helpers; open/release use the single-record variant.
 */
static const struct file_operations uptime_proc_fops = {
	.read    = seq_read,
	.llseek  = seq_lseek,
	.open    = uptime_proc_open,
	.release = single_release,
};
/*
 * Registers the "uptime" entry under /proc at init time.
 *
 * The proc_create() result is not checked here (matching the original);
 * a failed registration simply leaves /proc/uptime absent.
 * Returns 0 always.
 */
static int __init proc_uptime_init(void)
{
	const char *name = "uptime";

	(void) proc_create(name, 0, NULL, &uptime_proc_fops);
	return 0;
}
/* Run proc_uptime_init() at module load (or at boot when built in). */
module_init(proc_uptime_init);
We can see that the uptime is accessible from /proc/uptime
18738072.28 74817307.16
So if we hijack this uptime_proc_show function, we can then pass our fake uptime
values.
To do this we assemble the following instructions, which jump to a function we create in
our module, in order to change the uptime values.
mov rax, {64bit address}
jmp rax
nop
nop
That assembly was added to the following patchme function, which in turn calls our
patchee function; patchee handles the generation of the fake uptime values.
/*
 * Overwrites the first 13 bytes at addr with the byte sequence in ops.
 *
 * ops holds the encoded "mov rax, imm; jmp rax; nop..." sequence from the
 * text above. The loop splices the first four bytes of val (which holds the
 * address of patchee) into ops[3..6]; every other byte of ops is written as
 * listed. Each spliced byte is logged with printk.
 *
 * NOTE(review): this is a raw write into kernel code memory with no bounds
 * or write-protection handling shown here. From a defender's side, this is
 * exactly the kind of change that kernel-text integrity checking (comparing
 * live code pages against the known-good kernel image) is meant to surface.
 *
 * @addr: address of the code to overwrite (uptime_proc_show in the post).
 */
void patchme(void *addr) {
long val = &patchee;   /* assigned without a cast; relies on pointer-to-long conversion */
int i = 0;
unsigned char ops[] =
{ 0x48, 0xC7, 0xC0, 0x00, 0x1C, 0x1B, 0x81, 0xFF, 0xE0, 0x90, 0x90,0x90, 0x90 };
/* Copy the low four bytes of val into the immediate field starting at ops[3]. */
for (i = 0; i < 4; i++) {
ops[i + 3] = (unsigned char)((char *)(&val))[i];
printk("Addr: %x\n", ops[i + 3]);
}
/* Write all 13 bytes of ops over the target, one byte at a time. */
unsigned char *c = (unsigned char *)addr;
for (i = 0; i < 13; i++) {
c[i] = ops[i];
}
}
/*
 * Replacement show callback: ignores the real counters and writes a fixed
 * "uptime idle" line into the seq_file. The string matches the sample
 * /proc/uptime output shown earlier in the post.
 *
 * @m: seq_file to print into.
 * @v: unused iterator value.
 * Returns 0 always.
 */
static int patchee(struct seq_file *m, void *v) {
printk("In our module faking that uptime...\n");
seq_printf(m, "18738072.28 74817307.16\n");
return 0;
}
When uptime is called it will always return:
uptime 18:21:42 up 216 days, 21:01, 2 users, load average: 0.21, 0.42, 0.26
ToDo:
- Make uptime change with respect to the ‘real’ uptime, e.g. 1000x the real uptime
- Allow passing arguments to the module
