Linux内核函数Hook技术：基于Ftrace的实现<\/h1>

1. 概述<\/h2>
Ftrace是Linux内核提供的一个用于跟踪内核函数的框架，但本文介绍了一种创新性的使用方法——利用Ftrace来实现Linux内核函数的Hook。这种方法允许通过可加载的GPL模块安装钩子，而无需重建内核。<\/p>

适用环境<\/h3>

架构：x86_64<\/li>

内核版本：3.19及以上<\/li> <\/ul>

2. Ftrace基础<\/h2>

Ftrace框架自2008年开始开发，具有以下功能特性：<\/p>

显示函数调用图<\/li>
跟踪函数调用的频率和持续时间<\/li>

按模板过滤特定函数<\/li> <\/ul>

实现原理：<\/p>

基于编译器选项-pg<\/code>和-mfentry<\/code><\/li>
在每个函数开头插入特殊跟踪函数调用(mcount()<\/code>或fentry()<\/code>)<\/li>

通过动态ftrace优化性能：未使用时用nop指令替换<\/li>
<\/ul>
3. Hook实现方法<\/h2>
3.1 数据结构<\/h3>
定义ftrace_hook<\/code>结构体来描述每个被Hook的函数：<\/p>
struct<\/span> ftrace_hook {
<\/span><\/span>    const<\/span> char<\/span> *<\/span>name;        \/\/ 被Hook函数名
<\/span><\/span><\/span><\/span>    void<\/span> *<\/span>function;          \/\/ 包装函数地址
<\/span><\/span><\/span><\/span>    void<\/span> *<\/span>original;          \/\/ 存储原始函数地址的指针
<\/span><\/span><\/span><\/span>    unsigned<\/span> long<\/span> address;   \/\/ 被Hook函数地址(实现细节)
<\/span><\/span><\/span><\/span>    struct<\/span> ftrace_ops ops;   \/\/ ftrace服务信息(实现细节)
<\/span><\/span><\/span><\/span>};
<\/span><\/span><\/code><\/pre>使用宏简化Hook定义：<\/p>
#define HOOK(_name, _function, _original) \
<\/span><\/span><\/span>{ \
<\/span><\/span><\/span>    .name = (_name), \
<\/span><\/span><\/span>    .function = (_function), \
<\/span><\/span><\/span>    .original = (_original), \
<\/span><\/span><\/span>}
<\/span><\/span><\/span><\/span>
<\/span><\/span>static<\/span> struct<\/span> ftrace_hook hooked_functions[] =<\/span> {
<\/span><\/span>    HOOK("sys_clone"<\/span>, fh_sys_clone, &<\/span>real_sys_clone),
<\/span><\/span>    HOOK("sys_execve"<\/span>, fh_sys_execve, &<\/span>real_sys_execve),
<\/span><\/span>};
<\/span><\/span><\/code><\/pre>3.2 包装函数示例<\/h3>
\/\/ 原始函数指针
<\/span><\/span><\/span><\/span>static<\/span> asmlinkage long<\/span> (*<\/span>real_sys_execve)(const<\/span> char<\/span> __user *<\/span>filename,
<\/span><\/span>                    const<\/span> char<\/span> __user *<\/span>const<\/span> __user *<\/span>argv,
<\/span><\/span>                    const<\/span> char<\/span> __user *<\/span>const<\/span> __user *<\/span>envp);
<\/span><\/span>
<\/span><\/span>\/\/ 包装函数
<\/span><\/span><\/span><\/span>static<\/span> asmlinkage long<\/span> fh_sys_execve<\/span>(const<\/span> char<\/span> __user *<\/span>filename,
<\/span><\/span>                    const<\/span> char<\/span> __user *<\/span>const<\/span> __user *<\/span>argv,
<\/span><\/span>                    const<\/span> char<\/span> __user *<\/span>const<\/span> __user *<\/span>envp)
<\/span><\/span>{
<\/span><\/span>    long<\/span> ret;
<\/span><\/span>    
<\/span><\/span>    pr_debug("execve() called: filename=%p argv=%p envp=%p<\/span>\n<\/span>"<\/span>,
<\/span><\/span>            filename, argv, envp);
<\/span><\/span>    
<\/span><\/span>    ret =<\/span> real_sys_execve(filename, argv, envp);
<\/span><\/span>    
<\/span><\/span>    pr_debug("execve() returns: %ld<\/span>\n<\/span>"<\/span>, ret);
<\/span><\/span>    return<\/span> ret;
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>重要注意事项<\/strong>：<\/p>

函数签名必须完全一致<\/li>
参数顺序、类型、返回值和ABI说明符都不能改变<\/li>
对于系统调用，asmlinkage<\/code>修饰符特别重要<\/li>
<\/ul>
4. 实现步骤详解<\/h2>
4.1 获取函数地址<\/h3>
通过kallsyms<\/code>获取被Hook函数的地址：<\/p>
static<\/span> int<\/span> resolve_hook_address<\/span>(struct<\/span> ftrace_hook *<\/span>hook)
<\/span><\/span>{
<\/span><\/span>    hook-><\/span>address =<\/span> kallsyms_lookup_name(hook-><\/span>name);
<\/span><\/span>    if<\/span> (!<\/span>hook-><\/span>address) {
<\/span><\/span>        pr_debug("unresolved symbol: %s<\/span>\n<\/span>"<\/span>, hook-><\/span>name);
<\/span><\/span>        return<\/span> -<\/span>ENOENT;
<\/span><\/span>    }
<\/span><\/span>    
<\/span><\/span>    *<\/span>((unsigned<\/span> long<\/span>*<\/span>)hook-><\/span>original) =<\/span> hook-><\/span>address;
<\/span><\/span>    return<\/span> 0<\/span>;
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>4.2 初始化Ftrace<\/h3>
初始化ftrace_ops<\/code>结构并设置关键标志：<\/p>
int<\/span> fh_install_hook<\/span>(struct<\/span> ftrace_hook *<\/span>hook)
<\/span><\/span>{
<\/span><\/span>    int<\/span> err;
<\/span><\/span>    
<\/span><\/span>    err =<\/span> resolve_hook_address(hook);
<\/span><\/span>    if<\/span> (err)
<\/span><\/span>        return<\/span> err;
<\/span><\/span>    
<\/span><\/span>    hook-><\/span>ops.func =<\/span> fh_ftrace_thunk;
<\/span><\/span>    hook-><\/span>ops.flags =<\/span> FTRACE_OPS_FL_SAVE_REGS |<\/span> FTRACE_OPS_FL_IPMODIFY;
<\/span><\/span>    
<\/span><\/span>    \/\/ 后续步骤...
<\/span><\/span><\/span><\/span>}
<\/span><\/span><\/code><\/pre>关键标志说明：<\/p>

FTRACE_OPS_FL_SAVE_REGS<\/code>: 保存和恢复处理器寄存器<\/li>
FTRACE_OPS_FL_IPMODIFY<\/code>: 允许修改指令指针寄存器<\/li>
<\/ul>
4.3 安装Hook<\/h3>
int<\/span> fh_install_hook<\/span>(struct<\/span> ftrace_hook *<\/span>hook)
<\/span><\/span>{
<\/span><\/span>    \/\/ 前面的初始化代码...
<\/span><\/span><\/span><\/span>    
<\/span><\/span>    err =<\/span> ftrace_set_filter_ip(&<\/span>hook-><\/span>ops, hook-><\/span>address, 0<\/span>, 0<\/span>);
<\/span><\/span>    if<\/span> (err) {
<\/span><\/span>        pr_debug("ftrace_set_filter_ip() failed: %d<\/span>\n<\/span>"<\/span>, err);
<\/span><\/span>        return<\/span> err;
<\/span><\/span>    }
<\/span><\/span>    
<\/span><\/span>    err =<\/span> register_ftrace_function(&<\/span>hook-><\/span>ops);
<\/span><\/span>    if<\/span> (err) {
<\/span><\/span>        pr_debug("register_ftrace_function() failed: %d<\/span>\n<\/span>"<\/span>, err);
<\/span><\/span>        ftrace_set_filter_ip(&<\/span>hook-><\/span>ops, hook-><\/span>address, 1<\/span>, 0<\/span>);
<\/span><\/span>        return<\/span> err;
<\/span><\/span>    }
<\/span><\/span>    
<\/span><\/span>    return<\/span> 0<\/span>;
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>4.4 移除Hook<\/h3>
void<\/span> fh_remove_hook<\/span>(struct<\/span> ftrace_hook *<\/span>hook)
<\/span><\/span>{
<\/span><\/span>    int<\/span> err;
<\/span><\/span>    
<\/span><\/span>    err =<\/span> unregister_ftrace_function(&<\/span>hook-><\/span>ops);
<\/span><\/span>    if<\/span> (err)
<\/span><\/span>        pr_debug("unregister_ftrace_function() failed: %d<\/span>\n<\/span>"<\/span>, err);
<\/span><\/span>    
<\/span><\/span>    err =<\/span> ftrace_set_filter_ip(&<\/span>hook-><\/span>ops, hook-><\/span>address, 1<\/span>, 0<\/span>);
<\/span><\/span>    if<\/span> (err)
<\/span><\/span>        pr_debug("ftrace_set_filter_ip() failed: %d<\/span>\n<\/span>"<\/span>, err);
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>5. Ftrace回调函数<\/h2>
5.1 基本实现<\/h3>
static<\/span> void<\/span> notrace fh_ftrace_thunk<\/span>(unsigned<\/span> long<\/span> ip, unsigned<\/span> long<\/span> parent_ip,
<\/span><\/span>                    struct<\/span> ftrace_ops *<\/span>ops, struct<\/span> pt_regs *<\/span>regs)
<\/span><\/span>{
<\/span><\/span>    struct<\/span> ftrace_hook *<\/span>hook =<\/span> container_of(ops, struct<\/span> ftrace_hook, ops);
<\/span><\/span>    regs-><\/span>ip =<\/span> (unsigned<\/span> long<\/span>)hook-><\/span>function;
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>关键点：<\/p>

notrace<\/code>说明符防止递归跟踪<\/li>
修改pt_regs<\/code>结构中的ip<\/code>(指令指针)寄存器实现跳转<\/li>
对于x86_64外的架构，可能需要修改其他寄存器(如PC)<\/li>
<\/ul>
5.2 防止递归调用<\/h3>
改进版回调，避免递归：<\/p>
static<\/span> void<\/span> notrace fh_ftrace_thunk<\/span>(unsigned<\/span> long<\/span> ip, unsigned<\/span> long<\/span> parent_ip,
<\/span><\/span>                    struct<\/span> ftrace_ops *<\/span>ops, struct<\/span> pt_regs *<\/span>regs)
<\/span><\/span>{
<\/span><\/span>    struct<\/span> ftrace_hook *<\/span>hook =<\/span> container_of(ops, struct<\/span> ftrace_hook, ops);
<\/span><\/span>    
<\/span><\/span>    \/* 跳过来自当前模块的函数调用 *\/<\/span>
<\/span><\/span>    if<\/span> (!<\/span>within_module(parent_ip, THIS_MODULE))
<\/span><\/span>        regs-><\/span>ip =<\/span> (unsigned<\/span> long<\/span>)hook-><\/span>function;
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>优点：<\/p>

低开销：只需几个比较和减法操作<\/li>
非全局性：与抢占兼容，可跟踪中断处理程序<\/li>
无函数限制：支持任意数量的跟踪函数激活(包括递归)<\/li>
<\/ol>
6. Hook过程详解<\/h2>
以execve()<\/code>系统调用为例的完整Hook流程：<\/p>

用户进程执行SYSCALL<\/code>指令切换到内核模式<\/li>
低级处理程序entry_SYSCALL_64()<\/code>接管控制权<\/li>
控制权转移到do_syscall_64()<\/code>函数<\/li>
通过系统调用表调用sys_execve()<\/code>处理程序<\/li>
Ftrace框架调用注册的回调函数<\/li>
回调函数检查parent_ip<\/code>并决定是否Hook<\/li>
修改pt_regs<\/code>中的%rip<\/code>寄存器，将控制权转移到包装函数<\/li>
包装函数执行自定义逻辑后调用原始函数<\/li>
原始函数执行完成后控制权返回包装函数<\/li>
包装函数返回结果给内核<\/li>
内核通过IRET<\/code>指令返回用户模式<\/li>
<\/ol>
7. 注意事项<\/h2>

函数签名一致性<\/strong>：包装函数必须与被Hook函数具有完全相同的签名<\/li>
递归处理<\/strong>：必须正确处理递归调用情况<\/li>
上下文限制<\/strong>：包装函数继承原始函数的执行上下文限制<\/li>
模块边界检查<\/strong>：防止模块内部调用被错误Hook<\/li>
并发安全<\/strong>：确保Hook操作在多核环境下的安全性<\/li>
<\/ol>
8. 总结<\/h2>
基于Ftrace的Linux内核函数Hook技术提供了一种无需重建内核的灵活方法，具有以下特点：<\/p>


优点<\/strong>：<\/p>

不需要重建内核<\/li>
相对较低的性能开销<\/li>
支持多种内核函数类型<\/li>
良好的递归处理能力<\/li>
<\/ul>
<\/li>

限制<\/strong>：<\/p>

仅支持x86_64架构<\/li>
需要内核版本3.19+<\/li>
必须是GPL兼容的模块<\/li>
<\/ul>
<\/li>
<\/ul>
这种方法特别适合需要监控或修改内核行为的场景，如安全监控、性能分析等。<\/p>

Linux内核函数Hook技术：基于Ftrace的实现<\/h1>

1. 概述<\/h2> Ftrace是Linux内核提供的一个用于跟踪内核函数的框架，但本文介绍了一种创新性的使用方法——利用Ftrace来实现Linux内核函数的Hook。这种方法允许通过可加载的GPL模块安装钩子，而无需重建内核。<\/p>

3. Hook实现方法<\/h2>

4. 实现步骤详解<\/h2>

5. Ftrace回调函数<\/h2>

1. 概述<\/h2>
Ftrace是Linux内核提供的一个用于跟踪内核函数的框架，但本文介绍了一种创新性的使用方法——利用Ftrace来实现Linux内核函数的Hook。这种方法允许通过可加载的GPL模块安装钩子，而无需重建内核。<\/p>