CN114138691A - Kernel extension method, device and equipment based on callback mechanism - Google Patents
Kernel extension method, device and equipment based on callback mechanism Download PDFInfo
- Publication number
- CN114138691A CN114138691A CN202111308737.6A CN202111308737A CN114138691A CN 114138691 A CN114138691 A CN 114138691A CN 202111308737 A CN202111308737 A CN 202111308737A CN 114138691 A CN114138691 A CN 114138691A
- Authority
- CN
- China
- Prior art keywords
- callback
- kernel
- target
- function
- processing program
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
Images
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F13/00—Interconnection of, or transfer of information or other signals between, memories, input/output devices or central processing units
- G06F13/10—Program control for peripheral devices
- G06F13/102—Program control for peripheral devices where the programme performs an interfacing function, e.g. device driver
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F13/00—Interconnection of, or transfer of information or other signals between, memories, input/output devices or central processing units
- G06F13/10—Program control for peripheral devices
- G06F13/12—Program control for peripheral devices using hardware independent of the central processor, e.g. channel or peripheral processor
- G06F13/124—Program control for peripheral devices using hardware independent of the central processor, e.g. channel or peripheral processor where hardware is a sequential transfer control unit, e.g. microprocessor, peripheral processor or state-machine
- G06F13/126—Program control for peripheral devices using hardware independent of the central processor, e.g. channel or peripheral processor where hardware is a sequential transfer control unit, e.g. microprocessor, peripheral processor or state-machine and has means for transferring I/O instructions and statuses between control unit and main processor
Abstract
The application discloses a kernel extension method, a kernel extension device and kernel extension equipment based on a callback mechanism, which relate to the technical field of network security. The method comprises the following steps: constructing a kernel callback framework and an operation callback processing program by using an inline hook mode, wherein the operation callback processing program carries a target callback rule suitable for kernel extension; responding to an execution request of a system call, relocating the execution request to the operation callback processing program based on the kernel callback framework, wherein the system call is a system function call execution request corresponding to a target kernel function; and modifying the target kernel function corresponding to the execution request by using a target callback rule in the operation callback processing program, and returning a system calling result after kernel extension.
Description
Technical Field
The present application relates to the field of network security technologies, and in particular, to a kernel extension method, device and apparatus based on a callback mechanism.
Background
The kernel is the core of the operating system and facilitates interaction between the operating system and the component, performing low-level tasks such as disk management, task management, and memory management. The kernel extension is equivalent to an application bundle for extending the native functions of the system by allowing third party software to be loaded directly into the operating system kernel, such as computer virus killing and protection, Legioner software blocking, sensitive data access auditing, user data leakage monitoring, and the like.
For the macOS system, the related art may use two known interfaces to perform kernel extension to add new functions to the operating system, the first is a kernel programming interface provided by the kernel authorization subsystem, which allows a third party to intercept a specific operation, and once the interception is successful, the intercepted operation may be further checked, approved or blocked, however, for some specific callback functions, this approach usually lacks critical context information for the input parameters, for example, for a process to create a callback handler, the input parameters lack command line parameters of the process, and it is difficult to implement interception of all normal operations, so that the functions of the kernel extension have limitations. The other is a callback interface provided by the mandatory access control framework, the callback interface has a finer-grained framework compared with the kernel authorization subsystem, almost every kind of conventional operation can be intercepted under the support of the fine-grained framework, and a third-party kernel processing program can check input parameters and approve or reject the input parameters according to custom rules. However, since it is difficult for the interface call of the third party software to acquire the official system license, there is a compatibility problem if the third party software enforces the interface call. Therefore, the two interfaces provided by the operating system have limitations in the application process, so that the flexibility of system calling is poor, and the requirement of a third-party platform on kernel extension is difficult to meet.
Disclosure of Invention
In view of this, the present application provides a kernel extension method, device and apparatus based on a callback mechanism, and mainly aims to solve the problems that in the prior art, two interfaces provided by an operating system have limitations in an application process, so that flexibility of system calling is poor, and requirements of a third party on kernel extension are difficult to meet.
According to a first aspect of the present application, a kernel extension method based on a callback mechanism is provided, which is applied to an operating system side, and the method includes:
constructing a kernel callback framework and an operation callback processing program by using an inline hook mode, wherein the operation callback processing program carries a target callback rule suitable for kernel extension;
responding to an execution request of a system call, relocating the execution request to the operation callback processing program based on the kernel callback framework, wherein the system call is a system function call execution request corresponding to a target kernel function;
and modifying the target kernel function corresponding to the execution request by using a target callback rule in the operation callback processing program, and returning a system calling result after kernel extension.
Further, before the constructing the kernel callback framework and operating the callback handler by using the inline hook, the method further includes:
receiving a callback rule distributed by a cloud server, and acquiring a function set supported by a kernel in an operating system;
and screening out a target callback rule suitable for kernel extension from the callback rules according to the function set supported by the kernel.
Further, the callback rule is provided with service logic for extending the kernel, and the target callback rule suitable for kernel extension is screened from the callback rule according to the function set supported by the kernel, specifically including:
determining the function parameters executed by each kernel function calling process in the operating system according to the function set supported by the kernel;
judging whether the service logic for extending the kernel in the callback rule is embedded into the kernel function of the operating system or not by using the functional parameters executed in each kernel function calling process;
and if not, screening the callback mechanism into a target callback rule applicable to the kernel extension.
Further, the constructing a kernel callback framework and operating a callback handler by using an inline hook mode specifically includes:
defining a target kernel function needing to be hooked by using an inline hooking mode;
and embedding a target callback rule suitable for kernel extension aiming at the target kernel function, constructing a kernel callback framework and an operation callback processing program, wherein the target callback rule is used for hooking the target kernel function in the execution process of system call and repositioning the target kernel function to the operation callback processing program.
Further, before the modifying the target kernel function corresponding to the execution request by using the target callback rule in the operation callback processing program and returning the system call result after kernel extension, the method specifically includes:
and acquiring the registered operation callback processing program information in the kernel callback framework.
Further, if the registered operation callback processing program information includes a former operation callback processing program, the modifying the target kernel function corresponding to the execution request by using the target callback rule in the operation callback processing program, and returning the system call result after kernel extension specifically includes:
according to the former operation callback processing program, performing first filtering processing on the input parameters corresponding to the execution request by using the target callback rule;
and transmitting the filtered input parameters to the target kernel function so that the target kernel function executes corresponding internal functions and returns a system calling result after kernel extension.
Further, if the registered operation callback processing program information includes a post-operation callback processing program, modifying the target kernel function corresponding to the execution request by using a target callback rule in the operation callback processing program, and returning a system call result after kernel extension, specifically including:
transmitting the input parameter corresponding to the execution request to the target kernel function so that the target kernel function executes the corresponding internal function;
and according to the post-operation callback processing program, performing second filtering processing on the returned data of the target kernel function by using the target callback rule, and returning a system calling result after kernel extension.
Further, if the registered operation callback processing program information includes a pre-operation callback processing program and a post-operation callback processing program, the modifying the target kernel function corresponding to the execution request by using the target callback rule in the operation callback processing program, and returning a system call result after kernel extension, specifically including:
according to the former operation callback processing program, performing first filtering processing on the input parameters corresponding to the execution request by using the target callback rule;
transferring the input parameters after the first filtering processing to the target kernel function so that the target kernel function executes corresponding internal functions;
and according to the post-operation callback processing program, performing second filtering processing on the returned data of the target kernel function by using the target callback rule, and returning a system calling result after kernel extension.
Further, the performing, according to the pre-operation callback processing program, the first filtering processing on the input parameter corresponding to the execution request by using the target callback rule specifically includes:
checking whether the input parameters corresponding to the execution request meet preset conditions or not by using the target callback rule according to the pre-operation callback processing program;
if not, rejecting the execution request and returning to the system function called by the system.
According to a second aspect of the present application, there is provided a kernel extension apparatus based on a callback mechanism, the apparatus including:
the device comprises a construction unit, a processing unit and a processing unit, wherein the construction unit is used for constructing a kernel callback framework and an operation callback processing program in an inline hook mode, and the operation callback processing program carries a target callback rule applicable to kernel extension;
the positioning unit is used for responding to an execution request of system call and relocating the execution request to the operation callback processing program based on the kernel callback framework;
and the modifying unit is used for modifying the target kernel function corresponding to the execution request by using the target callback rule in the operation callback processing program and returning a system calling result after kernel extension.
Further, the apparatus further comprises:
the receiving unit is used for receiving callback rules distributed by the cloud server and acquiring a function set supported by a kernel in the operating system before the kernel callback framework is constructed and the callback processing program is operated by using the inline hook;
and the screening unit is used for screening out a target callback rule suitable for kernel extension from the callback rules according to the function set supported by the kernel.
Further, the callback rule is provided with a service logic for extending the kernel, and the screening unit includes:
the determining module is used for determining the functional parameters executed by each kernel function calling process in the operating system according to the function set supported by the kernels;
the judging module is used for judging whether the service logic used for expanding the kernel in the callback rule is embedded into the kernel function of the operating system or not by utilizing the functional parameters executed in each kernel function calling process;
and the screening module is used for screening the callback mechanism into a target callback rule suitable for the kernel extension if the callback mechanism is not the target callback rule.
Further, the construction unit includes:
the definition module is used for defining a target kernel function needing hooking in an inline hooking mode;
and the construction module is used for embedding a target callback rule suitable for kernel extension into the target kernel function, constructing a kernel callback framework and an operation callback processing program, wherein the target callback rule is used for hooking the target kernel function in the execution process of system call and repositioning the target kernel function to the operation callback processing program.
Further, the apparatus further comprises:
and the obtaining unit is used for obtaining the registered operation callback processing program information in the kernel callback framework before the target kernel function corresponding to the execution request is modified by using the target callback rule in the operation callback processing program and the system calling result after kernel extension is returned.
Further, if the registered operation callback processing program information includes a former operation callback processing program, the modifying unit is specifically configured to perform, according to the former operation callback processing program, first filtering processing on the input parameter corresponding to the execution request by using the target callback rule;
the modification unit is specifically configured to transfer the filtered input parameters to the target kernel function, so that the target kernel function executes corresponding internal functions and returns a system call result after kernel extension.
Further, if the registered operation callback handler information includes a post-operation callback handler, the modifying unit is specifically configured to transfer the input parameter corresponding to the execution request to the target kernel function, so that the target kernel function executes a corresponding internal function;
and the modifying unit is specifically further configured to perform, according to the post-operation callback processing program, second filtering processing on the return data of the target kernel function by using the target callback rule, and return a system call result after kernel extension.
Further, if the registered operation callback processing program information includes a former operation callback processing program and a latter operation callback processing program, the modifying unit is specifically configured to perform, according to the former operation callback processing program, first filtering processing on the input parameter corresponding to the execution request by using the target callback rule;
the modification unit is specifically further configured to transfer the input parameter after the first filtering process to the target kernel function, so that the target kernel function executes a corresponding internal function;
and the modifying unit is specifically further configured to perform, according to the post-operation callback processing program, second filtering processing on the return data of the target kernel function by using the target callback rule, and return a system call result after kernel extension.
Further, the modifying unit is further configured to check, according to the pre-operation callback processing program, whether an input parameter corresponding to the execution request meets a preset condition by using the target callback rule;
and the modifying unit is also used for rejecting the execution request and returning to the system function called by the system if the system function called by the modifying unit is not the same as the system function called by the modifying unit.
According to a fourth aspect of the present application, there is provided a storage medium having stored thereon a computer program which, when executed by a processor, implements the above-described callback mechanism-based kernel extension method.
According to a fifth aspect of the present application, there is provided a kernel extension device based on a callback mechanism, including a storage medium, a processor, and a computer program stored on the storage medium and capable of running on the processor, where the processor implements the kernel extension method based on the callback mechanism when executing the computer program.
By means of the technical scheme, according to the kernel extension method, the kernel callback framework and the operation callback processing program which are provided by the application and based on the callback mechanism, the kernel callback framework and the operation callback processing program are built in an inline hook mode, the target callback rule which is applicable to kernel extension is carried in the operation callback processing program, the target kernel function can be modified, the system calls the target kernel function corresponding to the execution request for the system function in response to the execution request of the system call, the execution request is relocated to the operation callback processing program based on the kernel callback framework, the target kernel function corresponding to the execution request is modified by the target callback rule in the operation callback processing program, and the system call result after kernel extension is returned. Compared with the mode of performing kernel extension by using two interfaces provided by an operating system in the existing mode, the method and the device modify the target kernel function by using the operation callback processing program registered in the kernel callback framework, can improve the flexibility of system call, and meet the requirement of a third-party platform on kernel extension.
The foregoing description is only an overview of the technical solutions of the present application, and the present application can be implemented according to the content of the description in order to make the technical means of the present application more clearly understood, and the following detailed description of the present application is given in order to make the above and other objects, features, and advantages of the present application more clearly understandable.
Drawings
The accompanying drawings, which are included to provide a further understanding of the application and are incorporated in and constitute a part of this application, illustrate embodiment(s) of the application and together with the description serve to explain the application and not to limit the application. In the drawings:
fig. 1 is a flowchart illustrating a kernel extension method based on a callback mechanism according to an embodiment of the present application;
fig. 2 is a flowchart illustrating another kernel extension method based on a callback mechanism according to an embodiment of the present application;
FIG. 3 is a block diagram illustrating an execution process of an unhook system call according to an embodiment of the present application;
FIG. 4 is a block diagram illustrating an execution process of another callback mechanism-based system call provided by an embodiment of the present application;
fig. 5 is a schematic structural diagram illustrating a kernel extension apparatus based on a callback mechanism according to an embodiment of the present application;
fig. 6 is a schematic structural diagram illustrating another kernel extension apparatus based on a callback mechanism according to an embodiment of the present application.
Detailed Description
The present application will be described in detail below with reference to the accompanying drawings in conjunction with embodiments. It should be noted that the embodiments and features of the embodiments in the present application may be combined with each other without conflict.
For the macOS system, the related art may use two known interfaces to perform kernel extension to add new functions to the operating system, the first is a kernel programming interface provided by the kernel authorization subsystem, which allows a third party to intercept a specific operation, and once the interception is successful, the intercepted operation may be further checked, approved or blocked, however, for some specific callback functions, this approach usually lacks critical context information for the input parameters, for example, for a process to create a callback handler, the input parameters lack command line parameters of the process, and it is difficult to implement interception of all normal operations, so that the functions of the kernel extension have limitations. The other is a callback interface provided by the mandatory access control framework, the callback interface has a finer-grained framework compared with the kernel authorization subsystem, almost every kind of conventional operation can be intercepted under the support of the fine-grained framework, and a third-party kernel processing program can check input parameters and approve or reject the input parameters according to custom rules. However, since it is difficult for the interface call of the third party software to acquire the official system license, there is a compatibility problem if the third party software enforces the interface call. Therefore, the two interfaces provided by the operating system have limitations in the application process, and the flexibility of system calling is poor, so that the requirement of a third party on kernel extension is difficult to meet.
In order to solve the above problems, the present application provides a kernel extension system based on a callback mechanism, which may include an operation platform end and a cloud service end, where the operation platform end may be specifically applied to a terminal device of a user, the operation platform end may receive a callback rule issued by the cloud service end, query a target callback rule suitable for kernel extension from the callback rule, and modify a target kernel function by using the target callback rule in an inline hook manner, so as to flexibly extend a kernel in the operation system, and simultaneously perform kernel monitoring better.
Specifically, this embodiment provides a kernel extension method based on a callback mechanism, and as shown in fig. 1, the method is applied to an operating system side, and includes the following steps:
101. and constructing a kernel callback framework and operating a callback processing program by using an inline hook mode.
The method of the inline hooking is to hook a target function, so that an instruction of a hooking point changes, a jump instruction is generally used to jump to an operation callback processing program, the operation callback processing program carries a target callback rule applicable to kernel extension, and the target callback rule is used to modify the target function, for example, the target function is monitored, and the target function is audited.
It can be understood that, here, the operation callback processing program is registered in the kernel callback framework, and the kernel callback framework may specifically determine a target kernel function to be intercepted by the inline hook, construct a jump instruction according to a function address of the target kernel function, write the jump instruction to the function address to be hooked, and jump the target kernel function to the operation callback processing program to execute a corresponding target callback rule when the target kernel function of the hook is called. For example, when an inline hook is performed for a process of calling a function B, an address of the function B needs to be found in a memory of a designated process, and then an initial address of the function B is modified to be a jump instruction, so that when the designated process calls the function B, a jump is first made to an operation callback processing program to execute a corresponding target callback rule.
The execution main body of the embodiment of the invention can be a kernel extension device based on a callback mechanism, can be applied to an operating system end, and a kernel callback framework and an operation callback processing program are constructed by using an inline hook mode, wherein the kernel callback framework can capture an execution request called by a system and process a target kernel function corresponding to the execution request according to a target callback rule.
102. In response to an execution request for a system call, relocating the execution request to the operation callback handler based on the kernel callback framework.
The execution request of the system call is a target kernel function corresponding to the execution request of the system function call, and as various resources in the system are controlled by the operating system, service requests need to be provided to the operating system in a system call mode aiming at operations related to the resources, such as storage allocation, I/O operation, file management and the like, so as to ensure the stability and the safety of the system. The user process does not allow access to the kernel data under normal conditions, and can not use the kernel function, and only can operate the user data in the user space and call the user space function. However, in many cases, the user process needs to obtain system services, and in this case, a special interface provided by the system to the user is needed, and the special interface can specify that the user process enters a specific position of the kernel so that the user process can conveniently access the kernel. The system calls an interface which is equivalent to the interaction between the kernel and the user space program, transmits the request of the user process to the kernel, and returns the processing result to the user space after the kernel processes the request.
Generally, a system call is mainly related to several types in a kernel, one is control hardware, the system call is used as an abstract interface of hardware resources and a user space, such as read/write call used in reading and writing files, the other is setting a system state and reading kernel data, since the system call is the only communication means of the user space and the kernel, a user sets the system state, such as turning on/off a certain kernel service (setting a certain kernel variable), or reading the kernel data, the kernel data must be called through the system, and the other is process management, and the system call interface can be used for representing that a process in the system can run in a multi-task mode under a virtual memory environment.
Specifically, in the process of relocating the execution request to the operation callback processing program based on the kernel callback framework, the kernel callback framework is registered with the effective operation callback processing program, so that the execution request called by the system can be captured, the disassembly engine is used for obtaining the program entry point and/or exit point of the target core function corresponding to the execution request, and the program entry point and/or exit point is intercepted and then positioned to the operation callback processing program.
103. And modifying the target kernel function corresponding to the execution request by using a target callback rule in the operation callback processing program, and returning a system calling result after kernel extension.
It can be understood that different target callback rules may implement different extended functions of the kernel, specifically, a target kernel function corresponding to the execution request may be modified according to the service logic in the target callback rule, and for the firewall function, a program entry point and/or an exit point for the target kernel function may be set in the target callback rule for filtering, for example, filtering for data entering and exiting the network, managing for behavior entering and exiting the access network, blocking some prohibited services, and the like; for the data encryption function, a program entry point and/or an exit point of the target kernel function may be set in the target callback rule for encryption, for example, traffic data required by the target kernel function is encrypted by using an encryption algorithm.
According to the kernel extension method based on the callback mechanism, a kernel callback frame and an operation callback processing program are built in an inline hook mode, a target callback rule suitable for kernel extension is carried in the operation callback processing program, modification of a target kernel function can be achieved, the system call is a target kernel function corresponding to the system function call execution request in response to the execution request of the system call, the execution request is relocated to the operation callback processing program based on the kernel callback frame, the target kernel function corresponding to the execution request is modified by the target callback rule in the operation callback processing program, and a system call result after kernel extension is returned. Compared with the mode of performing kernel extension by using two interfaces provided by an operating system in the existing mode, the method and the device modify the target kernel function by using the operation callback processing program registered in the kernel callback framework, can improve the flexibility of system call, and meet the requirement of a third-party platform on kernel extension.
Further, as a refinement and an extension of the specific implementation of the above embodiment, in order to fully describe the specific implementation process of the embodiment, the embodiment provides another kernel extension method based on a callback mechanism, as shown in fig. 2, the method includes:
201. and receiving a callback rule distributed by the cloud server, and acquiring a function set supported by a kernel in the operating system.
The callback rule is provided with service logic for expanding the kernel, an acquisition request of the callback rule can be triggered by an operating system at regular time, the cloud server executes dispatch of the callback rule according to the request, and the cloud server can dispatch the callback rule according to actual service requirements of the operating system, and the method is not limited in the process.
It can be understood that, in order to improve the effectiveness of the kernel extension of the operating system, the cloud server does not randomly dispatch the callback rule at any time, but needs to determine the dispatched callback rule according to a function set supported by the kernel in the operating system, where the function set represents the most basic functions of the operating system, and can also represent the extended functions of the operating system, and the callback rule which cannot be embedded into the operating system does not need to be dispatched to the operating system.
202. And screening out a target callback rule suitable for kernel extension from the callback rules according to the function set supported by the kernel.
Correspondingly, after receiving the callback rule, the operating system does not need to execute the extension operation on the function of the operating system, even if the extension operation is executed, the extension operation can conflict with the existing function, of course, the extension operation can be executed after the fact that the conflict does not exist is judged, and in order to guarantee the reliability of kernel extension in the operating system, a target callback rule suitable for kernel extension can be screened from the callback rule.
Specifically, according to a function set supported by a kernel, determining a function parameter executed by each kernel function calling process in an operating system, and judging whether a service logic for extending the kernel in a callback rule is embedded into the kernel function of the operating system or not by using the function parameter executed by each kernel function calling process, if not, screening the callback mechanism into a target callback rule suitable for kernel extension.
203. And defining a target kernel function needing to be hooked by using an inline hooking mode.
In the operating system, the inline hook is equivalent to the operations of function hook, function injection, function hijack and the like, and can redirect and modify a target kernel function called on the operating system so as to meet the flexible extension of a third party on kernel application. The target kernel function to be hooked can be defined according to development requirements, for example, the kernel functions for creating and managing a plurality of partitions on the magnetic disk removable USB storage device are hooked, and since many functions are involved, a plurality of target kernel functions can be hooked at the same time.
204. And embedding a target callback rule suitable for the kernel extension aiming at the target kernel function, and constructing a kernel callback framework and operating a callback processing program.
Specifically, in the process of embedding the target callback rule into the target kernel function, after the target kernel function triggers an execution request of the system call, a program inlet and/or an program outlet of the target kernel function are/is intercepted, and then the target kernel function is modified according to a command in the target callback rule, wherein the modification operation can be insertion, addition, deletion and the like of a target action, for example, the command is inserted into and executed to a preset table, and the command is modified and executed to a preset chain.
205. And acquiring the registered operation callback processing program information in the kernel callback framework.
It can be understood that, since the target callback rule has different function points for the kernel extension and different instruction positions for the target kernel function that need to be modified, for the filtering function, filtering needs to be performed on the incoming parameters at the program inlet of the target kernel function, and for the encryption function, encryption needs to be performed on the outgoing parameters at the program outlet of the target kernel function. Generally, the callback handler needs to be registered and validated in the kernel callback framework to perform modification operation on the target kernel function, and by acquiring the registered operation callback handler information in the kernel callback framework, the modification operation on the target kernel function can be performed on the registered and validated operation callback handler information, and no operation is performed on the unregistered or registered and non-validated operation callback handler information.
206. And modifying the target kernel function corresponding to the execution request by using a target callback rule in the operation callback processing program according to the registered operation callback processing program information, and returning a system calling result after kernel extension.
Where the operation callback handler includes at least a pre-operation callback handler for handling incoming parameters at the entry to the target kernel program and/or a post-operation callback handler for handling outgoing parameters at the exit from the target kernel program, both of which may be used singularly or in combination. The registered operation callback processing program information at least comprises the following conditions that only the former operation callback processing program is registered and takes effect in the kernel callback framework, only the latter operation callback processing program is registered and takes effect in the kernel callback framework, the former operation callback processing program and the latter operation callback processing program are simultaneously registered and take effect in the kernel callback framework, the former operation callback processing program and the latter operation callback processing program are simultaneously registered but do not take effect in the kernel callback framework, and the former operation callback processing program and the latter operation callback processing program are not registered and do not take effect.
As an implementation manner, if the registered operation callback processing program information includes a former operation callback processing program, specifically, according to the former operation callback processing program, a target callback rule is used to perform first filtering processing on an input parameter corresponding to an execution request, and then the filtered input parameter is transferred to the target kernel function, so that the target kernel function executes a corresponding internal function, and returns a system call result after kernel extension.
As another embodiment, if the registered operation callback processing program information includes a post-operation callback processing program, the input parameter corresponding to the execution request is transferred to the target kernel function, so that the target kernel function executes the corresponding internal function, and then according to the post-operation callback processing program, the target callback rule is used to perform second filtering processing on the return data of the target kernel function, and the return data returns to the system calling result after kernel extension.
As another embodiment, if the registered operation callback processing program information includes a pre-operation callback processing program and a post-operation callback processing program, according to the pre-operation callback processing program, using the target callback rule to perform first filtering processing on the input parameter corresponding to the execution request, then transferring the input parameter after the first filtering processing to the target kernel function, so that the target kernel function executes a corresponding internal function, according to the post-operation callback processing program, using the target callback rule to perform second filtering processing on the return data of the target kernel function, and returning the system call result after kernel extension.
It is to be understood that the first filtering process and the second filtering process may be specifically configured according to business logic in the target callback rule.
Further, in order to ensure the security of the system call, in the process of performing the first filtering processing on the input parameter corresponding to the execution request by using the target callback rule, according to the former operation callback processing program, the target callback rule is used to check whether the input parameter corresponding to the execution request meets the preset condition, if not, the execution request is rejected, and the system function called by the system is returned. The preset condition may be a condition for performing security check on the input parameter, for example, whether the input parameter includes a sensitive character, or a condition for performing permission check on the input parameter, for example, whether the input parameter has an identifier of a corresponding permission.
Specifically, in an actual application scenario, for an execution process of a system call that is not hooked, as shown in fig. 3, a function a is a system function, and a function B is a target kernel function, in response to an execution request of the system call, the function a calls the function B to execute some specific functions, the function B returns to the function a after completing its internal functions, and the function a continues to execute, whereas in the execution process of a system call based on a callback mechanism in the present application, as shown in fig. 4, the function a redirects the execution request to a pre-operation callback processing program in response to the execution request of the system call by using an inline hooking method, and checks an input parameter corresponding to the execution request according to the pre-operation callback processing program, as one case of a check result, the pre-operation callback processing program may directly reject the execution request and then continue to execute the function a as another case of the check result, the former callback operation processing program can transmit the execution request to the function B, the function B returns to the latter callback processing program after completing the internal function thereof, a new round of examination is executed on the returned data of the function B according to the latter callback processing program, the processing result is returned to the function A after the processing, and the function A continues to execute.
As an actual application scenario of the kernel extension of the callback mechanism, the callback mechanism can be applied to a malicious driver firewall of an operating system, specifically, a loading request of a driver can be captured according to a kernel callback framework, by using a disassembly engine, the kernel callback framework obtains an entry point of the malicious driver, the loading of the malicious driver is blocked by using a former operation callback processing program, a return value of the loading request of the driver is obtained by using a latter operation callback processing program, and at this time, the loading of the malicious driver fails when the operating system receives the return value of the loading request of the driver.
Further, as a specific implementation of the method in fig. 1, an embodiment of the present application provides a kernel extension device based on a callback mechanism, and as shown in fig. 5, the kernel extension device includes: a building unit 31, a positioning unit 32, a modifying unit 33.
The constructing unit 31 may be configured to construct a kernel callback framework and an operation callback processing program in a manner of using an inline hook, where the operation callback processing program carries a target callback rule applicable to kernel extension;
a location unit 32, configured to, in response to an execution request of a system call, relocate the execution request to the operation callback handler based on the kernel callback framework;
the modifying unit 33 may be configured to modify the target kernel function corresponding to the execution request by using the target callback rule in the operation callback processing program, and return a system call result after kernel extension.
The kernel extension device based on the callback mechanism provided by the embodiment of the invention constructs a kernel callback framework and an operation callback processing program in an inline hook mode, wherein the operation callback processing program carries a target callback rule suitable for kernel extension, can modify a target kernel function, responds to an execution request of system call, the system call is the target kernel function corresponding to the system function call execution request, further relocates the execution request to the operation callback processing program based on the kernel callback framework, modifies the target kernel function corresponding to the execution request by using the target callback rule in the operation callback processing program, and returns a system call result after kernel extension. Compared with the mode of performing kernel extension by using two interfaces provided by an operating system in the existing mode, the method and the device modify the target kernel function by using the operation callback processing program registered in the kernel callback framework, can improve the flexibility of system call, and meet the requirement of a third-party platform on kernel extension.
In a specific application scenario, as shown in fig. 6, the apparatus further includes:
the receiving unit 34 may be configured to receive a callback rule distributed by the cloud server before the kernel callback framework is constructed and the callback processing program is operated in the manner of using the inline hook, and acquire a function set supported by a kernel in the operating system;
the screening unit 35 may be configured to screen a target callback rule applicable to the kernel extension from the callback rules according to the function set supported by the kernel.
In a specific application scenario, as shown in fig. 6, the callback rule is provided with a service logic for extending the kernel, and the screening unit 35 includes:
the determining module 351 may be configured to determine, according to the function set supported by the kernel, a function parameter executed by each kernel function calling process in the operating system;
a determining module 352, configured to determine, by using the function parameter executed by each kernel function calling process, whether a service logic for extending a kernel in the callback rule has been embedded into a kernel function of the operating system;
the screening module 353 may be configured to, if not, screen the callback mechanism as a target callback rule applicable to the kernel extension.
In a specific application scenario, as shown in fig. 6, the constructing unit 31 includes:
the defining module 311 may be configured to define a target kernel function that needs to be hooked by using an inline hook;
the building module 312 may be configured to embed a target callback rule applicable to kernel extension for the target kernel function, build a kernel callback framework and an operation callback processing program, where the target callback rule is used to hook the target kernel function in an execution process of system call and relocate the target kernel function to the operation callback processing program.
In a specific application scenario, as shown in fig. 6, the apparatus further includes:
the obtaining unit 36 may be configured to obtain the registered operation callback processing program information in the kernel callback framework before the target kernel function corresponding to the execution request is modified by using the target callback rule in the operation callback processing program and the system call result after kernel extension is returned.
In a specific application scenario, if the registered operation callback processing program information includes a pre-operation callback processing program, the modifying unit 33 may be specifically configured to perform, according to the pre-operation callback processing program, first filtering processing on the input parameter corresponding to the execution request by using the target callback rule;
the modifying unit 33 may be further configured to specifically transmit the filtered input parameter to the target kernel function, so that the target kernel function executes a corresponding internal function, and returns a system call result after kernel extension.
In a specific application scenario, if the registered operation callback processing program information includes a post-operation callback processing program, the modifying unit 33 may be specifically configured to transfer the input parameter corresponding to the execution request to the target kernel function, so that the target kernel function executes a corresponding internal function;
the modifying unit 33 may be further configured to perform, according to the post-operation callback processing program, second filtering processing on the return data of the target kernel function by using the target callback rule, and return a system call result after kernel extension.
In a specific application scenario, if the registered operation callback processing program information includes a pre-operation callback processing program and a post-operation callback processing program, the modifying unit 33 may be specifically configured to perform, according to the pre-operation callback processing program, first filtering processing on the input parameter corresponding to the execution request by using the target callback rule;
the modifying unit 33 may be further configured to specifically transfer the input parameter after the first filtering process to the target kernel function, so that the target kernel function executes a corresponding internal function;
the modifying unit 33 may be further configured to perform, according to the post-operation callback processing program, second filtering processing on the return data of the target kernel function by using the target callback rule, and return a system call result after kernel extension.
In a specific application scenario, the modifying unit 33 may be further configured to check, according to the pre-operation callback processing program, whether an input parameter corresponding to the execution request meets a preset condition by using the target callback rule;
the modifying unit 33 may be further configured to reject the execution request and return to the system function called by the system if the execution request is not rejected.
It should be noted that other corresponding descriptions of the functional units related to the kernel extension device based on the callback mechanism, which is provided in this embodiment and can be applied to the operating system side, may refer to the corresponding descriptions in fig. 1 and fig. 2, and are not described herein again.
Based on such understanding, the technical solution of the present application may be embodied in the form of a software product, which may be stored in a non-volatile storage medium (which may be a CD-ROM, a usb disk, a removable hard disk, etc.), and includes several instructions for enabling a computer device (which may be a personal computer, a server, or a network device, etc.) to execute the method according to the implementation scenarios of the present application.
Based on the method shown in fig. 1-2 and the virtual device embodiment shown in fig. 5-6, in order to achieve the above object, an embodiment of the present application further provides a client entity device, which may specifically be a computer, a smart phone, a tablet computer, a smart watch, or a network device, where the entity device includes a storage medium and a processor; a storage medium for storing a computer program; a processor for executing a computer program to implement the kernel extension method based on the callback mechanism as shown in fig. 1-2.
Optionally, the above entity devices may further include a user interface, a network interface, a camera, a Radio Frequency (RF) circuit, a sensor, an audio circuit, a WI-FI module, and the like. The user interface may include a Display screen (Display), an input unit such as a keypad (Keyboard), etc., and the optional user interface may also include a USB interface, a card reader interface, etc. The network interface may optionally include a standard wired interface, a wireless interface (e.g., WI-FI interface), etc.
Those skilled in the art will appreciate that the entity device structure of the kernel extension based on the callback mechanism provided in the present embodiment does not constitute a limitation to the entity device, and may include more or fewer components, or combine some components, or arrange different components.
The storage medium may further include an operating system and a network communication module. The operating system is a program for managing hardware and software resources of the actual device for store search information processing, and supports the operation of the information processing program and other software and/or programs. The network communication module is used for realizing communication among components in the storage medium and communication with other hardware and software in the information processing entity device.
Through the above description of the embodiments, those skilled in the art will clearly understand that the present application can be implemented by software plus a necessary general hardware platform, and can also be implemented by hardware. Compared with the prior art, the method and the device have the advantages that the target kernel function is modified by the operation callback processing program registered in the kernel callback framework, so that the flexibility of system calling can be improved, and the requirement of a third-party platform on kernel extension is met.
Those skilled in the art will appreciate that the figures are merely schematic representations of one preferred implementation scenario and that the blocks or flow diagrams in the figures are not necessarily required to practice the present application. Those skilled in the art will appreciate that the modules in the devices in the implementation scenario may be distributed in the devices in the implementation scenario according to the description of the implementation scenario, or may be located in one or more devices different from the present implementation scenario with corresponding changes. The modules of the implementation scenario may be combined into one module, or may be further split into a plurality of sub-modules.
The above application serial numbers are for description purposes only and do not represent the superiority or inferiority of the implementation scenarios. The above disclosure is only a few specific implementation scenarios of the present application, but the present application is not limited thereto, and any variations that can be made by those skilled in the art are intended to fall within the scope of the present application.
Claims (12)
1. A kernel extension method based on a callback mechanism is applied to an operating system end and is characterized by comprising the following steps:
constructing a kernel callback framework and an operation callback processing program by using an inline hook mode, wherein the operation callback processing program carries a target callback rule suitable for kernel extension;
responding to an execution request of a system call, relocating the execution request to the operation callback processing program based on the kernel callback framework, wherein the system call is a system function call execution request corresponding to a target kernel function;
and modifying the target kernel function corresponding to the execution request by using a target callback rule in the operation callback processing program, and returning a system calling result after kernel extension.
2. The method of claim 1, wherein prior to said building a kernel callback framework and operating a callback handler by using inline hooks, the method further comprises:
receiving a callback rule distributed by a cloud server, and acquiring a function set supported by a kernel in an operating system;
and screening out a target callback rule suitable for kernel extension from the callback rules according to the function set supported by the kernel.
3. The method according to claim 2, wherein the callback rule is provided with service logic for extending a kernel, and the selecting a target callback rule applicable to kernel extension from the callback rules according to the function set supported by the kernel specifically comprises:
determining the function parameters executed by each kernel function calling process in the operating system according to the function set supported by the kernel;
judging whether the service logic for extending the kernel in the callback rule is embedded into the kernel function of the operating system or not by using the functional parameters executed in each kernel function calling process;
and if not, screening the callback mechanism into a target callback rule applicable to the kernel extension.
4. The method according to claim 1, wherein the constructing of the kernel callback framework and the operation callback handler by using an inline hook specifically comprises:
defining a target kernel function needing to be hooked by using an inline hooking mode;
and embedding a target callback rule suitable for kernel extension aiming at the target kernel function, constructing a kernel callback framework and an operation callback processing program, wherein the target callback rule is used for hooking the target kernel function in the execution process of system call and repositioning the target kernel function to the operation callback processing program.
5. The method according to claim 1, wherein before the modifying the target kernel function corresponding to the execution request by using the target callback rule in the operation callback processing program and returning the system call result after kernel extension, the method specifically comprises:
and acquiring the registered operation callback processing program information in the kernel callback framework.
6. The method according to claim 5, wherein if the registered operation callback handler information includes a former operation callback handler, the modifying the target kernel function corresponding to the execution request by using the target callback rule in the operation callback handler, and returning the system call result after kernel extension, specifically includes:
according to the former operation callback processing program, performing first filtering processing on the input parameters corresponding to the execution request by using the target callback rule;
and transmitting the filtered input parameters to the target kernel function so that the target kernel function executes corresponding internal functions and returns a system calling result after kernel extension.
7. The method according to claim 5, wherein if the registered operation callback handler information includes a post-operation callback handler, the modifying the target kernel function corresponding to the execution request by using a target callback rule in the operation callback handler, and returning a system call result after kernel extension, specifically includes:
transmitting the input parameter corresponding to the execution request to the target kernel function so that the target kernel function executes the corresponding internal function;
and according to the post-operation callback processing program, performing second filtering processing on the returned data of the target kernel function by using the target callback rule, and returning a system calling result after kernel extension.
8. The method according to any one of claims 5 to 7, wherein if the registered operation callback handler information includes a pre-operation callback handler and a post-operation callback handler, the modifying the target kernel function corresponding to the execution request by using a target callback rule in the operation callback handler, and returning a system call result after kernel extension, specifically includes:
according to the former operation callback processing program, performing first filtering processing on the input parameters corresponding to the execution request by using the target callback rule;
transferring the input parameters after the first filtering processing to the target kernel function so that the target kernel function executes corresponding internal functions;
and according to the post-operation callback processing program, performing second filtering processing on the returned data of the target kernel function by using the target callback rule, and returning a system calling result after kernel extension.
9. The method according to claim 8, wherein the performing, according to the pre-operation callback handler, a first filtering process on the input parameter corresponding to the execution request using the target callback rule specifically includes:
checking whether the input parameters corresponding to the execution request meet preset conditions or not by using the target callback rule according to the pre-operation callback processing program;
if not, rejecting the execution request and returning to the system function called by the system.
10. A kernel extension apparatus based on a callback mechanism, comprising:
the device comprises a construction unit, a processing unit and a processing unit, wherein the construction unit is used for constructing a kernel callback framework and an operation callback processing program in an inline hook mode, and the operation callback processing program carries a target callback rule applicable to kernel extension;
the positioning unit is used for responding to an execution request of system call and relocating the execution request to the operation callback processing program based on the kernel callback framework;
and the modifying unit is used for modifying the target kernel function corresponding to the execution request by using the target callback rule in the operation callback processing program and returning a system calling result after kernel extension.
11. A storage medium having stored thereon a computer program, wherein the program, when executed by a processor, implements the callback mechanism based kernel extension method of any of claims 1 to 9.
12. A kernel extension device based on a callback mechanism, comprising a storage medium, a processor and a computer program stored on the storage medium and operable on the processor, wherein the processor implements the kernel extension method based on the callback mechanism according to any one of claims 1 to 9 when executing the program.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202111308737.6A CN114138691A (en) | 2021-11-05 | 2021-11-05 | Kernel extension method, device and equipment based on callback mechanism |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202111308737.6A CN114138691A (en) | 2021-11-05 | 2021-11-05 | Kernel extension method, device and equipment based on callback mechanism |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN114138691A true CN114138691A (en) | 2022-03-04 |
Family
ID=80393028
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202111308737.6A Pending CN114138691A (en) | 2021-11-05 | 2021-11-05 | Kernel extension method, device and equipment based on callback mechanism |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN114138691A (en) |
Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20080016339A1 (en) * | 2006-06-29 | 2008-01-17 | Jayant Shukla | Application Sandbox to Detect, Remove, and Prevent Malware |
| US20080301440A1 (en) * | 2007-05-29 | 2008-12-04 | Plouffe Jr Wilfred E | Updateable Secure Kernel Extensions |
| CN104598809A (en) * | 2015-02-13 | 2015-05-06 | 北京奇虎科技有限公司 | Program monitoring method and defending method thereof, as well as relevant device |
| CN110286957A (en) * | 2019-05-29 | 2019-09-27 | 郑州威科姆科技股份有限公司 | A method of it is applied using Ocx extension webkit kernel |
| CN111919198A (en) * | 2018-04-06 | 2020-11-10 | 北京嘀嘀无限科技发展有限公司 | Kernel function callback method and system |
-
2021
- 2021-11-05 CN CN202111308737.6A patent/CN114138691A/en active Pending
Patent Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20080016339A1 (en) * | 2006-06-29 | 2008-01-17 | Jayant Shukla | Application Sandbox to Detect, Remove, and Prevent Malware |
| US20080301440A1 (en) * | 2007-05-29 | 2008-12-04 | Plouffe Jr Wilfred E | Updateable Secure Kernel Extensions |
| CN104598809A (en) * | 2015-02-13 | 2015-05-06 | 北京奇虎科技有限公司 | Program monitoring method and defending method thereof, as well as relevant device |
| CN111919198A (en) * | 2018-04-06 | 2020-11-10 | 北京嘀嘀无限科技发展有限公司 | Kernel function callback method and system |
| CN110286957A (en) * | 2019-05-29 | 2019-09-27 | 郑州威科姆科技股份有限公司 | A method of it is applied using Ocx extension webkit kernel |
Non-Patent Citations (1)
| Title |
|---|
| 兰德尔E.布莱恩特,大卫R.奥哈拉伦: "《深入理解计算机系统(原书第3版)》", 机械工业出版社, pages: 138 - 141 * |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| EP3123311B1 (en) | Malicious code protection for computer systems based on process modification | |
| US8271608B2 (en) | System and method for a mobile cross-platform software system | |
| CN109831419A (en) | The determination method and device of shell program authority | |
| US10402563B2 (en) | Automated classification of exploits based on runtime environmental features | |
| WO2019072008A1 (en) | Security scanning method and apparatus for mini program, and electronic device | |
| CN110059477B (en) | Attack detection method and device | |
| CN104572197B (en) | A kind for the treatment of method and apparatus of startup item | |
| CN111428241A (en) | Multi-security access policy control method and computing device | |
| CN109815700A (en) | Processing method and processing device, storage medium, the computer equipment of application program | |
| CN112231198B (en) | Malicious process debugging method and device, electronic equipment and medium | |
| US10929536B2 (en) | Detecting malware based on address ranges | |
| US10929148B2 (en) | Executing services in containers | |
| CN104573495B (en) | A kind for the treatment of method and apparatus of startup item | |
| CN112966094A (en) | Transaction data processing method, device and system | |
| CN107766094B (en) | Method, device and equipment for controlling mutual starting of application programs | |
| CN110865848B (en) | Component interception method and terminal equipment | |
| CN109784041B (en) | Event processing method and device, storage medium and electronic device | |
| JP2011145945A (en) | Malware detecting device and malware detecting method | |
| CN107368738B (en) | Root prevention method and Root prevention device for intelligent equipment | |
| CN111428240A (en) | Method and device for detecting illegal access of memory of software | |
| CN114138691A (en) | Kernel extension method, device and equipment based on callback mechanism | |
| CN113836529A (en) | Process detection method, device, storage medium and computer equipment | |
| CN109800580B (en) | Permission control method and device of system process, storage medium and computer equipment | |
| CN111026609B (en) | Information auditing method, system, equipment and computer readable storage medium | |
| CN104572199B (en) | The method and apparatus that a kind of No starting item starts |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination |