
当前内核驱动修改器只有读取没有写入代码功能 #1

@tearhacker

Description

@tearhacker

我给你加上来了 代码如下:

// Merge contiguous iov entries and write them into the remote process
// (Tear driver: tear_write_safe, "second access method" — asm + hardware + RCU lock).
//
// Emulates process_vm_writev on top of driver->tear_write_safe(): adjacent
// entries whose remote addresses AND local buffers are both contiguous are
// coalesced into a single write, capped at one page per merged chunk.
//
// Parameters:
//   driver      - driver object; tear_set_pid() is called on a pid change and
//                 tear_write_safe() performs the actual write
//   pid         - target process id
//   local_iov   - source buffers in this process
//   liovcnt     - number of local_iov entries; must equal riovcnt
//   remote_iov  - destination addresses in the target; only iov_base is read.
//                 remote_iov[i].iov_len is never consulted — lengths come from
//                 local_iov[i] alone, so entries are assumed to be paired with
//                 equal lengths (the real syscall does not pair entries)
//   riovcnt     - number of remote_iov entries
//
// Returns: the sum of merge_len over every tear_write_safe() call that returned
// a truthy value; -1 with errno = EINVAL on a null iov pointer, liovcnt == 0,
// or liovcnt != riovcnt.  A failed chunk is skipped and the loop continues, so
// the result is a byte count, not the length of a contiguous written prefix as
// it would be for process_vm_writev.
//
// NOTE(review): tear_write_safe()'s return value is treated as all-or-nothing
// success for the chunk; if it can report a partial write, the count here is
// wrong — confirm against the driver's contract.
static long handle_process_vm_writev(TearGame2026HookDriver* driver, int pid,
const iovec* local_iov, unsigned long liovcnt,
const iovec* remote_iov, unsigned long riovcnt) {
(void)riovcnt;  // stale: riovcnt is read in the check directly below
if (unlikely(!local_iov || !remote_iov || liovcnt == 0 || liovcnt != riovcnt)) {
errno = EINVAL;
return -1;
}
// Double-checked pid switch.  g_last_pid is read here outside g_init_lock;
// unless it is declared atomic elsewhere this is a data race when two
// threads enter concurrently — TODO confirm its declaration.
if (unlikely(pid != g_last_pid)) {
pthread_mutex_lock(&g_init_lock);
if (pid != g_last_pid) {
g_last_pid = pid;
driver->tear_set_pid(pid);
LOGI("Driver attached to pid %d (writev)", pid);
}
pthread_mutex_unlock(&g_init_lock);
}
// sysconf() returns long and -1 on failure; converted to size_t that becomes
// SIZE_MAX, which silently removes the per-chunk merge cap instead of failing.
const size_t page_size = sysconf(_SC_PAGESIZE);
long total_written = 0;
// Pending (not yet written) merged chunk: remote start, local start, length.
uintptr_t merge_remote_addr = 0;
const uint8_t* merge_local_buf = nullptr;
size_t merge_len = 0;
bool has_pending = false;

for (unsigned long i = 0; i < liovcnt; ++i) {
    const size_t len = local_iov[i].iov_len;
    if (unlikely(len == 0)) continue;  // zero-length entries neither write nor end a merge

    const uint8_t* local_buf = reinterpret_cast<const uint8_t*>(local_iov[i].iov_base);
    const uintptr_t remote_addr = reinterpret_cast<uintptr_t>(remote_iov[i].iov_base);

    // Extend the pending chunk only when both sides continue exactly where the
    // chunk ends and the merged size stays within one page.
    if (has_pending &&
            remote_addr == (merge_remote_addr + merge_len) &&
            local_buf == (merge_local_buf + merge_len) &&
            (merge_len + len) <= page_size) {
        merge_len += len;
        continue;
    }
    // Not mergeable: flush the pending chunk, then start a new one from this entry.
    if (likely(has_pending)) {
        if (driver->tear_write_safe(merge_remote_addr, merge_local_buf, merge_len))
            total_written += static_cast<long>(merge_len);
    }
    merge_remote_addr = remote_addr;
    merge_local_buf   = local_buf;
    merge_len         = len;
    has_pending       = true;
}
// Flush the final chunk.  The page cap only limits merging: a single entry
// larger than a page is written here unsplit.
if (likely(has_pending)) {
    if (driver->tear_write_safe(merge_remote_addr, merge_local_buf, merge_len))
        total_written += static_cast<long>(merge_len);
}
return total_written;

}

// Dispatch excerpt: the enclosing syscall handler starts and ends outside this
// listing, and "..." marks lines the author elided.
const bool is_readv = (number == __NR_process_vm_readv);
const bool is_writev = (number == __NR_process_vm_writev);
if (likely(!is_readv && !is_writev)) {
// ... pass all other syscalls through ...
}
// ... parse pid, local_iov, liovcnt, remote_iov, riovcnt, flags ...

// Refuse with ENODEV when there is no driver object or it reports not loaded.
if (unlikely(!g_driver || !g_driver->isDriverLoaded())) {
    errno = ENODEV;
    return -1;
}

// Write path: delegate to the iov-merging writer.  Note that 'flags' is parsed
// above but not forwarded to handle_process_vm_writev.
if (is_writev) {
    return handle_process_vm_writev(g_driver, pid, local_iov, liovcnt, remote_iov, riovcnt);
}
// ========== process_vm_readv read logic follows ==========

泪心已退网 勿念 @TearDriver QQ2254013571
