[nycbug-talk] Understanding sys/module.h , *module_t and *modeventhand_t
nikolai
nikolai at fetissov.org
Thu Apr 10 11:23:51 EDT 2008
>
>> Dynamic Kernel Linker (KLD) Facility Programming Tutorial [Intro]
>> http://rlz.cl/books/Books/BSD/blueprints.html
>>
>> I think the second one actually explains that module_t business.
>
> Yes, thank you. That one drops a big hint:
>
> The 'module_t mod' structure is just a pointer to the module structure.
> This structure is part of a linked list of currently loaded modules. It
> contains links to the other modules loaded, KLD ID number and other such
> useful information.
>
>
> I'd still like to be able to find where that linked list is defined.
>
> I guess I'll just keep reading Rootkits. Considering that hint, I'll
> guess it's addressed later when he starts hiding things.
Tim,
Just one suggestion if I may - try reading the kernel source (also).
That would probably give you more insight into how modules work
than a reference on how to rootkit them :)
As for the module list, I think here it is in
sys/kern/kern_module.c:
...
typedef TAILQ_HEAD(, module) modulelist_t;

struct module {
	TAILQ_ENTRY(module)	link;	/* chain together all modules */
	TAILQ_ENTRY(module)	flink;	/* all modules in a file */
	struct linker_file	*file;	/* file which contains this module */
	int			refs;	/* reference count */
	int			id;	/* unique id number */
	char			*name;	/* module name */
	modeventhand_t		handler;	/* event handler */
	void			*arg;	/* argument for handler */
	modspecific_t		data;	/* module specific data */
};
...
Cheers,
--
Nikolai
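
Added example (not part of the original message and not FreeBSD source): a userland model of the quoted struct showing that module_t is a pointer into two TAILQ chains, with a cross-view check that reports entries present on the per-file chain but absent from the global one. The model_* names and the standalone in_file list head are assumptions made for illustration; only the link, flink, id and name fields are taken from the excerpt.

```c
/* Userland model of the quoted struct module; assumed names, not kernel code. */
#include <stdio.h>
#include <string.h>
#include <sys/queue.h>
typedef struct module *module_t;            /* module_t is only a pointer */
typedef TAILQ_HEAD(, module) modulelist_t;
struct module {
    TAILQ_ENTRY(module) link;               /* chain together all modules */
    TAILQ_ENTRY(module) flink;              /* all modules in a file */
    int id;                                 /* unique id number */
    const char *name;                       /* module name */
};
static modulelist_t modules = TAILQ_HEAD_INITIALIZER(modules); /* global view */
static modulelist_t in_file = TAILQ_HEAD_INITIALIZER(in_file); /* one file's view */

/* Constructed stand-in for loading: put a module on both lists. */
static void model_register(module_t m)
{
    TAILQ_INSERT_TAIL(&modules, m, link);
    TAILQ_INSERT_TAIL(&in_file, m, flink);
}

/* Walk the global list by name; NULL when the module is not linked there. */
static module_t model_find(const char *name)
{
    module_t m;
    TAILQ_FOREACH(m, &modules, link)
        if (strcmp(m->name, name) == 0)
            return m;
    return NULL;
}

/* Cross-view check: per-file entries that the global list does not reach. */
static int model_unlisted(void)
{
    module_t m;
    int missing = 0;
    TAILQ_FOREACH(m, &in_file, flink)
        if (model_find(m->name) == NULL)
            missing++;
    return missing;
}

int main(void)
{
    struct module a = { .id = 1, .name = "sample_a" }; /* constructed sample */
    model_register(&a);
    printf("unlisted=%d\n", model_unlisted());
    return 0;
}
```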