[nycbug-talk] Understanding sys/module.h , *module_t and *modeventhand_t

Tim A. techneck at goldenpath.org
Thu Apr 10 12:43:48 EDT 2008

>>> Dynamic Kernel Linker (KLD) Facility Programming Tutorial [Intro]
>>> http://rlz.cl/books/Books/BSD/blueprints.html
>>> I think the second one actually explains that module_t business.
>> Yes, thank you. That one drops a big hint:
>> The 'module_t mod' structure is just a pointer to the module structure.
>> This structure is part of a linked list of currently loaded modules. It
>> contains links to the other modules loaded, KLD ID number and other such
>> useful information.
>> I'd still like to be able to find where that linked list is defined.
>> I guess I'll just keep reading Rootkits. Considering that hint, I'll
>> guess it's addressed later when he starts hiding things.
> Tim,
> Just one suggestion if I may - try reading the kernel source (also).
> That would probably give you more insight into how modules work
> then a reference on how to rootkit them :)

Very true. But I've been walking around beating myself up with this 
"Design & Implementation" book for so long it's depressing.
Browsing sys/kern without any particular (or some obscure) purpose has 
thoroughly boggled my brain and put me to sleep on numerous occasions.

I *want* to understand it, but I think what I've been needing is a lower 
/ more defined point of entry.
"Rootkits" has been excellent for that. An exciting sort of taboo 
allure, with very well defined, fairly simple objectives with an 
intimate exposure to (what I'm guessing to be) some of the most 
significant aspects of the system internals.

> As for the module list, I think here it is in
> sys/kern/kern_module.c:
> ...
> typedef TAILQ_HEAD(, module) modulelist_t;
> struct module {
> 	TAILQ_ENTRY(module)	link;	/* chain together all modules */
> 	TAILQ_ENTRY(module)	flink;	/* all modules in a file */
> 	struct linker_file	*file;	/* file which contains this module */
> 	int			refs;	/* reference count */
> 	int 			id;	/* unique id number */
> 	char 			*name;	/* module name */
> 	modeventhand_t 		handler;	/* event handler */
> 	void 			*arg;	/* argument for handler */
> 	modspecific_t 		data;	/* module specific data */
> };
> ...

That is exactly what I was looking for.
Thank you, so much! I owe you dinner :)

I thought for sure it would have turned up in cscope by searching the 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nycbug.org/pipermail/talk/attachments/20080410/d95bf25d/attachment.html>

More information about the talk mailing list