From 0156fff9938aaab56c1671fde13667ef88b15d76 Mon Sep 17 00:00:00 2001
From: yieux <yangxy79315@sina.com>
Date: Thu, 12 Oct 2023 15:03:34 +0800
Subject: [PATCH 1/5] =?UTF-8?q?=E6=B7=BB=E5=8A=A0=E5=86=85=E5=AD=98?=
 =?UTF-8?q?=E4=BF=AE=E6=94=B9=E6=8E=A2=E9=92=88=EF=BC=8C=E5=8C=85=E5=90=AB?=
 =?UTF-8?q?=E9=9A=90=E8=94=BD=E5=86=85=E6=A0=B8=E6=A8=A1=E5=9D=97=E8=AF=86?=
 =?UTF-8?q?=E5=88=AB=E5=92=8C=E5=AE=89=E5=85=A8=E5=BC=80=E5=85=B3=E7=9B=91?=
 =?UTF-8?q?=E6=8E=A7?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 kerneldriver/cases/Makefile                   |  28 +++
 .../secDetector_mc_kmodule_list.c             |  46 +++++
 .../secDetector_mc_kmodule_list.h             |  12 ++
 .../secDetector_memory_corruption.c           |  79 ++++++++
 kerneldriver/core/Makefile                    |   4 +
 .../core/analyze_unit/secDetector_analyze.c   |  25 +++
 .../analyze_unit/secDetector_save_check.c     | 176 ++++++++++++++++++
 .../analyze_unit/secDetector_save_check.h     |  15 ++
 .../core/collect_unit/secDetector_collect.c   |  48 +++++
 .../secDetector_function_switch.c             | 133 +++++++++++++
 .../secDetector_function_switch.h             |  12 ++
 .../core/hook_unit/secDetector_hook.c         |   4 +-
 .../core/hook_unit/secDetector_hook.h         |   4 +-
 .../core/response_unit/secDetector_response.c |  52 +++++-
 kerneldriver/core/secDetector_manager.c       |  46 ++++-
 kerneldriver/core/secDetector_workflow.c      |  29 ++-
 kerneldriver/include/secDetector_analyze.h    |   4 +
 .../include/secDetector_analyze_type.h        |  40 +++-
 kerneldriver/include/secDetector_collect.h    |   5 +
 .../include/secDetector_collect_type.h        |  35 +++-
 kerneldriver/include/secDetector_response.h   |  11 +-
 .../include/secDetector_response_type.h       |   8 +-
 kerneldriver/include/secDetector_workflow.h   |   2 +-
 .../include/secDetector_workflow_type.h       |  14 +-
 24 files changed, 801 insertions(+), 31 deletions(-)
 create mode 100644 kerneldriver/cases/Makefile
 create mode 100644 kerneldriver/cases/memory_corruption/secDetector_mc_kmodule_list.c
 create mode 100644 kerneldriver/cases/memory_corruption/secDetector_mc_kmodule_list.h
 create mode 100644 kerneldriver/cases/memory_corruption/secDetector_memory_corruption.c
 create mode 100644 kerneldriver/core/analyze_unit/secDetector_analyze.c
 create mode 100644 kerneldriver/core/analyze_unit/secDetector_save_check.c
 create mode 100644 kerneldriver/core/analyze_unit/secDetector_save_check.h
 create mode 100644 kerneldriver/core/collect_unit/secDetector_collect.c
 create mode 100644 kerneldriver/core/collect_unit/secDetector_function_switch.c
 create mode 100644 kerneldriver/core/collect_unit/secDetector_function_switch.h

diff --git a/kerneldriver/cases/Makefile b/kerneldriver/cases/Makefile
new file mode 100644
index 0000000..004b5da
--- /dev/null
+++ b/kerneldriver/cases/Makefile
@@ -0,0 +1,28 @@
+# make secDetector_core
+
+# obj-m := secDetector_cases.o
+# secDetector_cases-objs += memory_corruption/secDetector_memory_corruption.o memory_corruption/secDetector_mc_kmodule_list.o
+
+#secDetector_cases-objs := secDetector_memory_corruption.o
+obj-m += secDetector_memory_corruption.o
+
+secDetector_memory_corruption-objs := memory_corruption/secDetector_memory_corruption.o memory_corruption/secDetector_mc_kmodule_list.o
+
+
+
+KERNEL_SRC ?= /lib/modules/$(shell uname -r)/build
+PWD := $(shell pwd)
+
+cflags-y += -I$(PWD)/../include
+cflags-y += -I$(KERNEL_SRC)/include/linux
+EXTRA_CFLAGS += -Wall -Werror
+ifndef KDIR
+KDIR=$(KERNEL_SRC)
+endif
+# export KBUILD_EXTRA_SYMBOLS
+
+all:
+	$(MAKE) -C $(KERNEL_SRC) M=$(PWD) modules KCPPFLAGS="${cflags-y}"
+
+clean:
+	rm -rf *.ko *.o .*.o.d .*.ko.cmd *.mod.c *.mod .*.cmd Modules.* *.symvers *.order .tmp* *.markers */*.ko */*.o */.*.o.d */.*.ko.cmd */*.mod.c */*.mod */.*.cmd */Modules.* */*.symvers
diff --git a/kerneldriver/cases/memory_corruption/secDetector_mc_kmodule_list.c b/kerneldriver/cases/memory_corruption/secDetector_mc_kmodule_list.c
new file mode 100644
index 0000000..d3b530f
--- /dev/null
+++ b/kerneldriver/cases/memory_corruption/secDetector_mc_kmodule_list.c
@@ -0,0 +1,46 @@
+/*
+ * SPDX-License-Identifier: GPL-2.0
+ *
+ * Author: yieux
+ * create: 2023-09-28
+ * Description: the main implement of the kmodule list corruption.
+ */
+#include <linux/module.h>
+#include <linux/list.h>
+#include <linux/spinlock.h>
+#include "secDetector_mc_kmodule_list.h"
+
+#define MODULE_LIST_MAXSIZE 0x10000
+
+// 3 ways for get kernel module list.
+// struct module->list
+// struct module->mkobj->kobj->entry
+// struct module->mkobj->kobj->kset
+
+void check_kmodule_list(void)
+{
+	struct module_kobject *mobj = NULL;
+	struct kobject *k = NULL;
+	struct module *m = NULL;
+	struct kset *module_kset = __this_module.mkobj.kobj.kset;
+
+	if (module_kset == NULL)
+	return;
+
+	spin_lock(&module_kset->list_lock);
+	list_for_each_entry(k, &module_kset->list, entry) {
+		if (k->name == NULL)
+			continue;
+		mobj = container_of(k, struct module_kobject, kobj);
+		if (mobj == NULL || mobj->mod == NULL || (unsigned long)mobj->mod->name < MODULE_LIST_MAXSIZE)
+			continue;
+
+		mutex_lock(&module_mutex);
+		m = find_module(k->name);
+		if (m == NULL)
+			pr_err("[secDetector] mc kmoudle list find! module_name=%s.\n", k->name);
+		mutex_unlock(&module_mutex);
+	}
+	spin_unlock(&module_kset->list_lock);
+	return;
+}
\ No newline at end of file
diff --git a/kerneldriver/cases/memory_corruption/secDetector_mc_kmodule_list.h b/kerneldriver/cases/memory_corruption/secDetector_mc_kmodule_list.h
new file mode 100644
index 0000000..737ca47
--- /dev/null
+++ b/kerneldriver/cases/memory_corruption/secDetector_mc_kmodule_list.h
@@ -0,0 +1,12 @@
+/*
+ * SPDX-License-Identifier: GPL-2.0
+ *
+ * Author: yieux
+ * create: 2023-09-28
+ * Description: the kmodule list corruption head file.
+ */
+ #ifndef SECDETECTOR_MC_KMODULE_LIST_H
+ #define SECDETECTOR_MC_KMODULE_LIST_H
+ 
+void check_kmodule_list(void);
+ #endif
\ No newline at end of file
diff --git a/kerneldriver/cases/memory_corruption/secDetector_memory_corruption.c b/kerneldriver/cases/memory_corruption/secDetector_memory_corruption.c
new file mode 100644
index 0000000..d9ce901
--- /dev/null
+++ b/kerneldriver/cases/memory_corruption/secDetector_memory_corruption.c
@@ -0,0 +1,79 @@
+/*
+ * SPDX-License-Identifier: GPL-2.0
+ *
+ * Author: yieux
+ * create: 2023-09-28
+ * Description: the main implement of memory corruption probe.
+ */
+#include <linux/module.h>
+#include <linux/printk.h>
+#include <linux/seq_file.h>
+#include "secDetector_manager.h"
+#include <secDetector_module_type.h>
+#include "secDetector_mc_kmodule_list.h"
+
+
+#define TIME_INTERVAL 10000
+DEFINE_MUTEX(case_mc_mutex);
+
+
+static void check_all_watching_memory(void)
+{
+	mutex_lock(&case_mc_mutex);
+	check_kmodule_list();
+	mutex_unlock(&case_mc_mutex);
+}
+
+static struct secDetector_collect collect_array[] = {
+	{
+		.collect_type = COLLECT_GLOBAL_FUNCTION_SWITCH,
+	},
+};
+
+
+static struct secDetector_workflow workflow_array[] = {
+	{
+		.workflow_type = WORKFLOW_CUSTOMIZATION,
+		.workflow_func.func = check_all_watching_memory,
+		.interval = TIME_INTERVAL,
+		.enabled = ATOMIC_INIT(true)
+	},
+	{
+		.workflow_type = WORKFLOW_PRESET,
+		.collect_array = collect_array,
+		.analyze_type = ANALYZE_PRESET_SAVE_CHECK,
+		.interval = TIME_INTERVAL,
+		.enabled = ATOMIC_INIT(true)
+	},
+};
+
+static struct secDetector_module mc_module = {
+	.name = "secDetector memory corruption module",
+	.enabled = ATOMIC_INIT(true),
+	.workflow_array = workflow_array,
+	.workflow_array_len = ARRAY_SIZE(workflow_array),
+};
+
+static int __init register_secDetector_mc(void)
+{
+	int ret;
+	ret = secDetector_module_register(&mc_module);
+	if (ret < 0)
+		pr_err("register event failed");
+
+	pr_debug("[secDetector case memory corruption] register success\n");
+	return ret;
+}
+
+static void __exit unregister_secDetector_mc(void)
+{
+	mutex_lock(&case_mc_mutex);
+	(void)secDetector_module_unregister(&mc_module);
+	mutex_unlock(&case_mc_mutex);
+
+	pr_debug("[secDetector case memory corruption] unregister success\n");
+}
+
+module_init(register_secDetector_mc);
+module_exit(unregister_secDetector_mc);
+MODULE_LICENSE("GPL");
\ No newline at end of file
diff --git a/kerneldriver/core/Makefile b/kerneldriver/core/Makefile
index 1a9b05b..d323ab5 100644
--- a/kerneldriver/core/Makefile
+++ b/kerneldriver/core/Makefile
@@ -4,6 +4,10 @@ obj-m := secDetector_core.o
 
 secDetector_core-objs += hook_unit/secDetector_hook_tracepoint.o
 secDetector_core-objs += hook_unit/secDetector_hook.o
+secDetector_core-objs += collect_unit/secDetector_collect.o
+secDetector_core-objs += collect_unit/secDetector_function_switch.o
+secDetector_core-objs += analyze_unit/secDetector_analyze.o
+secDetector_core-objs += analyze_unit/secDetector_save_check.o
 secDetector_core-objs += response_unit/secDetector_proc.o
 secDetector_core-objs += response_unit/secDetector_response.o
 secDetector_core-objs += response_unit/secDetector_ringbuffer.o
diff --git a/kerneldriver/core/analyze_unit/secDetector_analyze.c b/kerneldriver/core/analyze_unit/secDetector_analyze.c
new file mode 100644
index 0000000..4e0845e
--- /dev/null
+++ b/kerneldriver/core/analyze_unit/secDetector_analyze.c
@@ -0,0 +1,25 @@
+/*
+ * SPDX-License-Identifier: GPL-2.0
+ *
+ * Author: yieux
+ * create: 2023-10-11
+ * Description: the analyze unit func.
+ */
+#include "secDetector_analyze.h"
+#include "secDetector_save_check.h"
+
+
+analyze_func_t analyze_units[NR_ANALYZE] = {
+	[ANALYZE_PRESET_SAVE_CHECK] = analyze_save_check,
+};
+
+void free_analyze_status_data(analyze_status_t *analyze_status_data)
+{
+	switch (analyze_status_data->data.data_type) {
+		case ANALYZE_STATUS_SAVE_CHECK:
+			free_analyze_status_data_sc(analyze_status_data);
+			break;
+		default:
+			break;
+	}
+}
\ No newline at end of file
diff --git a/kerneldriver/core/analyze_unit/secDetector_save_check.c b/kerneldriver/core/analyze_unit/secDetector_save_check.c
new file mode 100644
index 0000000..d93f258
--- /dev/null
+++ b/kerneldriver/core/analyze_unit/secDetector_save_check.c
@@ -0,0 +1,176 @@
+/*
+ * SPDX-License-Identifier: GPL-2.0
+ *
+ * Author: yieux
+ * create: 2023-10-11
+ * Description: the analyze unit of save check func.
+ */
+#include "secDetector_analyze.h"
+#include "secDetector_collect_type.h"
+#include "secDetector_response_type.h"
+#include <linux/crypto.h>
+#include <linux/hash.h>
+#include <linux/err.h>
+#include <crypto/sha2.h>
+//"[save_check]" + ": original:" + MAX_DIGITS +"; now: "+ MAX_DIGITS +".!\n" 33 + 2*MAX_DIGITS + 1
+#define REPORT_MORE_CHAR_LEN 80
+#define MAX_DIGITS 20
+
+static unsigned long long hash_to_long(void *data, int len)
+{
+	char hash[SHA256_DIGEST_SIZE];
+	int i;
+	unsigned long long ret = 0;
+
+	sha256(data, len, hash);
+	ret = *(unsigned long long *)hash;
+	for (i = 0; i < SHA256_DIGEST_SIZE; i += sizeof(unsigned long long)) {
+		ret = ret & (*(unsigned long long *)(hash + i));
+	}
+
+	return ret;
+}
+
+static int init_analyze_status_data_sc(analyze_status_t *analyze_status_data, int len)
+{
+	if (analyze_status_data == NULL) {
+		pr_err("invalid analyze_status_data!");
+		return 0;
+	}
+	analyze_status_data->sc_data.data = kmalloc(sizeof(unsigned long long) * len, GFP_KERNEL);
+	analyze_status_data->sc_data.len = len;
+	return 0;
+}
+
+
+void free_analyze_status_data_sc(analyze_status_t *analyze_status_data)
+{
+	if (analyze_status_data != NULL && analyze_status_data->sc_data.data != NULL)
+		kfree(analyze_status_data->sc_data.data);
+}
+
+static int analyze_save_check_init(struct list_head *collect_data_list, analyze_status_t *analyze_status_data, response_data_t *response_data)
+{
+	int data_index = 0;
+	struct collect_data *cd;
+	list_for_each_entry(cd, collect_data_list, list) {
+		if (cd->name == NULL)
+			continue;
+		data_index++;
+	}
+	init_analyze_status_data_sc(analyze_status_data, data_index);
+
+	data_index = 0;
+	list_for_each_entry(cd, collect_data_list, list) {
+		if (cd->name == NULL)
+			continue;
+		switch (cd->value_type) {
+			case COLLECT_VALUE_INT:
+				analyze_status_data->sc_data.data[data_index] = cd->value.int_value;
+				break;
+			case COLLECT_VALUE_REGION:
+				analyze_status_data->sc_data.data[data_index] = hash_to_long(cd->value.region_value.addr, cd->value.region_value.size);
+				break;
+			default:
+				break;
+		}
+		data_index ++;
+	}
+
+	analyze_status_data->sc_data.init_tag = 1;
+	return RESPONSE_OK;
+}
+
+
+
+static int analyze_save_check_normal(struct list_head *collect_data_list, analyze_status_t *analyze_status_data, response_data_t *response_data)
+{
+	int data_index = 0;
+	unsigned long long measure_value;
+	struct collect_data *cd;
+	char **response_arrays;
+	int response_array_index = 0;
+	char int_str[MAX_DIGITS];
+	uint32_t response_data_char_len = 0;
+	int ret = RESPONSE_OK;
+	int i;
+
+	list_for_each_entry(cd, collect_data_list, list) {
+		if (cd->name == NULL)
+			continue;
+		data_index++;
+	}
+	response_arrays = kmalloc(sizeof(char *) * data_index, GFP_KERNEL);
+	if (response_arrays == NULL) {
+		pr_err("kmalloc failed");
+		return -ENOMEM;
+	}
+
+	data_index = 0;
+	list_for_each_entry(cd, collect_data_list, list) {
+		if (cd->name == NULL)
+			continue;
+		switch (cd->value_type) {
+			case COLLECT_VALUE_INT:
+				measure_value = cd->value.int_value;
+				break;
+			case COLLECT_VALUE_REGION:
+				measure_value = hash_to_long(cd->value.region_value.addr, cd->value.region_value.size);
+				break;
+			default:
+				measure_value = 0;
+				break;
+		}
+		if (measure_value != analyze_status_data->sc_data.data[data_index]) {
+			response_arrays[response_array_index] = kmalloc(strlen(cd->name) + REPORT_MORE_CHAR_LEN, GFP_KERNEL);
+			if (response_arrays[response_array_index] == NULL) {
+				pr_err("kmalloc failed");
+				return -ENOMEM;
+			}
+
+			strcpy(response_arrays[response_array_index], "[save_check]");
+			//应该有 workflow的名字
+			strncat(response_arrays[response_array_index], cd->name, strlen(cd->name));
+			strcat(response_arrays[response_array_index],": original:");
+			sprintf(int_str, "%llx", analyze_status_data->sc_data.data[data_index]);
+			strncat(response_arrays[response_array_index], int_str, strlen(int_str));
+			strcat(response_arrays[response_array_index],"; now: ");
+			sprintf(int_str, "%llx", measure_value);
+			strncat(response_arrays[response_array_index], int_str, strlen(int_str));
+			strcat(response_arrays[response_array_index],".!\n");
+
+			response_data_char_len += strlen(response_arrays[response_array_index]);
+			ret = RESPONSE_REPORT;
+			response_array_index ++;
+		}
+		data_index ++;
+	}
+
+	if (ret == RESPONSE_REPORT) {
+		response_data->report_data.len = response_data_char_len;
+		response_data->report_data.text = kmalloc(response_data_char_len + 1, GFP_KERNEL);
+		if (response_data->report_data.text == NULL) {
+			pr_err("kmalloc failed");
+			return -ENOMEM;
+		}
+		for (i = 0; i < response_array_index; i++) {
+			strncat(response_data->report_data.text, response_arrays[i], strlen(response_arrays[i]));
+			kfree(response_arrays[i]);
+		}
+	}
+	kfree(response_arrays);
+
+	return ret;
+}
+
+int analyze_save_check(struct list_head *collect_data_list, analyze_status_t *analyze_status_data, response_data_t *response_data)
+{
+	if (analyze_status_data->sc_data.init_tag == 1) {
+		return analyze_save_check_normal(collect_data_list, analyze_status_data, response_data);
+	} else {
+		return analyze_save_check_init(collect_data_list, analyze_status_data, response_data);
+	}
+	return 0;
+}
+
+
diff --git a/kerneldriver/core/analyze_unit/secDetector_save_check.h b/kerneldriver/core/analyze_unit/secDetector_save_check.h
new file mode 100644
index 0000000..50719a4
--- /dev/null
+++ b/kerneldriver/core/analyze_unit/secDetector_save_check.h
@@ -0,0 +1,15 @@
+/*
+ * SPDX-License-Identifier: GPL-2.0
+ *
+ * Author: yieux
+ * create: 2023-10-11
+ * Description: the analyze unit of save check head.
+ */
+#ifndef SECDETECTOR_SAVE_CHECK_H
+#define SECDETECTOR_SAVE_CHECK_H
+#include "secDetector_analyze_type.h"
+#include "secDetector_collect_type.h"
+int analyze_save_check(struct list_head *collect_data_list, analyze_status_t *analyze_status_data, response_data_t *response_data);
+
+void free_analyze_status_data_sc(analyze_status_t *analyze_status_data);
+#endif
\ No newline at end of file
diff --git a/kerneldriver/core/collect_unit/secDetector_collect.c b/kerneldriver/core/collect_unit/secDetector_collect.c
new file mode 100644
index 0000000..58cac64
--- /dev/null
+++ b/kerneldriver/core/collect_unit/secDetector_collect.c
@@ -0,0 +1,48 @@
+/*
+ * SPDX-License-Identifier: GPL-2.0
+ *
+ * Author: yieux
+ * create: 2023-10-08
+ * Description: the collect unit func.
+ */
+#include "secDetector_collect.h"
+#include "secDetector_function_switch.h"
+#include <linux/slab.h>
+#include <linux/string.h>
+
+collect_func_t collect_units[NR_COLLECT] = {
+	[COLLECT_GLOBAL_FUNCTION_SWITCH] = collect_function_switch,
+};
+
+
+struct collect_data *init_collect_data(const char *name)
+{
+	int nl;
+	struct collect_data *cd;
+	if (name == NULL)
+		return NULL;
+	cd = kmalloc(sizeof(struct collect_data), GFP_KERNEL);
+	if (cd == NULL) {
+		pr_err("kmalloc failed");
+		return NULL;
+	}
+
+	nl = strlen(name);
+	cd->name = kmalloc(nl + 1, GFP_KERNEL);
+	if (cd->name == NULL) {
+		pr_err("kmalloc failed");
+		return NULL;
+	}
+	strncpy(cd->name, name, nl);
+	cd->name[nl] = '\0';
+
+	return cd;
+}
+
+void free_collect_data(struct collect_data *cd)
+{
+	kfree(cd->name);
+	if (cd->value_type == COLLECT_VALUE_REGION)
+		kfree(cd->value.region_value.addr);
+	kfree(cd);
+}
\ No newline at end of file
diff --git a/kerneldriver/core/collect_unit/secDetector_function_switch.c b/kerneldriver/core/collect_unit/secDetector_function_switch.c
new file mode 100644
index 0000000..bd7b088
--- /dev/null
+++ b/kerneldriver/core/collect_unit/secDetector_function_switch.c
@@ -0,0 +1,133 @@
+/*
+ * SPDX-License-Identifier: GPL-2.0
+ *
+ * Author: yieux
+ * create: 2023-10-08
+ * Description: the collect unit of function switch func.
+ */
+#include "secDetector_function_switch.h"
+#include "secDetector_collect.h"
+#include <linux/kernel.h>
+#include <linux/slab.h>
+#include <linux/string.h>
+#include <asm/processor-flags.h>
+#if defined(__aarch64__)
+#include <asm/sysreg.h>
+#endif
+
+
+
+static void collect_SMEP_tag(struct list_head *ret_list)
+{
+	unsigned long long value;
+	#if defined(__x86_64__)
+	const char *name = "SMEP";
+	#else
+	const char *name = NULL;
+	#endif
+	struct collect_data *cd = init_collect_data(name);
+	if (cd == NULL)
+		return;
+
+	#if defined(__x86_64__)
+	asm volatile ("mov %%cr4, %0":"=r" (value));
+	value = (value & X86_CR4_SMEP)? 1 : 0;
+	#endif
+
+	cd->value_type = COLLECT_VALUE_INT;
+	cd->value.int_value = value;
+
+	list_add_tail(&cd->list, ret_list);
+}
+
+static void collect_SMAP_tag(struct list_head *ret_list)
+{
+	unsigned long long value;
+	#if defined(__x86_64__)
+	const char *name = "SMAP";
+	#else
+	const char *name = NULL;
+	#endif
+	struct collect_data *cd = init_collect_data(name);
+	if (cd == NULL)
+		return;
+
+	#if defined(__x86_64__)
+	asm volatile ("mov %%cr4, %0":"=r" (value));
+	value = (value & X86_CR4_SMAP)? 1 : 0;
+	#endif
+
+	cd->value_type = COLLECT_VALUE_INT;
+	cd->value.int_value = value;
+
+	list_add_tail(&cd->list, ret_list);
+}
+
+
+static void collect_WP_tag(struct list_head *ret_list)
+{
+	unsigned long long value;
+	#if defined(__x86_64__)
+	const char *name = "WP";
+	#else
+	const char *name = NULL;
+	#endif
+	struct collect_data *cd = init_collect_data(name);
+	if (cd == NULL)
+		return;
+
+	#if defined(__x86_64__)
+	asm volatile ("mov %%cr0, %0":"=r" (value));
+	value = (value & X86_CR0_WP)? 1 : 0;
+	#endif
+
+	cd->value_type = COLLECT_VALUE_INT;
+	cd->value.int_value = value;
+
+	list_add_tail(&cd->list, ret_list);
+}
+
+static void collect_WXN_tag(struct list_head *ret_list)
+{
+	unsigned long long value;
+	#if defined(__aarch64__)
+	const char *name = "WXN";
+	#else
+	const char *name = NULL;
+	#endif
+	struct collect_data *cd = init_collect_data(name);
+	if (cd == NULL)
+		return;
+
+	#if defined(__aarch64__)
+	asm volatile ("mrs %0 sctlr_el1" : "=r" (value));
+	value = (value & (1UL << 19))? 1 : 0;
+	#endif
+
+	cd->value_type = COLLECT_VALUE_INT;
+	cd->value.int_value = value;
+
+	list_add_tail(&cd->list, ret_list);
+}
+
+
+
+void collect_function_switch(current_context_t cc, struct list_head *ret_list)
+{
+	collect_SMEP_tag(ret_list);
+	collect_SMAP_tag(ret_list);
+	collect_WP_tag(ret_list);
+	collect_WXN_tag(ret_list);
+}
+
+
+// 	#if defined(__i386__) || defined(__x86_64__)
+// 	asm volatile ("mov %%cr4, %0":"=r" (value));
+// 	value = (value & X86_CR4_SMEP)? 1 : 0;
+// 	#elif defined(__arm__)
+// 	asm volatile ("mcr p15, 0, %0, c0, c0, 0" : "=r" (value));
+// 	value = (value & (1UL << 29))? 1 : 0;
+// 	#elif defined(__aarch64__)
+// 	asm volatile ("mrs %0 sctlr_el1" : "=r" (value));
+// 	value = (value & (1UL << 29))? 1 : 0;
+// 	#endif
diff --git a/kerneldriver/core/collect_unit/secDetector_function_switch.h b/kerneldriver/core/collect_unit/secDetector_function_switch.h
new file mode 100644
index 0000000..364a32a
--- /dev/null
+++ b/kerneldriver/core/collect_unit/secDetector_function_switch.h
@@ -0,0 +1,12 @@
+/*
+ * SPDX-License-Identifier: GPL-2.0
+ *
+ * Author: yieux
+ * create: 2023-10-08
+ * Description: the collect unit of function switch head.
+ */
+#ifndef SECDETECTOR_FUNCTION_SWITCH_H
+#define SECDETECTOR_FUNCTION_SWITCH_H
+#include "secDetector_collect_type.h"
+void collect_function_switch(current_context_t cc, struct list_head *ret_list);
+#endif
\ No newline at end of file
diff --git a/kerneldriver/core/hook_unit/secDetector_hook.c b/kerneldriver/core/hook_unit/secDetector_hook.c
index 39f7e28..af052b8 100644
--- a/kerneldriver/core/hook_unit/secDetector_hook.c
+++ b/kerneldriver/core/hook_unit/secDetector_hook.c
@@ -155,7 +155,7 @@ int insert_callback(struct secDetector_workflow *workflow)
 	for (i = 0; i < ARRAY_SIZE(hook_list_funcs); i++) {
 		list_func = &hook_list_funcs[i];
 		if (workflow->hook_type >= list_func->type_min &&
-		    workflow->hook_type <= list_func->type_max) {
+			workflow->hook_type <= list_func->type_max) {
 			if (list_func->exists(workflow))
 				return -EEXIST;
 			ret = list_func->insert(workflow);
@@ -177,7 +177,7 @@ int delete_callback(struct secDetector_workflow *workflow)
 	for (i = 0; i < ARRAY_SIZE(hook_list_funcs); i++) {
 		list_func = &hook_list_funcs[i];
 		if (workflow->hook_type >= list_func->type_min &&
-		    workflow->hook_type <= list_func->type_max) {
+			workflow->hook_type <= list_func->type_max) {
 			if (!list_func->exists(workflow))
 				return 0;
 			ret = list_func->delete (workflow);
diff --git a/kerneldriver/core/hook_unit/secDetector_hook.h b/kerneldriver/core/hook_unit/secDetector_hook.h
index 18ece67..7aba3c2 100644
--- a/kerneldriver/core/hook_unit/secDetector_hook.h
+++ b/kerneldriver/core/hook_unit/secDetector_hook.h
@@ -42,7 +42,7 @@ extern void init_secDetector_hook(void);
 		list_for_each_entry_rcu (workflow, &(callback_list), list) {   \
 			if (atomic_read(&workflow->enabled) &&                 \
 			    atomic_read(&workflow->module->enabled))           \
-				workflow->workflow_func.func(PARAMS(args));    \
+				workflow->workflow_func.func(workflow, PARAMS(args));    \
 		}                                                              \
 		mutex_unlock(&g_hook_list_array_mutex);                        \
 	} while (0)
@@ -55,7 +55,7 @@ extern void init_secDetector_hook(void);
 		list_for_each_entry_rcu (workflow, &(callback_list), list) {   \
 			if (atomic_read(&workflow->enabled) &&                 \
 			    atomic_read(&workflow->module->enabled))           \
-				workflow->workflow_func.func(PARAMS(args));    \
+				workflow->workflow_func.func(workflow, PARAMS(args));    \
 		}                                                              \
 		rcu_read_unlock();                                             \
 	} while (0)
diff --git a/kerneldriver/core/response_unit/secDetector_response.c b/kerneldriver/core/response_unit/secDetector_response.c
index f3d09b1..f525a89 100644
--- a/kerneldriver/core/response_unit/secDetector_response.c
+++ b/kerneldriver/core/response_unit/secDetector_response.c
@@ -7,11 +7,13 @@
  */
 #include <linux/printk.h>
 #include <linux/bpf.h>
+#include <linux/slab.h>
 #include "secDetector_response.h"
 #include "secDetector_proc.h"
 #include "secDetector_ringbuffer.h"
 
-static const response_func_t response_units[NR_RESPONSE] = {
+response_func_t response_units[NR_RESPONSE] = {
+	[RESPONSE_OK] = secDetector_ok,
 	[RESPONSE_REPORT] = secdetector_report,
 };
 
@@ -25,15 +27,20 @@ void notrace secdetector_respond(unsigned int response_type,
 }
 EXPORT_SYMBOL_GPL(secdetector_respond);
 
+void notrace secDetector_ok(response_data_t *data)
+{
+	return;
+}
+
 void notrace secdetector_report(response_data_t *log)
 {
 	int ret;
 
-	if (!log || !log->report_data || !log->report_data->text)
+	if (!log || !log->report_data.text)
 		return;
 
-	ret = secDetector_ringbuf_output(log->report_data->text,
-					 log->report_data->len,
+	ret = secDetector_ringbuf_output(log->report_data.text,
+					 log->report_data.len,
 					 BPF_RB_FORCE_WAKEUP);
 	if (ret != 0)
 		pr_warn("write ringbuf failed\n");
@@ -43,11 +50,44 @@ EXPORT_SYMBOL_GPL(secdetector_report);
 void notrace secDetector_proc_report(response_data_t *log)
 {
 	int ret;
-	if (!log || !log->report_data || !log->report_data->text)
+	if (!log || !log->report_data.text)
 		return;
 
-	ret = write_log(log->report_data->text, log->report_data->len);
+	ret = write_log(log->report_data.text, log->report_data.len);
 	if (ret != 0)
 		pr_warn("write_log failed");
 }
 EXPORT_SYMBOL_GPL(secDetector_proc_report);
+
+
+
+
+void free_response_data_no_rd(uint32_t repsonse_id, response_data_t *rd)
+{
+	if (rd == NULL)
+		return;
+	switch (repsonse_id) {
+		case RESPONSE_REPORT:
+			if (rd->report_data.len != 0 && rd->report_data.text != NULL)
+				kfree(rd->report_data.text);
+			break;
+		default:
+			break;
+	}
+}
+
+void free_response_data(uint32_t repsonse_id, response_data_t *rd)
+{
+	if (rd == NULL)
+		return;
+	switch (repsonse_id) {
+		case RESPONSE_REPORT:
+			if (rd->report_data.len != 0 && rd->report_data.text != NULL) {
+				kfree(rd->report_data.text);
+				kfree(rd);
+			}
+			break;
+		default:
+			break;
+	}
+}
diff --git a/kerneldriver/core/secDetector_manager.c b/kerneldriver/core/secDetector_manager.c
index ba91533..0969c0b 100644
--- a/kerneldriver/core/secDetector_manager.c
+++ b/kerneldriver/core/secDetector_manager.c
@@ -35,7 +35,7 @@ void secDetector_module_unregister(struct secDetector_module *module)
 	}
 
 	for (i = 0, wf = module->workflow_array; i < module->workflow_array_len;
-	     i++, wf++) {
+		 i++, wf++) {
 		if (wf == NULL) {
 			goto error;
 		}
@@ -44,6 +44,11 @@ void secDetector_module_unregister(struct secDetector_module *module)
 			pr_err("[secDetector] delete callback failed\n");
 			goto error;
 		}
+		// workflow在被卸载的时候，需要释放analyze status等申请的内存,特别是使用默认的response list。
+		free_analyze_status_data(&wf->analyze_status);
+		if (wf->response_array_len == 0) {
+			kfree(wf->response_array);
+		}
 	}
 
 error:
@@ -55,6 +60,40 @@ error:
 }
 EXPORT_SYMBOL_GPL(secDetector_module_unregister);
 
+static void secDetector_collect_analyze_response_unit_padding(struct secDetector_workflow *wf)
+{
+	int i;
+	struct secDetector_collect *sc = wf->collect_array;
+	struct secDetector_response *sr = wf->response_array;
+	
+	for (i = 0; i < wf->collect_array_len; i++) {
+		if (sc[i].collect_type < COLLECT_CUSTOMIZATION)
+			sc[i].collect_func = collect_units[sc[i].collect_type];
+	}
+
+	if (wf->analyze_type < ANALYZE_CUSTOMIZATION) {
+		wf->analyze_func = analyze_units[wf->analyze_type];
+	}
+
+	if (wf->response_array_len == 0) {// 使用默认response list
+		sr = kmalloc(sizeof(struct secDetector_response) * NR_RESPONSE, GFP_KERNEL);
+		if (sr == NULL) {
+			pr_err("kmalloc failed");
+			return;
+		}
+		for (i = 0; i < NR_RESPONSE; i++) {
+			sr[i].response_type = i;
+			sr[i].response_func = response_units[i];
+		}
+	} else {// 自定义response list
+		for (i = 0; i < wf->response_array_len; i++) {
+			if (sr[i].response_type < RESPONSE_CUSTOMIZATION)
+			sr[i].response_func = response_units[sr[i].response_type];
+		}
+	}
+
+}
+
 int secDetector_module_register(struct secDetector_module *module)
 {
 	struct secDetector_workflow *wf = NULL;
@@ -76,14 +115,15 @@ int secDetector_module_register(struct secDetector_module *module)
 
 	mutex_lock(&g_hook_list_array_mutex);
 	for (i = 0, wf = module->workflow_array; i < module->workflow_array_len;
-	     i++, wf++) {
+		 i++, wf++) {
 		if (wf == NULL) {
 			ret = -EINVAL;
 			goto error;
 		}
 		wf->module = module;
 		if (wf->workflow_type == WORKFLOW_PRESET) {
-			wf->workflow_func.func = preset_workflow;
+			wf->workflow_func.func_wf = preset_workflow;
+			secDetector_collect_analyze_response_unit_padding(wf);
 		}
 
 		ret = insert_callback(wf);
diff --git a/kerneldriver/core/secDetector_workflow.c b/kerneldriver/core/secDetector_workflow.c
index 0eff1f6..630a5b0 100644
--- a/kerneldriver/core/secDetector_workflow.c
+++ b/kerneldriver/core/secDetector_workflow.c
@@ -6,7 +6,34 @@
  * Description: detector workflow manager
  */
 #include "secDetector_workflow_type.h"
+#include "secDetector_collect.h"
+#include "secDetector_response.h"
 
-void preset_workflow(void)
+static void free_collect_data_list(struct list_head *head)
 {
+	struct collect_data *node, *next;
+	list_for_each_entry_safe(node, next, head, list) {
+		list_del(&node->list);
+		free_collect_data(node);
+	}
+}
+
+void preset_workflow(secDetector_workflow_t *wf)
+{
+	LIST_HEAD(collect_data_list);
+	int i;
+	uint32_t repsonse_id;
+	struct secDetector_collect *sc = wf->collect_array;
+
+	response_data_t rd;
+	
+	for (i = 0; i < wf->collect_array_len; i++, sc++) {
+		sc->collect_func(NULL, &collect_data_list);
+	}
+
+	repsonse_id = wf->analyze_func(&collect_data_list, &(wf->analyze_status), &rd);
+
+	wf->response_array[repsonse_id].response_func(&rd);
+	free_collect_data_list(&collect_data_list);
+	free_response_data_no_rd(repsonse_id, &rd);
 }
\ No newline at end of file
diff --git a/kerneldriver/include/secDetector_analyze.h b/kerneldriver/include/secDetector_analyze.h
index c4e6fc6..cd1472d 100644
--- a/kerneldriver/include/secDetector_analyze.h
+++ b/kerneldriver/include/secDetector_analyze.h
@@ -8,4 +8,8 @@
 #ifndef SECDETECTOR_ANALYZE_H
 #define SECDETECTOR_ANALYZE_H
 #include "secDetector_analyze_type.h"
+
+extern analyze_func_t analyze_units[NR_ANALYZE];
+
+void free_analyze_status_data(analyze_status_t *as);
 #endif
\ No newline at end of file
diff --git a/kerneldriver/include/secDetector_analyze_type.h b/kerneldriver/include/secDetector_analyze_type.h
index a3930d9..3d7a0a5 100644
--- a/kerneldriver/include/secDetector_analyze_type.h
+++ b/kerneldriver/include/secDetector_analyze_type.h
@@ -7,6 +7,8 @@
  */
 #ifndef SECDETECTOR_ANALYZE_TYPE_H
 #define SECDETECTOR_ANALYZE_TYPE_H
+#include <linux/list.h>
+#include "secDetector_response_type.h"
 
 enum ANALYZE_TYPE {
 	ANALYZE_RECORD,
@@ -15,10 +17,40 @@ enum ANALYZE_TYPE {
 	ANALYZE_PRESET_FREQUENCY_RANGE,
 	ANALYZE_PRESET_END = ANALYZE_PRESET_FREQUENCY_RANGE,
 	ANALYZE_CUSTOMIZATION,
+	NR_ANALYZE,
 };
 
-typedef union analyze_func {
-	void (*func)(void);
-	void (*analyze_record_func)(void);
-} analyze_func_t;
+enum ANALYZE_STATUS_DATA_TYPE {
+	ANALYZE_STATUS_BASIE,
+	ANALYZE_STATUS_SAVE_CHECK,
+};
+
+struct analyze_basic_data {
+	uint32_t data_type;
+	void *data;
+	uint32_t len;
+};
+
+struct save_check_data {
+	uint32_t data_type;
+	unsigned long long *data;
+	uint32_t len;
+	uint32_t init_tag;
+
+};
+
+typedef union analyze_status {
+	struct analyze_basic_data data;
+	struct save_check_data sc_data;
+} analyze_status_t;
+
+// 暂时没有对多类型支持需求
+// typedef union analyze_func {
+// 	void (*null_func)(void);
+// 	int (*func)(struct list_head *, analyze_status_t *);
+// 	void (*analyze_record_func)(void);
+// 	int (*save_check_func)(struct list_head *, analyze_status_t *);
+// } analyze_func_t;
+
+typedef int (*analyze_func_t)(struct list_head *, analyze_status_t *, response_data_t *);
 #endif
\ No newline at end of file
diff --git a/kerneldriver/include/secDetector_collect.h b/kerneldriver/include/secDetector_collect.h
index d5da041..0e45d6d 100644
--- a/kerneldriver/include/secDetector_collect.h
+++ b/kerneldriver/include/secDetector_collect.h
@@ -8,4 +8,9 @@
 #ifndef SECDETECTOR_COLLECT_H
 #define SECDETECTOR_COLLECT_H
 #include "secDetector_collect_type.h"
+
+extern collect_func_t collect_units[NR_COLLECT];
+
+struct collect_data *init_collect_data(const char *name);
+void free_collect_data(struct collect_data *cd);
 #endif
\ No newline at end of file
diff --git a/kerneldriver/include/secDetector_collect_type.h b/kerneldriver/include/secDetector_collect_type.h
index fc5a03e..4819016 100644
--- a/kerneldriver/include/secDetector_collect_type.h
+++ b/kerneldriver/include/secDetector_collect_type.h
@@ -17,21 +17,48 @@ enum COLLECT_TYPE {
 	COLLECT_GLOBAL_START,
 	COLLECT_GLOBAL_PROCESS = COLLECT_GLOBAL_START,
 	COLLECT_GLOBAL_FILE,
+	COLLECT_GLOBAL_FUNCTION_SWITCH,
 	COLLECT_GLOBAL_RESOURCE,
 	COLLECT_GLOBAL_END = COLLECT_GLOBAL_RESOURCE,
 	COLLECT_CUSTOMIZATION,
+	NR_COLLECT,
 };
 
-union collect_func {
-	void (*func)(void);
-	void (*COLLECT_record_func)(void);
+enum COLLECT_VALUE_TYPE {
+	COLLECT_VALUE_INT,
+	COLLECT_VALUE_REGION,
 };
 
+struct mem_region {
+	void *addr;
+	uint32_t size;
+};
+union collect_value_type {
+	unsigned long long int_value;
+	struct mem_region region_value;
+};
+
+struct collect_data {
+	struct list_head list;
+	struct rcu_head rcu;
+	char *name;
+	int value_type;
+	union collect_value_type value;
+};
+
+typedef void* current_context_t;
+typedef void (*collect_func_t)(current_context_t, struct list_head *);
+
 struct secDetector_collect {
 	struct list_head list;
 	struct rcu_head rcu;
 	unsigned int collect_type;
-	union collect_func collect_func;
+	collect_func_t collect_func;
 };
 
+/*可以考虑把 type这个字段作为一个id，用来标识collect unit，
+从而避免同一个hook点下的不同的workflow的相同 collect unit重复执行。
+但是那样需要增加支持多自定义unit的id的分配，管理，查询工作，也很繁琐，
+当前未感知到明确的性能提升,所以并未实施。
+*/
 #endif
\ No newline at end of file
diff --git a/kerneldriver/include/secDetector_response.h b/kerneldriver/include/secDetector_response.h
index e214e2f..4f29a67 100644
--- a/kerneldriver/include/secDetector_response.h
+++ b/kerneldriver/include/secDetector_response.h
@@ -9,7 +9,9 @@
 #define SECDETECTOR_RESPONSE_H
 #include "secDetector_response_type.h"
 
-struct secdetector_response {
+extern response_func_t response_units[NR_RESPONSE];
+
+struct secDetector_response {
 	struct list_head list;
 	struct rcu_head rcu;
 	unsigned int response_type;
@@ -18,8 +20,13 @@ struct secdetector_response {
 
 extern void notrace secdetector_respond(unsigned int response_type,
 					response_data_t *data);
-extern void notrace secdetector_report(response_data_t *data);
+extern void notrace secdetector_report(response_data_t *log);
+
+void notrace secDetector_ok(response_data_t *data);
 
 // support max 4095 bytes,
 extern void notrace secDetector_proc_report(response_data_t *log);
+
+void free_response_data_no_rd(uint32_t repsonse_id, response_data_t *rd);
+void free_response_data(uint32_t repsonse_id, response_data_t *rd);
 #endif
diff --git a/kerneldriver/include/secDetector_response_type.h b/kerneldriver/include/secDetector_response_type.h
index 013e03a..ad9c8b9 100644
--- a/kerneldriver/include/secDetector_response_type.h
+++ b/kerneldriver/include/secDetector_response_type.h
@@ -9,19 +9,21 @@
 #define SECDETECTOR_REPORT_TYPE_H
 #include <linux/types.h>
 
-enum {
+enum RESPONSE_TYPE {
+	RESPONSE_OK,
 	RESPONSE_REPORT,
 	RESPONSE_REJECT,
+	RESPONSE_CUSTOMIZATION,
 	NR_RESPONSE,
 };
 
 struct response_report_data {
-	const char *text;
+	char *text;
 	size_t len;
 };
 
 typedef union response_data {
-	struct response_report_data *report_data;
+	struct response_report_data report_data; //这里定义为指针有点多余
 } response_data_t;
 
 typedef void (*response_func_t)(response_data_t *data);
diff --git a/kerneldriver/include/secDetector_workflow.h b/kerneldriver/include/secDetector_workflow.h
index d5b0541..8bf972d 100644
--- a/kerneldriver/include/secDetector_workflow.h
+++ b/kerneldriver/include/secDetector_workflow.h
@@ -12,5 +12,5 @@
 #include "secDetector_response.h"
 #include "secDetector_workflow_type.h"
 
-void preset_workflow(void);
+void preset_workflow(secDetector_workflow_t *wf);
 #endif
\ No newline at end of file
diff --git a/kerneldriver/include/secDetector_workflow_type.h b/kerneldriver/include/secDetector_workflow_type.h
index 405c9ce..ec0f445 100644
--- a/kerneldriver/include/secDetector_workflow_type.h
+++ b/kerneldriver/include/secDetector_workflow_type.h
@@ -19,11 +19,15 @@ enum WORKFLOW_TYPE {
 	WORKFLOW_CUSTOMIZATION,
 	WORKFLOW_PRESET,
 };
-
+struct secDetector_workflow;
 union workflow_func {
 	void (*func)(void);
 	void (*file_event)(struct secDetector_file *, int);
-	void (*timer_func)(struct timer_list *);
+	void (*create_file)(struct filename *);
+	void (*write_file)(struct filename *);
+	void (*create_process)(int);
+	void (*timer_func)(struct secDetector_workflow *, struct timer_list *);
+	void (*func_wf)(struct secDetector_workflow *);
 };
 
 typedef struct secDetector_module secDetector_module_t;
@@ -49,9 +53,13 @@ typedef struct secDetector_workflow {
 	analyze_func_t analyze_func;
 
 	//response
-	struct secdetector_response *response_array;
+	struct secDetector_response *response_array;
 	uint32_t response_array_len;
 
+	//intermediate status
+	analyze_status_t analyze_status;
+
+
 } secDetector_workflow_t;
 
 #endif
-- 
Gitee


From ff1f6a5b6d4333461c2373cb2e07889a03488325 Mon Sep 17 00:00:00 2001
From: yieux <yangxy79315@sina.com>
Date: Thu, 12 Oct 2023 15:07:52 +0800
Subject: [PATCH 2/5] =?UTF-8?q?=E7=A7=BB=E9=99=A4=E5=A4=9A=E4=BD=99?=
 =?UTF-8?q?=E7=9A=84=E6=B3=A8=E9=87=8A?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 kerneldriver/cases/Makefile | 5 -----
 1 file changed, 5 deletions(-)

diff --git a/kerneldriver/cases/Makefile b/kerneldriver/cases/Makefile
index 004b5da..5361328 100644
--- a/kerneldriver/cases/Makefile
+++ b/kerneldriver/cases/Makefile
@@ -1,9 +1,5 @@
 # make secDetector_core
 
-# obj-m := secDetector_cases.o
-# secDetector_cases-objs += memory_corruption/secDetector_memory_corruption.o memory_corruption/secDetector_mc_kmodule_list.o
-
-#secDetector_cases-objs := secDetector_memory_corruption.o
 obj-m += secDetector_memory_corruption.o
 
 secDetector_memory_corruption-objs := memory_corruption/secDetector_memory_corruption.o memory_corruption/secDetector_mc_kmodule_list.o
@@ -19,7 +15,6 @@ EXTRA_CFLAGS += -Wall -Werror
 ifndef KDIR
 KDIR=$(KERNEL_SRC)
 endif
-# export KBUILD_EXTRA_SYMBOLS
 
 all:
 	$(MAKE) -C $(KERNEL_SRC) M=$(PWD) modules KCPPFLAGS="${cflags-y}"
-- 
Gitee


From 816943877053b0b9ec335db240bf0331bb6155d3 Mon Sep 17 00:00:00 2001
From: yieux <yangxy79315@sina.com>
Date: Fri, 13 Oct 2023 15:52:22 +0800
Subject: [PATCH 3/5] =?UTF-8?q?=E5=86=85=E5=AD=98=E4=BF=AE=E6=94=B9?=
 =?UTF-8?q?=E6=8E=A2=E9=92=88-=E9=9A=90=E8=97=8F=E5=86=85=E6=A0=B8?=
 =?UTF-8?q?=E6=A8=A1=E5=9D=97=E8=AF=86=E5=88=AB=20=E7=9A=84=E5=93=8D?=
 =?UTF-8?q?=E5=BA=94=E6=9C=BA=E5=88=B6=E8=A1=A5=E5=85=85=E8=B0=83=E7=94=A8?=
 =?UTF-8?q?=20response=5Freport?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 .../secDetector_mc_kmodule_list.c                  | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)

diff --git a/kerneldriver/cases/memory_corruption/secDetector_mc_kmodule_list.c b/kerneldriver/cases/memory_corruption/secDetector_mc_kmodule_list.c
index d3b530f..f291667 100644
--- a/kerneldriver/cases/memory_corruption/secDetector_mc_kmodule_list.c
+++ b/kerneldriver/cases/memory_corruption/secDetector_mc_kmodule_list.c
@@ -9,20 +9,24 @@
 #include <linux/list.h>
 #include <linux/spinlock.h>
 #include "secDetector_mc_kmodule_list.h"
+#include "secDetector_response.h"
+#include <linux/slab.h>
 
 #define MODULE_LIST_MAXSIZE 0x10000
+#define MC_KMODULE_REPORT_WORD_LEN 55
 
 // 3 ways for get kernel module list.
 // struct module->list
 // struct module->mkobj->kobj->entry
 // struct module->mkobj->kobj->kset
-
 void check_kmodule_list(void)
 {
 	struct module_kobject *mobj = NULL;
 	struct kobject *k = NULL;
 	struct module *m = NULL;
 	struct kset *module_kset = __this_module.mkobj.kobj.kset;
+	response_data_t log;
+
 
 	if (module_kset == NULL)
 	return;
@@ -37,8 +41,14 @@ void check_kmodule_list(void)
 
 		mutex_lock(&module_mutex);
 		m = find_module(k->name);
-		if (m == NULL)
+		if (m == NULL) {
 			pr_err("[secDetector] mc kmoudle list find! module_name=%s.\n", k->name);
+			log.report_data.len = MC_KMODULE_REPORT_WORD_LEN + strlen(k->name);
+			log.report_data.text = kmalloc(log.report_data.len, GFP_KERNEL);
+			sprintf(log.report_data.text, "[secDetector] mc kmoudle list find! module_name=%s.\n", k->name);
+			secdetector_report(&log);
+			kfree(log.report_data.text);
+		}
 		mutex_unlock(&module_mutex);
 	}
 	spin_unlock(&module_kset->list_lock);
-- 
Gitee


From 13ce75f2eafc3a79bdaaa996a727951833b966a5 Mon Sep 17 00:00:00 2001
From: yieux <yangxy79315@sina.com>
Date: Fri, 13 Oct 2023 15:59:19 +0800
Subject: [PATCH 4/5] bug fix

---
 kerneldriver/include/secDetector_analyze.h       | 2 +-
 kerneldriver/include/secDetector_analyze_type.h  | 2 +-
 kerneldriver/include/secDetector_workflow_type.h | 3 ---
 3 files changed, 2 insertions(+), 5 deletions(-)

diff --git a/kerneldriver/include/secDetector_analyze.h b/kerneldriver/include/secDetector_analyze.h
index cd1472d..12ea759 100644
--- a/kerneldriver/include/secDetector_analyze.h
+++ b/kerneldriver/include/secDetector_analyze.h
@@ -11,5 +11,5 @@
 
 extern analyze_func_t analyze_units[NR_ANALYZE];
 
-void free_analyze_status_data(analyze_status_t *as);
+void free_analyze_status_data(analyze_status_t *analyze_status_data);
 #endif
\ No newline at end of file
diff --git a/kerneldriver/include/secDetector_analyze_type.h b/kerneldriver/include/secDetector_analyze_type.h
index 3d7a0a5..dab1a76 100644
--- a/kerneldriver/include/secDetector_analyze_type.h
+++ b/kerneldriver/include/secDetector_analyze_type.h
@@ -21,7 +21,7 @@ enum ANALYZE_TYPE {
 };
 
 enum ANALYZE_STATUS_DATA_TYPE {
-	ANALYZE_STATUS_BASIE,
+	ANALYZE_STATUS_BASIC,
 	ANALYZE_STATUS_SAVE_CHECK,
 };
 
diff --git a/kerneldriver/include/secDetector_workflow_type.h b/kerneldriver/include/secDetector_workflow_type.h
index ec0f445..8e619b4 100644
--- a/kerneldriver/include/secDetector_workflow_type.h
+++ b/kerneldriver/include/secDetector_workflow_type.h
@@ -23,9 +23,6 @@ struct secDetector_workflow;
 union workflow_func {
 	void (*func)(void);
 	void (*file_event)(struct secDetector_file *, int);
-	void (*create_file)(struct filename *);
-	void (*write_file)(struct filename *);
-	void (*create_process)(int);
 	void (*timer_func)(struct secDetector_workflow *, struct timer_list *);
 	void (*func_wf)(struct secDetector_workflow *);
 };
-- 
Gitee


From 9b083f6d520bb70129f2a6d5255752b869e706da Mon Sep 17 00:00:00 2001
From: yieux <yangxy79315@sina.com>
Date: Fri, 13 Oct 2023 16:08:27 +0800
Subject: [PATCH 5/5] =?UTF-8?q?=E7=94=B1=E4=B8=80=E6=AC=A1=E4=BF=AE?=
 =?UTF-8?q?=E6=94=B9=E6=8C=81=E7=BB=AD=E6=8A=A5=E5=91=8A=EF=BC=8C=E5=8F=98?=
 =?UTF-8?q?=E4=B8=BA=E4=B8=80=E6=AC=A1=E4=BF=AE=E6=94=B9=E5=8F=AA=E6=8A=A5?=
 =?UTF-8?q?=E5=91=8A=E4=B8=80=E6=AC=A1?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 kerneldriver/core/analyze_unit/secDetector_save_check.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/kerneldriver/core/analyze_unit/secDetector_save_check.c b/kerneldriver/core/analyze_unit/secDetector_save_check.c
index d93f258..8aa00e5 100644
--- a/kerneldriver/core/analyze_unit/secDetector_save_check.c
+++ b/kerneldriver/core/analyze_unit/secDetector_save_check.c
@@ -122,6 +122,8 @@ static int analyze_save_check_normal(struct list_head *collect_data_list, analyz
 				break;
 		}
 		if (measure_value != analyze_status_data->sc_data.data[data_index]) {
+			pr_debug("[save_check]%s: original: %llx; now: %llx.!\n",
+					cd->name, analyze_status_data->sc_data.data[data_index], measure_value);
 			response_arrays[response_array_index] = kmalloc(strlen(cd->name) + REPORT_MORE_CHAR_LEN, GFP_KERNEL);
 			if (response_arrays[response_array_index] == NULL) {
 				pr_err("kmalloc failed");
@@ -131,7 +133,7 @@ static int analyze_save_check_normal(struct list_head *collect_data_list, analyz
 			strcpy(response_arrays[response_array_index], "[save_check]");
 			//应该有 workflow的名字
 			strncat(response_arrays[response_array_index], cd->name, strlen(cd->name));
-			strcat(response_arrays[response_array_index],": original:");
+			strcat(response_arrays[response_array_index],": original: ");
 			sprintf(int_str, "%llx", analyze_status_data->sc_data.data[data_index]);
 			strncat(response_arrays[response_array_index], int_str, strlen(int_str));
 			strcat(response_arrays[response_array_index],"; now: ");
@@ -142,6 +144,7 @@ static int analyze_save_check_normal(struct list_head *collect_data_list, analyz
 			response_data_char_len += strlen(response_arrays[response_array_index]);
 			ret = RESPONSE_REPORT;
 			response_array_index ++;
+			analyze_status_data->sc_data.data[data_index] = measure_value;
 		}
 		data_index ++;
 	}
-- 
Gitee