diff --git a/kerneldriver/cases/kmodule_baseline/secDetector_mc_kmodule_baseline.c b/kerneldriver/cases/kmodule_baseline/secDetector_mc_kmodule_baseline.c index fd013be33ac61ab69bd1a50fa19a09ea7341331f..6a7edda2965e242fbcdcdb3a52afe24b309ccf8a 100644 --- a/kerneldriver/cases/kmodule_baseline/secDetector_mc_kmodule_baseline.c +++ b/kerneldriver/cases/kmodule_baseline/secDetector_mc_kmodule_baseline.c @@ -13,6 +13,7 @@ #include #include "secDetector_mc_kmodule_baseline.h" #include "secDetector_response.h" +#include "secDetector_analyze.h" #define MODULE_LIST_MAXSIZE 0x10000 #define NAME_LEN 4096 @@ -69,8 +70,6 @@ static void report_kmodule_baseline(void) char *module_name_all = NULL; char *header_msg = NULL; char strtmp[] = ", "; - struct timespec64 ts; - struct tm stm; int header_msg_len; int ret; response_data_t log; @@ -87,14 +86,10 @@ static void report_kmodule_baseline(void) return; } - ktime_get_real_ts64(&ts); - time64_to_tm(ts.tv_sec, 0, &stm); - header_msg_len = scnprintf(header_msg, HEADER_MSG_LEN, - "time=%04ld%02d%02d%02d%02d%02d event_type=kmodulelist module_name=", - stm.tm_year + 1900, stm.tm_mon + 1, stm.tm_mday, stm.tm_hour, stm.tm_min, stm.tm_sec); + header_msg_len = get_timestamp_str(&header_msg); if (header_msg_len <= 0) goto out; - + strcat(module_name_all, "event_type=kmodulelist module_name="); list_for_each_entry_safe(get_module_name, get_module_name_next, &chkrkatt_module_list, list) { if (get_module_name != NULL && get_module_name_next != NULL) { /* 2: ', ' */ diff --git a/kerneldriver/cases/memory_corruption/secDetector_memory_corruption.c b/kerneldriver/cases/memory_corruption/secDetector_memory_corruption.c index b8a71231523184dd58e7c7a0ede7b30f99349bee..5b487ac35d90c68825212a3a6984867ac2bda0c1 100644 --- a/kerneldriver/cases/memory_corruption/secDetector_memory_corruption.c +++ b/kerneldriver/cases/memory_corruption/secDetector_memory_corruption.c 
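Review bot: `header_msg_len = get_timestamp_str(&header_msg);` overwrites header_msg with a freshly kstrdup'd string, so whatever buffer header_msg pointed to before the call — the one the removed scnprintf wrote into with HEADER_MSG_LEN, and whose NULL check `if (...) return;` sits just above the hunk — is leaked on every report unless its allocation was also removed outside this hunk. Either drop that earlier allocation or release it first, `kfree(header_msg); header_msg_len = get_timestamp_str(&header_msg);`, and make sure the `out:` path frees the kstrdup'd result as well. The added `strcat(module_name_all, "event_type=kmodulelist module_name=");` is an unbounded write that relies on module_name_all already holding a NUL-terminated string and having room for this prefix plus every module name appended below; its allocation is outside the hunk, so confirm that, or use `scnprintf` with the buffer's size. report_kmodule_baseline starts and continues outside this hunk.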
@@ -15,7 +15,7 @@ #define TIME_INTERVAL 10 DEFINE_MUTEX(case_mc_mutex); - +#define KERNELKEYDATATAMPER 0x00008000 static void check_all_watching_memory(void) { @@ -50,10 +50,11 @@ static struct secDetector_workflow workflow_array[] = { }; static struct secDetector_module mc_module = { - .name = "secDetector memory corruption module", + .name = "memory_corruption", .enabled = ATOMIC_INIT(true), .workflow_array = workflow_array, .workflow_array_len = ARRAY_SIZE(workflow_array), + .event_type = KERNELKEYDATATAMPER, }; static int __init register_secDetector_mc(void) diff --git a/kerneldriver/core/Makefile b/kerneldriver/core/Makefile index b87d47dfd4ad07334fb86ecdc067342931ccf1cb..6b32f96ae61646c2e5ec037d7e5438f07bbedaab 100644 --- a/kerneldriver/core/Makefile +++ b/kerneldriver/core/Makefile @@ -6,8 +6,9 @@ secDetector_core-objs += hook_unit/secDetector_hook_tracepoint.o secDetector_core-objs += hook_unit/secDetector_hook_kprobe.o secDetector_core-objs += hook_unit/secDetector_hook_lsm.o secDetector_core-objs += hook_unit/secDetector_hook.o -secDetector_core-objs += collect_unit/secDetector_collect.o +secDetector_core-objs += collect_unit/secDetector_time.o secDetector_core-objs += collect_unit/secDetector_function_switch.o +secDetector_core-objs += collect_unit/secDetector_collect.o secDetector_core-objs += analyze_unit/secDetector_analyze.o secDetector_core-objs += analyze_unit/secDetector_save_check.o secDetector_core-objs += response_unit/secDetector_proc.o diff --git a/kerneldriver/core/analyze_unit/secDetector_analyze.c b/kerneldriver/core/analyze_unit/secDetector_analyze.c index 4e0845e5467e5d5bb6dfca29b3f81c81d9583e74..688a5e06af0764863552901aa9ec8c2f4848c1a1 100644 --- a/kerneldriver/core/analyze_unit/secDetector_analyze.c +++ b/kerneldriver/core/analyze_unit/secDetector_analyze.c 
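Review bot: The event code `#define KERNELKEYDATATAMPER 0x00008000` is private to this case file, yet the value travels through the generic path (secDetector_module.event_type, read in preset_workflow and written into report_data.type), so neither the core nor any other case can see which codes are taken and a second case can silently reuse 0x00008000. Move it into the shared header that declares struct secDetector_module (secDetector_module_type.h) as a named enum of event types, and have `.event_type = KERNELKEYDATATAMPER,` reference that. A one-line comment saying whether the value is a bit flag or an opaque id would also help whoever parses report_data.type.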
@@ -7,7 +7,11 @@ */ #include "secDetector_analyze.h" #include "secDetector_save_check.h" - +#include +#include +#include +#include +#define TIME_STR_MAX_LEN 100 analyze_func_t analyze_units[NR_ANALYZE] = { [ANALYZE_PRESET_SAVE_CHECK] = analyze_save_check, @@ -22,4 +26,42 @@ void free_analyze_status_data(analyze_status_t *analyze_status_data) default: break; } -} \ No newline at end of file +} + +int get_timestamp_str(char **ret_str) +{ + struct timespec64 ts; + struct tm stm; + char *stm_str; + int stm_str_len = 0; + + ktime_get_real_ts64(&ts); + time64_to_tm(ts.tv_sec, 0, &stm); + + stm_str = (char *)kzalloc(TIME_STR_MAX_LEN, GFP_ATOMIC); + if (stm_str == NULL) { + pr_err("kzalloc failed\n"); + *ret_str = NULL; + return 0; + } + + stm_str_len = scnprintf(stm_str, TIME_STR_MAX_LEN, + "timestamp=%04ld%02d%02d.%02d:%02d:%02d ", + stm.tm_year + 1900, stm.tm_mon + 1, stm.tm_mday, stm.tm_hour, stm.tm_min, stm.tm_sec); + if (stm_str_len <= 0) { + pr_err("scnprintf failed\n"); + kfree(stm_str); + *ret_str = NULL; + return 0; + } + + *ret_str = kstrdup(stm_str, GFP_KERNEL); + if (*ret_str == NULL) { + pr_err("kstrdup failed\n"); + stm_str_len = 0; + } + + kfree(stm_str); + return stm_str_len; +} +EXPORT_SYMBOL_GPL(get_timestamp_str); \ No newline at end of file diff --git a/kerneldriver/core/analyze_unit/secDetector_save_check.c b/kerneldriver/core/analyze_unit/secDetector_save_check.c index 8aa00e5674053822bcf4b0ded8a2b76736900260..101a0285c4fce3767d8e8682c8f24b8b7af36345 100644 --- a/kerneldriver/core/analyze_unit/secDetector_save_check.c +++ b/kerneldriver/core/analyze_unit/secDetector_save_check.c 
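Review bot: get_timestamp_str allocates twice for one string — a kzalloc(GFP_ATOMIC) scratch buffer, then a kstrdup(GFP_KERNEL) of it — and the two GFP flags contradict each other: if the caller may not sleep the kstrdup is wrong, and if it may sleep the atomic reserve is spent for nothing. A single kasprintf() produces the same string with one allocation and one failure path, and the `(char *)` cast on kzalloc and the TIME_STR_MAX_LEN guess disappear with it. The exported symbol also has no kernel-doc; it should state that the caller owns *ret_str and must kfree() it, and that a 0 return leaves *ret_str NULL, since both callers in this diff rely on exactly that.
```c
int get_timestamp_str(char **ret_str)
{
	/* … unchanged: ts/stm declarations, ktime_get_real_ts64() and time64_to_tm() … */

	/* Caller owns *ret_str and releases it with kfree(); NULL and 0 on failure. */
	*ret_str = kasprintf(GFP_KERNEL, "timestamp=%04ld%02d%02d.%02d:%02d:%02d ",
			     stm.tm_year + 1900, stm.tm_mon + 1, stm.tm_mday,
			     stm.tm_hour, stm.tm_min, stm.tm_sec);
	if (*ret_str == NULL) {
		pr_err("kasprintf failed\n");
		return 0;
	}
	return strlen(*ret_str);
}
```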
@@ -83,11 +83,13 @@ static int analyze_save_check_init(struct list_head *collect_data_list, analyze_ -static int analyze_save_check_normal(struct list_head *collect_data_list, analyze_status_t *analyze_status_data, response_data_t *response_data) +static int analyze_save_check_normal(struct list_head *collect_data_list, analyze_status_t *analyze_status_data, response_data_t *response_data, unsigned int event_type) { int data_index = 0; unsigned long long measure_value; struct collect_data *cd; + char *timestamp = NULL; + int timestamp_len; char **response_arrays; int response_array_index = 0; char int_str[MAX_DIGITS]; @@ -150,12 +152,18 @@ static int analyze_save_check_normal(struct list_head *collect_data_list, analyz } if (ret == RESPONSE_REPORT) { - response_data->report_data.len = response_data_char_len; + timestamp_len = get_timestamp_str(×tamp); + response_data->report_data.type = event_type; + response_data->report_data.len = response_data_char_len + timestamp_len; response_data->report_data.text = kmalloc(response_data_char_len + 1, GFP_KERNEL); if (response_data->report_data.text == NULL) { pr_err("kmalloc failed"); return -ENOMEM; } + if (timestamp_len > 0) { + strncat(response_data->report_data.text, timestamp, timestamp_len); + kfree(timestamp); + } for (i = 0; i < response_array_index; i++) { strncat(response_data->report_data.text, response_arrays[i], strlen(response_arrays[i])); kfree(response_arrays[i]); 
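Review bot: The report buffer is still sized for the old content — `kmalloc(response_data_char_len + 1, GFP_KERNEL)` — while report_data.len is now `response_data_char_len + timestamp_len` and the timestamp is strncat'd in front of the response strings, so every report that carries a timestamp writes timestamp_len bytes past the end of a kmalloc'd object: a heap overflow on each detection. The allocation must include the timestamp, `kmalloc(response_data_char_len + timestamp_len + 1, GFP_KERNEL)`. Two smaller problems sit in the same lines: the first strncat searches for a terminator in memory that kmalloc left uninitialized (unless text[0] is cleared somewhere outside the hunk — I do not see it), and the `return -ENOMEM` path leaks timestamp. analyze_save_check_normal starts and ends outside the hunk.
```c
	if (ret == RESPONSE_REPORT) {
		timestamp_len = get_timestamp_str(&timestamp);
		response_data->report_data.type = event_type;
		response_data->report_data.len = response_data_char_len + timestamp_len;
		/* the timestamp is prepended below, so it must be part of the allocation; +1 for the terminator */
		response_data->report_data.text = kmalloc(response_data_char_len + timestamp_len + 1, GFP_KERNEL);
		if (response_data->report_data.text == NULL) {
			pr_err("kmalloc failed");
			kfree(timestamp);
			return -ENOMEM;
		}
		response_data->report_data.text[0] = '\0'; /* strncat needs a terminated destination */
		if (timestamp_len > 0)
			strncat(response_data->report_data.text, timestamp, timestamp_len);
		kfree(timestamp); /* kfree(NULL) is a no-op */
		/* … unchanged: loop appending and freeing response_arrays[i] … */
```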
@@ -166,10 +174,10 @@ static int analyze_save_check_normal(struct list_head *collect_data_list, analyz return ret; } -int analyze_save_check(struct list_head *collect_data_list, analyze_status_t *analyze_status_data, response_data_t *response_data) +int analyze_save_check(struct list_head *collect_data_list, analyze_status_t *analyze_status_data, response_data_t *response_data, unsigned int event_type) { if (analyze_status_data->sc_data.init_tag == 1) { - return analyze_save_check_normal(collect_data_list, analyze_status_data, response_data); + return analyze_save_check_normal(collect_data_list, analyze_status_data, response_data, event_type); } else { return analyze_save_check_init(collect_data_list, analyze_status_data, response_data); } diff --git a/kerneldriver/core/analyze_unit/secDetector_save_check.h b/kerneldriver/core/analyze_unit/secDetector_save_check.h index 50719a494cdc5345be8da8ee9a3e425cf12ed647..3523dc126e6d7c030a98075c0683203365e9c2b6 100644 --- a/kerneldriver/core/analyze_unit/secDetector_save_check.h +++ b/kerneldriver/core/analyze_unit/secDetector_save_check.h @@ -9,7 +9,8 @@ #define SECDETECTOR_SAVE_CHECK_H #include "secDetector_analyze_type.h" #include "secDetector_collect_type.h" -int analyze_save_check(struct list_head *collect_data_list, analyze_status_t *analyze_status_data, response_data_t *response_data); +int analyze_save_check(struct list_head *collect_data_list, analyze_status_t *analyze_status_data, + response_data_t *response_data, unsigned int event_type); void free_analyze_status_data_sc(analyze_status_t *analyze_status_data); #endif \ No newline at end of file diff --git a/kerneldriver/core/collect_unit/secDetector_collect.c b/kerneldriver/core/collect_unit/secDetector_collect.c index 58cac64f426fa95d55fd9d085ae54969d70c60c1..c04dd33888af9b12cdfdc96bed28d998c1624ba6 100644 --- a/kerneldriver/core/collect_unit/secDetector_collect.c +++ b/kerneldriver/core/collect_unit/secDetector_collect.c 
@@ -7,11 +7,12 @@ */ #include "secDetector_collect.h" #include "secDetector_function_switch.h" +#include "secDetector_time.h" #include -#include collect_func_t collect_units[NR_COLLECT] = { [COLLECT_GLOBAL_FUNCTION_SWITCH] = collect_function_switch, + [COLLECT_TIME] = collect_time, }; diff --git a/kerneldriver/core/collect_unit/secDetector_time.c b/kerneldriver/core/collect_unit/secDetector_time.c new file mode 100644 index 0000000000000000000000000000000000000000..041e2aaaa476369463cf94cf6f10e1eb624608b3 --- /dev/null +++ b/kerneldriver/core/collect_unit/secDetector_time.c @@ -0,0 +1,41 @@ +/* + * SPDX-License-Identifier: GPL-2.0 + * + * Author: yieux + * create: 2023-11-17 + * Description: the collect unit of time func. + */ +#include "secDetector_time.h" +#include "secDetector_collect.h" +#include +#include +#include +#include + +void collect_time(current_context_t cc, struct list_head *ret_list) +{ + struct timespec64 ts; + struct tm *stm; + const char *name = "time"; + struct collect_data *cd; + + stm = (struct tm *)kmalloc(sizeof(struct tm), GFP_KERNEL); + if (stm == NULL) { + pr_err("kmalloc failed\n"); + return; + } + ktime_get_real_ts64(&ts); + time64_to_tm(ts.tv_sec, 0, stm); + + cd = init_collect_data(name); + if (cd == NULL) { + kfree(stm); + return; + } + cd->value_type = COLLECT_VALUE_REGION; + cd->value.region_value.addr = (void *)stm; + cd->value.region_value.size = sizeof(struct tm); + + list_add_tail(&cd->list, ret_list); +} + diff --git a/kerneldriver/core/collect_unit/secDetector_time.h b/kerneldriver/core/collect_unit/secDetector_time.h new file mode 100644 index 0000000000000000000000000000000000000000..2ebc95d08deba760a5b8472d23d95a061f252a3e --- /dev/null +++ b/kerneldriver/core/collect_unit/secDetector_time.h 
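Review bot: `[COLLECT_TIME] = collect_time,` uses an enumerator that nothing in this diff declares; secDetector_collect_type.h is not touched, so unless COLLECT_TIME already exists there the designated initializer will not compile, and unless NR_COLLECT was bumped alongside it the new entry falls outside the range the rest of the core iterates. Add the enumerator next to COLLECT_GLOBAL_FUNCTION_SWITCH, with NR_COLLECT adjusted, in the same commit so the table and its bound cannot drift apart.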
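Review bot: collect_time hands the kmalloc'd struct tm to the collector as `cd->value.region_value.addr` without saying who frees it; nothing in this file releases it, so unless the collect_data teardown kfree()s region_value.addr for COLLECT_VALUE_REGION entries, every workflow run leaks sizeof(struct tm). State the contract above the assignment, `/* ownership of stm passes to cd; it is released with the collect_data region */`, and verify the teardown honours it. The same ktime_get_real_ts64()/time64_to_tm() sequence is added again in get_timestamp_str in the analyze unit; one helper would keep the two timestamps consistent. The `(struct tm *)` cast on kmalloc is unnecessary, and `cc` is unused — document that the preset path in secDetector_workflow.c passes NULL for it.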
@@ -0,0 +1,12 @@ +/* + * SPDX-License-Identifier: GPL-2.0 + * + * Author: yieux + * create: 2023-11-17 + * Description: the collect unit of time head. + */ +#ifndef SECDETECTOR_TIME_H +#define SECDETECTOR_TIME_H +#include "secDetector_collect_type.h" +void collect_time(current_context_t cc, struct list_head *ret_list); +#endif \ No newline at end of file diff --git a/kerneldriver/core/secDetector_workflow.c b/kerneldriver/core/secDetector_workflow.c index 27b8f8bdb6fcdb19bbafe515e2234b8dac1d619c..69dcdbea7219b026a05d2908012096c608d659ac 100644 --- a/kerneldriver/core/secDetector_workflow.c +++ b/kerneldriver/core/secDetector_workflow.c @@ -31,7 +31,7 @@ void preset_workflow(secDetector_workflow_t *wf) sc->collect_func(NULL, &collect_data_list); } - repsonse_id = wf->analyze_func(&collect_data_list, &(wf->analyze_status), &rd); + repsonse_id = wf->analyze_func(&collect_data_list, &(wf->analyze_status), &rd, wf->module->event_type); if (repsonse_id >= 0) wf->response_array[repsonse_id].response_func(&rd); diff --git a/kerneldriver/include/secDetector_analyze.h b/kerneldriver/include/secDetector_analyze.h index 12ea75913f405394f13720d1354337a4361b158e..b7dcf69586a1cf9763774aa96d2b03310fb66219 100644 --- a/kerneldriver/include/secDetector_analyze.h +++ b/kerneldriver/include/secDetector_analyze.h @@ -12,4 +12,5 @@ extern analyze_func_t analyze_units[NR_ANALYZE]; void free_analyze_status_data(analyze_status_t *analyze_status_data); +extern int get_timestamp_str(char **ret_str); #endif \ No newline at end of file diff --git a/kerneldriver/include/secDetector_analyze_type.h b/kerneldriver/include/secDetector_analyze_type.h index dab1a76fafd055325f88890a940d5b21fd1770bf..5be2e79e06a003c1c6ffa93845e6c3ce3fc24ee6 100644 --- a/kerneldriver/include/secDetector_analyze_type.h +++ b/kerneldriver/include/secDetector_analyze_type.h 
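Review bot: `extern int get_timestamp_str(char **ret_str);` is the cross-unit contract for an exported symbol but documents neither ownership nor failure semantics, and both new callers depend on them (they kfree() the result and test the return for `> 0`). Add a kernel-doc block above it stating that on success *ret_str is a kmalloc'd, NUL-terminated string the caller must kfree() and the return value is its length, and that on failure the return is 0 and *ret_str is NULL. The `extern` is redundant on a function prototype and the neighbouring free_analyze_status_data declaration omits it.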
@@ -52,5 +52,5 @@ typedef union analyze_status { // int (*save_check_func)(struct list_head *, analyze_status_t *); // } analyze_func_t; -typedef int (*analyze_func_t)(struct list_head *, analyze_status_t *, response_data_t *); +typedef int (*analyze_func_t)(struct list_head *, analyze_status_t *, response_data_t *, unsigned int); #endif \ No newline at end of file diff --git a/kerneldriver/include/secDetector_module_type.h b/kerneldriver/include/secDetector_module_type.h index 37600cac7935851cb78bca0833c2fcf7b0878850..f86ecbe424dac711c8603f8545ae39a39b3b9e68 100644 --- a/kerneldriver/include/secDetector_module_type.h +++ b/kerneldriver/include/secDetector_module_type.h @@ -29,6 +29,7 @@ struct secDetector_module { unsigned int id; char *name; struct module *kmodule; + unsigned int event_type; atomic_t enabled; secDetector_workflow_t *workflow_array;