兼容了x86架构和arm64架构,去掉了阻断和修改的逻辑,后续放在用户开间用frida做,这个只做为调试查看用;
This commit is contained in:
lumos
parent
906540dba9
commit
bec6c9f739
13
Makefile
13
Makefile
@ -3,25 +3,16 @@ obj-m += libusbMod.o
|
||||
KDIR := /lib/modules/$(shell uname -r)/build
|
||||
PWD := $(shell pwd)
|
||||
|
||||
CC := gcc
|
||||
CFLAGS := -Wall -O2
|
||||
LIBS := -lusb-1.0
|
||||
|
||||
# 默认目标:同时编译内核模块和用户程序
|
||||
all: libusbMod.ko main
|
||||
# 默认目标:只编译内核模块
|
||||
all: libusbMod.ko
|
||||
|
||||
# 编译内核模块
|
||||
libusbMod.ko:
|
||||
make -C $(KDIR) M=$(PWD) modules
|
||||
|
||||
# 编译用户态程序 main
|
||||
main: main.c
|
||||
$(CC) $(CFLAGS) -o $@ $< $(LIBS)
|
||||
|
||||
# 清理所有生成文件
|
||||
clean:
|
||||
make -C $(KDIR) M=$(PWD) clean
|
||||
$(RM) main
|
||||
|
||||
# 加载模块
|
||||
load:
|
||||
|
||||
148
libusbMod.c
148
libusbMod.c
@ -5,141 +5,77 @@
|
||||
#include <linux/uaccess.h>
|
||||
#include <linux/usb.h>
|
||||
#include <linux/slab.h>
|
||||
#include <linux/version.h>
|
||||
|
||||
MODULE_LICENSE("GPL");
|
||||
MODULE_AUTHOR("Leo");
|
||||
MODULE_DESCRIPTION("Hook usb_submit_urb() on ARM64 and replace callback");
|
||||
MODULE_DESCRIPTION("Monitor usb_submit_urb() data submission only");
|
||||
|
||||
static struct kprobe kp;
|
||||
|
||||
// 自定义回调上下文,保存原始回调和上下文
|
||||
struct urb_context
|
||||
// 兼容 x86_64 和 arm64 获取第一个参数
|
||||
static struct urb *get_urb_from_regs(struct pt_regs *regs)
|
||||
{
|
||||
usb_complete_t original_complete;
|
||||
void *original_context;
|
||||
};
|
||||
|
||||
// 包装回调函数
|
||||
static void callback_wrapper(struct urb *urb)
|
||||
{
|
||||
struct urb_context *ctx = urb->context;
|
||||
|
||||
pr_info("[usbFilter] [callback_wrapper] URB 完成: endpoint=0x%x, status=%d, actual_length=%d\n",
|
||||
usb_pipeendpoint(urb->pipe),
|
||||
urb->status,
|
||||
urb->actual_length);
|
||||
|
||||
if (urb->transfer_buffer && urb->actual_length > 0)
|
||||
{
|
||||
char hex[3 * 32 + 1] = {0};
|
||||
int i, len = min(32, urb->actual_length);
|
||||
unsigned char *data = (unsigned char *)urb->transfer_buffer;
|
||||
for (i = 0; i < len; ++i)
|
||||
{
|
||||
snprintf(hex + i * 3, sizeof(hex) - i * 3, "%02X ", data[i]);
|
||||
}
|
||||
pr_info("[usbFilter] [callback_wrapper] 返回数据(hex): %s\n", hex);
|
||||
}
|
||||
|
||||
if (ctx && ctx->original_complete)
|
||||
{
|
||||
urb->context = ctx->original_context;
|
||||
ctx->original_complete(urb);
|
||||
}
|
||||
|
||||
kfree(ctx); // 释放上下文
|
||||
#if defined(CONFIG_ARM64)
|
||||
return (struct urb *)regs->regs[0];
|
||||
#elif defined(CONFIG_X86_64)
|
||||
return (struct urb *)regs->di;
|
||||
#else
|
||||
#error "Unsupported architecture"
|
||||
#endif
|
||||
}
|
||||
|
||||
static int handler_pre(struct kprobe *p, struct pt_regs *regs)
|
||||
{
|
||||
struct urb *urb_kern = (struct urb *)regs->regs[0];
|
||||
struct urb *urb_kern = get_urb_from_regs(regs);
|
||||
|
||||
if (!urb_kern)
|
||||
return 0;
|
||||
|
||||
pr_info("[usbFilter] 提交 URB 的进程: %s (pid: %d)\n", current->comm, current->pid);
|
||||
pr_info("[usbFilter] 提交URB进程: %s (pid: %d)\n", current->comm, current->pid);
|
||||
|
||||
pr_info("[usbFilter] URB: %p, pipe=0x%x, flags=0x%x\n",
|
||||
urb_kern, urb_kern->pipe, urb_kern->transfer_flags);
|
||||
|
||||
if (urb_kern->dev)
|
||||
{
|
||||
pr_info("[usbFilter] USB设备: VID=0x%04x, PID=0x%04x\n",
|
||||
if (urb_kern->dev) {
|
||||
pr_info("[usbFilter] USB设备: busnum=%d, devnum=%d, VID=0x%04x, PID=0x%04x\n",
|
||||
urb_kern->dev->bus->busnum,
|
||||
urb_kern->dev->devnum,
|
||||
urb_kern->dev->descriptor.idVendor,
|
||||
urb_kern->dev->descriptor.idProduct);
|
||||
}
|
||||
|
||||
// 打印传输方向与类型
|
||||
pr_info("[usbFilter] URB: %p, pipe=0x%x, flags=0x%x\n",
|
||||
urb_kern, urb_kern->pipe, urb_kern->transfer_flags);
|
||||
|
||||
pr_info("[usbFilter] pipe: 端点=%d, 方向=%s, 类型=%s\n",
|
||||
usb_pipeendpoint(urb_kern->pipe),
|
||||
usb_pipein(urb_kern->pipe) ? "IN" : "OUT",
|
||||
usb_pipetype(urb_kern->pipe) == PIPE_CONTROL ? "CONTROL" : usb_pipetype(urb_kern->pipe) == PIPE_ISOCHRONOUS ? "ISO"
|
||||
: usb_pipetype(urb_kern->pipe) == PIPE_BULK ? "BULK"
|
||||
: usb_pipetype(urb_kern->pipe) == PIPE_INTERRUPT ? "INTERRUPT"
|
||||
: "UNKNOWN");
|
||||
usb_pipetype(urb_kern->pipe) == PIPE_CONTROL ? "CONTROL" :
|
||||
usb_pipetype(urb_kern->pipe) == PIPE_ISOCHRONOUS ? "ISO" :
|
||||
usb_pipetype(urb_kern->pipe) == PIPE_BULK ? "BULK" :
|
||||
usb_pipetype(urb_kern->pipe) == PIPE_INTERRUPT ? "INTERRUPT" : "UNKNOWN");
|
||||
|
||||
if (usb_pipetype(urb_kern->pipe) == PIPE_CONTROL)
|
||||
{
|
||||
struct usb_ctrlrequest *setup = (struct usb_ctrlrequest *)urb_kern->setup_packet;
|
||||
if (setup)
|
||||
{
|
||||
pr_info("[usbFilter] 控制传输Setup包: bRequestType=0x%02x, bRequest=0x%02x, "
|
||||
"wValue=0x%04x, wIndex=0x%04x, wLength=%u\n",
|
||||
setup->bRequestType, setup->bRequest,
|
||||
le16_to_cpu(setup->wValue), le16_to_cpu(setup->wIndex),
|
||||
le16_to_cpu(setup->wLength));
|
||||
}
|
||||
|
||||
// //将原有的setup包传输的数据全部设置为0
|
||||
// if (urb_kern->setup_packet && urb_kern->transfer_buffer_length > 0)
|
||||
// {
|
||||
// memset(urb_kern->setup_packet, 0, urb_kern->transfer_buffer_length);
|
||||
// pr_info("[usbFilter] 已将控制传输的 setup 包数据清零\n");
|
||||
// }
|
||||
}
|
||||
else
|
||||
{
|
||||
// 打印前 32 字节传输数据
|
||||
if (urb_kern->transfer_buffer && urb_kern->transfer_buffer_length > 0)
|
||||
{
|
||||
unsigned char data[32] = {0};
|
||||
unsigned int to_copy = min(32U, (unsigned int)urb_kern->transfer_buffer_length);
|
||||
memcpy(data, urb_kern->transfer_buffer, to_copy);
|
||||
|
||||
char hex[3 * 32 + 1] = {0};
|
||||
int i;
|
||||
for (i = 0; i < to_copy; ++i)
|
||||
{
|
||||
snprintf(hex + i * 3, sizeof(hex) - i * 3, "%02X ", data[i]);
|
||||
}
|
||||
pr_info("[usbFilter] 数据内容(hex): %s\n", hex);
|
||||
// 打印控制传输的setup包内容
|
||||
if (usb_pipetype(urb_kern->pipe) == PIPE_CONTROL && urb_kern->setup_packet) {
|
||||
char setup_hex[3 * 8 + 1] = {0};
|
||||
int i;
|
||||
unsigned char *setup = (unsigned char *)urb_kern->setup_packet;
|
||||
for (i = 0; i < 8; ++i) {
|
||||
snprintf(setup_hex + i * 3, sizeof(setup_hex) - i * 3, "%02X ", setup[i]);
|
||||
}
|
||||
pr_info("[usbFilter] 控制传输setup包(8字节hex): %s\n", setup_hex);
|
||||
}
|
||||
|
||||
// 是否为目标设备
|
||||
if (urb_kern->dev &&
|
||||
urb_kern->dev->descriptor.idVendor == 0x1a86 &&
|
||||
urb_kern->dev->descriptor.idProduct == 0x55de)
|
||||
{
|
||||
// 打印控制传输的数据内容
|
||||
if (urb_kern->transfer_buffer && urb_kern->transfer_buffer_length > 0) {
|
||||
unsigned int to_copy = min(32U, (unsigned int)urb_kern->transfer_buffer_length);
|
||||
unsigned char data[32] = {0};
|
||||
memcpy(data, urb_kern->transfer_buffer, to_copy);
|
||||
|
||||
pr_info("[usbFilter] 命中目标设备,替换 URB 回调\n");
|
||||
|
||||
struct urb_context *ctx = kmalloc(sizeof(*ctx), GFP_ATOMIC);
|
||||
if (!ctx)
|
||||
{
|
||||
pr_err("[usbFilter] 分配回调上下文失败\n");
|
||||
return 0;
|
||||
char hex[3 * 32 + 1] = {0};
|
||||
int i;
|
||||
for (i = 0; i < to_copy; ++i) {
|
||||
snprintf(hex + i * 3, sizeof(hex) - i * 3, "%02X ", data[i]);
|
||||
}
|
||||
|
||||
ctx->original_complete = urb_kern->complete;
|
||||
ctx->original_context = urb_kern->context;
|
||||
|
||||
urb_kern->complete = callback_wrapper;
|
||||
urb_kern->context = ctx;
|
||||
|
||||
// 可以选择返回 0,让 URB 正常提交;也可以选择模拟成功阻断:
|
||||
// regs->regs[0] = 0;
|
||||
// return 1;
|
||||
pr_info("[usbFilter] 提交数据(前32字节hex): %s\n", hex);
|
||||
}
|
||||
|
||||
return 0;
|
||||
|
||||
61
main.c
61
main.c
@ -1,61 +0,0 @@
|
||||
#include <stdio.h>
|
||||
#include <stdlib.h>
|
||||
#include <libusb-1.0/libusb.h>
|
||||
|
||||
#define VENDOR_ID 0x1a86 // 替换为你的设备 VID
|
||||
#define PRODUCT_ID 0x55de // 替换为你的设备 PID
|
||||
#define BULK_EP_OUT 0x06 // OUT端点地址(低位为0表示OUT)
|
||||
#define INTERFACE_NUMBER 4 // USB接口编号
|
||||
|
||||
int main(void) {
|
||||
libusb_device_handle *handle = NULL;
|
||||
int r;
|
||||
int transferred;
|
||||
unsigned char send_data[] = {0x01, 0x02, 0x03, 0x04, 0x05}; // 要发送的数据
|
||||
|
||||
// 初始化libusb
|
||||
r = libusb_init(NULL);
|
||||
if (r < 0) {
|
||||
fprintf(stderr, "Failed to init libusb: %s\n", libusb_error_name(r));
|
||||
return EXIT_FAILURE;
|
||||
}
|
||||
|
||||
// 打开设备
|
||||
handle = libusb_open_device_with_vid_pid(NULL, VENDOR_ID, PRODUCT_ID);
|
||||
if (!handle) {
|
||||
fprintf(stderr, "Failed to open device\n");
|
||||
libusb_exit(NULL);
|
||||
return EXIT_FAILURE;
|
||||
}
|
||||
|
||||
// 获取接口权限(可选,部分系统如Linux必须)
|
||||
if (libusb_kernel_driver_active(handle, INTERFACE_NUMBER)) {
|
||||
libusb_detach_kernel_driver(handle, INTERFACE_NUMBER);
|
||||
}
|
||||
|
||||
r = libusb_claim_interface(handle, INTERFACE_NUMBER);
|
||||
if (r < 0) {
|
||||
fprintf(stderr, "Failed to claim interface: %s\n", libusb_error_name(r));
|
||||
libusb_close(handle);
|
||||
libusb_exit(NULL);
|
||||
return EXIT_FAILURE;
|
||||
}
|
||||
|
||||
// 发送数据(Bulk OUT)
|
||||
r = libusb_bulk_transfer(handle, BULK_EP_OUT, send_data, sizeof(send_data), &transferred, 1000);
|
||||
if (r == 0) {
|
||||
printf("Sent %d\n", transferred);
|
||||
if (transferred != sizeof(send_data)) {
|
||||
fprintf(stderr, "Warning: Only %d of %zu bytes sent\n", transferred, sizeof(send_data));
|
||||
}
|
||||
} else {
|
||||
fprintf(stderr, "Failed to send data: %s\n", libusb_error_name(r));
|
||||
}
|
||||
|
||||
// 释放接口 & 关闭
|
||||
libusb_release_interface(handle, INTERFACE_NUMBER);
|
||||
libusb_close(handle);
|
||||
libusb_exit(NULL);
|
||||
|
||||
return EXIT_SUCCESS;
|
||||
}
|
||||
Reference in New Issue
Block a user