From a669340c91544b6df9e8f208870b42da2db91dad Mon Sep 17 00:00:00 2001
From: lumos
Date: Sun, 22 Jun 2025 13:56:29 +0800
Subject: [PATCH] =?UTF-8?q?=E5=8A=A0=E5=85=A5=E5=86=85=E6=A0=B8=E6=A8=A1?= =?UTF-8?q?=E5=9D=97=E4=BB=A5=E5=8F=8Areadme=E8=AF=B4=E6=98=8E?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
README.md | 10 +++
testMod/libusb/Makefile | 23 +++++++
testMod/libusb/libusbMod.c | 106 +++++++++++++++++++++++++++++++
testMod/netlink/Makefile | 16 +++++
testMod/netlink/netlink_logger.c | 54 ++++++++++++++++
5 files changed, 209 insertions(+)
create mode 100644 README.md
create mode 100644 testMod/libusb/Makefile
create mode 100644 testMod/libusb/libusbMod.c
create mode 100644 testMod/netlink/Makefile
create mode 100644 testMod/netlink/netlink_logger.c
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..244e362
--- /dev/null
+++ b/README.md
@@ -0,0 +1,10 @@
+# 目录说明
+- `scripts` 为`Frida`注入脚本;
+- `testScripts` 为常规测试时所使用的测试脚本,主要为了寻找函数入口和验证功能;
+- `testMod`为常规测试时用所使用的内核模块,主要查看到内核处的数据如何;
+- `upper`为动态库的上位机调试程序;
+- `usbFilter.h/cpp`为动态库实际实现代码;
+
+
+# 软件需求
+- Frida
\ No newline at end of file
diff --git a/testMod/libusb/Makefile b/testMod/libusb/Makefile
new file mode 100644
index 0000000..52381f3
--- /dev/null
+++ b/testMod/libusb/Makefile
@@ -0,0 +1,23 @@
+obj-m += libusbMod.o
+
+KDIR := /lib/modules/$(shell uname -r)/build
+PWD := $(shell pwd)
+
+# 默认目标:只编译内核模块
+all: libusbMod.ko
+
+# 编译内核模块
+libusbMod.ko:
+ make -C $(KDIR) M=$(PWD) modules
+
+# 清理所有生成文件
+clean:
+ make -C $(KDIR) M=$(PWD) clean
+
+# 加载模块
+load:
+ sudo insmod libusbMod.ko
+
+# 卸载模块
+unload:
+ sudo rmmod libusbMod
diff --git a/testMod/libusb/libusbMod.c b/testMod/libusb/libusbMod.c
new file mode 100644
index 0000000..ede1752
--- /dev/null
+++ b/testMod/libusb/libusbMod.c
@@ -0,0 +1,106 @@
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+
+MODULE_LICENSE("GPL");
+MODULE_AUTHOR("Leo");
+MODULE_DESCRIPTION("Monitor usb_submit_urb() data submission only");
+
+static struct kprobe kp;
+
+// 兼容 x86_64 和 arm64 获取第一个参数
+static struct urb *get_urb_from_regs(struct pt_regs *regs)
+{
+#if defined(CONFIG_ARM64)
+ return (struct urb *)regs->regs[0];
+#elif defined(CONFIG_X86_64)
+ return (struct urb *)regs->di;
+#else
+#error "Unsupported architecture"
+#endif
+}
+
+static int handler_pre(struct kprobe *p, struct pt_regs *regs)
+{
+ struct urb *urb_kern = get_urb_from_regs(regs);
+
+ if (!urb_kern)
+ return 0;
+
+ pr_info("[usbFilter] 提交URB进程: %s (pid: %d)\n", current->comm, current->pid);
+
+ if (urb_kern->dev) {
+ pr_info("[usbFilter] USB设备: busnum=%d, devnum=%d, VID=0x%04x, PID=0x%04x\n",
+ urb_kern->dev->bus->busnum,
+ urb_kern->dev->devnum,
+ urb_kern->dev->descriptor.idVendor,
+ urb_kern->dev->descriptor.idProduct);
+ }
+
+ pr_info("[usbFilter] URB: %p, pipe=0x%x, flags=0x%x\n",
+ urb_kern, urb_kern->pipe, urb_kern->transfer_flags);
+
+ pr_info("[usbFilter] pipe: 端点=%d, 方向=%s, 类型=%s\n",
+ usb_pipeendpoint(urb_kern->pipe),
+ usb_pipein(urb_kern->pipe) ? "IN" : "OUT",
+ usb_pipetype(urb_kern->pipe) == PIPE_CONTROL ? "CONTROL" :
+ usb_pipetype(urb_kern->pipe) == PIPE_ISOCHRONOUS ? "ISO" :
+ usb_pipetype(urb_kern->pipe) == PIPE_BULK ? "BULK" :
+ usb_pipetype(urb_kern->pipe) == PIPE_INTERRUPT ?
"INTERRUPT" : "UNKNOWN"); + + // 打印控制传输的setup包内容 + if (usb_pipetype(urb_kern->pipe) == PIPE_CONTROL && urb_kern->setup_packet) { + char setup_hex[3 * 8 + 1] = {0}; + int i; + unsigned char *setup = (unsigned char *)urb_kern->setup_packet; + for (i = 0; i < 8; ++i) { + snprintf(setup_hex + i * 3, sizeof(setup_hex) - i * 3, "%02X ", setup[i]); + } + pr_info("[usbFilter] 控制传输setup包(8字节hex): %s\n", setup_hex); + } + + // 打印控制传输的数据内容 + if (urb_kern->transfer_buffer && urb_kern->transfer_buffer_length > 0) { + unsigned int to_copy = min(32U, (unsigned int)urb_kern->transfer_buffer_length); + unsigned char data[32] = {0}; + memcpy(data, urb_kern->transfer_buffer, to_copy); + + char hex[3 * 32 + 1] = {0}; + int i; + for (i = 0; i < to_copy; ++i) { + snprintf(hex + i * 3, sizeof(hex) - i * 3, "%02X ", data[i]); + } + pr_info("[usbFilter] 提交数据(前32字节hex): %s\n", hex); + } + + return 0; +} + +static int __init usb_hook_init(void) +{ + kp.symbol_name = "usb_submit_urb"; + kp.pre_handler = handler_pre; + + if (register_kprobe(&kp) < 0) + { + pr_err("[usbFilter] 无法注册 kprobe\n"); + return -1; + } + + pr_info("[usbFilter] 成功 hook usb_submit_urb()\n"); + return 0; +} + +static void __exit usb_hook_exit(void) +{ + unregister_kprobe(&kp); + pr_info("[usbFilter] 已卸载 usb_submit_urb hook\n"); +} + +module_init(usb_hook_init); +module_exit(usb_hook_exit); diff --git a/testMod/netlink/Makefile b/testMod/netlink/Makefile new file mode 100644 index 0000000..f38c828 --- /dev/null +++ b/testMod/netlink/Makefile @@ -0,0 +1,16 @@ +obj-m += netlink_logger.o + +KDIR := /lib/modules/$(shell uname -r)/build +PWD := $(shell pwd) + +all: + $(MAKE) -C $(KDIR) M=$(PWD) modules + +clean: + $(MAKE) -C $(KDIR) M=$(PWD) clean + +load: + sudo insmod netlink_logger.ko + +unload: + sudo rmmod netlink_logger \ No newline at end of file diff --git a/testMod/netlink/netlink_logger.c b/testMod/netlink/netlink_logger.c new file mode 100644 index 0000000..04224d2 --- /dev/null +++ b/testMod/netlink/netlink_logger.c 
@@ -0,0 +1,54 @@
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+
+#define NETLINK_USER_CUSTOM 31
+
+MODULE_LICENSE("GPL");
+MODULE_AUTHOR("Leo");
+MODULE_DESCRIPTION("Netlink message logger for custom protocol");
+
+static struct sock *nl_sk = NULL;
+
+static void netlink_recv_msg(struct sk_buff *skb)
+{
+ struct nlmsghdr *nlh;
+ char *payload;
+
+ if (!skb)
+ return;
+
+ nlh = nlmsg_hdr(skb);
+ payload = (char *)nlmsg_data(nlh);
+
+ pr_info("[netlink_logger] Received netlink msg: %s\n", payload); //此处打印信息
+}
+
+static int __init netlink_logger_init(void)
+{
+ struct netlink_kernel_cfg cfg = {
+ .input = netlink_recv_msg,
+ };
+
+ nl_sk = netlink_kernel_create(&init_net, NETLINK_USER_CUSTOM, &cfg);
+ if (!nl_sk) {
+ pr_err("[netlink_logger] Failed to create netlink socket\n");
+ return -ENOMEM;
+ }
+
+ pr_info("[netlink_logger] Netlink logger module loaded (protocol: %d)\n", NETLINK_USER_CUSTOM);
+ return 0;
+}
+
+static void __exit netlink_logger_exit(void)
+{
+ if (nl_sk)
+ netlink_kernel_release(nl_sk);
+ pr_info("[netlink_logger] Module unloaded\n");
+}
+
+module_init(netlink_logger_init);
+module_exit(netlink_logger_exit);
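Review bot: netlink_recv_msg() hands `nlmsg_data(nlh)` to `%s` without checking the message, so a payload that is not NUL-terminated makes printk read past the end of the message into whatever follows in the skb, and a message shorter than a netlink header is not rejected at all (the netlink core does not appear to validate the header before calling `.input`). Validate first and bound the print by the declared length: `if (!nlmsg_ok(nlh, skb->len)) return;` before the payload is taken, and `pr_info_ratelimited("[netlink_logger] Received netlink msg: %.*s\n", (int)nlmsg_len(nlh), payload);` for the output. The socket is created with no sender restriction in `cfg`, so any local process that can open a NETLINK_USER_CUSTOM socket can drive this handler, which is why the rate-limited form matters for the kernel log as well. The `-ENOMEM` returned when netlink_kernel_create() fails is a guess at the cause (the call reports only NULL); a short comment saying so would save the next reader from treating it as diagnosed.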