3rd-party/linux-kernel-module-cheat
1
0
Fork 0
mirror of https://github.com/cirosantilli/linux-kernel-module-cheat.git synced 2026-01-23 02:05:57 +01:00
Code Issues Releases Wiki Activity

run: create -F option to run base64 encoded command after busybox init

Browse Source 
Fix ./run -h which was showing the build help instead.
This commit is contained in:
Ciro Santilli
2018-04-19 08:57:35 +01:00
parent 9805d333ea
commit 2c084f5fb2
4 changed files with 40 additions and 11 deletions
Download Patch File Download Diff File Expand all files Collapse all files

35
README.adoc
View File

@@ -896,7 +896,7 @@ It is kind of random: if you just `insmod` manually and then immediately `./rung
But this fails most of the time: shell 1: But this fails most of the time: shell 1:
.... ....
./run -a arm -f 'lkmc_eval="insmod /hello.ko"' ./run -a arm -F 'insmod /hello.ko'
.... ....
shell 2: shell 2:
@@ -983,7 +983,7 @@ So once we find the address the first time, we can just reuse it afterwards, as
Do a fresh boot and get the module: Do a fresh boot and get the module:
.... ....
./run -f 'lkmc_eval="/pr_debug.sh;insmod /fops.ko;/poweroff.out"' ./run -F '/pr_debug.sh;insmod /fops.ko;/poweroff.out'
.... ....
The boot must be fresh, because the load address changes every time we insert, even after removing previous modules. The boot must be fresh, because the load address changes every time we insert, even after removing previous modules.
@@ -1747,7 +1747,20 @@ although `-E` is smarter:
so you should almost always use it, unless you are really counting each cycle ;-) so you should almost always use it, unless you are really counting each cycle ;-)
This method prevents the BusyBox' init from launching a shell, so you cannot interact with the system afterwards. If you also want that, use: <<init-busybox>>. This method replaces BusyBox' init completely, which makes things more minimal, but also has has the following consequences:
* `/etc/fstab` mounts are not done, notably `/proc` and `/sys`, test it out with:
+
....
./run -E 'echo asdf;ls /proc;ls /sys;echo qwer'
....
* no shell is launched at the end of boot for you to interact with the system. You could explicitly add a `sh` at the end of your commands however:
+
....
./run -E 'echo hello;sh'
....
The best way to overcome those limitations is to use: <<init-busybox>>
If the script is large, you can add it to a gitignored file and pass that to `-E` as in: If the script is large, you can add it to a gitignored file and pass that to `-E` as in:
@@ -1799,13 +1812,23 @@ but why not just use your super simple and effective `/poweroff.out` and be done
[[init-busybox]] [[init-busybox]]
=== Run command at the end of BusyBox init === Run command at the end of BusyBox init
If you rely on something that BusyBox' init set up for you like networking, you could do: If you rely on something that BusyBox' init set up for you like `/etc/fstab`, this is the method you should use:
.... ....
./run -f 'lkmc_eval="insmod /hello.ko;wget -S google.com;poweroff.out;"' ./run -F 'echo asdf;ls /proc;ls /sys;echo qwer'
.... ....
The `lkmc_eval` option gets evaled by our default `S98` startup script if present. After the commands run, you are left on an interactive shell.
The above command is basically equivalent to:
....
./run -f 'lkmc_eval="insmod /hello.ko;poweroff.out;"'
....
where the `lkmc_eval` option gets evaled by our default `S98` startup script if present.
However, `-F` is smarter and uses `base64` encoding, much like `-E` vs `-e`, so you will just use `-F` most of the time.
Alternatively, add them to a new `init.d` entry to run at the end o the BusyBox init: Alternatively, add them to a new `init.d` entry to run at the end o the BusyBox init:

3
rootfs_overlay/etc/init.d/S98
View File

@@ -1,7 +1,8 @@
#!/bin/sh #!/bin/sh
echo "hello S98" echo "hello S98"
if [ -n "$lkmc_eval" ]; then if [ -n "$lkmc_eval" ]; then
echo "$lkmc_eval"
eval "$lkmc_eval" eval "$lkmc_eval"
elif [ -n "$lkmc_eval_base64" ]; then
eval "$(printf "$lkmc_eval_base64" | base64 -d)"
fi fi
exit 0 exit 0

11
run
View File

@@ -31,7 +31,7 @@ tmux_args=
# just to prevent QEMU from emitting a warning that '' is not valid. # just to prevent QEMU from emitting a warning that '' is not valid.
trace_enable=pr_manager_run trace_enable=pr_manager_run
vnc= vnc=
while getopts a:c:DdE:e:f:G:ghIiKkm:T:U:uVx OPT; do while getopts a:c:DdE:e:F:f:G:ghIiKkm:T:U:uVx OPT; do
case "$OPT" in case "$OPT" in
a) a)
arch="$OPTARG" arch="$OPTARG"
@@ -52,10 +52,13 @@ while getopts a:c:DdE:e:f:G:ghIiKkm:T:U:uVx OPT; do
lkmc_eval="$OPTARG" lkmc_eval="$OPTARG"
;; ;;
e) e)
extra_append="$extra_append $OPTARG" extra_append="${extra_append} ${OPTARG}"
;;
F)
extra_append_after_dash="${extra_append_after_dash} lkmc_eval_base64=\"$(printf "${OPTARG}" | base64)\""
;; ;;
f) f)
extra_append_after_dash="$extra_append_after_dash $OPTARG" extra_append_after_dash="${extra_append_after_dash} ${OPTARG}"
;; ;;
G) G)
gem5opts="$OPTARG \\ gem5opts="$OPTARG \\
@@ -65,7 +68,7 @@ while getopts a:c:DdE:e:f:G:ghIiKkm:T:U:uVx OPT; do
gem5=true gem5=true
;; ;;
h) h)
cat build-usage.adoc 1>&2 cat run-usage.adoc 1>&2
exit exit
;; ;;
I) I)

2
run-usage.adoc
View File

@@ -19,6 +19,8 @@
Only options that come before the `-`, i.e. "standard" Only options that come before the `-`, i.e. "standard"
options, should be passed with this option. options, should be passed with this option.
Example: `./run -a arm -e 'init=/poweroff.out'` Example: `./run -a arm -e 'init=/poweroff.out'`
|`-F` |`CMDSTR` |Much like `-f`, but base64 encods the string.
Mnemonic: `-F` is to `-f` what `-E` is to `-e`.
|`-f` |`CLI_OPTIONS` |Pass an extra Linux kernel command line options, |`-f` |`CLI_OPTIONS` |Pass an extra Linux kernel command line options,
add a dash `-` separator, and place the options after the dash. add a dash `-` separator, and place the options after the dash.
Intended for custom options understood by our `init` scripts, Intended for custom options understood by our `init` scripts,