Allocating Kernel Memory from User Space

Now that you've seen how to "properly" allocate kernel memory using module code, let's do it using run-time kernel memory patching. Here is the algorithm (Cesare, 1998, as cited in sd and devik, 2001) we'll be using:

  1. Retrieve the in-memory address of the mkdir system call.

  2. Save the first sizeof(kmalloc) bytes of mkdir, that is, as many bytes as the kmalloc routine you intend to inject occupies.

  3. Overwrite mkdir with kmalloc.

  4. Call mkdir, which now executes kmalloc instead.

  5. Restore mkdir from the saved bytes.

With this algorithm, you are basically patching a system call with your own code, issuing the system call (which will execute your code instead), and then restoring the system call. The one requirement on the injected code is that it be position independent: it runs at mkdir's address rather than the address it was compiled for, so any kernel address it needs has to be looked up (for example, through the kernel symbol table) and written into the code before step 3. This algorithm can be used to execute any piece of code in kernel space without a KLD.
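Here are the five steps as a runnable sketch, added as an example for this section; it is not the book's code. A small portable core performs steps 2 through 5 through a single read/write callback, and a FreeBSD-only section wires that core to libkvm (kvm_openfiles on /dev/kmem, kvm_nlist to resolve the mkdir symbol for step 1, kvm_read and kvm_write for the save and the two overwrites) and issues mkdir(2) for step 4. The names patch_call_restore, fake_run, fake_kmem, kvm_kmem, inject and the path /tmp/kpatch-probe are my own. The injected routine is a hypothetical stand-in that just returns 200 so the kernel hands that value back as errno, not this section's kmalloc routine, and the 64-byte NOP buffer used on hosts other than FreeBSD is constructed for the demonstration. Running it for real requires root and kern.securelevel at 0 or below (otherwise /dev/kmem cannot be opened for writing), a kernel whose handler is still named mkdir (later releases call it sys_mkdir) and one that lets /dev/kmem writes reach kernel text; newer kernels may refuse that.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Kernel-memory accessor: moves len bytes between addr and buf (wr selects the
 * direction). On FreeBSD it wraps kvm_read()/kvm_write() on /dev/kmem. */
typedef int (*kmem_fn)(void *ctx, uintptr_t addr, void *buf, size_t len, int wr);

/* Steps 2-5: save len bytes at target, overwrite them with code, run the trigger
 * (the system call that now lands in our code), then put the saved bytes back.
 * Returns the trigger's result, or -1 if an access failed; after step 3 the
 * restore runs on every path. */
int patch_call_restore(kmem_fn kmem, void *ctx, uintptr_t target,
    const void *code, size_t len, int (*trigger)(void *), void *arg)
{
    unsigned char *saved;
    int rc = -1;
    if (len == 0 || (saved = malloc(len)) == NULL)
        return -1;
    if (kmem(ctx, target, saved, len, 0) != 0)          /* step 2 */
        goto out;
    if (kmem(ctx, target, (void *)code, len, 1) != 0)   /* step 3 */
        goto out;
    rc = trigger(arg);                                  /* step 4 */
    if (kmem(ctx, target, saved, len, 1) != 0)          /* step 5 */
        rc = -1;                /* kernel text is still patched: fatal */
out:
    free(saved);
    return rc;
}

/* Constructed stand-in for kernel text (no real kernel involved): 64 NOP bytes,
 * "called" at offset 16. An out-of-range access is refused, like a failed kvm_write(). */
struct fake_mem { unsigned char mem[64]; };
static int fake_kmem(void *ctx, uintptr_t a, void *buf, size_t l, int wr)
{
    unsigned char *mem = ((struct fake_mem *)ctx)->mem;
    if (a > 64 || l > 64 - a) return -1;
    memcpy(wr ? mem + a : buf, wr ? buf : mem + a, l);
    return 0;
}
/* Stands in for the system call: reports the byte now sitting at offset 16. */
static int fake_trigger(void *arg) { return ((struct fake_mem *)arg)->mem[16]; }

/* Runs the sequence on the fake memory with four 0xC3 (ret) bytes as code.
 * Returns what the trigger saw while patched (0xC3 for target 16, 0x90 if the
 * patch landed elsewhere), -1 if the access was refused (target 62 would run
 * past the end), or -2 if any byte stayed patched. */
int fake_run(uintptr_t target)
{
    static const unsigned char code[] = { 0xC3, 0xC3, 0xC3, 0xC3 };
    struct fake_mem m, orig;
    int rc;
    memset(m.mem, 0x90, sizeof(m.mem));
    orig = m;
    rc = patch_call_restore(fake_kmem, &m, target, code, sizeof(code), fake_trigger, &m);
    return memcmp(m.mem, orig.mem, sizeof(m.mem)) == 0 ? rc : -2;
}

#ifdef __FreeBSD__
#include <sys/types.h>
#include <sys/stat.h>
#include <err.h>
#include <fcntl.h>
#include <kvm.h>
#include <limits.h>

static int kvm_kmem(void *kd, uintptr_t a, void *buf, size_t l, int wr)
{
    ssize_t n = wr ? kvm_write(kd, a, buf, l) : kvm_read(kd, a, buf, l);
    return n == (ssize_t)l ? 0 : -1;
}
static int do_mkdir(void *path) { return mkdir(path, 0700); }   /* step 4 */

/* Hypothetical placeholder for the section's kmalloc routine: takes the
 * handler's (td, uap) arguments, is position-independent, and returns 200,
 * which the syscall return path hands back to user space as errno. Its length
 * is the gap to the next function, assuming the compiler kept source order (-O0). */
static int inject(void *td, void *uap) { (void)td; (void)uap; return 200; }
static int inject_end(void) { return 0; }

int main(void)
{
    char errbuf[_POSIX2_LINE_MAX];
    struct nlist nl[] = { { "mkdir" }, { NULL } };  /* sys_mkdir on newer releases */
    kvm_t *kd = kvm_openfiles(NULL, NULL, NULL, O_RDWR, errbuf); /* root, securelevel <= 0 */
    int rc;
    if (kd == NULL) errx(1, "kvm_openfiles: %s", errbuf);
    if (kvm_nlist(kd, nl) < 0 || nl[0].n_value == 0) errx(1, "mkdir symbol not found"); /* step 1 */
    rc = patch_call_restore(kvm_kmem, kd, nl[0].n_value, (const void *)inject,
        (uintptr_t)inject_end - (uintptr_t)inject, do_mkdir, "/tmp/kpatch-probe");
    printf("mkdir returned %d, errno %d (expect -1 and errno 200)\n", rc, errno);
    kvm_close(kd);
    return 0;
}
#else
int main(void) { printf("fake run saw 0x%x at the target\n", fake_run(16)); return 0; }
#endif
```

Two things the fake run makes visible: the trigger sees the 0xC3 bytes only while the patch is in place and every byte is back afterwards, and an access the back end refuses (a target that would run past the end, or on the real system a failing kvm_write) aborts before anything is written, so the kernel is never left half-patched. Note that the length passed to the core is the size of the injected routine, not of mkdir; if the routine is longer than mkdir, the bytes of whatever follows mkdir are saved and restored along with it, which widens the window during which the kernel is running patched code.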

However, keep in mind that when you overwrite a system call, any process that issues ...
