Uptime

We here fake the uptime, returned by the ‘uptime’ command on 64bit x86 Linux machines.

Kernel symbols are easily accessible from /usr/src/linux/System.map

cat /usr/src/linux/System.map | grep uptime
ffffffff811b1be0 t uptime_proc_open
ffffffff811b1c00 t uptime_proc_show
ffffffff81a1ad20 r uptime_proc_fops
ffffffff81eeffc8 t proc_uptime_init
ffffffff81f4d0c8 t __initcall_proc_uptime_init6

You can see there are many uptime, related functions. The one which
we will look at is uptime_proc_show, which is at the address 0xffffffff811b1c00.

The code which exports this function is in /usr/src/linux/fs/proc/uptime.c.

#include <linux/fs.h>
#include <linux/init.h>
#include <linux/proc_fs.h>
#include <linux/sched.h>
#include <linux/seq_file.h>
#include <linux/time.h>
#include <linux/kernel_stat.h>
#include <asm/cputime.h>

static int uptime_proc_show(struct seq_file *m, void *v)
{
	struct timespec uptime;
	struct timespec idle;
	u64 idletime;
	u64 nsec;
	u32 rem;
	int i;

	idletime = 0;
	for_each_possible_cpu(i)
		idletime += (__force u64) kcpustat_cpu(i).cpustat[CPUTIME_IDLE];

	do_posix_clock_monotonic_gettime(&uptime);
	monotonic_to_bootbased(&uptime);
	nsec = cputime64_to_jiffies64(idletime) * TICK_NSEC;
	idle.tv_sec = div_u64_rem(nsec, NSEC_PER_SEC, &rem);
	idle.tv_nsec = rem;
	seq_printf(m, "%lu.%02lu %lu.%02lu\n",
			(unsigned long) uptime.tv_sec,
			(uptime.tv_nsec / (NSEC_PER_SEC / 100)),
			(unsigned long) idle.tv_sec,
			(idle.tv_nsec / (NSEC_PER_SEC / 100)));
	return 0;
}

static int uptime_proc_open(struct inode *inode, struct file *file)
{
	return single_open(file, uptime_proc_show, NULL);
}

static const struct file_operations uptime_proc_fops = {
	.open		= uptime_proc_open,
	.read		= seq_read,
	.llseek		= seq_lseek,
	.release	= single_release,
};

static int __init proc_uptime_init(void)
{
	proc_create("uptime", 0, NULL, &uptime_proc_fops);
	return 0;
}
module_init(proc_uptime_init);

We can see that the uptime is accessible from /proc/uptime

18738072.28 74817307.16

So if we hijack this uptime_proc_show function, we can then pass our fake uptime
values.

To do this we assemble, the following assembly, to jump to a function we create in
our module, in order to change the uptime values.

mov rax, {64bit address}
jmp rax
nop
nop

That assembly was added to the following patchme function.
Which in turn calls our patchee function, which handles the generation of fake uptime values.

void patchme(void *addr) {
        long val = &patchee;
        int i = 0;

        unsigned char ops[] =
            { 0x48, 0xC7, 0xC0, 0x00, 0x1C, 0x1B, 0x81, 0xFF, 0xE0, 0x90, 0x90,0x90, 0x90 };

        for (i = 0; i < 4; i++) {
                ops[i + 3] = (unsigned char)((char *)(&val))[i];
                printk("Addr: %x\n", ops[i + 3]);
        }

        unsigned char *c = (unsigned char *)addr;
        for (i = 0; i < 13; i++) {
                c[i] = ops[i];
        }
}

static int patchee(struct seq_file *m, void *v) {
        printk("In our module faking that uptime...\n");
        seq_printf(m, "18738072.28 74817307.16\n");
        return 0;
}

When uptime is called it will always return:

uptime
18:21:42 up 216 days, 21:01,  2 users,  load average: 0.21, 0.42, 0.26

ToDo:

  • Make uptime change with respect to the ‘real’ uptime, e.g. 1000x the real uptime
  • Allow passing arguments to the module

Get the code.


Leave Comment


two + 7 =

Error Please check your entries!