From owner-freebsd-hackers@FreeBSD.ORG  Thu Apr 29 13:10:04 2010
Return-Path: <owner-freebsd-hackers@FreeBSD.ORG>
Delivered-To: freebsd-hackers@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 68EFD106566B
	for <freebsd-hackers@freebsd.org>; Thu, 29 Apr 2010 13:10:04 +0000 (UTC)
	(envelope-from z0.0z.furukawa@gmail.com)
Received: from mail-iw0-f204.google.com (mail-iw0-f204.google.com
	[209.85.223.204])
	by mx1.freebsd.org (Postfix) with ESMTP id 308A48FC26
	for <freebsd-hackers@freebsd.org>; Thu, 29 Apr 2010 13:10:03 +0000 (UTC)
Received: by iwn42 with SMTP id 42so11118858iwn.14
	for <freebsd-hackers@freebsd.org>; Thu, 29 Apr 2010 06:09:56 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma;
	h=domainkey-signature:mime-version:received:received:date:message-id
	:subject:from:to:content-type;
	bh=eZOZ8NlrI+w+R64qGH5oxbz0ZYY7wCgXJ33r/B5xflg=;
	b=IuhRrKe/ZeSBqKKEo+t6z5yZvG/r0Whfc5QQIz6686w6cz1ZCm4x7nX1WQG4ELUihr
	6NV+esSgF4dWYAa2ji5zv59iK5vAGthucFbrp3/ApXlwbdwZiTgX0KcTVy2xaR3t4IPq
	lRkqyP0ocQCWS/WyFMtPiyTOt9MYTipzTUFyA=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma;
	h=mime-version:date:message-id:subject:from:to:content-type;
	b=kgqapf7jIc4aGFQKNOONUzWGqKxecfqFnNgmB+T7UHgg3j3ohK56oHSTy3TLXXvaaO
	1T5YsrjLp/Hvor+iOeRp1IW0r5ooDq5Tzz+TSKKDyK6d5cmwCN6AZU2oaeY2RubRW4n/
	7V867Mw2otwSM0+8S1ohLP0Lrn3jOiLDqkYyA=
MIME-Version: 1.0
Received: by 10.231.182.211 with SMTP id cd19mr1629823ibb.55.1272545078291; 
	Thu, 29 Apr 2010 05:44:38 -0700 (PDT)
Received: by 10.231.156.81 with HTTP; Thu, 29 Apr 2010 05:44:38 -0700 (PDT)
Date: Thu, 29 Apr 2010 21:44:38 +0900
Message-ID: <v2h15480d8f1004290544q2b070ff8i4cc68b4f171c4593@mail.gmail.com>
From: furukawa jun <z0.0z.furukawa@gmail.com>
To: freebsd-hackers@freebsd.org
Content-Type: text/plain; charset=ISO-8859-1
X-Content-Filtered-By: Mailman/MimeDel 2.1.5
Subject: How to change vnode operations ?
X-BeenThere: freebsd-hackers@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Technical Discussions relating to FreeBSD
	<freebsd-hackers.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-hackers>, 
	<mailto:freebsd-hackers-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-hackers>
List-Post: <mailto:freebsd-hackers@freebsd.org>
List-Help: <mailto:freebsd-hackers-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-hackers>,
	<mailto:freebsd-hackers-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Thu, 29 Apr 2010 13:10:04 -0000

Hi,

I know the way for changing vnode operations because I did that for my
graduate thesis.

In that thesis I made a LKM that hooks vn_write() function.

To make that software I referenced a book and a website listed below.

"Joseph Kong. Designing BSD Rootkits: An Introduction to Kernel Hacking. No
Starch Press, 2007."
"Stephanie Wehner. Fun and games with freebsd kernel modules, April 2001.
http:/
/www.r4k.net/mod/fbsdfun.html"

As a reference, I show here the part of the source code of my software.

#include <sys/param.h>                /* module           */
#include <sys/module.h>               /* module           */
#include <sys/kernel.h>               /* module           */
#include <sys/types.h>                /* size_t, copystr  */
#include <sys/systm.h>              /* copystr */
#include <sys/proc.h>                 /* struct thread    */
#include <sys/file.h>                 /* vnops            */
#include <fs/msdosfs/msdosfs_vnops.c> /* msdosfs_vnodeops */

int
fo_write_hook(struct file *fp,
        struct uio *uio,
        struct ucred *active_cred,
        int flags,
        struct thread *td);

typedef int (*fow_t)(struct file*,
        struct uio*,
        struct ucred*,
        int flags,
        struct thread*);

fow_t old_fo_write;
char mybuf[256+1];

/* fo_write hook */
int
fo_write_hook(struct file *fp,
        struct uio *uio,
        struct ucred *active_cred,
        int flags,
        struct thread *td)
{
 *   /* You can add here a new functinality. */*

    return (old_fo_write(fp, uio, active_cred, flags, td));
}

/* The function called at load/unload */
    static int
load(struct module *module, int cmd, void *arg)
{
    int error = 0;

    /* The declaration of msdosfs_vnodeops */
    /* from /usr/include/fs/msdosfs/msdosfs_vnops.c */
    /* extern struct vop_vector msdosfs_vnodeops */

    /* The initialization of msdosfs_vnodeops */
    /* from /usr/src/sys/fs/msdosfs/msdosfs_vnops.c */
    //struct vop_vector msdosfs_vnodeops = {
    //    ...
    //    .vop_read =             msdosfs_read,
    //    ...
    //    .vop_write =            msdosfs_write,
    //    ...
    //};
    switch (cmd) {
        case MOD_LOAD:
            uprintf("Module has loaded\n");
            /* Replace fo_write with fo_write_hook. */
            old_fo_write = (fow_t)(vnops.fo_write);
            vnops.fo_write = fo_write_hook;

            break;

        case MOD_UNLOAD:
            uprintf("Module has unloaded\n");

            /* Change everyhting back to normal. */
            vnops.fo_write = old_fo_write;
            break;

        default:
            error = EOPNOTSUPP;
            break;
    }

    return (error);
}

static moduledata_t fo_write_hook_mod = {
    "fo_write_hook", /* module name   */
    load,            /* event handler */
    NULL             /* EXTRA DATA    */
};

DECLARE_MODULE(fo_write_hook, fo_write_hook_mod,
        SI_SUB_DRIVERS, SI_ORDER_MIDDLE);

Jun Furukawa