
init_module

Intro

init_module - loads a kernel module into the kernel

Description

The init_module system call loads a kernel module into kernel memory. The module is supplied as a binary image pointed to by module_image, whose size in bytes is given by the len argument. Any parameters to be passed to the module at initialization are supplied as a single string through the param_values argument.

This system call lets users extend the kernel's functionality with kernel modules. However, users must be aware of the potential issues of loading and executing a module, including compatibility problems if the module was not built for the kernel version in use.

Arguments

  • module_image:void*[U] - A pointer to the binary image of the module to load. Must have been allocated through dynamic memory allocation.
  • len:unsigned long[K] - The size in bytes of the binary image of the module being loaded.
  • param_values:const char*[U] - Pointer to a buffer containing the parameters for the module as a single string.

Available Tags

  • K - Originated from kernel-space.
  • U - Originated from user space (for example, a pointer to user-space memory was used to obtain it)
  • TOCTOU - Vulnerable to TOCTOU (time of check, time of use)
  • OPT - Optional argument - might not always be available (passed with null value)

Hooks

sys_init_module

Type

kprobe

Purpose

This function is hooked in order to record module initialization parameters.

Example Use Case

Recording any kernel module initialization parameters can be useful in analyzing rootkit or malicious code infections that may occur in the kernel.
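The following is an added example, not code from Tracee or from this page: it pulls init_module events out of Tracee's newline-delimited JSON output, decodes len and param_values (module parameters are conventionally space-separated key=value tokens), and flags loads from processes outside an allowlist of the usual loader tools. The field names eventName, processName and args[].name/value are assumptions about Tracee's event layout, and the sample lines are constructed, not a real capture.

```python
"""Extract init_module calls from Tracee JSON output and decode their arguments."""
import json

# Assumed Tracee JSON layout: {"eventName", "processName", "args": [{"name", "value"}]}.
# Allowlist of processes normally expected to load modules (assumption for the demo).
EXPECTED_LOADERS = {"modprobe", "insmod", "kmod"}


def parse_module_params(param_values: str) -> dict:
    """Split "key=val key2=val2" into a dict; a bare token (no '=') gets value ''."""
    params = {}
    for tok in param_values.split():
        key, _, val = tok.partition("=")
        params[key] = val
    return params


def extract_module_loads(ndjson: str) -> list:
    """Return one record per init_module event: process, len, params, loader check."""
    loads = []
    for line in ndjson.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("eventName") != "init_module":
            continue
        args = {a["name"]: a["value"] for a in ev.get("args", [])}
        process = ev.get("processName", "")
        loads.append({
            "process": process,
            "len": int(args.get("len", 0)),
            "params": parse_module_params(str(args.get("param_values", ""))),
            "unexpected_loader": process not in EXPECTED_LOADERS,
        })
    return loads


# Constructed sample capture (not real Tracee output): two loads and one unload.
SAMPLE_EVENTS = """\
{"eventName":"init_module","processName":"insmod","args":[{"name":"module_image","value":"0x55d1c0a0"},{"name":"len","value":24576},{"name":"param_values","value":"debug=1 hide"}]}
{"eventName":"delete_module","processName":"rmmod","args":[{"name":"name","value":"example"}]}
{"eventName":"init_module","processName":"python3","args":[{"name":"module_image","value":"0x7f3a1000"},{"name":"len","value":8192},{"name":"param_values","value":""}]}
"""

if __name__ == "__main__":
    for load in extract_module_loads(SAMPLE_EVENTS):
        flag = " [unexpected loader]" if load["unexpected_loader"] else ""
        print(f'{load["process"]} loaded {load["len"]}-byte module, params={load["params"]}{flag}')
```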

Issues

Because kernel-space operations are privileged, malicious or unauthorized code added to the kernel through this system call can be difficult to detect.

Related Events

  • delete_module - to unload a kernel module.

This document was automatically generated by OpenAI and needs review. It might not be accurate and might contain errors. The authors of Tracee recommend that users read the "events.go" source file to better understand the events and their arguments.