Thread: 14 messages, 7 authors, 2011-11-28

How to hook the system call?

From: Geraint Yang <hidden>
Date: 2011-11-23 16:50:25

Hi,
Thank all of you for helping me with my problem!
I don't want to modify my kernel source, so I am trying to learn to use the LSM
security hooks. Even though it seems that they can't hook all the system
calls, I think they should be enough for me.
Thanks again!



On Wed, Nov 23, 2011 at 8:02 PM, rohan puri [off-list ref] wrote:

> On Wed, Nov 23, 2011 at 3:57 PM, Alexandru Juncu [off-list ref] wrote:
>
>> On Wed, Nov 23, 2011 at 12:10 PM, Daniel Baluta [off-list ref] wrote:
>>
>>> On Wed, Nov 23, 2011 at 11:22 AM, Alexandru Juncu <alex.juncu at rosedu.org> wrote:
>>>
>>>> On Wed, Nov 23, 2011 at 10:40 AM, Geraint Yang [off-list ref] wrote:
>>>>
>>>>> Hello everyone,
>>>>>
>>>>> I am going to hook a system call like 'read' or 'send' by modifying the
>>>>> sys_call_table, but it seems that the sys_call_table is in a read-only page.
>>>>> How can I modify the sys_call_table? Or is there any method that I can
>>>>> use to hook a system call in a module without modifying the kernel source?
>>>>>
>>>>> Thanks!
>>>>
>>>> On a 2.6.35 kernel, it worked for me just by changing an entry in the
>>>> sys_call_table, within a kernel module.  Something like this:
>>>
>>> Alex,
>>> I am pretty sure that you are using a hacked version of 2.6.35.
>>>
>>> Geraint,
>>> In order to be able to hook a syscall you must do the following:
>>>
>>> 1. export sys_call_table in arch/x86/kernel/i386_ksyms_32.c
>>>
>>> extern void* sys_call_table[];
>>> EXPORT_SYMBOL(sys_call_table);
>>>
>>> 2. make sys_call_table writeable. In arch/x86/kernel/entry_32.S
>>> you must have:
>>>
>>> .section .data,"a"
>>> #include "syscall_table_32.S"
>>>
>>> thanks,
>>> Daniel.
>>
>> Ah, Daniel is right... I forgot about that part...
>>
>> _______________________________________________
>> Kernelnewbies mailing list
>> Kernelnewbies at kernelnewbies.org
>> http://lists.kernelnewbies.org/mailman/listinfo/kernelnewbies
>
> You can get the address of the sys_call_table from /proc/kallsyms, and
> regarding the read-only section of this symbol, you can re-map the
> addresses by making use of the vmap API in the kernel. This will avoid the need
> to recompile the kernel. But I would not recommend you to do this.
> There is an LSM framework specifically available for this; try to see if you
> can make use of that.
>
> Regards,
> Rohan Puri


-- 
Geraint Yang
Tsinghua University Department of Computer Science and Technology
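As an added example (not code from the thread or from any of its posters), the check below reads /proc/kallsyms-style lines and reports which section sys_call_table lives in: upstream kernels keep it in read-only data (type letter R), while the entry_32.S change Daniel describes moves it into writable .data (type letter D). The kallsyms format assumed is "address type name [module]"; the sample listings are constructed, not captured from a real machine.

```python
import re
from typing import Iterable, Optional, Tuple

# One /proc/kallsyms line is "address type name [module]". The type letter follows
# nm(1): r/R = read-only data (.rodata), d/D = writable data (.data), t/T = text.
KALLSYMS_RE = re.compile(r"^([0-9a-fA-F]+)\s+([A-Za-z?])\s+(\S+)(?:\s+\[(\S+)\])?$")


def parse_kallsyms(lines: Iterable[str]) -> dict:
    """Map symbol name -> (address, type letter, module or None); skip malformed lines."""
    syms = {}
    for line in lines:
        m = KALLSYMS_RE.match(line.strip())
        if m:
            addr, typ, name, module = m.groups()
            syms[name] = (int(addr, 16), typ, module)
    return syms


def audit_syscall_table(lines: Iterable[str]) -> Tuple[str, Optional[int]]:
    """Classify where sys_call_table lives.

    Returns (verdict, address). verdict is 'absent' (symbol not listed),
    'read-only' (in .rodata, the upstream layout), 'writable' (moved into .data,
    as the entry_32.S change in the thread does) or 'unexpected' (any other type).
    address is None when kptr_restrict has zeroed it for this reader.
    """
    entry = parse_kallsyms(lines).get("sys_call_table")
    if entry is None:
        return "absent", None
    addr, typ, _module = entry
    verdict = {"r": "read-only", "d": "writable"}.get(typ.lower(), "unexpected")
    return verdict, (addr or None)


# Constructed sample listings (hypothetical addresses, not from a real machine).
UPSTREAM = [
    "ffffffff81000000 T _text",
    "ffffffff81c00280 R sys_call_table",
    "ffffffff81e12000 D init_task",
    "ffffffffa0001000 t hook_read\t[hookmod]",
]
PATCHED = ["ffffffff81e12340 D sys_call_table"]     # table moved into .data
RESTRICTED = ["0000000000000000 R sys_call_table"]  # kptr_restrict=1, unprivileged reader

if __name__ == "__main__":
    for label, listing in (("upstream", UPSTREAM), ("patched", PATCHED), ("restricted", RESTRICTED)):
        print(label, audit_syscall_table(listing))
```

On a live system, pass `open("/proc/kallsyms")` as the listing; a "writable" verdict means the build has given up the read-only protection the original poster ran into.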