For auditing purposes I need to intercept/hook the open/read/write system calls.
I tried with the sample program below. When I do an insmod of the module that was built, my system hung. After some research I came to know that we cannot modify the system call table, as it is read-only.
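
    #include <linux/module.h>
    #include <linux/kernel.h>
    #include <linux/unistd.h>   /* __NR_open */

    void **sys_call_table;
    asmlinkage int (*original_call) (const char*, int, int);

    /* Replacement handler: log the call, then forward to the original open */
    asmlinkage int our_sys_open(const char* file, int flags, int mode)
    {
        printk(KERN_INFO "A file was opened\n");
        return original_call(file, flags, mode);
    }

    int init_module()
    {
        // sys_call_table address in System.map
        sys_call_table = (void **)0xc061e4e0;
        original_call = sys_call_table[__NR_open];
        // Writes into sys_call_table, which is read-only (see above)
        sys_call_table[__NR_open] = our_sys_open;
        return 0;
    }

    void cleanup_module()
    {
        // Restore the original call
        sys_call_table[__NR_open] = original_call;
    }

    MODULE_LICENSE("GPL");
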
As I lack knowledge of kernel development, could somebody help me out here?
I'm working on a RHEL-5 machine with Linux kernel version 2.6.18.
Thanks & Regards,
Ravi
_______________________________________________
Kernelnewbies mailing list
Kernelnewbies@xxxxxxxxxxxxxxxxx
http://lists.kernelnewbies.org/mailman/listinfo/kernelnewbies