Re: Hooking a system call.




On 03/26/2012 01:14 AM, V.Ravikumar wrote:
>
>
> On Mon, Mar 26, 2012 at 1:18 PM, Mulyadi Santosa
> <mulyadi.santosa@xxxxxxxxx <mailto:mulyadi.santosa@xxxxxxxxx>> wrote:
>
>     Hi...
>
>     On Mon, Mar 26, 2012 at 11:45, V.Ravikumar
>     <ravikumar.vallabhu@xxxxxxxxx <mailto:ravikumar.vallabhu@xxxxxxxxx>>
>     wrote:
>      > For auditing purposes I need to intercept/hook open/read/write system
>      > calls.
>      >
>      > As I lack knowledge of kernel development, could somebody help me
>      > out here?
>      > I'm working on RHEL-5 machine with Linux kernel version 2.6.18
>      > Thanks & Regards,
>      > Ravi
>
>     IMHO you'd better use SystemTap, which is based on Kprobes. It can be
>     used to hook into almost every part of the kernel, with very little
>     overhead.
>
> Ok I'll also look into System Tap.
>
> But in my sample module example code for intercepting a system call, how
> can I make the system_call_table address writable so that one can change
> it to a customized system call?
>
> Thanks & Regards,
> Ravi
>


You could use tracepoints,

register_trace_sys_enter
register_trace_sys_exit

as used by ftrace in
kernel/trace/trace_syscalls.c

-Fredrick
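
An added example of the SystemTap route Mulyadi suggested, written for this thread and not code from any of the posters: it audits open/read/write on files under a chosen path prefix without touching the syscall table at all, which is the point of using kprobes or tracepoints instead of the writable system_call_table approach Ravi asks about. It assumes SystemTap and the kernel's debuginfo are installed; the probe aliases and variables it uses (syscall.open, syscall.openat, filename, fd, name, stp_pid(), errno_str(), kprocess.exit) come from the standard tapset. The sys_enter/sys_exit tracepoints Fredrick names arrived in mainline well after 2.6.18, so on the RHEL-5 kernel in the question the kprobes-based syscall tapset is the mechanism actually available. The script file name and the watched prefix are constructed example values.

```systemtap
#!/usr/bin/stap
# Added example for this thread, not code from any of the posters.
# Audits open/read/write on files under a path prefix given as the first
# script argument, using SystemTap's kprobes-based syscall tapset (the
# route that works on a 2.6.18 kernel, which has no sys_enter/sys_exit
# tracepoints). Usage (assumed file name):  stap -v audit_rw.stp /etc/
# Assumed: SystemTap with the running kernel's debuginfo installed.

global watch_prefix          # set from the command line in probe begin
global pending_open          # tid -> path passed to open()/openat()
global pending_fd            # tid -> fd passed to read()/write()
global fdname                # (pid, fd) -> path, filled at open.return

probe begin {
    watch_prefix = @1
    printf("auditing open/read/write under %s (Ctrl-C to stop)\n", watch_prefix)
}

# Remember the path at entry; the return probe only sees the result.
probe syscall.open, syscall.openat {
    if (pid() == stp_pid()) next      # ignore SystemTap's own I/O
    pending_open[tid()] = filename
}

probe syscall.open.return, syscall.openat.return {
    if (pid() == stp_pid()) next
    path = pending_open[tid()]
    delete pending_open[tid()]
    if (substr(path, 0, strlen(watch_prefix)) != watch_prefix) next
    if ($return >= 0) {
        fdname[pid(), $return] = path
        printf("%s %s[%d] uid=%d open %s -> fd %d\n",
               ctime(gettimeofday_s()), execname(), pid(), uid(), path, $return)
    } else {
        printf("%s %s[%d] uid=%d open %s failed: %s\n",
               ctime(gettimeofday_s()), execname(), pid(), uid(), path,
               errno_str($return))
    }
}

# Forget the mapping when the descriptor is closed or the process exits.
probe syscall.close {
    delete fdname[pid(), fd]
}

probe kprocess.exit {
    delete fdname[pid(), *]
}

# read/write: capture the fd at entry, report bytes transferred at return.
probe syscall.read, syscall.write {
    pending_fd[tid()] = fd
}

probe syscall.read.return, syscall.write.return {
    fd = pending_fd[tid()]
    delete pending_fd[tid()]
    path = fdname[pid(), fd]
    if (path == "") next                 # descriptor is not a watched file
    printf("%s %s[%d] uid=%d %s fd %d (%s) -> %d\n",
           ctime(gettimeofday_s()), execname(), pid(), uid(), name, fd, path,
           $return)
}
```

Entry arguments are saved per thread id because a return probe does not reliably see them, and the fd-to-path map is keyed by pid so that one process's descriptors never shadow another's. The map is bounded by MAXMAPENTRIES (2048 by default); raise it with `-DMAXMAPENTRIES=...` on a busy system. Descriptors inherited across fork or received over a socket are not tracked, so reads on those show up as unwatched, and SystemTap's own process is skipped so the tool does not audit its own output.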


_______________________________________________
Kernelnewbies mailing list
Kernelnewbies@xxxxxxxxxxxxxxxxx
http://lists.kernelnewbies.org/mailman/listinfo/kernelnewbies

