Re: Hooking a system call.

[rohan puri <rohan.puri15@xxxxxxxxx>]

On Wed, Mar 28, 2012 at 9:16 AM, V.Ravikumar <ravikumar.vallabhu@xxxxxxxxx> wrote:

On Mon, Mar 26, 2012 at 1:18 PM, Mulyadi Santosa <mulyadi.santosa@xxxxxxxxx> wrote:

Hi...

On Mon, Mar 26, 2012 at 11:45, V.Ravikumar <ravikumar.vallabhu@xxxxxxxxx> wrote:
> As part of auditing purpose I need to intercept/hook open/read/write system
> calls.
>

> As I was lack of knowledge into kernel development.Could somebody help me
> out here ?
> I'm working on RHEL-5 machine with Linux kernel version 2.6.18
> Thanks & Regards,
> Ravi

IMHO you better use SystemTap, which is based on Kprobes. It can be
used to hook into almost every part of kernel system, with very less
overhead.

Yes SystemTap is one of the elegant way to hook system calls.

But I need one help while hooking write system call. I need to print the file name also, but file name is not passed to write system call. How can I get the file for write (or sys_write ) system call.

_______________________________________________
Kernelnewbies mailing list
Kernelnewbies@xxxxxxxxxxxxxxxxx
http://lists.kernelnewbies.org/mailman/listinfo/kernelnewbies

Hi,

One way to do this is to map the physical page to new virtual page and make that page RW and then replace with ur handlers. Refer vmap()

-Rohan

_______________________________________________
Kernelnewbies mailing list
Kernelnewbies@xxxxxxxxxxxxxxxxx
http://lists.kernelnewbies.org/mailman/listinfo/kernelnewbies