How to hook the system call?

rohan puri rohan.puri15 at gmail.com
Wed Nov 23 07:02:36 EST 2011


On Wed, Nov 23, 2011 at 3:57 PM, Alexandru Juncu <alex.juncu at rosedu.org> wrote:

> On Wed, Nov 23, 2011 at 12:10 PM, Daniel Baluta <daniel.baluta at gmail.com> wrote:
> > On Wed, Nov 23, 2011 at 11:22 AM, Alexandru Juncu <alex.juncu at rosedu.org> wrote:
> >> On Wed, Nov 23, 2011 at 10:40 AM, Geraint Yang <geraint0923 at gmail.com> wrote:
> >>> Hello everyone,
> >>>
> >>> I am going to hook a system call like 'read' or 'send' by modifying the
> >>> sys_call_table, but it seems that the sys_call_table is in a read-only page,
> >>> how can I modify the sys_call_table? Or is there any method that I can
> >>> use to hook a system call in a module without modifying the kernel source?
> >>>
> >>> Thanks!
> >>
> >> On a 2.6.35 kernel, it worked for me just by changing an entry in the
> >> sys_call_table, within a kernel module.  Something like this:
> >
> > Alex,
> > I am pretty sure that you are using a hacked version of 2.6.35.
> >
> > Geraint,
> > In order to be able to hook a syscall you must do the following:
> >
> > 1. export syscall_table in arch/x86/kernel/i386_ksyms_32.c
> >
> > extern void* sys_call_table[];
> > EXPORT_SYMBOL(sys_call_table);
> >
> > 2. make sys_call_table writeable. In arch/x86/kernel/entry_32.S
> > you must have:
> >
> > .section .data,"a"
> > #include "syscall_table_32.S"
> >
> > thanks,
> > Daniel.
> >
>
> Ah, Daniel is right... I forgot about that part...
>
> _______________________________________________
> Kernelnewbies mailing list
> Kernelnewbies at kernelnewbies.org
> http://lists.kernelnewbies.org/mailman/listinfo/kernelnewbies
>

You can get the address of the sys_call_table from /proc/kallsyms and,
regarding the read-only section of this symbol, you can re-map the
addresses by making use of the vmap API in the kernel. This will avoid the need
to recompile the kernel. But I would not recommend you to do this.
There is an LSM framework specifically available for this; try to see if you
can make use of that.

Regards,
Rohan Puri
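As an added example (not code from this thread or from any of its posters), here is a small script that classifies the sys_call_table entry of a /proc/kallsyms dump the way the thread reasons about it: whether kptr_restrict hides the address, whether the symbol sits in read-only data (R) or in writable .data (D) as Daniel's patch moves it, and whether a __ksymtab_sys_call_table entry shows EXPORT_SYMBOL was applied. The __ksymtab heuristic is an assumption about how exports show up in kallsyms, and the sample lines are constructed, not captured from a real machine.

```python
import re
from typing import Dict, Optional

# Section letters follow nm(1): R/r = read-only data, D/d = writable .data,
# T/t = text. A zero address means kptr_restrict is hiding it from this
# reader. A __ksymtab_<name> entry is assumed to be what EXPORT_SYMBOL(<name>)
# emits, so its absence means modules cannot link against <name>.
KALLSYMS_LINE = re.compile(
    r"^([0-9a-fA-F]+)\s+([A-Za-z?])\s+(\S+)(?:\s+\[(\S+)\])?\s*$"
)


def parse_kallsyms(text: str) -> Dict[str, dict]:
    """Turn /proc/kallsyms text into {symbol: {"addr", "type", "module"}}."""
    symbols: Dict[str, dict] = {}
    for line in text.splitlines():
        m = KALLSYMS_LINE.match(line)
        if not m:  # skip blank or malformed lines
            continue
        addr, stype, name, module = m.groups()
        symbols[name] = {"addr": int(addr, 16), "type": stype, "module": module}
    return symbols


def syscall_table_status(kallsyms_text: str) -> dict:
    """Report whether sys_call_table is visible, read-only and exported."""
    syms = parse_kallsyms(kallsyms_text)
    entry: Optional[dict] = syms.get("sys_call_table")
    if entry is None:
        return {"present": False, "hidden": None, "readonly": None, "exported": None}
    return {
        "present": True,
        "hidden": entry["addr"] == 0,
        "readonly": entry["type"] in ("R", "r"),
        "exported": "__ksymtab_sys_call_table" in syms,
    }


# Constructed sample dumps: a stock kernel and one patched as described above.
STOCK_KERNEL = """\
ffffffff81000000 T _text
ffffffff81e00300 R sys_call_table
ffffffff81f00010 r __ksymtab_printk
"""

PATCHED_KERNEL = """\
ffffffff81c00000 D sys_call_table
ffffffff81f00020 r __ksymtab_sys_call_table
"""

if __name__ == "__main__":
    for label, text in (("stock", STOCK_KERNEL), ("patched", PATCHED_KERNEL)):
        print(label, syscall_table_status(text))
```

On a live system, feed it `open("/proc/kallsyms").read()` as root; an unprivileged run typically reports the address as hidden.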