Hooking a system call.

V.Ravikumar ravikumar.vallabhu at gmail.com
Mon Mar 26 00:45:03 EDT 2012


For auditing purposes I need to intercept/hook the open/read/write system
calls.

I tried the sample program below. When I insmod the module that was
built, my system hung. On some research I came to know that we
cannot modify the system call table as it is read-only.

#include <linux/module.h>
#include <linux/kernel.h>
#include <linux/unistd.h>

MODULE_LICENSE("GPL");

/* Pointer to the kernel's system call table (not exported; address taken
 * from System.map of the running kernel). */
static void **sys_call_table;

/* Saved pointer to the real sys_open so it can be called and restored. */
asmlinkage int (*original_call) (const char*, int, int);

/* Replacement for sys_open: log, then hand off to the original handler. */
asmlinkage int our_sys_open(const char* file, int flags, int mode)
{
   printk(KERN_INFO "A file was opened\n");
   return original_call(file, flags, mode);
}

int init_module(void)
{
    /* sys_call_table address in System.map of this RHEL-5 2.6.18 kernel */
    sys_call_table = (void **)0xc061e4e0;
    original_call = (asmlinkage int (*)(const char*, int, int))
                    sys_call_table[__NR_open];
    /* This write is what hangs the machine: the table page is read-only. */
    sys_call_table[__NR_open] = (void *)our_sys_open;
    return 0;
}

void cleanup_module(void)
{
   /* Restore the original call */
   sys_call_table[__NR_open] = (void *)original_call;
}

As I lack knowledge of kernel development, could somebody help me
out here?
I'm working on a RHEL-5 machine with Linux kernel version 2.6.18.
Thanks & Regards,
Ravi