Hooking a system call.
Fredrick
fjohnber at zoho.com
Mon Mar 26 16:22:34 EDT 2012
On 03/26/2012 01:14 AM, V.Ravikumar wrote:
>
>
> On Mon, Mar 26, 2012 at 1:18 PM, Mulyadi Santosa
> <mulyadi.santosa at gmail.com> wrote:
>
> Hi...
>
> On Mon, Mar 26, 2012 at 11:45, V.Ravikumar
> <ravikumar.vallabhu at gmail.com> wrote:
> > For auditing purposes I need to intercept/hook the open/read/write
> > system calls.
> >
> > As I lack knowledge of kernel development, could somebody help me
> > out here?
> > I'm working on an RHEL-5 machine with Linux kernel version 2.6.18.
> > Thanks & Regards,
> > Ravi
>
> IMHO you had better use SystemTap, which is based on Kprobes. It can be
> used to hook into almost every part of the kernel, with very little
> overhead.
>
> OK, I'll also look into SystemTap.
>
> But in my sample module example code for intercepting a system call, how
> can I make the system_call_table address writable so that one can change
> it to a customized system call?
>
> Thanks & Regards,
> Ravi
>
You could use the tracepoints register_trace_sys_enter and
register_trace_sys_exit, as used by ftrace in
kernel/trace/trace_syscalls.c.
-Fredrick
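The SystemTap route suggested earlier in the thread, as an added example that is not code from either poster: it hooks open/read/write/close through the kprobe-backed syscall tapset, so nothing in sys_call_table is ever made writable or overwritten, and the probes are removed when stap exits. It assumes (not stated in the thread) that systemtap and the matching kernel-debuginfo packages are installed and that it is run as root; the want_uid filter is a hypothetical constant added for illustration.

```systemtap
#!/usr/bin/stap
# audit_io.stp -- added example, not code from the thread.
# Audits open/read/write by probing the syscall tapset instead of
# patching sys_call_table. Each read/write is attributed to the path
# that was passed to the open() which produced its fd.
#
# Assumed usage (root, systemtap + kernel-debuginfo installed):
#   stap audit_io.stp            # every process
#   stap -x 1234 audit_io.stp    # only pid 1234, via target()
# want_uid is a hypothetical filter: -1 reports every uid.

global want_uid = -1
global pending      # tid -> filename while an open() is in flight
global fdname       # [pid, fd] -> filename, set on a successful open()

# Common filter: honour -x PID, the uid filter, and skip stap's own
# process so the tool does not report its own I/O.
function interesting:long() {
    if (pid() == stp_pid()) return 0
    if (target() && pid() != target()) return 0
    if (want_uid >= 0 && uid() != want_uid) return 0
    return 1
}

# Entry: remember the filename per thread; the return probe sees only
# the result, not the arguments.  '?' keeps openat optional on kernels
# whose tapset lacks it.
probe syscall.open ?, syscall.openat ? {
    if (!interesting()) next
    pending[tid()] = filename
}

# Return: a non-negative result is the new fd, a negative one is -errno.
probe syscall.open.return ?, syscall.openat.return ? {
    if (!(tid() in pending)) next
    if ($return >= 0)
        fdname[pid(), $return] = pending[tid()]
    printf("%d %s[%d] uid=%d open(%s) = %d\n",
           gettimeofday_s(), execname(), pid(), uid(),
           pending[tid()], $return)
    delete pending[tid()]
}

# read/write entry: count is the size requested, not the bytes moved.
# fds inherited or opened before stap started are shown as "?".
probe syscall.read, syscall.write {
    if (!interesting()) next
    path = ([pid(), fd] in fdname) ? fdname[pid(), fd] : "?"
    printf("%d %s[%d] uid=%d %s(fd=%d %s, %d bytes)\n",
           gettimeofday_s(), execname(), pid(), uid(),
           name, fd, path, count)
}

# Drop the mapping so a reused fd number is not misattributed.
probe syscall.close {
    delete fdname[pid(), fd]
}
```

Two caveats worth knowing before relying on this for auditing: the read/write lines fire on entry, so the byte count is what the caller asked for (use the .return probes and $return if the actual transfer size matters), and the fd-to-path map only covers files opened while the script was running, which is why an unknown fd prints "?". Stopping stap with Ctrl-C unloads the generated module and removes every probe, which is the operational advantage over a hand-patched syscall table.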