How to hook the system call?

Geraint Yang geraint0923 at gmail.com
Wed Nov 23 11:50:25 EST 2011


Hi,
Thank all of you for helping me with my problem!
I don't want to modify my kernel source, so I am trying to learn to use the LSM
security hooks. Even though it seems they can't hook all the system
calls, I think it should be enough for me.
Thanks again!



On Wed, Nov 23, 2011 at 8:02 PM, rohan puri <rohan.puri15 at gmail.com> wrote:

>
>
> On Wed, Nov 23, 2011 at 3:57 PM, Alexandru Juncu <alex.juncu at rosedu.org> wrote:
>
>> On Wed, Nov 23, 2011 at 12:10 PM, Daniel Baluta <daniel.baluta at gmail.com>
>> wrote:
>> > On Wed, Nov 23, 2011 at 11:22 AM, Alexandru Juncu <
>> alex.juncu at rosedu.org> wrote:
>> >> On Wed, Nov 23, 2011 at 10:40 AM, Geraint Yang <geraint0923 at gmail.com>
>> wrote:
>> >>> Hello everyone,
>> >>>
>> >>> I am going to hook a system call like 'read' or 'send' by modifying the
>> >>> sys_call_table, but it seems that the sys_call_table is in a read-only
>> >>> page. How can I modify the sys_call_table? Or is there any method that
>> >>> I can use to hook a system call in a module without modifying the kernel
>> >>> source?
>> >>>
>> >>> Thanks!
>> >>
>> >> On a 2.6.35 kernel, it worked for me just by changing an entry in the
>> >> sys_call_table, within a kernel module.  Something like this:
>> >
>> > Alex,
>> > I am pretty sure that you are using a hacked version of 2.6.35.
>> >
>> > Geraint,
>> > In order to be able to hook a syscall you must do the following:
>> >
>> > 1. export syscall_table in arch/x86/kernel/i386_ksyms_32.c
>> >
>> > extern void* sys_call_table[];
>> > EXPORT_SYMBOL(sys_call_table);
>> >
>> > 2. make sys_call_table writable. In arch/x86/kernel/entry_32.S
>> > you must have:
>> >
>> > .section .data,"a"
>> > #include "syscall_table_32.S"
>> >
>> > thanks,
>> > Daniel.
>> >
>>
>> Ah, Daniel is right... I forgot about that part...
>>
>>
>
> You can get the address of the sys_call_table from /proc/kallsyms, and
> regarding the read-only section of this symbol, you can re-map the
> addresses by making use of the vmap API in the kernel. This will avoid the need
> to recompile the kernel. But I would not recommend you to do this.
> There is the LSM framework specifically available for this; try to see if you
> can make use of that.
>
> Regards,
> Rohan Puri
>



-- 
Geraint Yang
Tsinghua University Department of Computer Science and Technology
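Daniel's two source changes (exporting sys_call_table and moving it into a writable .data section) both leave traces in the kernel's symbol table, and a defender can check a running kernel for them. The script below is an added example written for this thread, not code posted by any of the participants. It assumes the nm-style type letters that /proc/kallsyms uses (R/r for read-only data, D/d for initialized writable data) and that EXPORT_SYMBOL() produces a `__ksymtab_<name>` entry; the two kallsyms excerpts are constructed for the demonstration, and on a live system you would feed `sct_report < /proc/kallsyms` instead (addresses may be masked for unprivileged users, but names and types remain).

```shell
#!/bin/sh
# Check whether sys_call_table is in a writable section and whether it is
# exported to modules, judging from kallsyms-format input on stdin
# ("address type name [module]" per line).

# Print the symbol type letter of sys_call_table ("" if not listed).
sct_section_class() {
    awk '$3 == "sys_call_table" { print $2; exit }'
}

# Print "yes" if an EXPORT_SYMBOL entry for sys_call_table exists, else "no".
sct_exported() {
    awk '$3 == "__ksymtab_sys_call_table" { found = 1; exit }
         END { print (found ? "yes" : "no") }'
}

# Human-readable summary of both checks for one kallsyms listing.
sct_report() {
    input=$(cat)                      # stdin is consumed twice, so buffer it
    t=$(printf '%s\n' "$input" | sct_section_class)
    case "$t" in
        "")   echo "sys_call_table: not listed (kallsyms stripped or hidden)" ;;
        [Rr]) echo "sys_call_table: read-only data (type $t)" ;;
        [Dd]) echo "sys_call_table: WRITABLE data (type $t) - table lives in .data" ;;
        *)    echo "sys_call_table: unexpected symbol type '$t'" ;;
    esac
    echo "exported to modules: $(printf '%s\n' "$input" | sct_exported)"
}

# Constructed sample: a stock 32-bit kernel, table in read-only data, not exported.
STOCK_KALLSYMS='c1000000 T _stext
c15e0280 R sys_call_table
c1690000 r __ksymtab_printk'

# Constructed sample: a kernel rebuilt with the thread's two changes applied.
PATCHED_KALLSYMS='c1000000 T _stext
c1580280 D sys_call_table
c1690000 r __ksymtab_printk
c1690010 r __ksymtab_sys_call_table'

echo "== stock kernel =="
printf '%s\n' "$STOCK_KALLSYMS" | sct_report
echo "== patched kernel =="
printf '%s\n' "$PATCHED_KALLSYMS" | sct_report
```

A D/d type or a `__ksymtab_sys_call_table` entry does not by itself prove that an entry in the table has been redirected, only that the kernel was built so that a module could do so; comparing the table's entries against the `sys_*` symbols is a separate check that needs kernel-side access.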