RE: execve replacement.

From: Abel Muñoz Alcaraz (abel@trymedia.com)
Date: Wed Oct 04 2000 - 09:53:07 EST


I need something to tell my module when a user application has started
or finished, and what its name and pid are.

I have rewritten my function and it seems that it works well.

Remember, it is only an example:
=========================================================================

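#include <linux/module.h>
#include <linux/kernel.h>    /* printk() */
#include <linux/sched.h>     /* current, PF_DTRACE */
#include <linux/smp_lock.h>  /* lock_kernel(), unlock_kernel() */
#include <linux/fs.h>        /* getname(), putname(), IS_ERR(), PTR_ERR() */
#include <linux/binfmts.h>   /* do_execve() */
#include <asm/unistd.h>      /* __NR_execve, __NR_kill, __NR_exit */

extern void *sys_call_table[];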

asmlinkage int (*system_execve)(struct pt_regs);
asmlinkage int (*system_kill)(pid_t, int);
asmlinkage void (*system_exit)(int);

asmlinkage int my_kill(pid_t pid, int sign)
{
        printk("\nPROCMON: Killing process %d.\n", pid);

        return system_kill(pid, sign);
}

asmlinkage void my_exit(int status)
{
        printk("\nPROCMON: Exiting process %d.\n", current->pid);

        system_exit(status); /* void function: call the saved handler, nothing to return */
}

asmlinkage int my_execve(struct pt_regs regs)
{
        int error;
        char * filename;

        lock_kernel();

        filename = getname((char *) regs.ebx); //What does getname() do?
        error = PTR_ERR(filename);
        if (IS_ERR(filename))
        {
                unlock_kernel();

                return error;
        }

        error = do_execve(filename, (char **) regs.ecx, (char **) regs.edx, &regs);
        if (error == 0)
        {
                current->flags &= ~PF_DTRACE; // ?????

                printk("\nPROCMON: Executing process (%d) %s\n", current->pid, filename);
        }

        putname(filename); //What does putname() do?

        unlock_kernel();

        return error;
}

int init_module()
{
        system_execve = sys_call_table[__NR_execve];
        system_kill = sys_call_table[__NR_kill];
        system_exit = sys_call_table[__NR_exit];

        sys_call_table[__NR_execve] = my_execve;
        sys_call_table[__NR_kill] = my_kill;
        sys_call_table[__NR_exit] = my_exit;

        return 0;
}

void cleanup_module()
{
        if (sys_call_table[__NR_execve] != my_execve)
        {
                printk(KERN_INFO "\nThe system has been left in an unpredictable state.\nPlease, reboot it.\n");
        }

        sys_call_table[__NR_exit] = system_exit;
        sys_call_table[__NR_kill] = system_kill;
        sys_call_table[__NR_execve] = system_execve;
}

If you know a better way, please tell me.

-Abel.

-----Original Message-----
From: John Levon [mailto:moz@compsoc.man.ac.uk]
Sent: Wednesday, 04 October 2000 16:21
To: Abel Muñoz Alcaraz
Subject: RE: execve replacement.

On Wed, 4 Oct 2000, Abel Muñoz Alcaraz wrote:

> I need to create a process hook.
> Do you know another way?
>
> -Abel.

what do you mean by a hook ? what exact info do you need and when ? than

john

--
"The Internet is a shallow and unreliable electronic repository of dirty
pictures, inaccurate rumors,
 bad spelling and worse grammar, inhabited largely by people with no
demonstrable social skills."
	- Chronicle of Higher Education
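
The posted cleanup_module() tests only the execve slot and then writes all three saved pointers back regardless. As an added example (not code from the original post; a user-space model in which table, hook_install, hook_remove and the handler names are all constructed), this checks every slot before restoring it and reports the slots that another hooker has since taken over:

```c
#include <stddef.h>
typedef int (*handler_t)(int);
enum { NR_EXECVE, NR_KILL, NR_EXIT, NR_SLOTS };

/* Constructed stand-ins: original handlers, module A's hooks, module B's hook. */
static int orig_execve(int x) { return x + 1; }
static int orig_kill(int x)   { return x + 2; }
static int orig_exit(int x)   { return x + 3; }
static int a_execve(int x)    { return x + 11; }
static int a_kill(int x)      { return x + 12; }
static int a_exit(int x)      { return x + 13; }
static int b_execve(int x)    { return x + 21; }

static handler_t table[NR_SLOTS] = { orig_execve, orig_kill, orig_exit };
struct hook { int slot; handler_t mine; handler_t saved; };

static void hook_install(struct hook *h)
{
    h->saved = table[h->slot];   /* remember what the slot held */
    table[h->slot] = h->mine;
}

/* Restore only if the slot still holds our handler; -1 = someone hooked on top. */
static int hook_remove(struct hook *h)
{
    if (table[h->slot] != h->mine)
        return -1;               /* writing h->saved here would remove their hook */
    table[h->slot] = h->saved;
    return 0;
}

/* Undo hooks in reverse order; returns the number of slots left untouched. */
static int hooks_remove_all(struct hook *hooks, size_t n)
{
    int busy = 0;
    while (n-- > 0)
        busy += (hook_remove(&hooks[n]) != 0);
    return busy;
}

/* A hooks all three slots, B then hooks execve, A is removed first. */
static int demo_stacked_unload(void)
{
    struct hook a[] = { { NR_EXECVE, a_execve, NULL }, { NR_KILL, a_kill, NULL },
                        { NR_EXIT, a_exit, NULL } };
    struct hook b = { NR_EXECVE, b_execve, NULL };
    for (size_t i = 0; i < 3; i++)
        hook_install(&a[i]);
    hook_install(&b);
    return hooks_remove_all(a, 3);
}
int main(void) { return demo_stacked_unload() == 1 ? 0 : 1; }
```

A non-zero count means the slot still routes through a later hooker whose saved pointer refers to the handler being removed, so that handler's code has to stay resident until the later hook is gone.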
