Re: intercepting syscalls

From: Zan Lynx
Date: Fri Apr 15 2005 - 14:29:19 EST

Next message: Matt Mackall: "Re: Fortuna"
Previous message: Andre Tomt: "Re: [SATA] status reports updated"
In reply to: Timur Tabi: "Re: intercepting syscalls"
Next in thread: Petr Baudis: "Re: intercepting syscalls"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Fri, 2005-04-15 at 14:04 -0400, Igor Shmukler wrote:
> Hello,
> We are working on a LKM for the 2.6 kernel.
> We HAVE to intercept system calls. I understand this could be
> something developers are no encouraged to do these days, but we need
> this.
> Patching kernel to export sys_call_table is not an option. The fast
> and dirty way to do this would be by using System.map, but I would
> rather we find a cleaner approach.

These ideas are hardly a clean approach but might work although I
haven't tried:

Hook into an existing kernel function that is exported to modules that
can be called by a system call, like a /proc or /sys file. On a
sys_read or sys_write to your /proc file, perform a stack trace back to
the system call, then search and adjust to find the system call table
pointer.

You might also be able to look at the int $80 vector and grub through
the machine code to find it.

Of course, anything like this will probably only work on x86 and need to
be rewritten for each architecture. Very messy.
--
Zan Lynx <zlynx@xxxxxxx>

Attachment: signature.asc
Description: This is a digitally signed message part

Next message: Matt Mackall: "Re: Fortuna"
Previous message: Andre Tomt: "Re: [SATA] status reports updated"
In reply to: Timur Tabi: "Re: intercepting syscalls"
Next in thread: Petr Baudis: "Re: intercepting syscalls"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]