From mboxrd@z Thu Jan  1 00:00:00 1970
From: j.neuschaefer@gmx.net (Jonathan =?utf-8?Q?Neusch=C3=A4fer?=)
Date: Sun, 27 Nov 2011 23:17:19 +0100
Subject: How to hook the system call?
In-Reply-To: <CAAdM-RWsvJ_EQUfmx8daZbahH54FAzAm4FniGCWbKK_z8mN4TQ@mail.gmail.com>
References: <CAAdM-RWsvJ_EQUfmx8daZbahH54FAzAm4FniGCWbKK_z8mN4TQ@mail.gmail.com>
Message-ID: <20111127221719.GA1522@debian.debian>
To: kernelnewbies@lists.kernelnewbies.org
List-Id: kernelnewbies.lists.kernelnewbies.org

On Wed, Nov 23, 2011 at 04:40:14PM +0800, Geraint Yang wrote:
> Hello everyone,
> 
> I am going to hook a system call like 'read' or 'send' by modifying the
> sys_call_table, but it seems that the sys_call_table is in read only page,
> how can I set modify the sys_call_table ? Or if there any method that I can
> use to hook a system call in module without modify the kernel source?

There's a kernel module for "advanced rickrolling" that overwrites the
open entry in the syscall table: https://github.com/fpletz/kernelroll

It does some trickery to make the page writable first.

HTH,
	Jonathan Neusch?fer