From mboxrd@z Thu Jan 1 00:00:00 1970 From: fjohnber@zoho.com (Fredrick) Date: Mon, 26 Mar 2012 13:22:34 -0700 Subject: Hooking a system call. In-Reply-To: References: Message-ID: <4F70D00A.3010001@zoho.com> To: kernelnewbies@lists.kernelnewbies.org List-Id: kernelnewbies.lists.kernelnewbies.org On 03/26/2012 01:14 AM, V.Ravikumar wrote: > > > On Mon, Mar 26, 2012 at 1:18 PM, Mulyadi Santosa > > wrote: > > Hi... > > On Mon, Mar 26, 2012 at 11:45, V.Ravikumar > > > wrote: > > As part of auditing purpose I need to intercept/hook > open/read/write system > > calls. > > > > As I was lack of knowledge into kernel development.Could somebody > help me > > out here ? > > I'm working on RHEL-5 machine with Linux kernel version 2.6.18 > > Thanks & Regards, > > Ravi > > IMHO you better use SystemTap, which is based on Kprobes. It can be > used to hook into almost every part of kernel system, with very less > overhead. > > Ok I'll also look into System Tap. > > But in my sample module example code for intercepting system call. how > can I make system_call_table address to writable so that one can change > to customized system call. > > Thanks & Regards, > Ravi > You could use tracepoints, register_trace_sys_enter register_trace_sys_exit as used by ftrace in kernel/trace/trace_syscalls.c -Fredrick