From mboxrd@z Thu Jan 1 00:00:00 1970
From: levonshe@yandex.com (Lev Olshvang)
Date: Mon, 06 Mar 2017 10:18:26 +0300
Subject: how to get filename of execve() system call from kernel module which installs hook to syscall table to intercept original syscall in kernels before 4.2 and after 4.2 ? X86_64
Message-ID: <8698561488784706@web17j.yandex.ru>
To: kernelnewbies@lists.kernelnewbies.org
List-Id: kernelnewbies.lists.kernelnewbies.org

Hello all,

In kernels 3.X up to 4.2, the execve() system call for the x86_64 architecture was made through some magic (I can't say I understand it) assembly stub in arch/x86/kernel/entry_64.S, so up to kernel 4.2 it was possible to patch this assembly to install the hook, e.g. see
http://stackoverflow.com/questions/8372912/hooking-sys-execve-on-linux-3-x/9672512#9672512

But this hook still can't access the filename argument in a proper way, although I tried to do it in the same way as fs/exec.c does: using the kernel's getname() function (which I needed to find through kallsyms_lookup_name()).

In kernels 4.2 and up, arch/x86/kernel/entry_64.S is gone, and I still don't have a clue what to do to get the filename as a char string.

Please advise.

Lev.