kernelnewbies.kernelnewbies.org archive mirror
From: geraint0923@gmail.com (Geraint Yang)
To: kernelnewbies@lists.kernelnewbies.org
Subject: How to hook the system call?
Date: Thu, 24 Nov 2011 00:50:25 +0800
Message-ID: <CAAdM-RXuuDewT3rqvYubHqtdCzBQPSp+cdwcYKS5KYLwxmkkcA@mail.gmail.com>
In-Reply-To: <CALJfu6NR-Qo5E_AZu-D8o33nzgtVEHwE9398v4Yh-oxr97muZg@mail.gmail.com>

Hi,
Thank all of you for helping me with the problem!
I don't want to modify my kernel source, so I am trying to learn to use the LSM
security hooks. Even though it seems they can't hook all the system calls,
I think it should be enough for me.
Thanks again!



On Wed, Nov 23, 2011 at 8:02 PM, rohan puri <rohan.puri15@gmail.com> wrote:

>
>
> On Wed, Nov 23, 2011 at 3:57 PM, Alexandru Juncu <alex.juncu@rosedu.org>wrote:
>
>> On Wed, Nov 23, 2011 at 12:10 PM, Daniel Baluta <daniel.baluta@gmail.com>
>> wrote:
>> > On Wed, Nov 23, 2011 at 11:22 AM, Alexandru Juncu <
>> alex.juncu at rosedu.org> wrote:
>> >> On Wed, Nov 23, 2011 at 10:40 AM, Geraint Yang <geraint0923@gmail.com>
>> wrote:
>> >>> Hello everyone,
>> >>>
>> >>> I am going to hook a system call like 'read' or 'send' by modifying
>> >>> the sys_call_table, but it seems that the sys_call_table is in a read-only
>> >>> page. How can I modify the sys_call_table? Or is there any method that
>> >>> I can use to hook a system call in a module without modifying the kernel source?
>> >>>
>> >>> Thanks!
>> >>
>> >> On a 2.6.35 kernel, it worked for me just by changing an entry in the
>> >> sys_call_table, within a kernel module.  Something like this:
>> >
>> > Alex,
>> > I am pretty sure that you are using a hacked version of 2.6.35.
>> >
>> > Geraint,
>> > In order to be able to hook a syscall you must do the following:
>> >
>> > 1. export syscall_table in arch/x86/kernel/i386_ksyms_32.c
>> >
>> > extern void* sys_call_table[];
>> > EXPORT_SYMBOL(sys_call_table);
>> >
>> > 2. make sys_call_table writable. In arch/x86/kernel/entry_32.S
>> > you must have:
>> >
>> > .section .data,"a"
>> > #include "syscall_table_32.S"
>> >
>> > thanks,
>> > Daniel.
>> >
>>
>> Ah, Daniel is right... I forgot about that part...
>>
>> _______________________________________________
>> Kernelnewbies mailing list
>> Kernelnewbies at kernelnewbies.org
>> http://lists.kernelnewbies.org/mailman/listinfo/kernelnewbies
>>
>
> You can get the address of the sys_call_table from /proc/kallsyms and,
> regarding the read-only section of this symbol, you can re-map the
> addresses by making use of the vmap API in the kernel. This will avoid the need for
> the compilation of the kernel. But I would not recommend you to do this.
> There is the LSM framework specifically available for this; try to see if you
> can make use of that.
>
> Regards,
> Rohan Puri
>



-- 
Geraint Yang
Tsinghua University Department of Computer Science and Technology
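As an added example (not code from the thread or from any of the posters): a small Python audit that parses a listing in the /proc/kallsyms format Rohan mentions and reports how sys_call_table is exposed, so an administrator can tell whether a kernel carries the two changes Daniel describes (table moved into writable .data, and EXPORT_SYMBOL() applied, which appears as a __ksymtab_sys_call_table companion symbol). The listings below are constructed samples, not from a real machine.

```python
"""Audit a kallsyms listing for how sys_call_table is exposed (added example)."""

# Constructed sample in /proc/kallsyms format ("address type name"), not a real machine.
# 'R'/'r' = read-only data, 'D'/'d' = writable .data, 'T'/'t' = text; uppercase = global.
STOCK_KALLSYMS = """\
ffffffff81000000 T _text
ffffffff81c00000 R sys_call_table
ffffffff81c01000 R ia32_sys_call_table
ffffffff81d00010 r __ksymtab_printk
ffffffff81e00000 D init_task
"""

# Constructed sample modelling a kernel patched as Daniel describes: the table placed
# in .data and EXPORT_SYMBOL()'d, which gives it a __ksymtab_<name> companion symbol.
PATCHED_KALLSYMS = """\
ffffffff81000000 T _text
ffffffff81e00100 D sys_call_table
ffffffff81d00020 r __ksymtab_sys_call_table
"""

# With kptr_restrict set, unprivileged readers see every address as zero.
RESTRICTED_KALLSYMS = "0000000000000000 R sys_call_table\n"


def parse_kallsyms(text):
    """Map symbol name -> (address, type letter); module symbols carry a 4th '[mod]' field."""
    syms = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3:
            syms[parts[2]] = (int(parts[0], 16), parts[1])
    return syms


def audit_syscall_table(text, name="sys_call_table"):
    """Report what a kallsyms listing says about the syscall table.

    'writable' is an indication from the section type letter, not proof of the
    page permissions; 'exported' means a __ksymtab_ entry exists (EXPORT_SYMBOL).
    """
    syms = parse_kallsyms(text)
    if name not in syms:
        return {"present": False, "readable": False, "writable": False, "exported": False}
    addr, typ = syms[name]
    return {
        "present": True,
        "readable": addr != 0,
        "writable": typ in ("d", "D"),
        "exported": "__ksymtab_" + name in syms,
    }
```

On a live system, feed it the contents of /proc/kallsyms read as root; a zero address means kptr_restrict is hiding the symbols rather than that they are absent.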