* How to hook the system call?
From: Geraint Yang @ 2011-11-23 8:40 UTC
To: kernelnewbies

Hello everyone,

I am going to hook a system call like 'read' or 'send' by modifying the
sys_call_table, but it seems that the sys_call_table is in a read-only page.
How can I modify the sys_call_table? Or is there any method that I can use
to hook a system call from a module without modifying the kernel source?

Thanks!

--
Geraint Yang
Tsinghua University Department of Computer Science and Technology
* How to hook the system call?
From: Alexandru Juncu @ 2011-11-23 9:22 UTC
To: kernelnewbies

On Wed, Nov 23, 2011 at 10:40 AM, Geraint Yang <geraint0923@gmail.com> wrote:
> Hello everyone,
>
> I am going to hook a system call like 'read' or 'send' by modifying the
> sys_call_table, but it seems that the sys_call_table is in a read-only page.
> How can I modify the sys_call_table? Or is there any method that I can use
> to hook a system call from a module without modifying the kernel source?
>
> Thanks!

On a 2.6.35 kernel, it worked for me just by changing an entry in the
sys_call_table, within a kernel module. Something like this:

    spin_lock(&sys_call_table_lock);
    old_sys_calls[sys_call] = sys_call_table[sys_call];
    sys_call_table[sys_call] = interceptor;
    is_intercepted[sys_call] = 1;
    spin_unlock(&sys_call_table_lock);

    asmlinkage long interceptor(struct syscall_params sp)
    {
        long sys_call = sp.eax, r = 0;

        r = old_sys_calls[sys_call](sp);
        do_stuff();
        return r;
    }

--
Alexandru Juncu
* How to hook the system call?
From: Daniel Baluta @ 2011-11-23 10:10 UTC
To: kernelnewbies

On Wed, Nov 23, 2011 at 11:22 AM, Alexandru Juncu <alex.juncu@rosedu.org> wrote:
> On a 2.6.35 kernel, it worked for me just by changing an entry in the
> sys_call_table, within a kernel module. Something like this:

Alex,
I am pretty sure that you are using a hacked version of 2.6.35.

Geraint,
In order to be able to hook a syscall you must do the following:

1. export sys_call_table in arch/x86/kernel/i386_ksyms_32.c

    extern void* sys_call_table[];
    EXPORT_SYMBOL(sys_call_table);

2. make sys_call_table writable. In arch/x86/kernel/entry_32.S
   you must have:

    .section .data,"a"
    #include "syscall_table_32.S"

thanks,
Daniel.
* How to hook the system call?
From: Alexandru Juncu @ 2011-11-23 10:27 UTC
To: kernelnewbies

On Wed, Nov 23, 2011 at 12:10 PM, Daniel Baluta <daniel.baluta@gmail.com> wrote:
> Alex,
> I am pretty sure that you are using a hacked version of 2.6.35.
>
> Geraint,
> In order to be able to hook a syscall you must do the following:
>
> 1. export sys_call_table in arch/x86/kernel/i386_ksyms_32.c
>
>     extern void* sys_call_table[];
>     EXPORT_SYMBOL(sys_call_table);
>
> 2. make sys_call_table writable. In arch/x86/kernel/entry_32.S
>    you must have:
>
>     .section .data,"a"
>     #include "syscall_table_32.S"
>
> thanks,
> Daniel.

Ah, Daniel is right... I forgot about that part...
* How to hook the system call?
From: rohan puri @ 2011-11-23 12:02 UTC
To: kernelnewbies

On Wed, Nov 23, 2011 at 3:57 PM, Alexandru Juncu <alex.juncu@rosedu.org> wrote:
> On Wed, Nov 23, 2011 at 12:10 PM, Daniel Baluta <daniel.baluta@gmail.com> wrote:
> > Geraint,
> > In order to be able to hook a syscall you must do the following:
> >
> > 1. export sys_call_table in arch/x86/kernel/i386_ksyms_32.c
> >
> > 2. make sys_call_table writable. In arch/x86/kernel/entry_32.S
> >    you must have:
> >
> >     .section .data,"a"
> >     #include "syscall_table_32.S"
>
> Ah, Daniel is right... I forgot about that part...

You can get the address of the sys_call_table from /proc/kallsyms, and
regarding the read-only section of this symbol, you can re-map the
addresses by making use of the vmap API in the kernel. This will avoid the
need for compiling the kernel. But I would not recommend you to do this.
There is the LSM framework specifically available for this; try to see if
you can make use of that.

Regards,
Rohan Puri
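Added example, not code from the thread or from any of the posters: the two facts the replies above rely on (Alexandru's hook works by swapping a sys_call_table entry for a function in his module; Rohan's note that /proc/kallsyms gives symbol addresses) are also what a defender uses to detect such a hook. On a clean kernel every table entry resolves to the start of a kernel text symbol named like a syscall handler (sys_*, __x64_sys_*, ksys_*, sys_ni_syscall for unimplemented numbers); an entry that resolves into a loadable module, into the middle of a function, into data, or to no symbol at all is a red flag. The checker below parses a kallsyms-style listing and classifies each entry of a table dump. Both inputs are constructed sample data (the addresses and the module name "hookmod" are made up); how the table's entries are read out on a live system (a trusted kernel-side reader or a memory image) is outside this snippet.

```python
import re
from bisect import bisect_right
from dataclasses import dataclass
from typing import Optional

# One /proc/kallsyms line: "<hex addr> <type> <name>", plus "\t[module]" for module symbols.
KALLSYMS_RE = re.compile(r"^([0-9a-fA-F]+)\s+(\S)\s+(\S+)(?:\s+\[([^\]]+)\])?$")

# Symbol names a legitimate sys_call_table entry may resolve to (x86 naming, old and new).
SYSCALL_NAME_RE = re.compile(r"^(?:__x64_sys_|__ia32_sys_|__se_sys_|compat_sys_|ksys_|sys_)")


@dataclass(frozen=True)
class Symbol:
    addr: int
    kind: str               # nm-style type letter: T/t = text, D/d = data, ...
    name: str
    module: Optional[str]   # non-None when the symbol belongs to a loadable module


def parse_kallsyms(text: str) -> list:
    """Parse /proc/kallsyms-style text into Symbols sorted by address."""
    syms = []
    for line in text.splitlines():
        m = KALLSYMS_RE.match(line.strip())
        if m:  # blank or malformed lines are skipped
            addr, kind, name, module = m.groups()
            syms.append(Symbol(int(addr, 16), kind, name, module))
    syms.sort(key=lambda s: s.addr)
    return syms


def resolve(syms: list, addr: int) -> Optional[Symbol]:
    """Nearest symbol at or below addr, or None if addr precedes every symbol."""
    addrs = [s.addr for s in syms]
    i = bisect_right(addrs, addr)
    return syms[i - 1] if i else None


def classify_entry(addr: int, syms: list) -> tuple:
    """Verdict for one table entry: ('ok', symbol) or (reason, detail)."""
    sym = resolve(syms, addr)
    if sym is None:
        return ("unresolved", hex(addr))                          # outside every known symbol
    if sym.module is not None:
        return ("module-target", f"{sym.name} [{sym.module}]")    # handler lives in a module
    if sym.kind.lower() != "t":
        return ("non-text", sym.name)                             # points at data, not code
    if sym.addr != addr:
        return ("mid-symbol", f"{sym.name}+{addr - sym.addr:#x}")  # lands inside a function
    if not SYSCALL_NAME_RE.match(sym.name):
        return ("unexpected-symbol", sym.name)                    # kernel text, but not a handler
    return ("ok", sym.name)


def audit_table(table: dict, kallsyms_text: str) -> dict:
    """Classify every entry of a {syscall_nr: handler_address} dump."""
    syms = parse_kallsyms(kallsyms_text)
    return {nr: classify_entry(addr, syms) for nr, addr in sorted(table.items())}


def suspicious(findings: dict) -> list:
    """Syscall numbers whose entries did not resolve cleanly."""
    return [nr for nr, (verdict, _) in findings.items() if verdict != "ok"]


# Constructed sample kallsyms snapshot: addresses and the module name are made up.
SAMPLE_KALLSYMS = """\
ffffffff81000000 T _text
ffffffff81230000 T ksys_read
ffffffff81230120 T __x64_sys_read
ffffffff81230170 T __x64_sys_write
ffffffff812301c0 T __x64_sys_open
ffffffff81230210 T sys_ni_syscall
ffffffff82000000 D sys_call_table
ffffffffc0a00000 t interceptor\t[hookmod]
"""

# Constructed sys_call_table dump: entry 2 was redirected into a module, entry 4
# jumps into the middle of a handler, entry 5 points at data, entry 6 at nothing.
SAMPLE_TABLE = {
    0: 0xffffffff81230120,   # read  -> __x64_sys_read
    1: 0xffffffff81230170,   # write -> __x64_sys_write
    2: 0xffffffffc0a00000,   # open  -> interceptor [hookmod]
    3: 0xffffffff81230210,   # unimplemented -> sys_ni_syscall
    4: 0xffffffff81230130,   # __x64_sys_read+0x10
    5: 0xffffffff82000008,   # sys_call_table+0x8 (data)
    6: 0x0000000000001000,   # below every symbol
}

if __name__ == "__main__":
    for nr, (verdict, detail) in audit_table(SAMPLE_TABLE, SAMPLE_KALLSYMS).items():
        print(f"syscall {nr:3d}: {verdict:<18} {detail}")
```

The order of checks matters: a module symbol is reported as such even when the entry also lands mid-function, and a data symbol is reported as non-text before any offset is considered, so each entry gets the single most telling verdict. On a real system the kallsyms listing should be taken from a trusted source (the same kernel's System.map or a kallsyms read before the suspect module loaded), since a hook that also tampers with kallsyms output would defeat a check that trusts it blindly.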
* How to hook the system call?
From: Geraint Yang @ 2011-11-23 16:50 UTC
To: kernelnewbies

Hi,
Thank you all for helping me with this problem!
I don't want to modify my kernel source, so I am trying to learn to use the
LSM security hooks. Even though it seems that they can't hook all the system
calls, I think it should be enough for me.
Thanks again!

On Wed, Nov 23, 2011 at 8:02 PM, rohan puri <rohan.puri15@gmail.com> wrote:
> You can get the address of the sys_call_table from /proc/kallsyms, and
> regarding the read-only section of this symbol, you can re-map the
> addresses by making use of the vmap API in the kernel. This will avoid the
> need for compiling the kernel. But I would not recommend you to do this.
> There is the LSM framework specifically available for this; try to see if
> you can make use of that.
>
> Regards,
> Rohan Puri

--
Geraint Yang
Tsinghua University Department of Computer Science and Technology
* How to hook the system call?
From: Alexandru Juncu @ 2011-11-23 16:59 UTC
To: kernelnewbies

On Wed, Nov 23, 2011 at 6:50 PM, Geraint Yang <geraint0923@gmail.com> wrote:
> Hi,
> Thank you all for helping me with this problem!
> I don't want to modify my kernel source, so I am trying to learn to use the
> LSM security hooks. Even though it seems that they can't hook all the system
> calls, I think it should be enough for me.
> Thanks again!

I know that AppArmor can hook syscalls like read, write and memory
mapping and can deny or accept them. I am not sure if you can make it
do something else when hooked, but I know it has a script-like
configuration, so maybe you can take some other actions.
* How to hook the system call?
From: Geraint Yang @ 2011-11-23 18:05 UTC
To: kernelnewbies

Hi,
I have tried the LSM framework, but when I make my module I get
"warning: 'register_security' undefined". Then I checked security/security.c
and found out that register_security is not exported! So if I want to use
this function, I must hack the kernel by exporting it and recompiling the
kernel, which is allowed for me.
So... well, it seems that LSM doesn't work for a module without modifying
the kernel source.

On Thu, Nov 24, 2011 at 12:59 AM, Alexandru Juncu <alex.juncu@rosedu.org> wrote:
> I know that AppArmor can hook syscalls like read, write and memory
> mapping and can deny or accept them. I am not sure if you can make it
> do something else when hooked, but I know it has a script-like
> configuration, so maybe you can take some other actions.

--
Geraint Yang
Tsinghua University Department of Computer Science and Technology
* How to hook the system call?
From: Nuno Martins @ 2011-11-23 18:20 UTC
To: kernelnewbies

On Wed, Nov 23, 2011 at 6:05 PM, Geraint Yang <geraint0923@gmail.com> wrote:
> Hi,
> I have tried the LSM framework, but when I make my module I get
> "warning: 'register_security' undefined". Then I checked security/security.c
> and found out that register_security is not exported! So if I want to use
> this function, I must hack the kernel by exporting it and recompiling the
> kernel, which is allowed for me.
> So... well, it seems that LSM doesn't work for a module without modifying
> the kernel source.

If you can hook the system calls, you could try KProbes, which is a dynamic
instrumentation facility used in the Linux kernel. You could use a JProbe to
"capture" the function parameters of the instrumented function. If you have
KProbes in your kernel, you can create a module to instrument the syscall
that you want. Maybe it can be a starting point for you...
Other projects that use KProbes are DProbes and SystemTap; you can also give
them a look.

--
Nuno Martins
* How to hook the system call?
From: rohan puri @ 2011-11-24 4:04 UTC
To: kernelnewbies

On Wed, Nov 23, 2011 at 11:35 PM, Geraint Yang <geraint0923@gmail.com> wrote:
> Hi,
> I have tried the LSM framework, but when I make my module I get
> "warning: 'register_security' undefined". Then I checked security/security.c
> and found out that register_security is not exported! So if I want to use
> this function, I must hack the kernel by exporting it and recompiling the
> kernel, which is allowed for me.
> So... well, it seems that LSM doesn't work for a module without modifying
> the kernel source.

This function is declared as extern in the header linux/security.h; you can
include this header in your code and call this function.

Regards,
Rohan Puri
* How to hook the system call?
From: Jonathan Neuschäfer @ 2011-11-27 22:17 UTC
To: kernelnewbies

On Wed, Nov 23, 2011 at 04:40:14PM +0800, Geraint Yang wrote:
> Hello everyone,
>
> I am going to hook a system call like 'read' or 'send' by modifying the
> sys_call_table, but it seems that the sys_call_table is in a read-only page.
> How can I modify the sys_call_table? Or is there any method that I can use
> to hook a system call from a module without modifying the kernel source?

There's a kernel module for "advanced rickrolling" that overwrites the
open entry in the syscall table: https://github.com/fpletz/kernelroll

It does some trickery to make the page writable first.

HTH,
	Jonathan Neuschäfer
* How to hook the system call?
From: richard -rw- weinberger @ 2011-11-28 1:12 UTC
To: kernelnewbies

On Sun, Nov 27, 2011 at 11:17 PM, Jonathan Neuschäfer <j.neuschaefer@gmx.net> wrote:
> On Wed, Nov 23, 2011 at 04:40:14PM +0800, Geraint Yang wrote:
>> I am going to hook a system call like 'read' or 'send' by modifying the
>> sys_call_table, but it seems that the sys_call_table is in a read-only page.
>> How can I modify the sys_call_table? Or is there any method that I can use
>> to hook a system call from a module without modifying the kernel source?

Please keep in mind that hooking a system call is very bad and error prone.

--
Thanks,
//richard
* How to hook the system call?
From: Geraint Yang @ 2011-11-28 2:12 UTC
To: kernelnewbies

Thanks for the advice!
I am using the LSM framework even though it needs recompiling the kernel.
But I will also give the kernelroll module a try.
Modifying sys_call_table is easier to get wrong, but it gives more freedom
than the LSM framework, which can only hook at a limited set of hooking
points.

On Mon, Nov 28, 2011 at 9:12 AM, richard -rw- weinberger <richard.weinberger@gmail.com> wrote:
> Please keep in mind that hooking a system call is very bad and error prone.

--
Geraint Yang
Tsinghua University Department of Computer Science and Technology
* How to hook the system call?
From: Jonathan Neuschäfer @ 2011-11-28 9:48 UTC
To: kernelnewbies

On Mon, Nov 28, 2011 at 02:12:37AM +0100, richard -rw- weinberger wrote:
> Please keep in mind that hooking a system call is very bad and error prone.

Sure.

--
Jonathan Neuschäfer