* Hooking a system call.
@ 2012-03-26 4:45 V.Ravikumar
2012-03-26 7:48 ` Mulyadi Santosa
0 siblings, 1 reply; 11+ messages in thread
From: V.Ravikumar @ 2012-03-26 4:45 UTC (permalink / raw)
To: kernelnewbies
For auditing purposes I need to intercept/hook the open/read/write system
calls.
I tried with the sample program below. When I insmod the module that
was built, my system hung. On some research I came to know that we
cannot modify the system call table as it is read-only.
#include <linux/module.h>
#include <linux/kernel.h>
#include <linux/unistd.h>

void **sys_call_table;
asmlinkage int (*original_call)(const char *, int, int);

asmlinkage int our_sys_open(const char *file, int flags, int mode)
{
        printk("A file was opened\n");
        return original_call(file, flags, mode);
}

int init_module(void)
{
        /* sys_call_table address taken from System.map */
        sys_call_table = (void *)0xc061e4e0;
        original_call = sys_call_table[__NR_open];
        /* this store is what hangs the machine: the table's page is read-only */
        sys_call_table[__NR_open] = our_sys_open;
        return 0;
}

void cleanup_module(void)
{
        /* Restore the original call */
        sys_call_table[__NR_open] = original_call;
}
As I lack knowledge of kernel development, could somebody help me
out here?
I'm working on a RHEL-5 machine with Linux kernel version 2.6.18
Thanks & Regards,
Ravi
* Hooking a system call.
2012-03-26 4:45 Hooking a system call V.Ravikumar
@ 2012-03-26 7:48 ` Mulyadi Santosa
2012-03-26 8:14 ` V.Ravikumar
2012-03-28 3:46 ` V.Ravikumar
0 siblings, 2 replies; 11+ messages in thread
From: Mulyadi Santosa @ 2012-03-26 7:48 UTC (permalink / raw)
To: kernelnewbies
Hi...
On Mon, Mar 26, 2012 at 11:45, V.Ravikumar <ravikumar.vallabhu@gmail.com> wrote:
> For auditing purposes I need to intercept/hook the open/read/write system
> calls.
>
> As I lack knowledge of kernel development, could somebody help me
> out here?
> I'm working on a RHEL-5 machine with Linux kernel version 2.6.18
> Thanks & Regards,
> Ravi
IMHO you had better use SystemTap, which is based on Kprobes. It can be
used to hook into almost every part of the kernel, with very little
overhead.
--
regards,
Mulyadi Santosa
Freelance Linux trainer and consultant
blog: the-hydra.blogspot.com
training: mulyaditraining.blogspot.com
* Hooking a system call.
2012-03-26 7:48 ` Mulyadi Santosa
@ 2012-03-26 8:14 ` V.Ravikumar
2012-03-26 8:27 ` Mulyadi Santosa
` (3 more replies)
2012-03-28 3:46 ` V.Ravikumar
1 sibling, 4 replies; 11+ messages in thread
From: V.Ravikumar @ 2012-03-26 8:14 UTC (permalink / raw)
To: kernelnewbies
On Mon, Mar 26, 2012 at 1:18 PM, Mulyadi Santosa
<mulyadi.santosa@gmail.com> wrote:
> Hi...
>
> On Mon, Mar 26, 2012 at 11:45, V.Ravikumar <ravikumar.vallabhu@gmail.com>
> wrote:
> > For auditing purposes I need to intercept/hook the open/read/write
> > system
> > calls.
> >
> > As I lack knowledge of kernel development, could somebody help me
> > out here?
> > I'm working on a RHEL-5 machine with Linux kernel version 2.6.18
> > Thanks & Regards,
> > Ravi
>
> IMHO you had better use SystemTap, which is based on Kprobes. It can be
> used to hook into almost every part of the kernel, with very little
> overhead.
>
Ok, I'll also look into SystemTap.
But in my sample module example code for intercepting a system call, how can
I make the system_call_table address writable so that one can change it to
a customized system call?
Thanks & Regards,
Ravi
* Hooking a system call.
2012-03-26 8:14 ` V.Ravikumar
@ 2012-03-26 8:27 ` Mulyadi Santosa
2012-03-26 13:04 ` Peter Senna Tschudin
2012-03-26 13:43 ` Javier Martinez Canillas
` (2 subsequent siblings)
3 siblings, 1 reply; 11+ messages in thread
From: Mulyadi Santosa @ 2012-03-26 8:27 UTC (permalink / raw)
To: kernelnewbies
On Mon, Mar 26, 2012 at 15:14, V.Ravikumar <ravikumar.vallabhu@gmail.com> wrote:
> But in my sample module example code for intercepting a system call, how can
> I make the system_call_table address writable so that one can change it to
> a customized system call?
My memory is a bit rigid about this part, but IIRC it's the work of the linker
script that puts the section that holds the syscall table into a read-only
section. Not sure if that attribute could be changed on the fly.
--
regards,
Mulyadi Santosa
Freelance Linux trainer and consultant
blog: the-hydra.blogspot.com
training: mulyaditraining.blogspot.com
* Hooking a system call.
2012-03-26 8:27 ` Mulyadi Santosa
@ 2012-03-26 13:04 ` Peter Senna Tschudin
0 siblings, 0 replies; 11+ messages in thread
From: Peter Senna Tschudin @ 2012-03-26 13:04 UTC (permalink / raw)
To: kernelnewbies
There are many syscall examples for systemtap at:
http://sourceware.org/systemtap/examples/
On Mar 26, 2012 6:09 AM, "Mulyadi Santosa" <mulyadi.santosa@gmail.com>
wrote:
> On Mon, Mar 26, 2012 at 15:14, V.Ravikumar <ravikumar.vallabhu@gmail.com>
> wrote:
> > But in my sample module example code for intercepting a system call, how
> > can I make the system_call_table address writable so that one can change
> > it to a customized system call?
>
> My memory is a bit rigid about this part, but IIRC it's the work of the linker
> script that puts the section that holds the syscall table into a read-only
> section. Not sure if that attribute could be changed on the fly.
>
> --
> regards,
>
> Mulyadi Santosa
> Freelance Linux trainer and consultant
>
> blog: the-hydra.blogspot.com
> training: mulyaditraining.blogspot.com
>
* Hooking a system call.
2012-03-26 8:14 ` V.Ravikumar
2012-03-26 8:27 ` Mulyadi Santosa
@ 2012-03-26 13:43 ` Javier Martinez Canillas
2012-03-26 15:30 ` Ravishankar
2012-03-26 20:22 ` Fredrick
3 siblings, 0 replies; 11+ messages in thread
From: Javier Martinez Canillas @ 2012-03-26 13:43 UTC (permalink / raw)
To: kernelnewbies
On Mon, Mar 26, 2012 at 10:14 AM, V.Ravikumar
<ravikumar.vallabhu@gmail.com> wrote:
>
>
> On Mon, Mar 26, 2012 at 1:18 PM, Mulyadi Santosa <mulyadi.santosa@gmail.com>
> wrote:
>>
>> Hi...
>>
>> On Mon, Mar 26, 2012 at 11:45, V.Ravikumar <ravikumar.vallabhu@gmail.com>
>> wrote:
>> > For auditing purposes I need to intercept/hook the open/read/write
>> > system
>> > calls.
>> >
>> > As I lack knowledge of kernel development, could somebody help
>> > me
>> > out here?
>> > I'm working on a RHEL-5 machine with Linux kernel version 2.6.18
>> > Thanks & Regards,
>> > Ravi
>>
>> IMHO you had better use SystemTap, which is based on Kprobes. It can be
>> used to hook into almost every part of the kernel, with very little
>> overhead.
>>
> Ok, I'll also look into SystemTap.
>
> But in my sample module example code for intercepting a system call, how can
> I make the system_call_table address writable so that one can change it to
> a customized system call?
>
> Thanks & Regards,
> Ravi
>
Updating the system_call_table is racy; that is why it is not writable.
You should really use kprobes or SystemTap for that.
Regards,
--
Javier Martínez Canillas
(+34) 682 39 81 69
Barcelona, Spain
* Hooking a system call.
2012-03-26 8:14 ` V.Ravikumar
2012-03-26 8:27 ` Mulyadi Santosa
2012-03-26 13:43 ` Javier Martinez Canillas
@ 2012-03-26 15:30 ` Ravishankar
2012-03-26 19:33 ` richard -rw- weinberger
2012-03-26 20:22 ` Fredrick
3 siblings, 1 reply; 11+ messages in thread
From: Ravishankar @ 2012-03-26 15:30 UTC (permalink / raw)
To: kernelnewbies
>> how can I make the system_call_table address writable so that one can
>> change it to a customized system call?

Like this:

unsigned int level;
pte_t *pte = lookup_address((unsigned long)sys_call_table, &level);
/* set the RW bit on the PTE that maps the table if it is not already set */
if (!(pte->pte & _PAGE_RW))
        pte->pte |= _PAGE_RW;
An awesome example of pretty much what you're trying to do can be found
here:
https://github.com/fpletz/kernelroll
Enjoy :D
* Hooking a system call.
2012-03-26 15:30 ` Ravishankar
@ 2012-03-26 19:33 ` richard -rw- weinberger
0 siblings, 0 replies; 11+ messages in thread
From: richard -rw- weinberger @ 2012-03-26 19:33 UTC (permalink / raw)
To: kernelnewbies
On Mon, Mar 26, 2012 at 5:30 PM, Ravishankar <cyberax82@gmail.com> wrote:
>
> An awesome example of pretty much what you're trying to do can be found
> here:
> https://github.com/fpletz/kernelroll
> Enjoy :D
This (absolutely not awesome) example shows perfectly how stupid and
dangerous hooking the syscall table is.
Don't do it. Period.
--
Thanks,
//richard
* Hooking a system call.
2012-03-26 8:14 ` V.Ravikumar
` (2 preceding siblings ...)
2012-03-26 15:30 ` Ravishankar
@ 2012-03-26 20:22 ` Fredrick
3 siblings, 0 replies; 11+ messages in thread
From: Fredrick @ 2012-03-26 20:22 UTC (permalink / raw)
To: kernelnewbies
On 03/26/2012 01:14 AM, V.Ravikumar wrote:
>
>
> On Mon, Mar 26, 2012 at 1:18 PM, Mulyadi Santosa
> <mulyadi.santosa at gmail.com <mailto:mulyadi.santosa@gmail.com>> wrote:
>
> Hi...
>
> On Mon, Mar 26, 2012 at 11:45, V.Ravikumar
> <ravikumar.vallabhu at gmail.com <mailto:ravikumar.vallabhu@gmail.com>>
> wrote:
> > For auditing purposes I need to intercept/hook the
> > open/read/write system
> > calls.
> >
> > As I lack knowledge of kernel development, could somebody
> > help me
> > out here?
> > I'm working on a RHEL-5 machine with Linux kernel version 2.6.18
> > Thanks & Regards,
> > Ravi
>
> IMHO you had better use SystemTap, which is based on Kprobes. It can be
> used to hook into almost every part of the kernel, with very little
> overhead.
>
> Ok, I'll also look into SystemTap.
>
> But in my sample module example code for intercepting a system call, how
> can I make the system_call_table address writable so that one can change
> it to a customized system call?
>
> Thanks & Regards,
> Ravi
>
You could use tracepoints,
register_trace_sys_enter / register_trace_sys_exit,
as used by ftrace in
kernel/trace/trace_syscalls.c
-Fredrick
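Added example (not code from any poster in this thread) of the tracepoint route Fredrick mentions, driven from SystemTap rather than from a module: it attaches to the raw sys_enter/sys_exit tracepoints, the same ones register_trace_sys_enter/_exit hook in-kernel, correlates entry and exit per thread, and counts calls and failing calls per process and syscall number. Assumptions: a kernel that has syscall tracepoints (CONFIG_TRACEPOINTS with syscall tracepoint support; the 2.6.18 kernel in this thread predates them), kernel debuginfo installed, and that SystemTap exposes the tracepoint arguments as $id and $regs for sys_enter and $ret for sys_exit. The file name syscount_tp.stp and the 10-second reporting interval are my choices.

```systemtap
#!/usr/bin/stap
# Added example, not code from the thread: count syscalls per process and
# number from the raw sys_enter/sys_exit tracepoints.
# Run as root:  stap -v syscount_tp.stp
#
# Assumptions: kernel with syscall tracepoints (newer than 2.6.18),
# debuginfo installed, tracepoint args exposed as $id/$regs and $ret.

global calls        # [execname, nr] -> number of entries seen
global errors       # [execname, nr] -> number of exits that returned -errno
global inflight     # tid -> nr of the syscall currently executing

probe kernel.trace("sys_enter") {
    inflight[tid()] = $id
    calls[execname(), $id]++
}

probe kernel.trace("sys_exit") {
    # A thread that was already inside a syscall when we attached has no
    # entry record; skip it rather than charging the wrong number.
    if (!(tid() in inflight)) next
    nr = inflight[tid()]
    delete inflight[tid()]
    # Syscalls report failure as -errno (errno < 4096). Calls that return
    # pointers (mmap, brk) can look negative on 32-bit, so this is a
    # heuristic, not a hard rule.
    if ($ret < 0 && $ret > -4096)
        errors[execname(), nr]++
}

probe timer.s(10), end {
    printf("%-16s %6s %10s %8s\n", "COMM", "NR", "CALLS", "ERRORS")
    # sort by call count, descending; top 20 rows only
    foreach ([comm, nr] in calls- limit 20)
        printf("%-16s %6d %10d %8d\n", comm, nr, calls[comm, nr],
               errors[comm, nr])
    delete calls
    delete errors
}
```

The syscall numbers printed are the architecture's (the $id value), so compare them against unistd.h for the machine being traced; the report clears its counters every interval so each table is a fresh 10-second window.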
* Hooking a system call.
2012-03-26 7:48 ` Mulyadi Santosa
2012-03-26 8:14 ` V.Ravikumar
@ 2012-03-28 3:46 ` V.Ravikumar
2012-03-28 6:10 ` rohan puri
1 sibling, 1 reply; 11+ messages in thread
From: V.Ravikumar @ 2012-03-28 3:46 UTC (permalink / raw)
To: kernelnewbies
On Mon, Mar 26, 2012 at 1:18 PM, Mulyadi Santosa
<mulyadi.santosa@gmail.com> wrote:
> Hi...
>
> On Mon, Mar 26, 2012 at 11:45, V.Ravikumar <ravikumar.vallabhu@gmail.com>
> wrote:
> > For auditing purposes I need to intercept/hook the open/read/write
> > system
> > calls.
> >
> > As I lack knowledge of kernel development, could somebody help me
> > out here?
> > I'm working on a RHEL-5 machine with Linux kernel version 2.6.18
> > Thanks & Regards,
> > Ravi
>
> IMHO you had better use SystemTap, which is based on Kprobes. It can be
> used to hook into almost every part of the kernel, with very little
> overhead.
>
>
Yes, SystemTap is an elegant way to hook system calls.
But I need some help while hooking the write system call. I need to print the
file name too, but the file name is not passed to the write system call. How can I
get the file for the write (or sys_write) system call?
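Added example (not code from any poster in this thread) for the SystemTap route Mulyadi and Peter recommend, which also covers the question just above about the file behind a write(): the script hooks open/read/write/close through the stock syscall tapset, remembers which path each successful open() returned an fd for, and looks that path up again when the same process reads or writes that fd. For fds it never saw opened (inherited from a parent, dup'ed, or opened before the script started) it falls back to walking the task's fd table. Assumptions: the syscall tapset provides syscall.open (filename, flags), syscall.read and syscall.write (fd, count) and syscall.close (fd); the fallback assumes kernel debuginfo is installed so that @cast can walk task_struct->files->fdt->fd, and that the dentry tapset provides fullpath_struct_file(). The file name audit_rw.stp is my choice.

```systemtap
#!/usr/bin/stap
# Added example, not code from the thread: audit open/read/write and
# resolve the file name behind a read()/write() by remembering what
# open() returned for each (pid, fd).
# Run as root:  stap -v audit_rw.stp
#
# Assumptions: stock syscall tapset (syscall.open/.read/.write/.close);
# the fallback assumes @cast can walk task_struct->files->fdt->fd
# (needs kernel debuginfo) and that fullpath_struct_file() exists.

global pending      # tid -> path passed to open(), until open() returns
global fdname       # [pid, fd] -> path, for fds we saw being opened

probe syscall.open {
    pending[tid()] = filename
    printf("%s[%d] open(\"%s\", 0x%x)\n", execname(), pid(), filename, flags)
}

probe syscall.open.return {
    # $return is the new fd, or a negative errno: only record successes
    if ($return >= 0 && (tid() in pending))
        fdname[pid(), $return] = pending[tid()]
    delete pending[tid()]
}

# Best-effort path for an fd we did not see being opened: walk the
# current task's fd table. Bounds-check against max_fds first so a bogus
# fd from a failing caller does not index past the table.
function fd_path:string(fd:long) {
    task = task_current()
    if (fd < 0 || fd >= @cast(task, "task_struct")->files->fdt->max_fds)
        return "<bad fd>"
    file = @cast(task, "task_struct")->files->fdt->fd[fd]
    if (file == 0)
        return "<closed>"
    return fullpath_struct_file(task, file)
}

function name_for:string(fd:long) {
    if ([pid(), fd] in fdname)
        return fdname[pid(), fd]
    return fd_path(fd)
}

probe syscall.read {
    printf("%s[%d] read(fd=%d -> %s, %d bytes)\n",
           execname(), pid(), fd, name_for(fd), count)
}

probe syscall.write {
    printf("%s[%d] write(fd=%d -> %s, %d bytes)\n",
           execname(), pid(), fd, name_for(fd), count)
}

probe syscall.close {
    # forget the mapping so a recycled fd number is not misattributed
    delete fdname[pid(), fd]
}
```

Stop it with Ctrl-C; because nothing in the kernel is patched, detaching leaves no hook behind, which is the practical difference from the module approach discussed earlier in the thread. On kernels where the C library implements open() through openat(), add a matching syscall.openat / syscall.openat.return pair, otherwise fdname stays empty and every read/write takes the slower fd-table fallback. The read/write probes fire for every process on the box, so on a busy system filter on execname() or pid() before printing.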
* Hooking a system call.
2012-03-28 3:46 ` V.Ravikumar
@ 2012-03-28 6:10 ` rohan puri
0 siblings, 0 replies; 11+ messages in thread
From: rohan puri @ 2012-03-28 6:10 UTC (permalink / raw)
To: kernelnewbies
On Wed, Mar 28, 2012 at 9:16 AM, V.Ravikumar
<ravikumar.vallabhu@gmail.com> wrote:
>
>
> On Mon, Mar 26, 2012 at 1:18 PM, Mulyadi Santosa <
> mulyadi.santosa at gmail.com> wrote:
>
>> Hi...
>>
>> On Mon, Mar 26, 2012 at 11:45, V.Ravikumar <ravikumar.vallabhu@gmail.com>
>> wrote:
>> > For auditing purposes I need to intercept/hook the open/read/write
>> > system
>> > calls.
>> >
>> > As I lack knowledge of kernel development, could somebody help
>> > me
>> > out here?
>> > I'm working on a RHEL-5 machine with Linux kernel version 2.6.18
>> > Thanks & Regards,
>> > Ravi
>>
>> IMHO you had better use SystemTap, which is based on Kprobes. It can be
>> used to hook into almost every part of the kernel, with very little
>> overhead.
>>
>>
> Yes, SystemTap is an elegant way to hook system calls.
>
> But I need some help while hooking the write system call. I need to print the
> file name too, but the file name is not passed to the write system call. How can I
> get the file for the write (or sys_write) system call?
>
Hi,
One way to do this is to map the physical page to a new virtual page, make
that page RW and then replace the entries with your handlers. Refer to vmap().
-Rohan