* Hooking a system call.
From: V.Ravikumar @ 2012-03-26 4:45 UTC (permalink / raw)
To: kernelnewbies

For auditing purposes I need to intercept/hook the open/read/write system
calls.
I tried with the sample program below. When I do an insmod of the module that
was built, my system hung. On some research I came to know that we
cannot modify the system call table as it is read-only.

#include <linux/module.h>
#include <linux/kernel.h>
#include <linux/unistd.h>   /* __NR_open */
#include <linux/linkage.h>  /* asmlinkage */

void **sys_call_table;
asmlinkage int (*original_call) (const char *, int, int);

/* Replacement handler: log the event, then forward to the original sys_open */
asmlinkage int our_sys_open(const char *file, int flags, int mode)
{
	printk(KERN_INFO "A file was opened\n");
	return original_call(file, flags, mode);
}

int init_module(void)
{
	/* sys_call_table address taken from System.map of this kernel */
	sys_call_table = (void **)0xc061e4e0;
	original_call = sys_call_table[__NR_open];
	/* This store is the one that hung the machine: the table is in a read-only page */
	sys_call_table[__NR_open] = our_sys_open;
	return 0;
}

void cleanup_module(void)
{
	/* Restore the original call */
	sys_call_table[__NR_open] = original_call;
}

MODULE_LICENSE("GPL");

As I lack knowledge of kernel development, could somebody help me
out here?
I'm working on RHEL-5 machine with Linux kernel version 2.6.18
Thanks & Regards,
Ravi

* Hooking a system call.
From: Mulyadi Santosa @ 2012-03-26 7:48 UTC (permalink / raw)
To: kernelnewbies

Hi...

On Mon, Mar 26, 2012 at 11:45, V.Ravikumar <ravikumar.vallabhu@gmail.com> wrote:
> For auditing purposes I need to intercept/hook the open/read/write system
> calls.
>
> As I lack knowledge of kernel development, could somebody help me
> out here?
> I'm working on a RHEL-5 machine with Linux kernel version 2.6.18
> Thanks & Regards,
> Ravi

IMHO you had better use SystemTap, which is based on Kprobes. It can be
used to hook into almost every part of the kernel system, with very little
overhead.

--
regards,

Mulyadi Santosa
Freelance Linux trainer and consultant

blog: the-hydra.blogspot.com
training: mulyaditraining.blogspot.com

* Hooking a system call.
From: V.Ravikumar @ 2012-03-26 8:14 UTC (permalink / raw)
To: kernelnewbies

On Mon, Mar 26, 2012 at 1:18 PM, Mulyadi Santosa <mulyadi.santosa@gmail.com> wrote:
> Hi...
>
> On Mon, Mar 26, 2012 at 11:45, V.Ravikumar <ravikumar.vallabhu@gmail.com> wrote:
> > For auditing purposes I need to intercept/hook the open/read/write
> > system calls.
> >
> > As I lack knowledge of kernel development, could somebody help me
> > out here?
> > I'm working on a RHEL-5 machine with Linux kernel version 2.6.18
> > Thanks & Regards,
> > Ravi
>
> IMHO you had better use SystemTap, which is based on Kprobes. It can be
> used to hook into almost every part of the kernel system, with very little
> overhead.
>

OK, I'll also look into SystemTap.

But in my sample module example code for intercepting a system call, how can I
make the system_call_table address writable so that one can change it to a
customized system call?

Thanks & Regards,
Ravi

* Hooking a system call.
From: Mulyadi Santosa @ 2012-03-26 8:27 UTC (permalink / raw)
To: kernelnewbies

On Mon, Mar 26, 2012 at 15:14, V.Ravikumar <ravikumar.vallabhu@gmail.com> wrote:
> But in my sample module example code for intercepting a system call, how can
> I make the system_call_table address writable so that one can change it to a
> customized system call?

My memory is a bit rigid about this part, but IIRC it's the work of the linker
script that puts the section that holds the syscall table into a read-only
section. Not sure if that attribute could be changed on the fly.

--
regards,

Mulyadi Santosa
Freelance Linux trainer and consultant

blog: the-hydra.blogspot.com
training: mulyaditraining.blogspot.com

* Hooking a system call.
From: Peter Senna Tschudin @ 2012-03-26 13:04 UTC (permalink / raw)
To: kernelnewbies

There are many syscall examples for systemtap at:
http://sourceware.org/systemtap/examples/

On Mar 26, 2012 6:09 AM, "Mulyadi Santosa" <mulyadi.santosa@gmail.com> wrote:
> On Mon, Mar 26, 2012 at 15:14, V.Ravikumar <ravikumar.vallabhu@gmail.com> wrote:
> > But in my sample module example code for intercepting a system call, how
> > can I make the system_call_table address writable so that one can change
> > it to a customized system call?
>
> My memory is a bit rigid about this part, but IIRC it's the work of the linker
> script that puts the section that holds the syscall table into a read-only
> section. Not sure if that attribute could be changed on the fly.
>
> --
> regards,
>
> Mulyadi Santosa
> Freelance Linux trainer and consultant
>
> blog: the-hydra.blogspot.com
> training: mulyaditraining.blogspot.com

* Hooking a system call.
From: Javier Martinez Canillas @ 2012-03-26 13:43 UTC (permalink / raw)
To: kernelnewbies

On Mon, Mar 26, 2012 at 10:14 AM, V.Ravikumar <ravikumar.vallabhu@gmail.com> wrote:
>
> On Mon, Mar 26, 2012 at 1:18 PM, Mulyadi Santosa <mulyadi.santosa@gmail.com> wrote:
>>
>> Hi...
>>
>> On Mon, Mar 26, 2012 at 11:45, V.Ravikumar <ravikumar.vallabhu@gmail.com> wrote:
>> > For auditing purposes I need to intercept/hook the open/read/write
>> > system calls.
>> >
>> > As I lack knowledge of kernel development, could somebody help
>> > me out here?
>> > I'm working on a RHEL-5 machine with Linux kernel version 2.6.18
>> > Thanks & Regards,
>> > Ravi
>>
>> IMHO you had better use SystemTap, which is based on Kprobes. It can be
>> used to hook into almost every part of the kernel system, with very little
>> overhead.
>>
> OK, I'll also look into SystemTap.
>
> But in my sample module example code for intercepting a system call, how can
> I make the system_call_table address writable so that one can change it to a
> customized system call?
>
> Thanks & Regards,
> Ravi
>

Updating the system_call_table is racy; that is why it is not writable. You
should really use kprobes or systemtap for that.

Regards,

--
Javier Martínez Canillas
(+34) 682 39 81 69
Barcelona, Spain

* Hooking a system call.
From: Ravishankar @ 2012-03-26 15:30 UTC (permalink / raw)
To: kernelnewbies

> > how can I make the system_call_table address writable so that one can
> > change it to a customized system call.

Like this:

    #include <asm/pgtable.h>   /* lookup_address(), pte_t, _PAGE_RW (x86) */

    unsigned int level;
    pte_t *pte = lookup_address((unsigned long)sys_call_table, &level);
    /* set the RW bit only if the page is currently read-only */
    if (!(pte->pte & _PAGE_RW))
        pte->pte |= _PAGE_RW;

An awesome example of pretty much what you're trying to do can be found here:
https://github.com/fpletz/kernelroll

Enjoy :D

* Hooking a system call.
From: richard -rw- weinberger @ 2012-03-26 19:33 UTC (permalink / raw)
To: kernelnewbies

On Mon, Mar 26, 2012 at 5:30 PM, Ravishankar <cyberax82@gmail.com> wrote:
>
> An awesome example of pretty much what you're trying to do can be found
> here:
> https://github.com/fpletz/kernelroll
> Enjoy :D

This (absolutely not awesome) example shows perfectly how stupid and dangerous
hooking the syscall table is.

Don't do it. Period.

--
Thanks,
//richard

* Hooking a system call.
From: Fredrick @ 2012-03-26 20:22 UTC (permalink / raw)
To: kernelnewbies

On 03/26/2012 01:14 AM, V.Ravikumar wrote:
>
> On Mon, Mar 26, 2012 at 1:18 PM, Mulyadi Santosa <mulyadi.santosa@gmail.com> wrote:
>
>     Hi...
>
>     On Mon, Mar 26, 2012 at 11:45, V.Ravikumar <ravikumar.vallabhu@gmail.com> wrote:
>     > For auditing purposes I need to intercept/hook the open/read/write
>     > system calls.
>     >
>     > As I lack knowledge of kernel development, could somebody
>     > help me out here?
>     > I'm working on a RHEL-5 machine with Linux kernel version 2.6.18
>     > Thanks & Regards,
>     > Ravi
>
>     IMHO you had better use SystemTap, which is based on Kprobes. It can be
>     used to hook into almost every part of the kernel system, with very little
>     overhead.
>
> OK, I'll also look into SystemTap.
>
> But in my sample module example code for intercepting a system call, how
> can I make the system_call_table address writable so that one can change
> it to a customized system call?
>
> Thanks & Regards,
> Ravi
>

You could use tracepoints, register_trace_sys_enter / register_trace_sys_exit,
as used by ftrace in kernel/trace/trace_syscalls.c

-Fredrick

* Hooking a system call.
From: V.Ravikumar @ 2012-03-28 3:46 UTC (permalink / raw)
To: kernelnewbies

On Mon, Mar 26, 2012 at 1:18 PM, Mulyadi Santosa <mulyadi.santosa@gmail.com> wrote:
> Hi...
>
> On Mon, Mar 26, 2012 at 11:45, V.Ravikumar <ravikumar.vallabhu@gmail.com> wrote:
> > For auditing purposes I need to intercept/hook the open/read/write
> > system calls.
> >
> > As I lack knowledge of kernel development, could somebody help me
> > out here?
> > I'm working on a RHEL-5 machine with Linux kernel version 2.6.18
> > Thanks & Regards,
> > Ravi
>
> IMHO you had better use SystemTap, which is based on Kprobes. It can be
> used to hook into almost every part of the kernel system, with very little
> overhead.
>

Yes, SystemTap is one of the elegant ways to hook system calls.

But I need one piece of help while hooking the write system call. I need to
print the file name also, but the file name is not passed to the write system
call. How can I get the file for the write (or sys_write) system call?
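One way to answer the question above with SystemTap, as an added example that is not from the thread: record the filename when open() returns, keyed by pid and fd, so that a later write() on that fd can be attributed to a file. The probe aliases syscall.open/.write/.close and their variables (filename, fd, count, $return) come from the standard syscall tapset; the script itself and the names pending/fdname are mine, and it assumes a SystemTap install with that tapset and the kernel debuginfo for the running kernel.

```systemtap
#!/usr/bin/stap
# Added example: attribute write() calls to a file name by remembering
# what open() was called with and which fd it returned.
# Assumes the syscall tapset (syscall.open / .write / .close) is available.

global pending    # tid -> filename passed to open(), until open() returns
global fdname     # [pid, fd] -> filename, for successfully opened files

probe syscall.open {
    pending[tid()] = filename
}

probe syscall.open.return {
    # $return is the new fd on success, or a negative errno on failure
    if ($return >= 0)
        fdname[pid(), $return] = pending[tid()]
    delete pending[tid()]
}

probe syscall.write {
    # Only report writes to fds this script saw opened; descriptors that
    # were inherited or opened before the script started are not in the table.
    if ([pid(), fd] in fdname)
        printf("%s(%d) wrote %d bytes to %s\n",
               execname(), pid(), count, fdname[pid(), fd])
}

probe syscall.close {
    # Drop the mapping so a reused fd number is not mis-attributed
    delete fdname[pid(), fd]
}
```

Files opened through openat(), duplicated with dup()/dup2() or inherited across fork() are not tracked by this script, so an auditing version needs probes for those paths too; to watch a single process, run it with stap -x PID and guard each probe with `if (pid() != target()) next`.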

* Hooking a system call.
From: rohan puri @ 2012-03-28 6:10 UTC (permalink / raw)
To: kernelnewbies

On Wed, Mar 28, 2012 at 9:16 AM, V.Ravikumar <ravikumar.vallabhu@gmail.com> wrote:
>
> On Mon, Mar 26, 2012 at 1:18 PM, Mulyadi Santosa <mulyadi.santosa@gmail.com> wrote:
>
>> Hi...
>>
>> On Mon, Mar 26, 2012 at 11:45, V.Ravikumar <ravikumar.vallabhu@gmail.com> wrote:
>> > For auditing purposes I need to intercept/hook the open/read/write
>> > system calls.
>> >
>> > As I lack knowledge of kernel development, could somebody help
>> > me out here?
>> > I'm working on a RHEL-5 machine with Linux kernel version 2.6.18
>> > Thanks & Regards,
>> > Ravi
>>
>> IMHO you had better use SystemTap, which is based on Kprobes. It can be
>> used to hook into almost every part of the kernel system, with very little
>> overhead.
>>
>
> Yes, SystemTap is one of the elegant ways to hook system calls.
>
> But I need one piece of help while hooking the write system call. I need to
> print the file name also, but the file name is not passed to the write system
> call. How can I get the file for the write (or sys_write) system call?
>

Hi,

One way to do this is to map the physical page to a new virtual page, make
that page RW and then replace it with your handlers. Refer to vmap().

-Rohan