Hi Ashish,

Well, there are workarounds to do the required system call hacking. What you can do is, before loading the kernel module, look up the address of sys_call_table in the /boot/System.map file and pass this address to the kernel module at loading time as a parameter. The kernel module can store this address in an unsigned long variable and use it as a pointer to sys_call_table.

This is a workaround, but not a secure way to do it, as System.map lies in the filesystem and anybody can modify or change the name of this file; in that case your module will not be loaded properly.

The other and secure way to do this (specially for the i386 platform) is to do the following in your module initialization function.

1. Get the pointer to the IDT (Interrupt Descriptor Table), using the SIDT assembly instruction. This instruction will store the value of the IDTR register of the processor, which actually is a pointer to the IDT in the kernel.

2. Once you get the pointer to the IDT, get to the 128th entry of the IDT by multiplying 128 by 8 (as each entry in the IDT is 8 bytes) and adding that to the IDT pointer, which we got in the first step. This is a pointer to the system gate through which system calls enter kernel mode.

3. As each entry in the IDT is 8 bytes, you are now pointing to the system call entry in the IDT. Get the offset from this entry (1, 2, 7 and 8th bytes). To know the format of this entry in the IDT, read the article: http://www.osdever.net/tutorials/interrupts.3.php?the_id=41

4. Once you get an offset, it's a pointer to the system_call() function, which actually calls the specific system call after checking the system call number passed. You can find this function at the following link: http://lxr.linux.no/source/arch/i386/kernel/entry.S?v=2.4.21#L202

5. Now comes some complex thing. You have a pointer to this function; now you need to check for the following assembly instruction in it:

    call *SYMBOL_NAME(sys_call_table)(,%eax,4)

It is the instruction which calls the specific system call by looking it up in the sys_call_table array of pointers. You need to know the machine instruction corresponding to this assembly instruction. I don't exactly remember the bit sequence for it, which we need to check. You need to check the first 3 bytes of this machine instruction; if they match, your pointer is on this instruction. Now pick the next four bytes, and that will be the base address of sys_call_table.

Just for explanation, I am assuming that the first 3 bytes in the machine instruction corresponding to the above mentioned assembly instruction are as follows: 0x2A 0x34 0xBE. Assuming this, the following code will get you the pointer to the sys_call_table array, which is the system call table in the kernel. In the following code 'p' contains the pointer to the system_call() function (this is after step 4 mentioned above).

    /* 0x2A 0x34 0xBE are the assumed bytes from the text above, not the
     * real encoding. Compare as unsigned char: with a signed char the
     * 0xBE comparison could never be true. */
    if ((*((unsigned char *)p) == 0x2A) &&
        (*((unsigned char *)p + 1) == 0x34) &&
        (*((unsigned char *)p + 2) == 0xBE)) {
        p = ((char *)p + 3);                        /* skip the 3 matched bytes */
        sys_call_table_ptr = *((unsigned long *)p); /* next four bytes: table base */
    }

After this code we have the pointer to sys_call_table in the 'sys_call_table_ptr' pointer variable.

NOTE: the second method is only for the i386 platform, as it depends upon the machine instruction format.

Hope things are not too complex ..... well, you can contact me on my mobile (040-32384853) if you want to discuss something, as the second method is something which I have also used. I might be of some help to you.

Regards,
Gaurav

-----Original Message-----
From: kernelnewbies-bounce@xxxxxxxxxxxx [mailto:kernelnewbies-bounce@xxxxxxxxxxxx] On Behalf Of Ashish Mishra
Sent: Thursday, September 30, 2004 5:55 PM
To: Kenel Newbies
Subject: Seek Help !!!

Hi,

I am totally new to the linux kernel. I want to intercept system calls with sys_call_table. But it seems that this symbol is not exported in linux kernel 2.4.

Is there any method by which I can export this symbol ??

Waiting for the help ....

Thanx
Ashish Mishra

--
Kernelnewbies: Help each other learn about the Linux kernel.
Archive: http://mail.nl.linux.org/kernelnewbies/
FAQ: http://kernelnewbies.org/faq/
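Added example, not part of the original thread or of either poster's code: the 8-byte gate layout from step 3 (offset in bytes 1, 2, 7 and 8) decoded in C and used as an integrity check that compares the vector-128 handler in a captured IDT snapshot against a known-good baseline. The function names, the sample descriptor bytes and the address 0xC0108E2C are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define SYSCALL_VECTOR 128   /* the "128th entry" from step 2 */
#define GATE_SIZE      8     /* each IDT entry is 8 bytes */

struct idt_gate {
    uint32_t offset;    /* handler address: bytes 1-2 (low half), 7-8 (high half) */
    uint16_t selector;  /* code segment selector: bytes 3-4 */
    uint8_t  type;      /* low 4 bits of byte 6: 0xE interrupt gate, 0xF trap gate */
    uint8_t  dpl;       /* privilege level allowed to raise the vector */
    uint8_t  present;   /* P bit */
};

/* Decode one little-endian i386 gate descriptor. */
struct idt_gate decode_gate(const uint8_t raw[GATE_SIZE])
{
    struct idt_gate g;
    g.offset   = (uint32_t)raw[0] | (uint32_t)raw[1] << 8 |
                 (uint32_t)raw[6] << 16 | (uint32_t)raw[7] << 24;
    g.selector = (uint16_t)(raw[2] | raw[3] << 8);
    g.type     = raw[5] & 0x0F;
    g.dpl      = (raw[5] >> 5) & 0x03;
    g.present  = raw[5] >> 7;
    return g;
}

/* 0 = gate matches the baseline; negative = which check failed. */
int check_syscall_gate(const uint8_t *idt, size_t len, uint32_t expected)
{
    size_t at = (size_t)SYSCALL_VECTOR * GATE_SIZE;
    if (len < at + GATE_SIZE) return -1;          /* snapshot too short */
    struct idt_gate g = decode_gate(idt + at);
    if (!g.present)           return -2;          /* gate not present */
    if (g.offset != expected) return -3;          /* handler differs from baseline */
    return 0;
}

/* Constructed sample: an IDT snapshot whose vector 128 points at 0xC0108E2C. */
int demo_check(uint32_t expected)
{
    static const uint8_t gate[GATE_SIZE] =
        { 0x2C, 0x8E, 0x10, 0x00, 0x00, 0xEF, 0x10, 0xC0 };
    uint8_t idt[(SYSCALL_VECTOR + 1) * GATE_SIZE] = { 0 };
    memcpy(idt + SYSCALL_VECTOR * GATE_SIZE, gate, GATE_SIZE);
    return check_syscall_gate(idt, sizeof idt, expected);
}
```

A return of -3 means the gate no longer points at the baseline handler, which is the condition an integrity monitor would alert on.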