hi, on the simpler side, you might just want to do an

    extern void *sys_call_table;
    EXPORT_SYMBOL(sys_call_table);

in kernel/ksyms.c :)

On Thu, 30 Sep 2004 20:34:55 +0530, Dhiman, Gaurav <gaurav.dhiman@xxxxxx> wrote:
>
> Hi Ashish,
>
> Well there are workarounds to do the required system call hacking.
> What you can do is, before loading the kernel module, you look up the
> address of sys_call_table in the /boot/System.map file and pass this address
> to the kernel module at loading time as a parameter. The kernel module can store
> this address in an unsigned long variable and use it as a pointer
> to sys_call_table.
>
> This is a workaround, but not a secure way to do it, as System.map lies
> in the filesystem and anybody can modify or change the name of this file; in
> that case your module will not be loaded properly.
>
> The other and secure way to do this (specifically for the i386 platform) is that you
> do the following things in your module initialization function.
>
> 1. - Get the pointer to the IDT (Interrupt Descriptor Table), using the SIDT
> assembly instruction. This instruction will store the value of the IDTR
> register of the processor, which actually is a pointer to the IDT in the kernel.
>
> 2. - Once you get the pointer to the IDT, get to the 128th entry of the IDT by
> multiplying 128 with 8 (as each entry in the IDT is 8 bytes) and adding
> that to the IDT pointer, which we got in the first step. This is a pointer
> to the system gate through which system calls enter kernel mode.
>
> 3. - As each entry in the IDT is 8 bytes, now you are pointing to the
> system call entry in the IDT. Get the offset from this entry (the 1st, 2nd, 7th and
> 8th bytes). To know the format of this entry in the IDT, read the article:
> http://www.osdever.net/tutorials/interrupts.3.php?the_id=41
>
> 4. - Once you get the offset, it's a pointer to the system_call()
> function, which actually calls the specific system call after checking
> the system call number passed. You can find this function at the following
> link: http://lxr.linux.no/source/arch/i386/kernel/entry.S?v=2.4.21#L202
>
> 5. - Now comes the complex thing. You have a pointer to this function;
> now you need to check for the following assembly instruction in it:
>
> call *SYMBOL_NAME(sys_call_table)(,%eax,4)
>
> It is the instruction which is calling the specific system call by
> looking it up in the sys_call_table array of pointers. You need to know the
> machine instruction corresponding to this assembly instruction. I don't
> exactly remember the bit sequence for it, which we need to check; you
> need to check whether the first 3 bytes of this machine instruction
> match. If they do, your pointer is onto this instruction; now pick the next four
> bytes and that will be the base address of sys_call_table. Just for
> explanation, I am assuming that the first 3 bytes in the machine instruction
> corresponding to the above mentioned assembly instruction are as follows:
> 0x2A 0x34 0xBE. Assuming this, the following code will get you the pointer to
> the sys_call_table array, which is the system call table in the kernel.
>
> In the following code 'p' contains the pointer to the system_call() function
> (this is after step 4 mentioned above):
>
> if ((*((unsigned char *)p) == 0x2A) && (*((unsigned char *)p + 1) == 0x34)
>     && (*((unsigned char *)p + 2) == 0xBE)) {
>     p = (char *)p + 3;                          /* skip the 3 opcode bytes */
>     sys_call_table_ptr = *((unsigned long *)p); /* the 4-byte absolute address */
> }
>
> After this code we have the pointer to sys_call_table in the
> 'sys_call_table_ptr' pointer variable.
> NOTE: the second method is only for the i386 platform as it depends upon the
> machine instruction format.
>
> Hope things are not too complex ..... well, you can contact me on my
> mobile (040-32384853) if you want to discuss something, as the second method
> is something which I have also used. I might be of some help to you.
>
> Regards,
> Gaurav
>
> -----Original Message-----
> From: kernelnewbies-bounce@xxxxxxxxxxxx
> [mailto:kernelnewbies-bounce@xxxxxxxxxxxx] On Behalf Of Ashish Mishra
> Sent: Thursday, September 30, 2004 5:55 PM
> To: Kernel Newbies
> Subject: Seek Help !!!
>
> Hi,
> I am totally new to the linux kernel. I want to intercept system calls
> with sys_call_table. But it seems that this symbol is not exported in
> linux kernel 2.4.
> Is there any method by which I can export this symbol??
>
> Waiting for the help ....
>
> Thanx
> Ashish Mishra
>
> --
> Kernelnewbies: Help each other learn about the Linux kernel.
> Archive: http://mail.nl.linux.org/kernelnewbies/
> FAQ: http://kernelnewbies.org/faq/
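The i386 method described in Gaurav's quoted message, as an added example that is not part of the thread and not code from either poster. It runs the two parsing steps in user space over constructed bytes so that they can be tested without a kernel module: decoding the 8-byte int 0x80 gate descriptor into the system_call() offset (steps 2 to 4), and scanning system_call() for the dispatch instruction to pull out the sys_call_table address (step 5). The opcode bytes Gaurav left as an assumption are in fact ff 14 85 (CALL r/m32, ModRM 0x14, SIB 0x85) followed by the 32-bit absolute address; that encoding is used here. The IDT contents, the gate selector and both addresses below are constructed for the example, not taken from any real kernel, and read_idt_base() is only compiled on i386 since SIDT and the 8-byte gate layout are specific to that platform (x86_64 uses 16-byte gates and enters via syscall/MSR_LSTAR). In a module the scan must be bounded to the length of system_call(), which is why find_sys_call_table() takes a length and returns 0 when the pattern is absent or truncated.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Layout of one 8-byte i386 IDT gate descriptor (little-endian):
 *   bytes 0-1  offset bits 15..0        bytes 2-3  code segment selector
 *   byte  4    reserved                 byte  5    P | DPL | gate type
 *   bytes 6-7  offset bits 31..16
 * Returns the 32-bit handler offset of `vector` from a table starting at `idt`
 * (steps 2 and 3 of the method: entry = idt + vector * 8, offset = bytes 0,1,6,7). */
uint32_t idt_gate_offset(const uint8_t *idt, unsigned vector)
{
    const uint8_t *e = idt + (size_t)vector * 8;
    return (uint32_t)e[0] | (uint32_t)e[1] << 8 |
           (uint32_t)e[6] << 16 | (uint32_t)e[7] << 24;
}

/* Type/attribute byte 0xef = present, DPL 3, 32-bit trap gate: a "system gate",
 * which is what the int 0x80 entry installed by set_system_gate() looks like. */
int idt_gate_is_system_gate(const uint8_t *idt, unsigned vector)
{
    return idt[(size_t)vector * 8 + 5] == 0xef;
}

/* `call *sys_call_table(,%eax,4)` assembles to  ff 14 85 <disp32>:
 *   ff  CALL r/m32 (opcode group 5, /2)
 *   14  ModRM: mod=00, reg=010 (/2), rm=100 (SIB byte follows)
 *   85  SIB:   scale=4, index=%eax, base=101 (no base, disp32 follows)
 * Scans at most `len` bytes from `code` and returns the disp32, which is the
 * absolute address of sys_call_table; returns 0 if the full pattern is not found. */
uint32_t find_sys_call_table(const uint8_t *code, size_t len)
{
    static const uint8_t pat[3] = { 0xff, 0x14, 0x85 };
    for (size_t i = 0; i + sizeof pat + 4 <= len; i++) {
        if (memcmp(code + i, pat, sizeof pat) == 0) {
            const uint8_t *d = code + i + sizeof pat;
            return (uint32_t)d[0] | (uint32_t)d[1] << 8 |
                   (uint32_t)d[2] << 16 | (uint32_t)d[3] << 24;
        }
    }
    return 0;
}

#if defined(__i386__)
/* Step 1 as it would be done inside a module: SIDT stores the 6-byte IDTR
 * (16-bit limit, 32-bit base) to memory. Compiled for i386 only. */
const uint8_t *read_idt_base(void)
{
    struct { uint16_t limit; uint32_t base; } __attribute__((packed)) idtr;
    __asm__ volatile ("sidt %0" : "=m" (idtr));
    return (const uint8_t *)(uintptr_t)idtr.base;
}
#endif

/* Constructed sample data (not a real kernel dump): a 256-entry IDT whose
 * int 0x80 gate points at 0xc0106f9c, and a few bytes of a system_call()-like
 * body ending in the dispatch through a table at 0xc02b5ce0. */
const uint8_t *sample_idt(void)
{
    static uint8_t idt[256 * 8];
    static const uint8_t gate80[8] = { 0x9c, 0x6f, 0x60, 0x00, 0x00, 0xef, 0x10, 0xc0 };
    memset(idt, 0, sizeof idt);
    memcpy(idt + 0x80 * 8, gate80, 8);
    return idt;
}

const uint8_t sample_system_call[] = {
    0x50,                                     /* push %eax                     */
    0xfc,                                     /* cld                           */
    0x3d, 0x00, 0x01, 0x00, 0x00,             /* cmp $0x100,%eax  (NR_syscalls) */
    0x73, 0x07,                               /* jae badsys                    */
    0xff, 0x14, 0x85, 0xe0, 0x5c, 0x2b, 0xc0, /* call *0xc02b5ce0(,%eax,4)     */
    0x89, 0x44, 0x24, 0x18,                   /* mov %eax,0x18(%esp)           */
};

int main(void)
{
    const uint8_t *idt = sample_idt();
    uint32_t system_call = idt_gate_offset(idt, 0x80);
    uint32_t table = find_sys_call_table(sample_system_call, sizeof sample_system_call);
    printf("int 0x80: system gate=%d, system_call=0x%08x\n",
           idt_gate_is_system_gate(idt, 0x80), system_call);
    printf("sys_call_table=0x%08x\n", table);
    return table == 0;
}
```

In a real module, `idt` would come from read_idt_base(), `code` from idt_gate_offset(idt, 0x80), and `len` from a conservative bound on the size of system_call(); the scan deliberately stops before reading a disp32 that would run past the end of the buffer.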