Prasad,
I am also a learner ...
I guess the best way will be to modify do_exit () in kernel/exit.c and
recompile the kernel.
Or you could do something like this from a module, I think this is
nasty.
Globally
long *my_sys_call_table = sys_call_table;
void (*old_exit_syscall)( int error_code)
old_exit_syscall=my_sys_call_table[1];
// 1 is point to sys_exit routine as per head.S
In init module session, you could ...
my_sys_call_table[1]=new_exit_syscall;
asmlinkage void new_exit_syscall (int error_code ) {
// Do your stuff
old_exit_syscall(error_code);
}
exit module session
my_sys_call_table[1]= old_exit_syscall;
Theoriticaly this should work ... Do you think ?
Aboo
-----Original Message-----
From: kernelnewbies-bounce@xxxxxxxxxxxx
[mailto:kernelnewbies-bounce@xxxxxxxxxxxx] On Behalf Of Prasad
Sent: Thursday, October 07, 2004 8:20 PM
To: kernelnewbies@xxxxxxxxxxxx
Subject: How to intercept sys_exit()...
Hi there !
Can anyone tell me how to intecept exit system call...?
I'm using linux-2.6.8.1 kernel, and need to do it for some auditing
purpose...
--
regards
-Prasad
--
Kernelnewbies: Help each other learn about the Linux kernel.
Archive: http://mail.nl.linux.org/kernelnewbies/
FAQ: http://kernelnewbies.org/faq/
--
Kernelnewbies: Help each other learn about the Linux kernel.
Archive: http://mail.nl.linux.org/kernelnewbies/
FAQ: http://kernelnewbies.org/faq/
