RE: How to intercept sys_exit()...

Can we do something like this to get to sys_call_table ... If it is not
declared in any header files ...  ( It is defined in entry.S and it is
global)

extern void *sys_call_table[];   // the table is an array of handler pointers

then ...

long *my_sys_call_table = (long *)sys_call_table;
asmlinkage void (*old_exit_syscall)(int error_code);
old_exit_syscall = (void *)my_sys_call_table[1];
// index 1 points to the sys_exit routine as per head.S

In init module session, you could ...

my_sys_call_table[1] = (long)new_exit_syscall;

asmlinkage void new_exit_syscall(int error_code)
{
	// Do your stuff
	old_exit_syscall(error_code);
}

exit module session

my_sys_call_table[1] = (long)old_exit_syscall;

 
I thought IDT would not have any reference to sys_call_table. It will
have a pointer to system call entry ( system_call() exception handler ),
but not the table.

Aboo

-----Original Message-----
From: kernelnewbies-bounce@xxxxxxxxxxxx
[mailto:kernelnewbies-bounce@xxxxxxxxxxxx] On Behalf Of Dhiman, Gaurav
Sent: Friday, October 08, 2004 3:54 AM
To: Prasad
Cc: kernelnewbies@xxxxxxxxxxxx
Subject: RE: How to intercept sys_exit()...


There was a good discussion last week about getting the pointer to
sys_call_table ...... just see that in archive.

In short, there are three methods

- Export deliberately the required system call ("sys_" related function)
or the sys_call_table in Kernel sources and then compile the kernel
again.

- Get the address of sys_call_table or specific system call function
from System.map and pass it to your module at load time.

- Get the address of sys_call_table dynamically in kernel module with
the help of the IDT.

Cheers !!
Gaurav
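
Added example, not part of the original thread or any poster's code: a user-space check that parses System.map-format text (the second method listed above) and flags captured table slots whose value differs from the address listed for the expected handler, which is how a replaced slot 1 would show up in an audit. The map excerpt, the slot snapshot, all addresses, and the names map_lookup, audit_slots and struct slot are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed System.map excerpt and slot snapshot; addresses are made up.
 * Slot 1 (exit on i386) holds a value that is not sys_exit's address. */
static const char SAMPLE_MAP[] =
    "c0103a20 T sys_fork\nc011e5d0 T sys_exit\nc0150b10 T sys_read\n";
struct slot { int nr; const char *sym; unsigned long value; }; /* hypothetical */
static const struct slot SAMPLE_SNAP[] = {
    { 1, "sys_exit", 0xd0a3c060UL },
    { 2, "sys_fork", 0xc0103a20UL },
    { 3, "sys_read", 0xc0150b10UL },
};

/* Look up `name` in System.map text ("<hex addr> <type> <symbol>" per line).
 * Returns the address, or 0 if the symbol is not listed. */
unsigned long map_lookup(const char *map, const char *name)
{
    const char *p = map;
    while (p && *p) {
        unsigned long a; char type, sym[128];
        if (sscanf(p, "%lx %c %127s", &a, &type, sym) == 3 && !strcmp(sym, name))
            return a;
        p = strchr(p, '\n');
        if (p) p++;
    }
    return 0;
}

/* Store in bad[] the numbers of slots whose value differs from the System.map
 * address of the expected handler, or whose symbol is missing from the map.
 * Returns the count, which may exceed max_bad. */
int audit_slots(const char *map, const struct slot *s, int n, int *bad, int max_bad)
{
    int found = 0;
    for (int i = 0; i < n; i++) {
        unsigned long expect = map_lookup(map, s[i].sym);
        if (expect != 0 && expect == s[i].value) continue;
        if (found < max_bad) bad[found] = s[i].nr;
        found++;
    }
    return found;
}
int main(void)
{
    int bad[3], n = audit_slots(SAMPLE_MAP, SAMPLE_SNAP, 3, bad, 3);
    for (int i = 0; i < n && i < 3; i++)
        printf("slot %d does not match System.map\n", bad[i]);
    return n != 0;
}
```

The System.map used for the comparison has to be the one built with the running kernel, otherwise every slot will be reported.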



-----Original Message-----
From: kernelnewbies-bounce@xxxxxxxxxxxx
[mailto:kernelnewbies-bounce@xxxxxxxxxxxx] On Behalf Of Prasad
Sent: Thursday, October 07, 2004 3:50 PM
To: kernelnewbies@xxxxxxxxxxxx
Subject: How to intercept sys_exit()...


Hi there!
Can anyone tell me how to intercept exit system call...?
I'm using linux-2.6.8.1 kernel, and need to do it for some auditing
purpose...
-- 
regards
   -Prasad



--
Kernelnewbies: Help each other learn about the Linux kernel.
Archive:       http://mail.nl.linux.org/kernelnewbies/
FAQ:           http://kernelnewbies.org/faq/


