Re: Want to dump information about the process when it exits (Linux Kernel 2.4)

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

On 5/12/06, Asim <asimkadav@xxxxxxxxx> wrote:

> > > > > > Hi,
> > > > > >    I have an requirement of logging program's name with time stamp on

> > >
> > You need to intercept the exec (execv) system call and not exit/fork.
> >
> > -- Asim
> >

> Hi Asim, thanks for the reply. Could you explain a bit how hooking
> execve() will help?
> --
>

All processes except the swapper are created by the fork & exec (of
program code) mechanism.

sys_execve :

 arch/i386/kernel/process.c:asmlinkage int sys_execve(struct pt_regs regs)

 do_execve is called within sys_execve :

 error = do_execve(filename, (char **) regs.ecx, (char **)regs.edx, &regs);

Defn of do_execve :

 /usr/src/linux/fs/exec.c:int do_execve(char * filename, char ** argv,
   char ** envp, struct pt_regs * regs)

So you actually need to :

1.Intercept the sys_execve system call.

2.Do your logging.

3.Call the do_execve system call.

4.Take care of the arguments when you do (3).
This can get painful(need hard reboots) if you err.After your logging,
call do_execve as :

 error = do_execve(filename, (char **) regs.ecx, (char **)regs.edx, &regs);

Simply passing over the regs parameter wont work.

Thanks,
Asim

--
Aerodynamically the bumblebee shouldn't be able to fly, but the
bumblebee doesn't know that so it goes on flying anyway.



Hi Asim, isn't that for tracking process start? I am interested in
tracking process exit / termination.

--

Regards,
Dang

--
Kernelnewbies: Help each other learn about the Linux kernel.
Archive:       http://mail.nl.linux.org/kernelnewbies/
FAQ:           http://kernelnewbies.org/faq/
[Index of Archives]     [Newbies FAQ]     [Linux Kernel Mentors]     [Linux Kernel Development]     [IETF Annouce]     [Git]     [Networking]     [Security]     [Bugtraq]     [Yosemite]     [MIPS Linux]     [ARM Linux]     [Linux RAID]     [Linux SCSI]     [Linux ACPI]
  Powered by Linux