Hello Henrik,

I came across a method over a google. They've shown the way something like this:

"The easiest way is to modify in kernel mode the system call table, where all addresses of the system call service routines are stored. We have to develop a driver (because they act in kernel mode) which saves the original address and stores the address of his own function which calls the original function, makes the logging stuff and returns the value the original function returned."

This is not a good method indeed. This'll affect the other system calls and causes a kernel panic sometimes too.

> or, are you going to write a module

Of course, I am about to write a kernel module, which will hook the unlink system call (with some mature way) and log the stuff. And I don't have to pass any argument to this module. Functionality should work for any deleted file, may be user deleted or process deleted. Cause ultimately it'll call the unlink sys call..

Regards
Ashish

--- On Mon, 10/11/08, Henrik Austad <henrik@xxxxxxxxx> wrote:

> From: Henrik Austad <henrik@xxxxxxxxx>
> Subject: Re: System call hooking in 2.6 kernel..
> To: ashitpro@xxxxxxxxxxx
> Date: Monday, 10 November, 2008, 3:43 PM
>
> On Monday 10 November 2008 10:06:06 ashish mahamuni wrote:
> > Hello All,
> >
> > I am trying to write a module which will log the user who deleted the
> > file... So, I am thinking of hooking the unlink system call...
> > Which is the best way to achieve this?
> > Is it possible in 2.6 kernel?
>
> are you going to trigger it *from* the syscall? If so, you cannot do this as a
> module, as the syscall is compiled into the kernel. Removing this dynamically
> can be quite disastrous.
>
> or, are you going to write a module that takes a file as argument, deletes it
> and logs various bits and pieces of information?
>
> > Regards
> > Ashish
>
> --
> -> henrik

--
To unsubscribe from this list: send an email with
"unsubscribe kernelnewbies" to ecartis@xxxxxxxxxxxx
Please read the FAQ at http://kernelnewbies.org/FAQ
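The goal in this thread is "log which user deleted a file" without patching the system call table. The standard in-tree way to get that is the Linux audit subsystem: a rule on the unlink/unlinkat syscalls makes the kernel emit a SYSCALL record (with auid/uid/comm/exe), a CWD record and PATH records that share one audit serial, and user space only has to correlate them. The script below is an added example, not code from this thread or from kernelnewbies; it parses constructed audit.log lines (not a real capture) and assumes the x86_64 syscall numbers and the `nametype=DELETE` PATH field of current audit versions. The `auditctl` rule string and the `file_delete` key are the assumptions it is built on.

```python
"""Answer "who deleted this file?" from Linux audit records instead of
hooking sys_call_table. Added example; the audit rule below is assumed to be
loaded on the monitored host (x86_64 syscall table)."""
import posixpath
import re
from collections import OrderedDict

# Assumed audit rule: log every unlink/unlinkat exit, tagged with key "file_delete".
AUDIT_RULE = "auditctl -a always,exit -F arch=b64 -S unlink,unlinkat -k file_delete"

# Constructed sample of audit.log lines (not a real capture): one successful
# rm of a user file and one failed (EACCES) unlinkat of a root-owned log.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1226310000.123:42): arch=c000003e syscall=87 success=yes exit=0 a0=7ffd0 a1=0 a2=0 a3=0 items=2 ppid=1200 pid=1234 auid=1000 uid=1000 gid=1000 euid=1000 comm="rm" exe="/bin/rm" key="file_delete"
type=CWD msg=audit(1226310000.123:42): cwd="/home/ashish"
type=PATH msg=audit(1226310000.123:42): item=0 name="/home/ashish" inode=100 dev=08:01 mode=040755 ouid=1000 ogid=1000 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1226310000.123:42): item=1 name="notes.txt" inode=101 dev=08:01 mode=0100644 ouid=1000 ogid=1000 rdev=00:00 nametype=DELETE
type=SYSCALL msg=audit(1226310050.500:43): arch=c000003e syscall=263 success=no exit=-13 a0=ffffff9c a1=0 a2=0 a3=0 items=2 ppid=1 pid=2222 auid=1001 uid=1001 gid=1001 euid=1001 comm="cleanup" exe="/usr/bin/cleanup" key="file_delete"
type=CWD msg=audit(1226310050.500:43): cwd="/var/log"
type=PATH msg=audit(1226310050.500:43): item=0 name="/var/log" inode=200 dev=08:01 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1226310050.500:43): item=1 name="secure" inode=201 dev=08:01 mode=0100600 ouid=0 ogid=0 rdev=00:00 nametype=DELETE
"""

# "type=X msg=audit(TIMESTAMP:SERIAL): key=value ..." is the audit.log line shape.
RECORD_RE = re.compile(
    r"^type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): (?P<body>.*)$"
)
# Values are either double-quoted strings or bare tokens.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_fields(body):
    """Turn 'a=1 b="x y"' into {'a': '1', 'b': 'x y'}."""
    return {key: value.strip('"') for key, value in FIELD_RE.findall(body)}


def parse_records(log_text):
    """Group records by (timestamp, serial); every record of one syscall shares them."""
    events = OrderedDict()
    for line in log_text.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue  # unrelated or malformed line: skip rather than fail
        events.setdefault((m["ts"], m["serial"]), []).append(
            (m["type"], parse_fields(m["body"]))
        )
    return events


def deletions(log_text, key="file_delete"):
    """Return one dict per unlink attempt tagged with `key`, success or not."""
    out = []
    for (ts, serial), records in parse_records(log_text).items():
        syscall = next((f for t, f in records if t == "SYSCALL"), None)
        if syscall is None or syscall.get("key") != key:
            continue
        cwd = next((f["cwd"] for t, f in records if t == "CWD"), "/")
        paths = [f for t, f in records if t == "PATH"]
        # The deleted entry is the PATH record marked DELETE; fall back to the
        # last item for audit versions that predate nametype.
        target = next((f for f in paths if f.get("nametype") == "DELETE"),
                      paths[-1] if paths else None)
        if target is None:
            continue
        name = target["name"]
        out.append({
            "time": float(ts),
            "serial": int(serial),
            # Relative names are resolved against the recorded cwd.
            "path": name if posixpath.isabs(name) else posixpath.normpath(posixpath.join(cwd, name)),
            "auid": int(syscall["auid"]),   # login uid survives su/sudo: this is "who"
            "uid": int(syscall["uid"]),     # effective identity at the time of the call
            "comm": syscall.get("comm"),
            "exe": syscall.get("exe"),
            "success": syscall.get("success") == "yes",
        })
    return out


def who_deleted(log_text, path, key="file_delete"):
    """All attempts (successful or denied) to unlink exactly `path`."""
    return [e for e in deletions(log_text, key) if e["path"] == path]


if __name__ == "__main__":
    print("rule:", AUDIT_RULE)
    for e in deletions(SAMPLE_LOG):
        print(f"{e['time']:.3f} auid={e['auid']} {e['comm']} "
              f"{'deleted' if e['success'] else 'FAILED to delete'} {e['path']}")
```

The value to read is `auid`, not `uid`: the login uid is set at authentication and carried across su/sudo, so it names the person, while `uid` only names the identity the process ran under. Failed attempts are kept deliberately; a denied unlink of a log file is usually more interesting than a successful one.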