On Monday 10 November 2008 11:28:41 ashish mahamuni wrote:
> Hello Henrik,
>
> I came across a method over a google.

this is where you provide the URL for the howto :-)

> They've shown the way something like this:
>
> "The easiest way is to modify in kernel mode the system call table, where
> all addresses of the system call service routines are stored. We have to
> develop a driver (because they act in kernel mode) which saves the original
> address and stores the address of his own function which calls the original
> function, makes the logging stuff and returns the value the original
> function returned."

yes, I can see *why* you want the driver (because of kernel-mode).

So, basically, you are going to change the syscall table and add another function entry there which will receive the same arguments as unlink, do the logging and then call the original syscall?

My point was: if you do this as a *module*, you will not be able to compile the kernel, as the compiler cannot resolve the address properly. You must add the new syscall into the kernel and recompile the entire kernel.

> This is not a good method indeed. This'll affect the other system call and
> causes the kernel panic sometime too.

Indeed it would :-)

> > or, are you going to write a module
>
> Of course, I am about to write a kernel module, which will hook the unlink
> system call (with some mature way) and log the stuff. And I don't have to
> pass any argument to this module. Functionality should work for any deleted
> file, may be user deleted or process deleted. Cause ultimately it'll call
> the unlink sys call..

what is 'some mature way'? why doesn't the module need any arguments? Are you going to log things like 'some file got deleted?' i.e. shouldn't you at least let the function get the name of the file?

> Regards
> Ashish

I'm not sure if I understand your problem correctly, perhaps some of the other bright guys can shed some light on it :-)

--
-> henrik