Hi

> Which is the best way to achieve this?
> Is it possible in 2.6 kernel?

You might generally want to patch the kernel, because the syscall table is not exported in 2.6 and access to it through a module becomes more complicated from version to version. Possibly someone from the group would suggest a solution based on patching VFS.

As for the syscall table, you need to find it for yourself. Examples that are a few months old might not work any longer. However, people from Immunity Inc released working code under the GPL in their IA 32 DR Rootkit. You're not interested in the whole debug registers stuff, only in the routine that seeks the syscall table. Then you would exchange the pointer to unlink with a pointer to your function, and your function, after doing its job (logging), would in turn call the original unlink.

Regards,
Lech
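
The pointer exchange described in the reply above, modelled in user space as an added example that is not part of the original message and is not kernel code. A plain function-pointer table stands in for the syscall table, all names (`table`, `baseline`, `install_hook`, `first_modified_entry`) are hypothetical, and the example goes one step beyond the message by adding the integrity check that compares the live table against a known-good copy.

```c
/* User-space model only: a function-pointer table stands in for the syscall table. */
#include <stdio.h>
#include <string.h>

#define NR_CALLS  3
#define NR_UNLINK 1   /* constructed index, not a real syscall number */
typedef long (*call_fn)(const char *path);
static long real_open(const char *p)   { (void)p; return 3; }
static long real_unlink(const char *p) { (void)p; return 0; }
static long real_rmdir(const char *p)  { (void)p; return 0; }
/* Live table plus a known-good copy taken before anything is patched. */
static call_fn table[NR_CALLS]    = { real_open, real_unlink, real_rmdir };
static call_fn baseline[NR_CALLS] = { real_open, real_unlink, real_rmdir };
static call_fn orig_unlink;       /* saved original entry */
static char last_logged[256];     /* path recorded by the wrapper */
static int  log_count;

/* Wrapper: do its job (logging), then call the original handler. */
static long logging_unlink(const char *path) {
    snprintf(last_logged, sizeof last_logged, "%s", path);
    log_count++;
    return orig_unlink(path);
}

/* Exchange the pointer, saving the original. Idempotent, so the wrapper
 * can never end up chained to itself. */
void install_hook(void) {
    if (table[NR_UNLINK] == logging_unlink) return;
    orig_unlink = table[NR_UNLINK];
    table[NR_UNLINK] = logging_unlink;
}
void remove_hook(void) {
    if (table[NR_UNLINK] == logging_unlink) table[NR_UNLINK] = orig_unlink;
}

/* Integrity check: index of the first entry that differs from the baseline, or -1. */
int first_modified_entry(void) {
    for (int i = 0; i < NR_CALLS; i++)
        if (table[i] != baseline[i]) return i;
    return -1;
}
long dispatch(int nr, const char *path) { return table[nr](path); }

int main(void) {
    install_hook();
    dispatch(NR_UNLINK, "/tmp/constructed.txt");   /* constructed sample path */
    printf("logged=%s modified_entry=%d\n", last_logged, first_modified_entry());
    remove_hook();
    return 0;
}
```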