Re: how to hook a syscall in kernel 2.6

It's true. I managed to hook into kernel 2.4 and 2.6 using an LKM, but how can I do it in 2.6.30 or higher? It does not let me change the syscall table references ...
When I add the LKM, I get 'Killed' on stdout,
and when I try to remove the LKM, it tells me that it is in use.
Some sites say that around 2.6.30 the syscall table is read-only.
I need to know if there is another way to make the syscall hook around 2.6.30.

Elvis.

"Sangman Kim" <nemonemo@xxxxxxxxx> wrote:

Hello Elvis,

There are numerous ways you can do it, once you have root privilege.
But if you don't, it is probably impossible without some illegal way.

Actually, system call hooking itself is not a very proper thing even for
people with root,
but you can refer to the many Linux rootkit codes available on security sites.

Most of them use LKMs (loadable kernel modules) to load their code,
and manipulate either the syscall handler, the system call table, or other
structures available in the kernel.
You can even manipulate page tables and make the code section writable with
your module.

Sangman


On Wed, Apr 7, 2010 at 8:43 AM, Elvis Y. Tamayo Moyares <
etmoyares@xxxxxxxxxx> wrote:

Hi list,
I need to hook a system call in kernel 2.6; for kernel 2.6.30 or higher it
is very difficult. I have read in some places that in these
versions the system call table is read only. Is there any way to hook a
system call in kernel 2.6.30 or higher?
Thanks in advance.

----------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.



--
To unsubscribe from this list: send an email with
"unsubscribe kernelnewbies" to ecartis@xxxxxxxxxxxx
Please read the FAQ at http://kernelnewbies.org/FAQ
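Sangman's answer above describes hooks that overwrite entries in the system call table. From the defender's side, the matching integrity check is to confirm that every sys_call_table slot still resolves to the expected symbol inside the kernel's own text. The following is an added example (not code from the thread), run over a constructed /proc/kallsyms excerpt and a constructed table snapshot; the addresses, the module name evil_mod and the EXPECTED map are all made up for the example:

```python
# Constructed excerpt in /proc/kallsyms format: "address type name [module]".
# All addresses and the module name are made up for this example.
KALLSYMS = """\
ffffffff81000000 T _stext
ffffffff810a1000 T sys_open
ffffffff810a1200 T sys_read
ffffffff810a1400 T sys_write
ffffffff81a00000 T _etext
ffffffffa0012000 t hooked_open\t[evil_mod]
"""

# Constructed snapshot of the first sys_call_table slots, as a kernel
# debugger would print them: (syscall number, handler address).
SYSCALL_TABLE = [
    (0, 0xffffffff810a1200),  # read
    (1, 0xffffffff810a1400),  # write
    (2, 0xffffffffa0012000),  # open: slot now points into a module
]
# Symbol each slot is expected to hold on this hypothetical x86-64 kernel.
EXPECTED = {0: "sys_read", 1: "sys_write", 2: "sys_open"}


def parse_kallsyms(text):
    """Return (addr -> (name, module)) and (name -> addr) maps."""
    by_addr, by_name = {}, {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        addr = int(parts[0], 16)
        module = parts[3].strip("[]") if len(parts) > 3 else None
        by_addr[addr] = (parts[2], module)
        by_name[parts[2]] = addr
    return by_addr, by_name


def check_syscall_table(table, kallsyms_text, expected):
    """Flag slots whose handler lies outside kernel text or is the wrong symbol."""
    by_addr, by_name = parse_kallsyms(kallsyms_text)
    stext, etext = by_name["_stext"], by_name["_etext"]
    findings = []
    for nr, addr in table:
        name, module = by_addr.get(addr, ("<unknown>", None))
        if not stext <= addr < etext:  # handler lives outside the core kernel image
            where = f" in module {module}" if module else ""
            findings.append((nr, f"handler {addr:#x} ({name}) is outside kernel text{where}"))
        elif name != expected.get(nr):  # in-kernel address, but not the right function
            findings.append((nr, f"handler {addr:#x} is {name}, expected {expected.get(nr)}"))
    return findings
```

On a live system the table snapshot would come from a kernel debugger or crash tool, and /proc/kallsyms only shows real addresses to privileged readers when kptr_restrict is set.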
