On Tue, Aug 3, 2010 at 8:29 AM, Kamyar Mohajerani <kammoh@xxxxxxxxx> wrote:
> Hello everyone,
> This is my first message to the KernelNewbies mailing list, so please
> correct me if I'm not asking my question the right way.
> What I actually want to do is to somehow intercept an internal kernel
> function. The only way that seemed possible from my research was the
> "classic" function injection technique (similar to the ones mentioned in the
> old Phrack 59 and 61) by finding the function's address (e.g. through
> /proc/kallsyms), overriding the first instructions with a jmp to my own
> function (and optionally calling the original function by the same or other
> tricks). This method works just fine for sys_* system call functions without
> any problem. But when I try the same method for a function like printk, the
> kernel crashes while my overridden function gets called. I'm sure my
> overridden function is called as I can use the original printk in it. I have
> locked and unlocked inside my function. I have also changed the function with
> one without any instructions in the body and still THE SAME thing
> happens!
> [ so sorry for the double post, I accidentally hit the send, I guess I was
> too excited for my first post! :-) ]

You have the source and can re-compile, right?

If so, rename the existing func() to __func() and write your own new
func() that calls __func().

It's done all the time during development.

Greg

--
Greg Freemyer
Head of EDD Tape Extraction and Processing team
Litigation Triage Solutions Specialist
http://www.linkedin.com/in/gregfreemyer
CNN/TruTV Aired Forensic Imaging Demo -
http://insession.blogs.cnn.com/2010/03/23/how-computer-evidence-gets-retrieved/

The Norcross Group
The Intersection of Evidence & Technology
http://www.norcrossgroup.com
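Added example, not part of the thread and not kernel code: a user-space C sketch of the rename-and-wrap approach from the reply, applied to a printf-style function. A variadic wrapper cannot forward its "..." to the renamed original, so both go through a va_list core (the role vprintk() plays for printk()). The names __vfunc, last_msg and wrapped_calls are assumptions made for the illustration.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins for a log sink and an interception counter. */
static char last_msg[128];
static int wrapped_calls;

/* va_list core shared by the original and the wrapper (hypothetical name). */
static int __vfunc(const char *fmt, va_list args)
{
    return vsnprintf(last_msg, sizeof(last_msg), fmt, args);
}

/* The original func(), renamed to __func(); its body is unchanged. */
int __func(const char *fmt, ...)
{
    va_list args;
    int n;

    va_start(args, fmt);
    n = __vfunc(fmt, args);
    va_end(args);
    return n;
}

/* The new func(): every existing caller now resolves to this wrapper. */
int func(const char *fmt, ...)
{
    va_list args;
    int n;

    wrapped_calls++;            /* interception point: count, trace, filter */
    va_start(args, fmt);
    n = __vfunc(fmt, args);     /* "..." cannot be passed on to __func() */
    va_end(args);
    return n;
}

int main(void)
{
    func("%s=%d", "x", 42);
    printf("%s (wrapped calls: %d)\n", last_msg, wrapped_calls);
    return 0;
}
```

For a function with a fixed argument list, the new func() simply calls __func() with the same arguments, as the reply describes.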