On Wed, Nov 23, 2011 at 10:40 AM, Geraint Yang <geraint0923@xxxxxxxxx> wrote:
> Hello everyone,
>
> I am going to hook a system call like 'read' or 'send' by modifying the
> sys_call_table, but it seems that the sys_call_table is in read only page,
> how can I set modify the sys_call_table ? Or if there any method that I can
> use to hook a system call in module without modify the kernel source?
>
> Thanks!
On a 2.6.35 kernel, it worked for me just by changing an entry in the
sys_call_table, within a kernel module. Something like this:
spin_lock(&sys_call_table_lock);
old_sys_calls[sys_call] = sys_call_table[sys_call];
sys_call_table[sys_call] = interceptor;
is_intercepted[sys_call] = 1;
spin_unlock(&sys_call_table_lock);
asmlinkage long interceptor(struct syscall_params sp)
{
long sys_call=sp.eax, r=0;
r = old_sys_calls[sys_call](sp);
do_stuff();
return r;
}
--
Alexandru Juncu
_______________________________________________
Kernelnewbies mailing list
Kernelnewbies@xxxxxxxxxxxxxxxxx
http://lists.kernelnewbies.org/mailman/listinfo/kernelnewbies
