Re: How to hook the system call?


 



Hi,
Thank you all for helping me with my problem!
I don't want to modify my kernel source, so I am trying to learn to use the LSM security hooks; even though it seems they can't hook all the system calls, I think they should be enough for me.
Thanks again!



On Wed, Nov 23, 2011 at 8:02 PM, rohan puri <rohan.puri15@xxxxxxxxx> wrote:


On Wed, Nov 23, 2011 at 3:57 PM, Alexandru Juncu <alex.juncu@xxxxxxxxxx> wrote:
On Wed, Nov 23, 2011 at 12:10 PM, Daniel Baluta <daniel.baluta@xxxxxxxxx> wrote:
> On Wed, Nov 23, 2011 at 11:22 AM, Alexandru Juncu <alex.juncu@xxxxxxxxxx> wrote:
>> On Wed, Nov 23, 2011 at 10:40 AM, Geraint Yang <geraint0923@xxxxxxxxx> wrote:
>>> Hello everyone,
>>>
>>> I am going to hook a system call like 'read' or 'send' by modifying the
>>> sys_call_table, but it seems that the sys_call_table is in read only page,
>>> how can I modify the sys_call_table? Or is there any method that I can
>>> use to hook a system call in a module without modifying the kernel source?
>>>
>>> Thanks!
>>
>> On a 2.6.35 kernel, it worked for me just by changing an entry in the
>> sys_call_table, within a kernel module.  Something like this:
>
> Alex,
> I am pretty sure that you are using a hacked version of 2.6.35.
>
> Geraint,
> In order to be able to hook a syscall you must do the following:
>
> 1. export syscall_table in arch/x86/kernel/i386_ksyms_32.c
>
> extern void* sys_call_table[];
> EXPORT_SYMBOL(sys_call_table);
>
> 2. make sys_call_table writable. In arch/x86/kernel/entry_32.S
> you must have:
>
> .section .data,"a"
> #include "syscall_table_32.S"
>
> thanks,
> Daniel.
>

Ah, Daniel is right... I forgot about that part...

_______________________________________________
Kernelnewbies mailing list
Kernelnewbies@xxxxxxxxxxxxxxxxx
http://lists.kernelnewbies.org/mailman/listinfo/kernelnewbies

You can get the address of the sys_call_table from /proc/kallsyms, and regarding the read-only section of this symbol, you can re-map the addresses by making use of the vmap API in the kernel. This will avoid the need for recompiling the kernel. But I would not recommend you to do this. There is an LSM framework specifically available for this; try to see if you can make use of that.

Regards,
Rohan Puri



--
Geraint Yang
Tsinghua University Department of Computer Science and Technology
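Two points in the thread invite a defender-side check: Daniel's step 2 moves sys_call_table out of read-only data into .data, and Rohan notes that /proc/kallsyms lists the symbol. On an unpatched x86 kernel the table is const, so kallsyms reports it with type R (read-only data); an entry of type D (writable data) means the table has been relocated as described, which is the layout an in-kernel hook that overwrites table entries would need. The program below is an added example, written for this page and not code from the thread or from any kernel tree: it parses kallsyms-format text and classifies the section the table lives in. The sample lines and their addresses are constructed, and the read of the live /proc/kallsyms at the end is only attempted if the file can be opened.

```c
/*
 * kallsyms_check.c: added example (not code from the thread).
 * Reads /proc/kallsyms-format text and reports whether sys_call_table
 * sits in read-only data (type R/r, the stock layout) or in writable
 * data (type D/d, the layout produced by moving it into .data).
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample in /proc/kallsyms format; addresses are made up. */
static const char SAMPLE_STOCK[] =
    "ffffffff81000000 T _text\n"
    "ffffffff81e00180 R sys_call_table\n"
    "ffffffff81e01180 R ia32_sys_call_table\n"
    "ffffffff82400000 D init_task\n"
    "ffffffffc0123000 t helper_fn\t[some_module]\n";

/* Constructed sample for a kernel patched as described in the thread. */
static const char SAMPLE_PATCHED[] =
    "ffffffff81000000 T _text\n"
    "ffffffff82400100 D sys_call_table\n";

/* Return the one-letter kallsyms type of the symbol named exactly `name`
 * in `buf`, or 0 if no line names that symbol.  A "\t[module]" suffix is
 * ignored because %s stops at the first whitespace.  Exact comparison
 * keeps ia32_sys_call_table from matching sys_call_table. */
static char symbol_type(const char *buf, const char *name)
{
    const char *p = buf;
    while (*p) {
        char line[512];
        const char *nl = strchr(p, '\n');
        size_t full = nl ? (size_t)(nl - p) : strlen(p);
        size_t len = full < sizeof line ? full : sizeof line - 1;
        unsigned long long addr;
        char type, sym[256];

        memcpy(line, p, len);
        line[len] = '\0';
        if (sscanf(line, "%llx %c %255s", &addr, &type, sym) == 3 &&
            strcmp(sym, name) == 0)
            return type;
        p += full;
        if (*p == '\n')
            p++;
    }
    return 0;
}

/* 1 = sys_call_table is in writable data, 0 = read-only data,
 * -1 = not listed (or listed with an unexpected section type). */
static int sys_call_table_writable(const char *kallsyms)
{
    switch (symbol_type(kallsyms, "sys_call_table")) {
    case 'D': case 'd': return 1;
    case 'R': case 'r': return 0;
    default:            return -1;
    }
}

/* Read a whole stream into a NUL-terminated heap buffer. */
static char *slurp(FILE *f)
{
    size_t cap = 1 << 16, len = 0;
    char *buf = malloc(cap);
    if (!buf)
        return NULL;
    for (;;) {
        size_t n;
        if (len + 1 >= cap) {
            char *nb = realloc(buf, cap * 2);
            if (!nb) { free(buf); return NULL; }
            buf = nb;
            cap *= 2;
        }
        n = fread(buf + len, 1, cap - len - 1, f);
        if (n == 0)
            break;
        len += n;
    }
    buf[len] = '\0';
    return buf;
}

int main(void)
{
    FILE *f;
    printf("constructed stock sample:   %d\n", sys_call_table_writable(SAMPLE_STOCK));
    printf("constructed patched sample: %d\n", sys_call_table_writable(SAMPLE_PATCHED));

    /* Live check.  With kptr_restrict set, unprivileged readers see the
     * addresses as zeros, but the type letter and name are still shown. */
    f = fopen("/proc/kallsyms", "r");
    if (f) {
        char *live = slurp(f);
        fclose(f);
        if (live) {
            printf("this kernel:                %d\n", sys_call_table_writable(live));
            free(live);
        }
    }
    return 0;
}
```

Build with `cc -Wall -o kallsyms_check kallsyms_check.c` and run it; the two constructed samples print 0 and 1, and the third line reports the running kernel. This is a section-layout check, not a table-content check: a module that remaps the page through vmap, as Rohan describes, leaves the section type unchanged, so a result of 0 says only that the kernel source was not patched the way Daniel's step 2 suggests.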


