Re: how to get filename of execve() system call from kernel module which installs hook to syscall table to intercept original syscall in kernels before 4.2 and after 4.2 ? X86_64

2017-03-08 Thread valdis . kletnieks
On Wed, 08 Mar 2017 15:20:57 +0300, Lev Olshvang said: > Hi Greg, >   > Thank you for a prompt reply. My intention is to build some heuristics for > intrusion detection of embedded based on sequence of syscalls. > I am collecting syscall events and send them with netlink to my monitor. > Since

Re: how to get filename of execve() system call from kernel module which installs hook to syscall table to intercept original syscall in kernels before 4.2 and after 4.2 ? X86_64

2017-03-08 Thread Lev Olshvang
Hi Greg, Thank you for a prompt reply. My intention is to build some heuristics for intrusion detection of embedded based on sequence of syscalls. I am collecting syscall events and send them with netlink to my monitor. Since platform may use SELinux or other LSM, I thought the hook of syscall is the

Re: how to get filename of execve() system call from kernel module which installs hook to syscall table to intercept original syscall in kernels before 4.2 and after 4.2 ? X86_64

2017-03-08 Thread Greg KH
On Wed, Mar 08, 2017 at 03:20:57PM +0300, Lev Olshvang wrote: > Hi Greg, >   > Thank you for a prompt reply. My intention is to build some heuristics for > intrusion detection of embedded based on sequence of syscalls. > I am collecting syscall events and send them with netlink to my monitor. >

how to get filename of execve() system call from kernel module which installs hook to syscall table to intercept original syscall in kernels before 4.2 and after 4.2 ? X86_64

2017-03-07 Thread Lev Olshvang
Hello all, In kernels 3.X up to 4.2, the execve() system call for the x86_64 architecture was made through some magic (I can't say I understand it) assembly stub in arch/x86/kernel/entry_64.S, so up to kernel 4.2 it was possible to patch this assembly to install the hook,

Re: how to get filename of execve() system call from kernel module which installs hook to syscall table to intercept original syscall in kernels before 4.2 and after 4.2 ? X86_64

2017-03-07 Thread valdis . kletnieks
On Tue, 07 Mar 2017 20:22:33 +0100, Greg KH said: > On Mon, Mar 06, 2017 at 10:18:26AM +0300, Lev Olshvang wrote: > Why do you want to hook a syscall? That's a very complex, and broken, > and ill-advised thing to do. Please don't do that. > > What problem are you trying to solve here that led

Re: how to get filename of execve() system call from kernel module which installs hook to syscall table to intercept original syscall in kernels before 4.2 and after 4.2 ? X86_64

2017-03-07 Thread Greg KH
On Mon, Mar 06, 2017 at 10:18:26AM +0300, Lev Olshvang wrote: > Hello all, > > In kernels 3.X up to 4.2, the execve() system call for the x86_64 architecture > was made through some > magic (I can't say I understand it) assembly stub in > arch/x86/kernel/entry_64.S > so up