Hi, thank you all for helping me with my problem! I don't want to modify my kernel source, so I am trying to learn to use the LSM security hooks. Even though it seems that they can't hook all the system calls, I think they should be enough for me. Thanks again!
On Wed, Nov 23, 2011 at 8:02 PM, rohan puri <[email protected]> wrote:
>
> On Wed, Nov 23, 2011 at 3:57 PM, Alexandru Juncu <[email protected]> wrote:
>
>> On Wed, Nov 23, 2011 at 12:10 PM, Daniel Baluta <[email protected]> wrote:
>> > On Wed, Nov 23, 2011 at 11:22 AM, Alexandru Juncu <[email protected]> wrote:
>> >> On Wed, Nov 23, 2011 at 10:40 AM, Geraint Yang <[email protected]> wrote:
>> >>> Hello everyone,
>> >>>
>> >>> I am going to hook a system call like 'read' or 'send' by modifying the
>> >>> sys_call_table, but it seems that the sys_call_table is in a read-only page.
>> >>> How can I modify the sys_call_table? Or is there any method that I can
>> >>> use to hook a system call in a module without modifying the kernel source?
>> >>>
>> >>> Thanks!
>> >>
>> >> On a 2.6.35 kernel, it worked for me just by changing an entry in the
>> >> sys_call_table, within a kernel module. Something like this:
>> >
>> > Alex,
>> > I am pretty sure that you are using a hacked version of 2.6.35.
>> >
>> > Geraint,
>> > In order to be able to hook a syscall you must do the following:
>> >
>> > 1. export syscall_table in arch/x86/kernel/i386_ksyms_32.c
>> >
>> > extern void* sys_call_table[];
>> > EXPORT_SYMBOL(sys_call_table);
>> >
>> > 2. make sys_call_table writable. In arch/x86/kernel/entry_32.S
>> > you must have:
>> >
>> > .section .data,"a"
>> > #include "syscall_table_32.S"
>> >
>> > thanks,
>> > Daniel.
>> >
>>
>> Ah, Daniel is right... I forgot about that part...
>>
>> _______________________________________________
>> Kernelnewbies mailing list
>> [email protected]
>> http://lists.kernelnewbies.org/mailman/listinfo/kernelnewbies
>>
>
> You can get the address of the sys_call_table from /proc/kallsyms and,
> regarding the read-only section of this symbol, you can re-map the
> addresses by making use of the vmap API in the kernel. This will avoid the
> need for recompiling the kernel. But I would not recommend you to do this.
> There is an LSM framework specifically available for this; try to see if you
> can make use of that.
>
> Regards,
> Rohan Puri
>

-- 
Geraint Yang
Tsinghua University
Department of Computer Science and Technology
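As an added example (not code from anyone in this thread), here is a userspace check for the property the thread hinges on: whether sys_call_table lies inside the kernel's read-only section, which is what makes the in-module overwrite fail and is the state a hardened kernel should be in. It parses /proc/kallsyms-style lines and compares the table's address with the __start_rodata/__end_rodata markers, assuming the kernel exposes those linker symbols in kallsyms as x86 vmlinux builds do; the sample lines and addresses below are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed /proc/kallsyms excerpts (addresses made up for this example).
 * In the first, sys_call_table sits inside [__start_rodata, __end_rodata);
 * in the second it has been moved into .data, as Daniel's entry_32.S change
 * does, so a loaded module could overwrite its entries. */
static const char *kallsyms_ro =
    "ffffffff81a00000 R __start_rodata\n"
    "ffffffff81a01c20 R sys_call_table\n"
    "ffffffff81c00000 R __end_rodata\n";
static const char *kallsyms_rw =
    "ffffffff81a00000 R __start_rodata\n"
    "ffffffff81c00000 R __end_rodata\n"
    "ffffffff81e02000 D sys_call_table\n";

/* Find one symbol in kallsyms text; 0 if absent or printed as zero by kptr_restrict. */
static uint64_t kallsyms_lookup(const char *text, const char *name)
{
    char line[256], addr[32], sym[128], type;
    for (const char *p = text; *p; ) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        if (len >= sizeof line) len = sizeof line - 1;
        memcpy(line, p, len); line[len] = '\0';
        /* kallsyms format: "<hex address> <type> <symbol> [module]" */
        if (sscanf(line, "%31s %c %127s", addr, &type, sym) == 3 &&
            strcmp(sym, name) == 0)
            return strtoull(addr, NULL, 16);
        if (!nl) break;
        p = nl + 1;
    }
    return 0;
}

/* 1: sys_call_table is in the read-only range the thread describes;
 * 0: it is outside that range, hence writable; -1: a symbol is missing/unreadable. */
int syscall_table_is_readonly(const char *kallsyms_text)
{
    uint64_t tbl = kallsyms_lookup(kallsyms_text, "sys_call_table");
    uint64_t ro_start = kallsyms_lookup(kallsyms_text, "__start_rodata");
    uint64_t ro_end = kallsyms_lookup(kallsyms_text, "__end_rodata");
    if (!tbl || !ro_start || !ro_end)
        return -1;
    return (tbl >= ro_start && tbl < ro_end) ? 1 : 0;
}
```

To run it against a live system, read /proc/kallsyms into a buffer (with enough privilege that kptr_restrict does not zero the addresses) and pass it to syscall_table_is_readonly.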
