On Mon, Mar 06, 2017 at 10:18:26AM +0300, Lev Olshvang wrote:
> Hello all,
>
> In kernels 3.X up to 4.2 the execve() system call for the x86_64 architecture
> was made through some magic (I can't say I understand it) assembly stub in
> arch/x86/kernel/entry_64.S, so up to kernel 4.2 it was possible to patch this
> assembly to install the hook, e.g. see
> http://stackoverflow.com/questions/8372912/hooking-sys-execve-on-linux-3-x/9672512#9672512
>
> But this hook still can't access the filename argument in a proper way,
> although I tried to do it in the same way as fs/exec.c does: using the
> kernel's getname() function (which I needed to find through
> kallsyms_lookup_name()).
>
> In kernels 4.2 and up, arch/x86/kernel/entry_64.S is gone, and I still
> don't have a clue what to do to get the filename as a char string.
Why do you want to hook a syscall? That's a very complex, and broken, and
ill-advised thing to do. Please don't do that.

What problem are you trying to solve here that led you to think that putting
a syscall hook in is a good solution?

thanks,

greg k-h

_______________________________________________
Kernelnewbies mailing list
[email protected]
https://lists.kernelnewbies.org/mailman/listinfo/kernelnewbies
