Hello Henrik,

I came across a method on Google.
They showed the way something like this:

"The easiest way is to modify in kernel mode the system call table, where all 
addresses of the system call service routines are stored. We have to develop a 
driver (because they act in kernel mode) which saves the original address and 
stores the address of his own function which calls the original function, makes 
the logging stuff and returns the value the original function returned." 

This is not a good method indeed. This'll affect the other system calls and causes 
kernel panics sometimes too.

> or, are you going to write a module
Of course, I am about to write a kernel module, which will hook the unlink 
system call (in some mature way) and log the stuff. And I don't have to pass 
any argument to this module. The functionality should work for any deleted file, 
maybe user-deleted or process-deleted, because ultimately it'll call the unlink 
syscall.

Regards
Ashish



--- On Mon, 10/11/08, Henrik Austad <[EMAIL PROTECTED]> wrote:

> From: Henrik Austad <[EMAIL PROTECTED]>
> Subject: Re: System call hooking in 2.6 kernel..
> To: [EMAIL PROTECTED]
> Date: Monday, 10 November, 2008, 3:43 PM
> On Monday 10 November 2008 10:06:06 ashish mahamuni wrote:
> > Hello All,
> >
> > I am trying to write a module which will log the user
> who deleted the
> > file... So, I am thinking of hooking the unlink system
> call...
> > Which is the best way to achieve this?
> > Is it possible in 2.6 kernel?
> 
> are you going to trigger it *from* the syscall? If so, you
> cannot do this as a 
> module, as the syscall is compiled into the kernel.
> Removing this dynamically 
> can be quite disastrous.
> 
> or, are you going to write a module that takes a file as
> argument, deletes it 
> and logs various bits and pieces of information?
> 
> > Regards
> > Ashish
> 
> 
> -- 
>  -> henrik

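The quoted Google hit describes the classic table-patching pattern: save the original entry for unlink, store the address of a wrapper, have the wrapper call the original, log, and hand back whatever the original returned. The following is an added example, not code from this thread or from any kernel source: a user-space model of that pattern in which an array of function pointers stands in for sys_call_table, the "unlink" entry really deletes a temporary file, and the wrapper records uid, pid, path and return value. Names such as `sys_call_table`, `hook_unlink`, `unhook_unlink` and `do_unlink` are this example's own; locating the real table, lifting write protection on it, and packaging the code as a module are deliberately left out, so this compiles and runs as an ordinary program.

```c
/* Added example (not from the thread): user-space model of hooking the
 * unlink entry of a syscall table.  Assumed names: sys_call_table,
 * hook_unlink, unhook_unlink, do_unlink, hook_log_*.  Real kernel code
 * would additionally need the table address, write-protection handling and
 * a module wrapper; none of that is modelled here. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

typedef long (*syscall_fn)(const char *path);

enum { NR_UNLINK = 0, NR_COUNT = 1 };

/* Stand-in for the kernel's sys_call_table. */
static syscall_fn sys_call_table[NR_COUNT];

/* Saved original entry: the hook forwards to it and unhook restores it. */
static syscall_fn orig_unlink;

/* Small in-memory log so the result of the hook can be inspected. */
#define LOG_ENTRIES 8
#define LOG_LEN 256
static char hook_log[LOG_ENTRIES][LOG_LEN];
static int hook_log_count;

/* The "original service routine": a real unlink(2) on the given path. */
static long real_unlink(const char *path)
{
    return unlink(path) == 0 ? 0 : -1;
}

/* Wrapper that gets written into the table: forward, log, return the
 * original's result unchanged so callers cannot tell it is there. */
static long hooked_unlink(const char *path)
{
    long ret = orig_unlink(path);
    if (hook_log_count < LOG_ENTRIES)
        snprintf(hook_log[hook_log_count++], LOG_LEN,
                 "unlink uid=%u pid=%d path=%s ret=%ld",
                 (unsigned)getuid(), (int)getpid(), path, ret);
    return ret;
}

void syscall_table_init(void)
{
    sys_call_table[NR_UNLINK] = real_unlink;
    orig_unlink = NULL;
    hook_log_count = 0;
}

/* Install: save the original pointer first, then swap in the wrapper.
 * Refuse to hook twice, otherwise the saved original would be overwritten
 * with the wrapper itself and unhooking could never restore the table. */
int hook_unlink(void)
{
    if (orig_unlink)
        return -1;
    orig_unlink = sys_call_table[NR_UNLINK];
    sys_call_table[NR_UNLINK] = hooked_unlink;
    return 0;
}

/* Remove: put the saved original back (what a module's exit path must do). */
int unhook_unlink(void)
{
    if (!orig_unlink)
        return -1;
    sys_call_table[NR_UNLINK] = orig_unlink;
    orig_unlink = NULL;
    return 0;
}

/* Dispatch through the table, as the syscall entry code would. */
long do_unlink(const char *path)
{
    return sys_call_table[NR_UNLINK](path);
}

int hook_log_entries(void) { return hook_log_count; }
const char *hook_log_entry(int i)
{
    return (i >= 0 && i < hook_log_count) ? hook_log[i] : "";
}

/* Create a throwaway file so the demo deletes something real. */
int make_temp_file(char *buf, size_t len)
{
    snprintf(buf, len, "/tmp/hookdemo.XXXXXX");
    int fd = mkstemp(buf);
    if (fd < 0)
        return -1;
    close(fd);
    return 0;
}

int main(void)
{
    char path[64];
    syscall_table_init();
    if (make_temp_file(path, sizeof path) != 0)
        return 1;
    hook_unlink();
    do_unlink(path);          /* logged */
    unhook_unlink();
    for (int i = 0; i < hook_log_entries(); i++)
        puts(hook_log_entry(i));
    return 0;
}
```

The two guards (refusing a double hook, refusing an unhook when nothing is saved) are the part worth carrying over to a real module: losing the original pointer is exactly how a table patch leaves the machine with a dangling entry after the module is unloaded.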


--
To unsubscribe from this list: send an email with
"unsubscribe kernelnewbies" to [EMAIL PROTECTED]
Please read the FAQ at http://kernelnewbies.org/FAQ
