"Elvis Y. Tamayo Moyares" <[email protected]> writes:

> It's true. I managed to hook into the kernel 2.4 and 2.6 using LKM, but
> how can I do it in 2.6.30 or higher? It does not let me change the syscall
> table references ...
> when I add the LKM to stdout I get 'Killed'.
> and when I try to remove the LKM it tells me that it is in use.
> Some sites say that around 2.6.30 the syscall table is readonly.
> I need to know if there is another way to make the syscall hook around 2.6.30
>
> Elvis.
>

You might want to check out 'fanotify' which can alert you when specific
events take place (like open() or close()) and will be handy if you
are building a malware scanner or something like that.
Although, if you want it for a private project of some kind you could
as well disable CONFIG_DEBUG_RODATA on your kernel :)
