Re: System call hooking in 2.6 kernel..

2008-11-12 Thread lech

Re: System call hooking in 2.6 kernel..

2008-11-11 Thread sandeep lahane
Hi, If I am not missing anything and if there is a libc wrapper provided for the calls to be trapped, then I think this can be done in userspace. Just write the wrappers for the calls to be trapped and make a shared lib out of it, and then do an LD_PRELOAD of that lib, or add it to /etc/ld.so.preload. So

Re: System call hooking in 2.6 kernel..

2008-11-11 Thread Manish Katiyar
space, which would do this thing. I am concerned about portability. I thought I could do this using hooking. That's why I asked about it. Regards, Ashish --- On Mon, 10/11/08, Manish Katiyar [EMAIL PROTECTED] wrote: From: Manish Katiyar [EMAIL PROTECTED] Subject: Re: System call hooking

Re: System call hooking in 2.6 kernel..

2008-11-11 Thread Vimal
The sysadmin sets LD_PRELOAD to /lib/libunlinkwrapper.so, which overrides the unlink() system call to add logging. Now a nasty user wants to delete a file using unlink() (though she could use others to change the content of the file) without being traced by the sysadmin. To achieve this she

Re: System call hooking in 2.6 kernel..

2008-11-11 Thread sandeep lahane
On Tue, Nov 11, 2008 at 11:28 PM, Vimal [EMAIL PROTECTED] wrote: the sysadmin sets LD_PRELOAD to /lib/libunlinkwrapper.so which overrides the unlink() system call to add logging. now a nasty user wants to delete a file using unlink() (though she could use others to change the content of the

Re: System call hooking in 2.6 kernel..

2008-11-11 Thread Matthias Kaehlcke
On Tue, Nov 11, 2008 at 02:29:34PM +0530 sandeep lahane said: Can you elaborate a little please? the sysadmin sets LD_PRELOAD to /lib/libunlinkwrapper.so which overrides the unlink() system call to add logging. now a nasty user wants to delete a file using unlink() (though she could use

Re: System call hooking in 2.6 kernel..

2008-11-11 Thread sandeep lahane
On Tue, Nov 11, 2008 at 3:56 PM, sandeep lahane [EMAIL PROTECTED] wrote: On Tue, Nov 11, 2008 at 3:34 PM, Matthias Kaehlcke [EMAIL PROTECTED] wrote: On Tue, Nov 11, 2008 at 02:29:34PM +0530 sandeep lahane said: Can you elaborate a little please? the sysadmin sets LD_PRELOAD to

Re: System call hooking in 2.6 kernel..

2008-11-10 Thread Pranav Peshwe
On Mon, Nov 10, 2008 at 2:36 PM, ashish mahamuni [EMAIL PROTECTED]wrote: Hello All, I am trying to write a module which will log the user who deleted the file... So, I am thinking of hooking the unlink system call... Which is the best way to achieve this? Is it possible in 2.6 kernel? Hi

Re: System call hooking in 2.6 kernel..

2008-11-10 Thread Matthias Kaehlcke
On Mon, Nov 10, 2008 at 12:03:27PM +0100 [EMAIL PROTECTED] said: Which is the best way to achieve this? Is it possible in 2.6 kernel? You might generally want to patch the kernel, because the syscall table is not exported in 2.6 and access to it through a module becomes more complicated from

Re: System call hooking in 2.6 kernel..

2008-11-10 Thread Peter Teoh
On Mon, Nov 10, 2008 at 8:51 PM, [EMAIL PROTECTED] wrote: Oh, I forgot - you can take (copy+paste maybe) the location of all the calls from the System.map file for your kernel - it is available with the majority of distributions and at any custom compilation. You'll find howtos on the net. The code I

Re: System call hooking in 2.6 kernel..

2008-11-10 Thread Peter Teoh
On Mon, Nov 10, 2008 at 5:06 PM, ashish mahamuni [EMAIL PROTECTED] wrote: Hello All, I am trying to write a module which will log the user who deleted the file... So, I am thinking of hooking the unlink system call... Which is the best way to achieve this? Is it possible in 2.6 kernel? How

Re: System call hooking in 2.6 kernel..

2008-11-10 Thread lech
Oh, I forgot - you can take (copy+paste maybe) the location of all the calls from the System.map file for your kernel - it is available with the majority of distributions and at any custom compilation. You'll find howtos on the net. The code I mentioned in my previous post follows the IDT handler for int 0x80 to

Re: System call hooking in 2.6 kernel..

2008-11-10 Thread Matthias Kaehlcke
On Mon, Nov 10, 2008 at 11:16:06PM +0800 Peter Teoh said: On Mon, Nov 10, 2008 at 5:06 PM, ashish mahamuni [EMAIL PROTECTED] wrote: Hello All, I am trying to write a module which will log the user who deleted the file... So, I am thinking of hooking the unlink system call... Which

Re: System call hooking in 2.6 kernel..

2008-11-10 Thread ashish mahamuni
or process deleted. Because ultimately it'll call the unlink sys call.. Regards Ashish --- On Mon, 10/11/08, Henrik Austad [EMAIL PROTECTED] wrote: From: Henrik Austad [EMAIL PROTECTED] Subject: Re: System call hooking in 2.6 kernel.. To: [EMAIL PROTECTED] Date: Monday, 10 November, 2008, 3:43 PM

Re: System call hooking in 2.6 kernel..

2008-11-10 Thread Henrik Austad
On Monday 10 November 2008 11:28:41 ashish mahamuni wrote: Hello Henrik, I came across a method on Google. this is where you provide the URL for the howto :-) They've shown the way something like this: The easiest way is to modify in kernel mode the system call table, where all

Re: System call hooking in 2.6 kernel..

2008-11-10 Thread lech
Hi Which is the best way to achieve this? Is it possible in 2.6 kernel? You might generally want to patch the kernel, because the syscall table is not exported in 2.6 and access to it through a module becomes more complicated from version to version. Possibly someone from the group would suggest a

Re: System call hooking in 2.6 kernel..

2008-11-10 Thread Fernando Apesteguía
On 11/10/08, ashish mahamuni [EMAIL PROTECTED] wrote: Hello All, I am trying to write a module which will log the user who deleted the file... So, I am thinking of hooking the unlink system call... Which is the best way to achieve this? Is it possible in 2.6 kernel? You can use this ugly

Re: System call hooking in 2.6 kernel..

2008-11-10 Thread lech

Re: System call hooking in 2.6 kernel..

2008-11-10 Thread Peter Teoh
On Tue, Nov 11, 2008 at 5:24 AM, [EMAIL PROTECTED] wrote: there are only 4 debug registers available, whereas kprobes allow an (almost) limitless number of probe points. Well yes - but if you want to trace syscalls you can just set the trap for the call gate. yes, of course, since all