Linux system calls

Source: Internet
Author: User

Linux Kernel Module Programming Guide


So, if we want to change the way a certain system call works, what we need to do is write our own function to implement it (usually by adding a bit of our own code and then calling the original function), and then change the pointer in sys_call_table to point to our function. Because our module might be removed later, and we do not want to leave the system in an unstable state, it is important that cleanup_module restore the table to its original state.

The source code below is an example of such a kernel module. We want to "spy" on a certain user and printk() a message whenever that user opens a file. To achieve this, we replace the system call that opens a file with our own function, called our_sys_open. This function checks the UID (user ID) of the current process, and if it equals the UID we are spying on, it calls printk() to display the name of the file being opened. Then, either way

Note that all the related problems make system call stealing unfeasible for production use. In order to keep people from doing potentially harmful things, sys_call_table is no longer exported. This means that if you want to do anything more than a dry run of this example, you will have to patch your kernel so that sys_call_table is exported. In the example directory you will find a README and the patch. As you can imagine, such modifications are not to be taken lightly. Do not try this on valuable systems (i.e. systems you do not own, or cannot restore easily). You will need to get the complete source code of this guide as a tarball in order to get the patch and the README. Depending on your kernel version, you may even need to apply the patch by hand. Still here? Well, so is this chapter. If Wile E. Coyote were a kernel hacker, this would be the first thing he'd try.

```c
/*
 *  syscall.c
 *
 *  System call "stealing" sample.
 */

/*
 * Copyright (C) 2001 by Peter Jay Salzman
 */

/*
 * The necessary header files
 */

/*
 * Standard in kernel modules
 */
#include <linux/kernel.h>      /* We're doing kernel work */
#include <linux/module.h>      /* Specifically, a module, */
#include <linux/moduleparam.h> /* which will have params */
#include <linux/unistd.h>      /* The list of system calls */

/*
 * For the current (process) structure, we need
 * this to know who the current user is.
 */
#include <linux/sched.h>
#include <asm/uaccess.h>

/*
 * The system call table (a table of functions). We
 * just define this as external, and the kernel will
 * fill it up for us when we are insmod'ed.
 *
 * sys_call_table is no longer exported in 2.6.x kernels.
 * If you really want to try this DANGEROUS module, you will
 * have to apply the supplied patch against your current kernel
 * and recompile it.
 */
extern void *sys_call_table[];

/*
 * UID we want to spy on - will be filled from the
 * command line
 */
static int uid;
module_param(uid, int, 0644);

/*
 * A pointer to the original system call. The reason
 * we keep this, rather than call the original function
 * (sys_open), is because somebody else might have
 * replaced the system call before us. Note that this
 * is not 100% safe, because if another module
 * replaced sys_open before us, then when we're inserted
 * we'll call the function in that module - and it
 * might be removed before we are.
 *
 * Another reason for this is that we can't get sys_open.
 * It's a static variable, so it is not exported.
 */
asmlinkage int (*original_call) (const char *, int, int);

/*
 * The function we'll replace sys_open (the function
 * called when you call the open system call) with. To
 * find the exact prototype, with the number and type
 * of arguments, we find the original function first
 * (it's at fs/open.c).
 *
 * In theory, this means that we're tied to the
 * current version of the kernel. In practice, the
 * system calls almost never change (it would wreak havoc
 * and require programs to be recompiled, since the system
 * calls are the interface between the kernel and the
 * processes).
 */
asmlinkage int our_sys_open(const char *filename, int flags, int mode)
{
	int i = 0;
	char ch;

	/*
	 * Check if this is the user we're spying on
	 */
	if (uid == current->uid) {
		/*
		 * Report the file, if relevant
		 */
		printk("Opened file by %d: ", uid);
		do {
			get_user(ch, filename + i);
			i++;
			printk("%c", ch);
		} while (ch != 0);
		printk("\n");
	}

	/*
	 * Call the original sys_open - otherwise, we lose
	 * the ability to open files
	 */
	return original_call(filename, flags, mode);
}

/*
 * Initialize the module - replace the system call
 */
int init_module()
{
	/*
	 * Warning - too late for it now, but maybe for
	 * next time...
	 */
	printk(KERN_ALERT "I'm dangerous. I hope you did a ");
	printk(KERN_ALERT "sync before you insmod'ed me.\n");
	printk(KERN_ALERT "My counterpart, cleanup_module(), is even ");
	printk(KERN_ALERT "more dangerous. If\n");
	printk(KERN_ALERT "you value your file system, it will ");
	printk(KERN_ALERT "be \"sync; rmmod\" \n");
	printk(KERN_ALERT "when you remove this module.\n");

	/*
	 * Keep a pointer to the original function in
	 * original_call, and then replace the system call
	 * in the system call table with our_sys_open
	 */
	original_call = sys_call_table[__NR_open];
	sys_call_table[__NR_open] = our_sys_open;

	/*
	 * To get the address of the function for system
	 * call foo, go to sys_call_table[__NR_foo].
	 */

	printk(KERN_INFO "Spying on UID:%d\n", uid);

	return 0;
}

/*
 * Cleanup - put the original system call back
 */
void cleanup_module()
{
	/*
	 * Return the system call back to normal
	 */
	if (sys_call_table[__NR_open] != our_sys_open) {
		printk(KERN_ALERT "Somebody else also played with the ");
		printk(KERN_ALERT "open system call\n");
		printk(KERN_ALERT "The system may be left in ");
		printk(KERN_ALERT "an unstable state.\n");
	}

	sys_call_table[__NR_open] = original_call;
}
```
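The cleanup_module check above only notices a second module that overwrote the same slot; the integrity check below, an added example that is not part of the guide, looks at a dump of sys_call_table the way a defender would and flags any entry that does not resolve to core-kernel text (a hook such as our_sys_open lives in module memory). The kallsyms-style listing, the addresses and the module name "syscall" are all constructed for this example; on a real system the table dump would come from a debugger or a trusted kernel-side helper.

```c
/* Added example (not LKMPG code): flag sys_call_table entries that do not
 * resolve to core-kernel text. A hook such as our_sys_open lives in module
 * memory, so in a kallsyms-style listing its address either carries a module
 * name or matches no symbol at all. All inputs below are constructed. */
#include <stdio.h>
#include <stddef.h>

struct sym   { unsigned long long addr; char type; const char *name; const char *module; };
struct entry { int nr; const char *name; unsigned long long addr; };
#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))

/* Constructed kallsyms-style snapshot; the module name "syscall" is hypothetical. */
static const struct sym kallsyms[] = {
    { 0xffffffff81200000ULL, 'T', "sys_read",     NULL      },
    { 0xffffffff81200100ULL, 'T', "sys_write",    NULL      },
    { 0xffffffff81200200ULL, 'T', "sys_open",     NULL      },
    { 0xffffffffa0001000ULL, 't', "our_sys_open", "syscall" },
};

/* Constructed dump of three table entries; the __NR_open slot has been redirected. */
static const struct entry table[] = {
    { 0, "read",  0xffffffff81200000ULL },
    { 1, "write", 0xffffffff81200100ULL },
    { 2, "open",  0xffffffffa0001000ULL },
};

/* 1 if addr is not a core-kernel text symbol (module symbol or unknown address). */
int entry_is_hooked(unsigned long long addr, const struct sym *syms, size_t nsyms)
{
    for (size_t i = 0; i < nsyms; i++) {
        if (syms[i].addr != addr)
            continue;
        if (syms[i].module != NULL)
            return 1;                    /* resolves into a loaded module */
        return !(syms[i].type == 'T' || syms[i].type == 't');
    }
    return 1;                            /* no symbol covers this address */
}

/* Reports every suspicious entry and returns how many were found. */
int count_hooked(const struct entry *t, size_t n, const struct sym *syms, size_t nsyms)
{
    int hooked = 0;
    for (size_t i = 0; i < n; i++)
        if (entry_is_hooked(t[i].addr, syms, nsyms)) {
            printf("sys_call_table[%d] (%s) -> %#llx is not core kernel text\n",
                   t[i].nr, t[i].name, t[i].addr);
            hooked++;
        }
    return hooked;
}
```

With the constructed data, count_hooked(table, 3, kallsyms, 4) reports only the redirected open slot; a legitimate table yields zero findings.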


