Unix Hosting News & Commentary

I have found four ways to handle a system call on Linux systems with your own custom function (a few of them also work on Unix systems):

Hooking with system call table modification

This means replacing the pointer to the main system call handler in the system call table with a pointer to your function:

extern void *sys_call_table[];

You need to do it in kernel mode, so you need to develop a kernel module. Note that developing a kernel module is not difficult.

Also, as of kernel version 2.6 the position of the system call table is unknown. You can search for it in memory by looking for an expected pattern.

Modification of the kernel code

Simply modify the system call handler function in the kernel source code and rebuild the kernel ;).

Using ptrace system call

It provides a means by which a parent process may observe and control the execution of another process, and examine and change its core image and registers. It is primarily used to implement breakpoint debugging and system call tracing.

See man 2 ptrace.

Wrapping system shared library function

This works only for programs that use the libc shared library. In most cases that is good enough. Here is an example, libsyscallhack.c, that wraps the creat function:

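/* RTLD_NEXT is a GNU extension in glibc; _GNU_SOURCE must come before any include */
#define _GNU_SOURCE
#include <sys/types.h>
#include <sys/stat.h>

#include <stdio.h>
#include <stdarg.h>
#include <fcntl.h>
#include <errno.h>
#include <dlfcn.h>

/* Pointer to the real creat from libc, resolved on first use */
int (*real_creat)(const char *, mode_t) = NULL;

/* Same name and signature as libc's creat, so calls resolve to this wrapper first */
int creat(const char *pathname, mode_t mode)
{
  /* Look up the next definition of creat after this library (the libc one) */
  if (!real_creat)
    real_creat = (int (*)(const char *, mode_t))dlsym(RTLD_NEXT, "creat");

  /* Fail cleanly instead of calling a NULL pointer if the lookup failed */
  if (!real_creat) {
    errno = ENOSYS;
    return -1;
  }

  fprintf(stderr, "System call creat\n");

  return real_creat(pathname, mode);
}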

When building on Linux, add -ldl to the linker command. On Unix it is not needed.

cc -shared -fPIC -o libsyscallhack.so libsyscallhack.c -ldl

To make your library wrap the real creat function, set this environment variable on Linux:

export

Or on Unix:

export

Now you can run any application and all calls to the creat function will be handled by your custom function.
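Because a preloaded wrapper sees every creat call in the processes that inherit the variable, it is useful to be able to check which processes were started with one. The following C program is an added example, not code from the original post: it assumes the wrapper is loaded through the dynamic linker's LD_PRELOAD variable (the export lines above are cut off) and parses an environment block in the /proc/<pid>/environ layout. The names preload_entries and SAMPLE_ENV and the sample paths are made up for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample: an environment block laid out like /proc/<pid>/environ
 * (NUL-separated VAR=value strings). The paths are made up for the example. */
static const char SAMPLE_ENV[] =
    "PATH=/usr/bin\0LD_PRELOAD=/tmp/libsyscallhack.so:/opt/demo/libother.so\0HOME=/root";

/* Find LD_PRELOAD in a NUL-separated environment block, copy its value to
 * out, and return how many libraries it lists (separated by ':' or ' ').
 * Returns 0 when the variable is absent or empty. */
int preload_entries(const char *env, size_t len, char *out, size_t outlen)
{
    static const char key[] = "LD_PRELOAD=";
    const size_t klen = sizeof(key) - 1;
    size_t pos = 0;
    if (outlen) out[0] = '\0';
    while (pos < len) {
        const char *nul = memchr(env + pos, '\0', len - pos);
        size_t n = nul ? (size_t)(nul - (env + pos)) : len - pos;
        if (n > klen && memcmp(env + pos, key, klen) == 0) {
            const char *val = env + pos + klen;
            int count = 0, in_item = 0;
            for (size_t i = 0; i < n - klen; i++) {
                int sep = (val[i] == ':' || val[i] == ' ');
                if (!sep && !in_item) count++;   /* first char of a new entry */
                in_item = !sep;
            }
            snprintf(out, outlen, "%.*s", (int)(n - klen), val);
            return count;
        }
        pos += n + 1;                            /* step over the NUL */
    }
    return 0;
}

int main(int argc, char **argv)
{
    static char buf[65536];
    char libs[4096];
    const char *env = SAMPLE_ENV;                /* no argument: use the sample */
    size_t len = sizeof(SAMPLE_ENV);
    FILE *f = argc > 1 ? fopen(argv[1], "rb") : NULL;  /* e.g. /proc/1234/environ */
    if (f) { len = fread(buf, 1, sizeof(buf), f); fclose(f); env = buf; }
    else if (argc > 1) { perror(argv[1]); return 2; }
    int n = preload_entries(env, len, libs, sizeof(libs));
    printf("%d preloaded: %s\n", n, libs);
    return n ? 1 : 0;
}
```

/proc/<pid>/environ shows the environment the process was started with, and a system-wide /etc/ld.so.preload entry does not appear there, so check that file separately.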
