OOPS: how to hook system_call_table in redhat es5.1 on x86_64 platform - Kernel


  1. OOPS: how to hook system_call_table in redhat es5.1 on x86_64 platform

    Hi,

    As you know, the Linux kernel (>2.6.18) sets some pages read-only, so we
    cannot hook system_call_table directly like before. The new source code
    on i386 is

    #ifdef CONFIG_DEBUG_RODATA
    // fix kernel perms
    change_page_attr(virt_to_page(syscall_table), 1, PAGE_KERNEL);
    global_flush_tlb();
    #endif

    // hook syscall_table, change some system call to your function
    syscall_table[__NR_open] = my_sys_open;

    #ifdef CONFIG_DEBUG_RODATA
    // fix kernel perms
    change_page_attr(virt_to_page(syscall_table), 1, PAGE_KERNEL_RO);
    global_flush_tlb();
    #endif

    But when I use the source code above on redhat es5.1 on x86_64, it
    crashes Linux. Who can help me hook system_call_table in
    redhat es5.1 on the x86_64 platform?

    Thanks
    Gang
    --
    To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
    the body of a message to majordomo@vger.kernel.org
    More majordomo info at http://vger.kernel.org/majordomo-info.html
    Please read the FAQ at http://www.tux.org/lkml/

  2. Re: OOPS: how to hook system_call_table in redhat es5.1 on x86_64 platform

    On Sun, 2 Mar 2008 09:40:14 +0800
    "Gang He" wrote:

    > Hi,
    >
    > As you know, the Linux kernel (>2.6.18) sets some pages read-only, so we
    > cannot hook system_call_table directly like before. The new source code
    > on i386 is
    >


    Hi,

    2 items:
    1) lkml is not a tutorial list for how to write rootkits
    2) you forgot to point to your full source code; hooking the system call table
    is the wrong thing to do, but by not mentioning your (GPL) source code you
    don't give us the option to give you suggestions on how to achieve what you
    want.

    I would suggest you come back to this mailing list with more context on what you
    are trying to achieve including a pointer to the source code.


    --
    If you want to reach me at my work email, use arjan@linux.intel.com
    For development, discussion and tips for power savings,
    visit http://www.lesswatts.org