tomorrowmine posted on 2003-4-7 10:33:55

Intercepting system calls, asking for advice :)

I use a module to modify the system call table and intercept the fork and execve calls, add some code of my own, and then continue with the original call. After the module is loaded it always segfaults and I don't know why. Could someone who has done this please advise? Much appreciated :) :roll:

Dragonfly posted on 2003-4-7 10:48:15

segment fault is a general error. so from your description, nobody can know what error u meet. why u need modify the system call table, u can modify the sys_fork and sys_execve. that is much easier.
can u post u code? what code u use to modify the system call table?

tomorrowmine posted on 2003-4-7 11:23:06

I checked: the intercepted fork is fine; the problem only shows up on execve.

The code is very simple; I want to count how many times fork and execve are executed over a period of time:

#include <linux/kernel.h>
#include <linux/module.h>
#include <asm/unistd.h>
#include <asm/ptrace.h>

/* 2.4-era x86 kernel: the syscall table is an array of handler pointers */
extern void *sys_call_table[];

static unsigned long fork_count;
static unsigned long execve_count;

/* saved original handlers; on x86 sys_fork/sys_execve take pt_regs by value */
static asmlinkage int (*orig_fork)(struct pt_regs regs);
static asmlinkage int (*orig_execve)(struct pt_regs regs);

asmlinkage int count_fork(struct pt_regs regs)
{
        int result;

        printk("in System call fork! \n");
        fork_count++;
        result = orig_fork(regs);
        return result;
}

asmlinkage int count_execve(struct pt_regs regs)
{
        int result = 0;

        printk("in System call execve! \n");
        execve_count++;
        result = orig_execve(regs);
        return result;
}

int init_module(void)
{
        fork_count = 0;
        execve_count = 0;

        /* save the original entries, then point them at the counting wrappers */
        orig_fork = sys_call_table[__NR_fork];
        orig_execve = sys_call_table[__NR_execve];

        sys_call_table[__NR_fork] = count_fork;
        sys_call_table[__NR_execve] = count_execve;
        return 0;
}

void cleanup_module(void)
{
        /* restore the original entries before the module text goes away */
        sys_call_table[__NR_fork] = orig_fork;
        sys_call_table[__NR_execve] = orig_execve;
        printk("fork %lu times    execve %lu times \n", fork_count, execve_count);
}

Dragonfly posted on 2003-4-7 21:44:46

can u disable the printk in count_xxx and try again?
and for xx_count, u can use atomic_t instead of unsigned long (i guess)?

can u write u code as
asmlinkage int count_execve(struct pt_regs regs)
{
        int res = orig_execve(regs);
        atomic_inc(&execve_count);   /* execve_count declared as atomic_t */
        return res;
}
and try again?

u also can see LTT to see how it patch and count system events.
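The atomic_t suggestion above matters because on an SMP machine two CPUs can be inside the hooked syscall at the same time, and a plain `count++` is a load/add/store sequence that can lose increments. The following user-space C program is an added illustration and is not code from this thread: it models the two counters with threads (the hypothetical `worker`, `run_counters` and `atomic_count_is_exact` are assumptions for the demo), using a plain `unsigned long` like tomorrowmine's `execve_count` next to a C11 atomic standing in for the kernel's `atomic_t`/`atomic_inc()`.

```c
#include <pthread.h>
#include <stdatomic.h>
#include <stdio.h>

/* Constructed workload: NTHREADS threads each "enter the syscall" ITERS
 * times and bump both counters.  The exact total is NTHREADS * ITERS. */
#define NTHREADS 8
#define ITERS 200000UL

static volatile unsigned long plain_count;   /* volatile does NOT make ++ atomic */
static atomic_ulong atomic_count;            /* stands in for atomic_t */

static void *worker(void *arg)
{
    (void)arg;
    for (unsigned long i = 0; i < ITERS; i++) {
        plain_count++;                                   /* load, add, store: updates can be lost */
        atomic_fetch_add_explicit(&atomic_count, 1,      /* like atomic_inc(): one indivisible RMW */
                                  memory_order_relaxed);
    }
    return NULL;
}

/* Runs the workload; returns 0 and stores both final totals, -1 on thread error. */
int run_counters(unsigned long *plain_out, unsigned long *atomic_out)
{
    pthread_t th[NTHREADS];
    plain_count = 0;
    atomic_store(&atomic_count, 0);
    for (int i = 0; i < NTHREADS; i++)
        if (pthread_create(&th[i], NULL, worker, NULL) != 0)
            return -1;
    for (int i = 0; i < NTHREADS; i++)
        pthread_join(th[i], NULL);
    *plain_out = plain_count;
    *atomic_out = atomic_load(&atomic_count);
    return 0;
}

/* 1 if the atomic counter reached the exact total, 0 otherwise. */
int atomic_count_is_exact(void)
{
    unsigned long p, a;
    if (run_counters(&p, &a) != 0)
        return 0;
    return a == (unsigned long)NTHREADS * ITERS;
}

int main(void)
{
    unsigned long p, a;
    if (run_counters(&p, &a) != 0)
        return 1;
    printf("expected %lu: plain=%lu atomic=%lu\n",
           (unsigned long)NTHREADS * ITERS, p, a);
    return 0;
}
```

On a multi-core box the plain counter typically comes out below the expected total while the atomic one is exact; on a single core the plain counter may happen to be right, which is exactly why a counter that "works on my machine" still needs atomic_t inside a hook that runs on every CPU.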

keenor posted on 2003-4-22 03:14:35

segment fault is a general error. so from your description, nobody can know what error u meet. why u need modify the system call table, u can modify the sys_fork and sys_execve. that is much easier.
can u post u code? what code u use to modify the system call table?

How exactly is the "modify the sys_fork and sys_execve" method you mention done? Do you get the addresses of these two functions from System.map and then modify them inside the module?

Dragonfly posted on 2003-4-22 04:36:11

i think u can modify the kernel code directly. add a small patch to system is not difficult. i guess that you can not safely do this in module. maybe u need add some kernel lock code before change the system call table like tomorrowmine did.
sorry that i do not have time to try it, i am busy healing my own pain.

keenor posted on 2003-4-22 10:36:07

Thanks.
I understand now.

Dragonfly posted on 2003-4-22 10:39:25

welcome. i do not think directly modifying the system call table is a good idea because that table should be protected by some locks, otherwise what happens when u modify it and at the same time the system accesses it? if this is not an issue, then i think his problem is because of the printk. printk can not be safely used all the time.