拦截系统调用，请教：）

tomorrowmine

用模块修改系统调用表，拦截fork和execve调用，加了些自己的代码，然后继续原调用，模块加载后总是段错，不知何故，请弄过的大虾指教，感激，感激：）

Dragonfly

segment fault is a general error. so from your description, nobody can know what error u meet. why u need modify the system call table, u can modify the sys_fork and sys_execve. that is much easier.
can u post u code? what code u use to modify the system call table?

tomorrowmine

检查过了，拦截的fork没问题，就是execve时候出的问题

代码很简单，想统计一段时间执行fork和execve的次数：

asmlinkage int count_fork(struct pt_regs regs)
{
        int result;
       
        printk("in System call fork! \n");
        fork_count++;
        result = orig_fork(regs);
        return result;
}

asmlinkage int count_execve(struct pt_regs regs)
{
        int result = 0;

        printk("in System call execve! \n");
        execve_count++;
                result = orig_execve(regs);
        return result;
}

int init_module(void)  
{
        fork_count = 0;
        execve_count = 0;
       
        orig_fork=sys_call_table[SYS_fork];
        orig_execve=sys_call_table[SYS_execve];
       
        sys_call_table[SYS_fork]=count_fork;
        sys_call_table[SYS_execve]=count_execve;
        return 0;
}

void cleanup_module(void)
{
        sys_call_table[SYS_fork]=orig_fork;
        sys_call_table[SYS_execve]=orig_execve;
        printk("fork %d times    execve %d times \n",fork_count,execve_count);
}

Dragonfly

can u disable the printk in count_xxx and try again?
and for xx_count, u can use atomic_t instead of unsigned long (i guess)?

can u write u code as
asmlinkage int count_execve(..)
{
int res = orig_execve(regs);
atomic_inc(&execve_count++);
return res
}
and try again?

u also can see LTT to see how it patch and count system events.

keenor

[quote:02d6886bd2="cheungming"]segment fault is a general error. so from your description, nobody can know what error u meet. why u need modify the system call table, u can modify the sys_fork and sys_execve. that is much easier.
can u post u code? what code u use to modify the system call table?[/quote]

您所说的 modify the sys_fork and sys_execve 的方法具体怎么做？是通过System.map得到这两个函数的地址然后在模块里面修改吗？

Dragonfly

i think u can modify the kernel code directly. add a small patch to system is not difficult. i guess that you can not safely do this in module. many be u need add some kernel lock code before change the system call table like tomorrowmine did.
sorry that i do not have time to try it, i am busy healing my own pain.

keenor

谢谢
我懂了

Dragonfly

welcome. i do not think directly modify the system call table is a good idea is because that table should be protected by some locks otherwise what happen when u modify it and at the same time system access it? if this is not an issue. then i think his problem is because the printk. printk can not be safely used all the time.