QQ登录

只需一步,快速开始

 找回密码
 注册

QQ登录

只需一步,快速开始

查看: 1758|回复: 7

拦截系统调用,请教:)

[复制链接]
发表于 2003-4-7 10:33:55 | 显示全部楼层 |阅读模式
用模块修改系统调用表,拦截fork和execve调用,加了些自己的代码,然后继续原调用,模块加载后总是段错,不知何故,请弄过的大虾指教,感激,感激:)
发表于 2003-4-7 10:48:15 | 显示全部楼层
segment fault is a general error. so from your description, nobody can know what error u meet. why u need modify the system call table, u can modify the sys_fork and sys_execve. that is much easier.
can u post u code? what code u use to modify the system call table?
回复

使用道具 举报

 楼主| 发表于 2003-4-7 11:23:06 | 显示全部楼层
检查过了,拦截的fork没问题,就是execve时候出的问题

代码很简单,想统计一段时间执行fork和execve的次数:

asmlinkage int count_fork(struct pt_regs regs)
{
        int result;
       
        printk("in System call fork! \n");
        fork_count++;
        result = orig_fork(regs);
        return result;
}

asmlinkage int count_execve(struct pt_regs regs)
{
        int result = 0;

        printk("in System call execve! \n");
        execve_count++;
                result = orig_execve(regs);
        return result;
}

int init_module(void)  
{
        fork_count = 0;
        execve_count = 0;
       
        orig_fork=sys_call_table[SYS_fork];
        orig_execve=sys_call_table[SYS_execve];
       
        sys_call_table[SYS_fork]=count_fork;
        sys_call_table[SYS_execve]=count_execve;
        return 0;
}

void cleanup_module(void)
{
        sys_call_table[SYS_fork]=orig_fork;
        sys_call_table[SYS_execve]=orig_execve;
        printk("fork %d times    execve %d times \n",fork_count,execve_count);
}
回复

使用道具 举报

发表于 2003-4-7 21:44:46 | 显示全部楼层
can u disable the printk in count_xxx and try again?
and for xx_count, u can use atomic_t instead of unsigned long (i guess)?

can u write u code as
asmlinkage int count_execve(..)
{
int res = orig_execve(regs);
atomic_inc(&execve_count++);
return res
}
and try again?

u also can see LTT to see how it patch and count system events.
回复

使用道具 举报

发表于 2003-4-22 03:14:35 | 显示全部楼层
[quote:02d6886bd2="cheungming"]segment fault is a general error. so from your description, nobody can know what error u meet. why u need modify the system call table, u can modify the sys_fork and sys_execve. that is much easier.
can u post u code? what code u use to modify the system call table?[/quote]

您所说的 modify the sys_fork and sys_execve 的方法具体怎么做?是通过System.map得到这两个函数的地址然后在模块里面修改吗?
回复

使用道具 举报

发表于 2003-4-22 04:36:11 | 显示全部楼层
i think u can modify the kernel code directly. add a small patch to system is not difficult. i guess that you can not safely do this in module. many be u need add some kernel lock code before change the system call table like tomorrowmine did.
sorry that i do not have time to try it, i am busy healing my own pain.
回复

使用道具 举报

发表于 2003-4-22 10:36:07 | 显示全部楼层
谢谢
我懂了
回复

使用道具 举报

发表于 2003-4-22 10:39:25 | 显示全部楼层
welcome. i do not think directly modify the system call table is a good idea is because that table should be protected by some locks otherwise what happen when u modify it and at the same time system access it? if this is not an issue. then i think his problem is because the printk. printk can not be safely used all the time.
回复

使用道具 举报

您需要登录后才可以回帖 登录 | 注册

本版积分规则

GMT+8, 2024-11-29 01:06 , Processed in 0.122914 second(s), 16 queries .

© 2021 Powered by Discuz! X3.5.

快速回复 返回顶部 返回列表