Intercepting sys_exit() in 2.4 Kernels

The 2.4 kernels export the sys_call_table symbol. Many people still use the 2.4 kernels, so this section quickly shows you how to write an LKM for the 2.4 kernel to intercept sys_exit(). This example is very simple and straightforward, and once you understand how intercept_exit.c works, you'll be able to port the other examples in this chapter to 2.4 kernels.
Warning

The 2.4 kernels distributed by Red Hat are back-ported and do not export sys_call_table. In this case, use the techniques presented in the earlier sections to grab sys_call_table by brute force or by using System.map.
The intercept_exit module intercepts sys_exit() and prints the value of error_code passed to sys_exit() onto the console. The init_module() function is called when the LKM is loaded. This function stores a reference to the original sys_exit() call, and it points sys_call_table[__NR_exit] to our_fake_exit_function:

    /* save the original handler, then redirect the table slot to ours */
    original_sys_exit = sys_call_table[__NR_exit];
    sys_call_table[__NR_exit] = our_fake_exit_function;

The our_fake_exit_function() call prints the value of error_code and then calls the original sys_exit():

    /* same calling convention as the real sys_exit(): one int argument */
    asmlinkage int our_fake_exit_function(int error_code)
    {
        printk("HEY! sys_exit called with error_code=%d\n", error_code);
        /* pass control through so the process still exits normally */
        return original_sys_exit(error_code);
    }

The LKM restores sys_call_table[__NR_exit] to point to original_sys_exit when it is unloaded:

    /* cleanup_module(): put the original entry back */
    sys_call_table[__NR_exit] = original_sys_exit;
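The save/replace/restore pattern above only makes sense inside a kernel module, which you cannot run from a shell to study. The following is an added example, not the book's intercept_exit.c: a user-space C simulation of the same mechanism, with a function-pointer table standing in for sys_call_table, a fake handler that logs and then calls through to the original, and the check a host-integrity tool would run to notice that a table entry no longer matches a trusted snapshot (the kind of baseline you would derive from System.map). Every name in it (sim_sys_call_table, SIM_NR_EXIT, sim_boot, hook_exit, unhook_exit, find_hooked_entry, and so on) is constructed for the simulation and is not a kernel symbol.

```c
/* Added example, not the book's code: user-space simulation of hooking and
 * restoring an entry in a syscall-style function-pointer table, plus the
 * defender-side integrity check. All identifiers are constructed. */
#include <stdio.h>
#include <string.h>

#define SIM_NR_SYSCALLS 4
#define SIM_NR_EXIT     1   /* stand-in for __NR_exit; index chosen arbitrarily */

typedef int (*syscall_fn)(int);

/* Stand-in for the kernel's exported sys_call_table. */
static syscall_fn sim_sys_call_table[SIM_NR_SYSCALLS];

/* Known-good snapshot taken before any module loads: what an integrity
 * checker keeps so it can compare the live table against a trusted baseline. */
static syscall_fn trusted_table[SIM_NR_SYSCALLS];

static int last_intercepted_code = -1;   /* what the fake handler observed */

/* Stand-in for the real sys_exit(): here it just echoes its argument so a
 * caller can confirm that control reached the original handler. */
static int sim_sys_exit(int error_code) { return error_code; }

static int sim_sys_noop(int arg) { (void)arg; return 0; }

/* Saved pointer to the original handler, like the book's original_sys_exit. */
static syscall_fn original_sys_exit;

/* Equivalent of our_fake_exit_function(): record and log, then call through. */
static int our_fake_exit_function(int error_code)
{
    last_intercepted_code = error_code;
    printf("HEY! sys_exit called with error_code=%d\n", error_code);
    return original_sys_exit(error_code);
}

/* "Boot": populate the table and take the trusted snapshot. */
void sim_boot(void)
{
    for (int i = 0; i < SIM_NR_SYSCALLS; i++)
        sim_sys_call_table[i] = sim_sys_noop;
    sim_sys_call_table[SIM_NR_EXIT] = sim_sys_exit;
    memcpy(trusted_table, sim_sys_call_table, sizeof trusted_table);
    last_intercepted_code = -1;
}

/* What init_module() does: save the original entry, then overwrite it. */
void hook_exit(void)
{
    original_sys_exit = sim_sys_call_table[SIM_NR_EXIT];
    sim_sys_call_table[SIM_NR_EXIT] = our_fake_exit_function;
}

/* What cleanup_module() does: put the original entry back. */
void unhook_exit(void)
{
    sim_sys_call_table[SIM_NR_EXIT] = original_sys_exit;
}

/* Simulated dispatch into the table, like the kernel's syscall entry path. */
int sim_syscall(int nr, int arg)
{
    return sim_sys_call_table[nr](arg);
}

int last_intercepted(void) { return last_intercepted_code; }

/* Defender's check: index of the first entry that differs from the trusted
 * snapshot, or -1 if the table is intact. */
int find_hooked_entry(void)
{
    for (int i = 0; i < SIM_NR_SYSCALLS; i++)
        if (sim_sys_call_table[i] != trusted_table[i])
            return i;
    return -1;
}

int main(void)
{
    sim_boot();
    printf("intact before load: %d\n", find_hooked_entry());   /* -1 */
    hook_exit();
    sim_syscall(SIM_NR_EXIT, 3);                               /* logs HEY! ... */
    printf("hooked entry: %d\n", find_hooked_entry());         /* 1 */
    unhook_exit();
    printf("intact after unload: %d\n", find_hooked_entry());  /* -1 */
    return 0;
}
```

The integrity check is the point to take away as a defender: a hook of this kind leaves the table entry pointing at module memory instead of the kernel's own text, so a periodic comparison of sys_call_table against a baseline recorded from System.map (or a known-good boot) exposes it, and the same comparison confirms that a well-behaved module restored the entry when it was unloaded.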
intercept_exit.c
Following is the full source code of our ...