The goal is to add a hook to all system calls in Linux, that is, the hook function should get called before any of those 300 Linux system calls are invoked.
There are sys_call_table hacks (e.g. [here]), which however only allow hooking one or a few system calls; that is, if read() needs to be hijacked, the sys_read entry in sys_call_table is modified to point to the new function that has a hook handler.
Of course, you can manually hook all 300 syscall entries; but I am looking for a more elegant approach with fewer code modifications.
A possible approach is to change the file entry_64.S where ENTRY(system_call) resides. However, as I need to use a Linux kernel module and hack a live system, I find it difficult to modify the memory image of entry_64.S in a running Linux system.
So my question is:
- if the entry_64.S design makes sense, how to modify a live memory area where kernel code resides (kernel code segment)?
- if it does not make sense, in general, how to modify one (or a few) places in the Linux source code to allow all syscalls to be hooked.
PS: platform: Linux 3.16 and x86_64
PS2: Again, my question is DIFFERENT from the sys_call_table hacks in prior Stack Overflow questions. See paragraph 2 for details.
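As an added example that is not part of the question: a user-space way to get "one hook before every system call" for a single traced process, using ptrace(PTRACE_SYSCALL), the mechanism strace relies on, instead of patching sys_call_table or entry_64.S in a live kernel. It is x86_64-specific (orig_rax holds the syscall number, rax is -ENOSYS at the entry stop) and sees only the traced child, not the whole system. The pre_syscall_hook name and its counting behaviour are assumptions for illustration, and the program traces /bin/true, so it needs a Linux host where ptrace is permitted.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <signal.h>
#include <unistd.h>
#include <sys/ptrace.h>
#include <sys/user.h>
#include <sys/wait.h>

/* Hypothetical hook, called once per system call before it executes. */
static void pre_syscall_hook(long nr, int *counter) {
    (void)nr;            /* a monitor would log or filter on nr here */
    (*counter)++;
}

/* Trace `path` with PTRACE_SYSCALL and run pre_syscall_hook at each
 * syscall-entry stop. Returns entries seen, or -1 if tracing failed. */
int count_child_syscalls(const char *path) {
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {                       /* child: be traced, then exec */
        if (ptrace(PTRACE_TRACEME, 0, NULL, NULL) == -1)
            _exit(127);
        execl(path, path, (char *)NULL);
        _exit(127);
    }
    int status, count = 0;
    if (waitpid(pid, &status, 0) == -1 || !WIFSTOPPED(status))
        return -1;                        /* expected: SIGTRAP after execve */
    /* TRACESYSGOOD makes syscall stops report SIGTRAP|0x80. */
    ptrace(PTRACE_SETOPTIONS, pid, NULL, (void *)(long)PTRACE_O_TRACESYSGOOD);
    for (;;) {
        if (ptrace(PTRACE_SYSCALL, pid, NULL, NULL) == -1 ||
            waitpid(pid, &status, 0) == -1)
            return -1;
        if (WIFEXITED(status) || WIFSIGNALED(status))
            break;
        if (!WIFSTOPPED(status) || WSTOPSIG(status) != (SIGTRAP | 0x80))
            continue;
        struct user_regs_struct regs;
        /* x86_64: the kernel sets rax = -ENOSYS at entry, which tells the
         * entry stop apart from the exit stop of the same syscall. */
        if (ptrace(PTRACE_GETREGS, pid, NULL, &regs) == 0 &&
            (long)regs.rax == -ENOSYS)
            pre_syscall_hook((long)regs.orig_rax, &count);
    }
    return count;
}

int main(void) { return count_child_syscalls("/bin/true") > 0 ? 0 : 1; }
```

Even a trivial program makes a handful of syscalls (brk, mmap, exit_group, ...) during dynamic loading, so the count for /bin/true is positive; the per-process scope and the context-switch cost on every stop are what separate this from the in-kernel hook the question asks about.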