
Is there any possibility to access the sys_call_table from my own module for Kernel 2.6+? I would appreciate it if someone could give links to articles or how-tos. I need a method without the necessity to modify the Kernel source code. I know it was easy on the Linux 2.4 Kernel, you could use the external symbol, however this ability was removed from Kernel 2.6.

Sangeeth Saravanaraj
roman
    This ability was removed because it's usually the wrong way to do whatever it is you're trying to do, and because it makes things too easy for rootkits. What are you actually trying to do, in the end? – bdonlan Jan 12 '12 at 18:33
  • Trying to replace system calls with my own methods. – roman Jan 12 '12 at 18:36
  • Module is always the wrong way to modify syscalls... – Zan Lynx Jan 12 '12 at 18:38
  • possible duplicate of [sys_call_table in linux kernel 2.6.18](http://stackoverflow.com/questions/1586481/sys-call-table-in-linux-kernel-2-6-18) – Zan Lynx Jan 12 '12 at 18:39
  • Can you tell me any other way to modify the sys_calls table? – roman Jan 12 '12 at 18:44
  • Which system calls are you trying to replace? – Random832 Jan 12 '12 at 19:32
  • @Roman, but _why_ are you replacing syscalls? Do you want to intercept filesystem operations? If so, why not use FUSE or something? Otherwise, why are you doing this? – bdonlan Jan 12 '12 at 21:16
  • @ZanLynx "Always" seems a bit strong... Do you have any arguments? It can be very useful to replace syscalls at runtime with a module, even if only when you are in the development phase (I don't want to reboot my embedded device or kvm each time I want to do a test iteration). – Quentin Casasnovas Jan 12 '12 at 22:52
  • @QuentinCasasnovas, if you're looking to systematically patch the kernel, and have the original source available, ksplice can do this for you in a better-controlled way. – bdonlan Jan 13 '12 at 01:17
  • I'm trying to write system calls interceptor and tracer. I want to be able to intercept any system call and to be able to change their functionality at runtime. – roman Jan 13 '12 at 10:41
  • @Roman Then kprobes (and particularly jprobes if all you need is tracing) are a particularly good fit for this job. It works by registering a handler with the same prototype as the function (or syscall in your case) that you want to trace. Each time the syscall is hit, your handler will be called with the same arguments as the syscall, just before it. If you only want to do tracing, you could do everything in userland with the ftrace API. – Quentin Casasnovas Jan 14 '12 at 11:00

3 Answers


As what you are really trying to do is replace a syscall with your own function, I would recommend using kprobes for this kind of job: you can easily break on any kernel address (or symbol, e.g. sys_exit, sys_whateversyscall) and alter the execution path, all of this at runtime, with a kernel module if you need to :) It has a very low overhead.

Kprobes (or jprobes, if you only want to add your code to the syscall as opposed to replacing it completely) work by dynamically replacing an instruction (e.g. the first instruction of your syscall entry) with a break (e.g. int3 on x86). Inside the do_int3 handler, a notifier notifies kprobes, which in turn passes execution to your registered function, from which point you can do almost anything.

Very good documentation is given in Documentation/kprobes.txt, as well as a tiny example in samples/kprobes/kprobes_example.c (in this example they break on do_fork to log each fork on the system). It has a very simple API and is very portable nowadays.

Quentin Casasnovas

I've answered a few other questions similar to this one:

For an in-depth explanation of my TPE LKM module that does this, see this explanation on my blog.

NOTE: As mentioned in the comments to your question, this is not the proper way to do things. It's best if you recompile the kernel, though I do understand that there are situations where that is not an option.

Corey Henderson

Since kernel 2.6.*, the system call table is not exported anymore. Here you can find how to re-export it:

http://www.sans.org/reading_room/whitepapers/honors/linux-kernel-rootkits-protecting-systems_1500

Take a look at page 144.

Peter Krejci