Created
February 1, 2020 13:44
-
-
Save GoldenOak/0ba31054e0ca396a864997d54f32abce to your computer and use it in GitHub Desktop.
Snippet of system call hooking for the Linux kernel
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| /* | |
| * This is not a whole code, but only a snippet. | |
| * Some functions *is* missing. | |
| */ | |
| asmlinkage long (*orig_shutdown)(int, int); | |
| unsigned long *sys_call_table; | |
| hooking_syscall(void *hook_addr, uint16_t syscall_offset, unsigned long *sys_call_tabe) | |
| { | |
| unprotect_memory(); | |
| sys_call_table[syscall_offset] = (unsigned long)hook_addr; | |
| protect_memory(); | |
| } | |
| unhooking_syscall(void *orig_addr, uint16_t syscall_offset) | |
| { | |
| unprotect_memory(); | |
| sys_call_table[syscall_offset] = (unsigned long)hook_addr; | |
| protect_memory(); | |
| } | |
| asmlinkage int hooked_shutdown(int magic1, int magic2) | |
| { | |
| printk("Hello from hook!"); | |
| return orig_shutdown(magic1, magic2); | |
| } | |
| static int __init module_init(void) | |
| { | |
| unsigned long *sys_call_table = kallsyms_lookup_name("sys_call_table")); | |
| orig_shutdown = (void*)sys_call_table[__NR_shutdown]; | |
| hooking_syscall(hooked_shutdown, __NR_shutdown, sys_call_tabe); | |
| } | |
| static void __exit module_cleanup(void) | |
| { | |
| unhooking_syscall(orig_shutdown, __NE_shutdown, sys_call_table); | |
| } | |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Shouldn't line 19 set the
sys_call_table[syscall_offset]to(unsigned long)orig_addrinstead of(unsigned long)hook_addr?