This article covers how to access the sys_call_table on kernel 2.6+ from your own module; it should be a useful reference for anyone facing the same problem.

Problem description


Is there any possibility to access the sys_call_table from my own module for Kernel 2.6+? I would appreciate it if someone could give links to articles or how-tos. I need a method without the necessity to modify Kernel source code. I know it was easy on Linux 2.4 Kernel, you could use the external symbol, however this ability was removed from Kernel 2.6.

Recommended answer


As what you are really trying to do is replace a syscall by your own function, I would recommend using kprobes for this kind of job: you can easily break on any kernel address (or symbol, e.g. sys_exit, sys_whateversyscall) and alter the execution path, all of this at runtime, with a kernel module if you need to :) It has a very low overhead.


Kprobes (or jprobes if you only want to add your code to the syscall as opposed to replacing it completely) work by dynamically replacing an instruction (e.g. the first instruction of your syscall entry) with a break (e.g. int3 on x86). Inside the do_int3 handler, a notifier notifies kprobes, which in turn passes execution to your registered function, from which point you can do almost anything.


Very good documentation is given in Documentation/kprobes.txt, as well as a tiny example in samples/kprobes/kprobes_example.c (in this example they break on do_fork to log each fork on the system). It has a very simple API and is very portable nowadays.
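The breakpoint mechanism the answer describes, modelled in user space on x86-64 Linux as an added example (this is not code from the post nor the kernel's kprobes implementation; target, replacement, register_probe and unregister_probe are hypothetical names). The first byte of a function is overwritten with int3, the SIGTRAP handler plays the part of the do_int3 notifier, and it redirects execution to the registered handler, which returns to the caller in place of the probed function.

```c
/* User-space model of a kprobe-style breakpoint on x86-64 Linux (added illustration with
 * hypothetical names, not code from the post or from kprobes): plant int3 (0xCC) on a
 * function's first byte, catch the SIGTRAP (our stand-in for do_int3) and redirect execution. */
#define _GNU_SOURCE
#include <signal.h>
#include <stdint.h>
#include <sys/mman.h>
#include <ucontext.h>
#include <unistd.h>
#ifndef REG_RIP
#define REG_RIP 16 /* index of RIP in gregs[] on x86-64 glibc, if the header did not expose it */
#endif

typedef long (*fn_t)(long);

/* One registered probe: the patched address, the byte it replaced and the handler to run. */
static struct { uint8_t *addr; uint8_t saved; fn_t handler; } probe;

/* The probed function; it stands in for a syscall entry such as sys_exit. */
__attribute__((noinline)) long target(long x) { return x * 2; }
/* The function that takes over, in the role of the handler registered with kprobes. */
static long replacement(long x) { return x + 1000; }

/* SIGTRAP handler: the counterpart of the do_int3 notifier that passes control to kprobes. */
static void on_trap(int sig, siginfo_t *si, void *ctx) {
    ucontext_t *uc = ctx;
    uint8_t *rip = (uint8_t *)(uintptr_t)uc->uc_mcontext.gregs[REG_RIP];
    (void)sig; (void)si;
    if (rip - 1 == probe.addr) /* int3 is one byte, so RIP already points past it */
        uc->uc_mcontext.gregs[REG_RIP] = (long long)(uintptr_t)probe.handler;
}

/* register_probe: make the code page writable, save the original byte, plant the int3. */
int register_probe(fn_t fn, fn_t handler) {
    struct sigaction sa = { .sa_sigaction = on_trap, .sa_flags = SA_SIGINFO };
    uint8_t *code = (uint8_t *)(uintptr_t)fn;
    long pg = sysconf(_SC_PAGESIZE);
    void *page = (void *)((uintptr_t)code & ~(uintptr_t)(pg - 1));
    if (sigaction(SIGTRAP, &sa, NULL) < 0) return -1;
    if (mprotect(page, (size_t)pg, PROT_READ | PROT_WRITE | PROT_EXEC) < 0) return -1;
    probe.addr = code; probe.saved = *code; probe.handler = handler;
    *code = 0xCC; /* int3 */
    return 0;
}

/* unregister_probe: restore the original byte so the function runs unmodified again. */
void unregister_probe(void) { if (probe.addr) { *probe.addr = probe.saved; probe.addr = NULL; } }

/* Call target through a volatile pointer so the compiler cannot inline or fold the call away. */
long call_target(long x) { volatile fn_t f = target; return f(x); }
```

It needs mprotect to grant write plus execute on the text page, which hardened configurations may refuse; real kprobes additionally single-step the displaced instruction when the probe only observes rather than replaces the function.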


10-29 17:34