Problem description
Besides the LD_PRELOAD trick, and Linux Kernel Modules that replace a certain syscall with one provided by you, is there any possibility to intercept a syscall (open, for example), so that it first goes through your function before it reaches the actual open?
Recommended answer
If you really need a solution, you might be interested in the DR rootkit that accomplishes just this: http://www.immunityinc.com/downloads/linux_rootkit_source.tbz2. The article about it is here: http://www.theregister.co.uk/2008/09/04/linux_rootkit_released/