Questions on intercepting execve syscall
Pawel Jakub Dawidek
nick at garage.freebsd.pl
Mon Nov 17 04:53:28 PST 2003
On Mon, Nov 17, 2003 at 11:02:10AM +0300, Samy Al Bahra wrote:
+> > See http://www.enderunix.org/murat/linux_subexec/linux_subexec.c for a simple
+> > example.
+>
+> This is 4.X specific (proc usage). I would just like to note that there is an
+> execve symbol which you can reference in your code directly (rather than
+> creating your own pointer for deinitialization).
+>
+> EX:
+> -sysent[SYS_execve].sy_call = (sy_call_t *)oldexecve;
+> +sysent[SYS_execve].sy_call = (sy_call_t *)execve;
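Review bot: both the `-` and the `+` line write `sysent[SYS_execve].sy_call` unconditionally, and the `+` line also hard-codes `execve`, so any hook that another module installed before this one is discarded on unload. Keep the saved pointer, and before restoring compare the current `sy_call` value against this module's own handler; if it differs, another module has hooked on top and the unload should be refused rather than overwriting the entry.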
And if there are two modules that intercept execve(2)?
Storing the old value in a dedicated pointer is correct.
There will still be a problem when modules are loaded and unloaded
in random order. The unload order has to be the reverse of the load
order; if not, an invalid pointer (of a module that was already
unloaded) will be stored in the sysent table.
--
Pawel Jakub Dawidek pawel at dawidek.net
UNIX Systems Programmer/Administrator http://garage.freebsd.pl
Am I Evil? Yes, I Am! http://cerber.sourceforge.net
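The load/unload ordering problem described in the reply above, as an added user-space C model (not code from the thread or from the FreeBSD kernel). `slot` stands in for `sysent[SYS_execve].sy_call`; `struct module`, the hook functions and the `guarded` unload check are hypothetical names introduced for illustration.

```c
#include <stdio.h>
#include <stddef.h>
/* User-space model (constructed): `slot` stands in for sysent[SYS_execve].sy_call. */
typedef int (*sy_call_t)(void);
static int real_execve(void) { return 0; }
static int hook_a(void) { return 1; }
static int hook_b(void) { return 2; }

struct module { sy_call_t hook, saved; int loaded; };
static sy_call_t slot = real_execve;
static struct module mod_a = { hook_a, NULL, 0 };
static struct module mod_b = { hook_b, NULL, 0 };

static void mod_load(struct module *m) {
    m->saved = slot;            /* dedicated pointer: whatever was installed before us */
    slot = m->hook;
    m->loaded = 1;
}

/* Restore from the saved pointer. With guarded set (an assumption, not from the
 * thread), refuse to unload unless this module's hook is the one in the slot. */
static int mod_unload(struct module *m, int guarded) {
    if (guarded && slot != m->hook)
        return -1;              /* someone hooked on top of us: stay loaded */
    slot = m->saved;
    m->loaded = 0;
    return 0;
}

/* 1 if the slot points at the hook of a module that is no longer loaded. */
static int slot_dangling(void) {
    if (slot == mod_a.hook) return !mod_a.loaded;
    if (slot == mod_b.hook) return !mod_b.loaded;
    return 0;
}

/* Load A then B, then unload in reverse order (B, A) or in load order (A, B). */
static int run(int reverse, int guarded) {
    slot = real_execve;
    mod_a.loaded = mod_b.loaded = 0;
    mod_load(&mod_a);
    mod_load(&mod_b);
    mod_unload(reverse ? &mod_b : &mod_a, guarded);
    mod_unload(reverse ? &mod_a : &mod_b, guarded);
    return slot_dangling();
}

int main(void) {
    printf("reverse=%d load-order=%d guarded=%d\n", run(1, 0), run(0, 0), run(0, 1));
    return 0;
}
```

In the load-order case, unloading A first also silently drops B's hook while B is still loaded; unloading B then writes A's stale handler back into the slot.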
More information about the freebsd-hackers
mailing list