PinkElephantsOnParade

Reputation: 6592

Kernel module to monitor syscalls?

I would like to create a kernel module from scratch that latches to a user session and monitors each system call made by processes belonging to that user.

I know what everyone is thinking - "use strace" - but I'd like to have some of my own logging and analysis with the data I collect, and strace has some issues - an application could use "mmap" to write to a file without the file contents ever appearing as the arguments of an "open" system call, or an application without any write permission may create coredumps to copy sensitive data.

I want to be able to handle these special cases and do some of my own logging. I wonder though - how can I route all syscalls through my module? Is there any way to do that without touching the kernel code?

Thanks

Upvotes: 10

Views: 2966

Answers (2)

Dave Rager

Reputation: 8160

I have done something similar in the past by using a kernel module to patch the system call table. Each patched function did something like the following:

static long patchFunction(/* params */)
{
   long ret;
   // pre checks
   ret = origFunction(/* params */);   // origFunction: saved pointer to the original table entry
   // post checks
   return ret;
}

Note that when you start mucking around in the kernel data structures, your module becomes version dependent. The kernel module will probably have to be compiled for the specific kernel version you are installing on.

Also note, this is a technique employed by many rootkits so if you have security software installed it may try to prevent you from doing something like this.

Upvotes: 2
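The wrap / chain / restore pattern the answer above describes, as an added example that is not code from the answer's author. It models the syscall table in user space as an array of function pointers whose entries take a pt_regs-like struct (the shape modern x86-64 kernels use), so it compiles and runs anywhere; the kernel-specific steps (locating sys_call_table, making its page writable, the per-version handler prototypes the answer warns about) are deliberately not shown. All names are constructed, as are the hypothetical policy of refusing write-opens of /etc/shadow and the two stand-in "original" handlers.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Constructed user-space model of a syscall table. In a real kernel the
 * table is sys_call_table, entries take a struct pt_regs pointer on
 * modern x86-64, and the page holding the table is write-protected; none
 * of that is reproduced here, only the wrap / chain / restore pattern.
 */
struct demo_regs { long a0, a1, a2; };           /* stand-in for pt_regs */
typedef long (*syscall_fn)(const struct demo_regs *r);

enum { DEMO_NR_OPEN = 0, DEMO_NR_WRITE = 1, DEMO_NR_COUNT = 2 };

#define DEMO_O_WRONLY 1
#define DEMO_EACCES   13
static const char PROTECTED_PATH[] = "/etc/shadow";   /* hypothetical policy */

/* "Original" handlers standing in for the kernel's own implementations. */
static long orig_open(const struct demo_regs *r)  { (void)r; return 3; }
static long orig_write(const struct demo_regs *r) { return r->a2; }

static syscall_fn syscall_table[DEMO_NR_COUNT] = {
    [DEMO_NR_OPEN]  = orig_open,
    [DEMO_NR_WRITE] = orig_write,
};

/* Originals are saved so hooks can chain to them and so they can be put back. */
static syscall_fn saved[DEMO_NR_COUNT];

/* Tiny log (count plus last line) standing in for printk or a ring buffer. */
static int  log_count;
static char log_last[128];

static void log_event(const char *name, long arg, long ret)
{
    log_count++;
    snprintf(log_last, sizeof log_last, "%s(%ld) = %ld", name, arg, ret);
}

/* Patched open(): pre-check, call the original, post-check (log), return. */
static long hooked_open(const struct demo_regs *r)
{
    const char *path = (const char *)(uintptr_t)r->a0;
    long ret;

    if ((r->a1 & DEMO_O_WRONLY) && strcmp(path, PROTECTED_PATH) == 0)
        ret = -DEMO_EACCES;               /* policy refuses: original never runs */
    else
        ret = saved[DEMO_NR_OPEN](r);     /* chain to the saved original */

    log_event("open", r->a1, ret);        /* post-check: record flags and result */
    return ret;
}

/* Patched write(): no policy here, only logging of fd and result. */
static long hooked_write(const struct demo_regs *r)
{
    long ret = saved[DEMO_NR_WRITE](r);
    log_event("write", r->a0, ret);
    return ret;
}

/* Install: save first, then swap. Remove: restore exactly what was saved. */
void hooks_install(void)
{
    saved[DEMO_NR_OPEN]  = syscall_table[DEMO_NR_OPEN];
    saved[DEMO_NR_WRITE] = syscall_table[DEMO_NR_WRITE];
    syscall_table[DEMO_NR_OPEN]  = hooked_open;
    syscall_table[DEMO_NR_WRITE] = hooked_write;
}

void hooks_remove(void)
{
    syscall_table[DEMO_NR_OPEN]  = saved[DEMO_NR_OPEN];
    syscall_table[DEMO_NR_WRITE] = saved[DEMO_NR_WRITE];
}

/* Dispatch the way the syscall entry path would: index the table by number. */
long demo_syscall(int nr, long a0, long a1, long a2)
{
    struct demo_regs r = { a0, a1, a2 };
    return syscall_table[nr](&r);
}

int demo_log_count(void)         { return log_count; }
const char *demo_log_last(void)  { return log_last; }

int main(void)
{
    long path = (long)(uintptr_t)"/etc/shadow";
    hooks_install();
    printf("open(O_WRONLY) -> %ld\n", demo_syscall(DEMO_NR_OPEN, path, DEMO_O_WRONLY, 0));
    printf("open(O_RDONLY) -> %ld\n", demo_syscall(DEMO_NR_OPEN, path, 0, 0));
    printf("write(3, .., 42) -> %ld, log: %s\n",
           demo_syscall(DEMO_NR_WRITE, 3, 0, 42), demo_log_last());
    hooks_remove();
    printf("after remove, open(O_WRONLY) -> %ld\n",
           demo_syscall(DEMO_NR_OPEN, path, DEMO_O_WRONLY, 0));
    return 0;
}
```

Two points the model makes visible: the hook must chain to the pointer it saved, not to a hard-coded symbol, and removal must write that exact pointer back, otherwise a later module that hooked the same entry is silently cut out. It also shows why the question's mmap case has to be decided at the mmap() call itself (the hook sees the mmap arguments), since a page written through a shared mapping never produces a write() for the table hook to observe.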

Sebastian Breit

Reputation: 6159

I don't have the exact answer to your question, but I read a paper a couple of days ago and it may be useful for you:

http://www.cse.iitk.ac.in/users/moona/students/Y2157230.pdf/

Upvotes: 4
