Reputation: 1708
I have been given an assignment to "Write a system call as a kernel module". Now, as far as I could understand from my reading on the internet, it is not exactly possible to implement a system call as a kernel module; however, there are ways to intercept the existing system calls. Is this the right way to do it? I found one such example on this blog: http://syprog.blogspot.in/2011/10/hijack-linux-system-calls-part-i.html
Upvotes: 0
Views: 1663
Reputation: 334
In Linux, sys_call_table contains function pointers for all system calls. This table was initially exported back in the days of 2.4, then it was made static, then it was exported again in some of the latest kernels. Let's take the example of two cases.
Case 1. sys_call_table exported.
Use the following line in your kernel module:
    sys_call_table[AVAILABLE_INDEX] = new_sys_call;
The new system call can be implemented as:
    asmlinkage long new_sys_call(...) { }
Case 2. sys_call_table not exported.
Try getting the sys_call_table address by grepping in System.map:
    $ cat System.map | grep sys_call_table
Hard-code the value in your module.
If that is not available, then we need to determine the table address dynamically. sys_call_table will most likely be at the beginning of the kernel text section.
Here are the steps to compute the base address of sys_call_table:
1. Find two system calls which are placed next to each other in the table (from the source code). For example: sys_read, sys_open.
2. Get the addresses of these system calls.
3. Search for these two addresses from the beginning of the text section. (Compute the start of the text section with objdump -h vmlinux | grep ".text".)
4. When you have found them, compute the base of sys_call_table based on their relative offset.
Upvotes: 2
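Because a module that writes `sys_call_table[i] = new_sys_call` leaves a handler pointer outside the core kernel image, the same System.map lookup the answer uses can drive an integrity check. The following is an added example, not code from the answer or the linked blog: it parses System.map-style lines and flags table slots that fall outside `_stext`..`_etext` or that match no known symbol. The map contents, the table dump and both function names are constructed for illustration, and it assumes the map and the dump come from the same kernel build with unrelocated addresses.

```python
# Added example (defensive check); all sample data is constructed.
SAMPLE_SYSTEM_MAP = """\
ffffffff81000000 T _stext
ffffffff811e0f30 T sys_open
ffffffff811e1050 T sys_close
ffffffff811e2a10 T sys_read
ffffffff811e2b40 T sys_write
ffffffff81800000 T _etext
ffffffff81a001c0 R sys_call_table
"""

# Constructed dump of four table slots. Slot 2 points into module space, as
# it would after a module ran sys_call_table[i] = new_sys_call.
SAMPLE_TABLE = [0xffffffff811e2a10, 0xffffffff811e2b40,
                0xffffffffa0412000, 0xffffffff811e1050]


def parse_system_map(text):
    """Return {symbol: address} from 'address type name' lines."""
    symbols = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip blank or malformed lines
        try:
            symbols[parts[2]] = int(parts[0], 16)
        except ValueError:
            continue  # address field is not hex
    return symbols


def audit_syscall_table(symbols, entries):
    """Return (slot, handler, reason) for each suspicious table entry."""
    for required in ("_stext", "_etext"):
        if required not in symbols:
            raise KeyError(f"{required} missing from symbol map")
    lo, hi = symbols["_stext"], symbols["_etext"]
    known = set(symbols.values())
    findings = []
    for slot, handler in enumerate(entries):
        if not lo <= handler < hi:
            findings.append((slot, handler, "outside kernel text"))
        elif handler not in known:
            findings.append((slot, handler, "no matching symbol"))
    return findings


FINDINGS = audit_syscall_table(parse_system_map(SAMPLE_SYSTEM_MAP), SAMPLE_TABLE)
for slot, handler, reason in FINDINGS:
    print(f"slot {slot}: {handler:#x} ({reason})")
```

A pointer that stays inside kernel text but lands mid-function is reported as "no matching symbol", which covers a table entry redirected to an address that is not a function entry point.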