P. Heekang

Reputation: 349

System Call Interception (Hijacking) with Linux Loadable Kernel Module

I'm trying to hijack a system call with a loadable kernel module in Linux Kernel v4.19.8.

I could find the virtual address of sys_call_table from /boot/System.map-4.19.8. However, when I try to access it, dmesg gives me the message below:

BUG : unable to handle kernel paging request at [address of sys_call_table]

So, here are my questions.

  1. Is it even possible to hijack a system call with a loadable kernel module in Linux Kernel v4.19.8?
  2. If it is possible, how can I do it?

Thank you in advance.

Upvotes: 1

Views: 824

Answers (1)

Chris Browning

Reputation: 51

There are hooks you can use depending on the system call you're interested in. Often there's a callback that you can patch in with your module. So you might create a wrapper function and do some stuff then call the 'real' callback when you're done.

Check out this library: https://github.com/pmem/syscall_intercept

Upvotes: 1
