intercepting file system system calls
As far as hooking into the kernel and intercepting system calls go, this is something I do in a security module I wrote:
https://github.com/cormander/tpe-lkm
Look at hijacks.c and symbols.c for the code; how they're used is in the hijack_syscalls
function inside security.c. I haven't tried this on linux > 3.0 yet, but the same basic concept should still work.
It's a bit tricky, and you may have to write a good deal of kernel code to do the file copy before the unlink, but it's possible here.
how to intercept calls to the file systems
Using LD_PRELOAD
, you can have your intercepting code run in the callee's memory space. Using a library constructor function (__attribute__((constructor))
), you can have code of your choosing run when the library first starts up, e.g. mmap
ing your virtual filesystem and initializing it.
Then, when you intercept the calls with your preloaded library, the library's functions are running in the target process, with access to the constructed filesystem -- no need for IPC.
If the calling process must manage the filesystem, you'll incur overhead communicating to it. I'd recommend mapping the important parts of the filesystem in the child process (perhaps as a shared memory region), and instead using a listener in the child to watch for filesystem changes from the parent (with suitable locking around your filesystem operations). You can do the change notification with a simple pipe as the bandwidth requirements are lower.
Also check out Plash, a paravirtualizing system which sandboxes filesystem access by providing a modified Glibc.
How to correctly intercept system calls in the Linux kernel 5.*?
There is no correct way to do this.
LSM (Linux Security Modules) doesn't support system calls interception,
with LSMs you need the implemented some of the functions listed at lsm_hooks_defs.h.
There are two alternatives ways to intercept system calls which I'm aware of:
Hook the
sys_call_table
which can be obtained, and overwrite the pointers with your new function:unsigned long *sys_call_table_ptr = kallsyms_lookup_name("sys_call_table");
unsigned long cr0 = read_cr0();
write_cr0(cr0 & ~x86_CR0_WP);
sys_call_table_ptr[__NR_getpid] = new_getpid;
write_cr0(cr0);Using kprobe: Syscall functions name expands with the prefix
__do_sys_
(see __SYSCALL_DEFINEx).
For example, kprobe on__do_sys_finit_module
(or any other syscall you want) as follow:static struct kprobe kp = {
.symbol_name = "__do_sys_finit_module",
};
static int handler_pre(struct kprobe *p, struct pt_regs *regs) {
// do your logic
// obtain function arguments using register (calling convetion)
}
static int __init kprobe_init(void)
{
kp.pre_handler = handler_pre;
ret = register_kprobe(&kp);
if (ret < 0) {
printk(KERN_INFO "register_kprobe failed, returned %d\n", ret);
return ret;
}
printk(KERN_INFO "Planted kprobe at %p\n", kp.addr);
return 0;
}
static void __exit kprobe_exit(void)
{
unregister_kprobe(&kp);
printk(KERN_INFO "kprobe at %p unregistered\n", kp.addr);
}
Is it possible to intercept stat calls on files in a Linux file system? (from userspace)
It is possible with the technique is known as function interposition.
It works for applications that you start or control the start-up environment to be able to set LD_PRELOAD
environment variable.
Intercepting a system call
original_call=sys_call_table[__NR_open];
....
sys_call_table[__NR_open]=our_call;
If you're intercepting fork
, the entry for open
is not what you want to change.
And instead of the address of the sys_fork() from System.map, you should have used the address of sys_call_table
.
how could I intercept linux sys calls?
if you really need a solution you might be interested in the DR rootkit that accomplishes just this, http://www.immunityinc.com/downloads/linux_rootkit_source.tbz2 the article about it is here http://www.theregister.co.uk/2008/09/04/linux_rootkit_released/
Related Topics
Siege Aborted Due to Excessive Socket Failure
How to Detect If a Server Is Using Spdy
Eclipse Doesn't Use The Path Set in .Bashrc
Is There a Libc in Kernel Space
Find The Depth of The Current Path
Move Lines Matching a Pattern from One File to Another
Why Does Git Fail on Push/Fetch with "Too Many Open Files"
Failed Opening The Rdb File ... Read-Only File System
Symbol Lookup Error: ./Executablename: Undefined Symbol: _Zn18Qxmldefaulthandlerc2Ev
Redirecting Apache Logs to Stdout
Sudo Apt-Get Update Fail on Ubuntu 17.04
Grep for Text with Wild Card in Between
Adjust Audio Volume Level with Cli Omxplayer - Raspberry Pi
Is Number of Frame = Number of Pages(Linux)
Tar Error: Unexpected Eof in Archive