system-calls

Hijacking sys calls

馋奶兔 submitted on 2019-12-07 12:24:55
Question: I'm writing a kernel module and I need to hijack/wrap some sys calls. I'm brute-forcing the sys_call_table address and I'm using cr0 to disable/enable page protection. So far so good (I'll make public the entire code once it's done, so I can update this question if somebody wants). Anyway, I have noticed that if I hijack __NR_sys_read I get a kernel oops when I unload the kernel module, and also all konsoles (KDE) crash. Note that this doesn't happen with __NR_sys_open or __NR_sys_write. I

How to write int to file using write system call and read them exactly as written?

守給你的承諾、 submitted on 2019-12-07 10:55:16
Question: How can I write int, float or other types to a file using the write system call of UNIX? I want to do so without using any lib function like fprintf or fwrite. I want to use a file descriptor and not the FILE*. After opening again, the file must be read exactly as written, without needing to know what size to read. Answer 1: This is as simple as it can get (note that stdio.h is only included for printf; the read/write works without it): #include <unistd.h> #include <fcntl.h> #include <stdio.h>

intercepting the openat() system call for GNU tar

一曲冷凌霜 submitted on 2019-12-07 08:10:45
Question: I'm trying to intercept the openat() system call on Linux using a custom shared library that I can load via LD_PRELOAD. An example intercept-openat.c has this content: #define _GNU_SOURCE #include <sys/types.h> #include <sys/stat.h> #include <unistd.h> #include <stdio.h> #include <dlfcn.h> int (*_original_openat)(int dirfd, const char *pathname, int flags, mode_t mode); void init(void) __attribute__((constructor)); int openat(int dirfd, const char *pathname, int flags, mode_t mode); void

How does strace read the file name of system call sys_open?

点点圈 submitted on 2019-12-07 07:53:23
Question: I am writing a program which uses ptrace and does the following: it reads the current eax and checks if the system call is sys_open. If it is, then I need to know what arguments are passed. int sys_open(const char * filename, const int mode, const int mask) So eax = 5 implies it is an open system call. I came to know that ebx has the address of the file location from this question. But how do I know the length of the file name so I can read the contents at that location? I came across

unix system call monitor

泪湿孤枕 submitted on 2019-12-07 07:35:22
Question: How to monitor system calls for a process? Answer 1: Check strace. In the simplest case strace runs the specified command until it exits. It intercepts and records the system calls which are called by a process and the signals which are received by a process. The name of each system call, its arguments and its return value are printed on standard error or to the file specified with the -o option. Each line in the trace contains the system call name, followed by its arguments in parentheses and its

copy data from kernel space to user space

杀马特。学长 韩版系。学妹 submitted on 2019-12-07 07:25:19
Question: I'm trying to make a custom system call. My system call takes 2 parameters: struct buffer **mybuffer and int size. It's imposed that any change that happens to **mybuffer should be reflected in user space, but it seems it doesn't work. So I've seen somewhere else that I can use copy_to_user(void *dest, void *src, int size) to copy data from kernel space to user space. In user space I have a struct called buffer; this struct also appears the same in the system call. typedef struct buffer { int n;

Add new system call at FreeBSD 10.1

落爺英雄遲暮 submitted on 2019-12-07 06:07:25
I want to add a new system call to FreeBSD. My system call code is: #include <sys/types.h> #include <sys/param.h> #include <sys/systm.h> #include <sys/kernel.h> #include <sys/proc.h> #include <sys/mount.h> #include <sys/sysproto.h> int Sum(int a, int b); int Sum(a,b) { int c; c = a + b; return (0); } But when I rebuild the kernel, I have an error: What's wrong? Can you help me? Thanks a lot. Here's how I did it with my example system call of setkey which takes two unsigned ints. I added my system call to the end of /kern/syscalls.master 546 AUE_NULL STD { int setkey(unsigned int k0, unsigned int k1);

Do other operating systems implement the Linux system call splice?

独自空忆成欢 submitted on 2019-12-07 04:23:27
Question: In an application I am developing I use splice on Linux for socket-to-socket data transfer. Do other operating systems (specifically at least Windows, OS X and FreeBSD) implement splice or an equivalent solution? Is it possible to imitate socket-to-socket data splicing on Windows with sendfile¹ + memmap¹? ¹ Both exist on Windows under different names which I do not remember. Update: You can see the performance improvements of splice vs user space buffers on Linux. DF, DR, F, MF, MR are

call gettid within glibc

Deadly submitted on 2019-12-07 02:04:08
Question: I am working in glibc and I need to get the id of the current thread. For this I use syscall(SYS_gettid); The issue is, I am forced to include bits/syscall.h instead of the ideal case, i.e. sys/syscall.h. sys/syscall.h internally includes bits/syscall.h but that is wrapped with the #ifndef _LIBC macro, i.e. #ifndef _LIBC /* The Linux kernel header file defines macros `__NR_<name>', but some programs expect the traditional form `SYS_<name>'. So in building libc we scan the kernel's list and produce <bits

Programmatically check whether a linux kernel module exists or not at runtime

回眸只為那壹抹淺笑 submitted on 2019-12-06 23:23:58
Question: I am writing a C daemon, which depends on the existence of two kernel modules in order to do its job. The program does not directly use these (or any other) modules. It only needs them to exist. Therefore, I would like to programmatically check whether these modules are already loaded or not, in order to warn the user at runtime. Before I start to do things like parsing /proc/modules or lsmod output, does a utility function already exist somewhere? Something like is_module_loaded(const char*