Intercept system calls on Red Hat Linux

Posted on 2006-07-06
Last Modified: 2012-05-05
Hello, I am trying to intercept all the system calls on Red Hat Linux.
I would like to see some examples of how to do it. Thanks.
Question by: yarock
4 Comments
 
Assisted Solution

by: Duncan Roe
Simplest is strace. By default this prints all system calls, but with command-line args you can refine what it prints. Type "man strace" to read more.
Just prepend "strace " to an interactive command ("strace -f " if it spawns children).
To view the activity of a background process or daemon, find its pid (e.g. with ps -afxu), then add "-p <pid>" to the strace command line instead of the interactive command.
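strace works by using ptrace(2), and ptrace is also the route that still works from user space on a 2.6 kernel with no kernel module. The following is an added example, not code from this thread: a minimal tracer in the spirit of strace that forks the command you name, stops it at every system-call entry and exit, and prints the syscall number at each entry (strace additionally maps numbers to names and decodes the arguments). Function and variable names are the example's own. It assumes Linux on x86_64 or aarch64 for reading the syscall number, and that ptrace is allowed for your own child (Yama ptrace_scope 0 or 1; scope 2 or 3, a seccomp filter or a hardened sandbox will refuse it, which trace_syscalls reports as -1).

```c
/* Added example (not from the thread): a minimal system-call tracer built on
 * ptrace(2), the mechanism strace uses underneath. Linux only. */
#include <elf.h>
#include <signal.h>
#include <stdio.h>
#include <sys/ptrace.h>
#include <sys/types.h>
#include <sys/uio.h>
#include <sys/user.h>
#include <sys/wait.h>
#include <unistd.h>

/* Fetch the syscall number at a syscall-entry stop. The register that holds it
 * is architecture-specific; -1 means this build does not know the arch. */
static long syscall_number(pid_t pid) {
#if defined(__x86_64__)
    struct user_regs_struct regs;
    if (ptrace(PTRACE_GETREGS, pid, 0, &regs) == -1) return -1;
    return (long)regs.orig_rax;          /* rax itself is clobbered on entry */
#elif defined(__aarch64__)
    struct user_regs_struct regs;
    struct iovec iov = { .iov_base = &regs, .iov_len = sizeof regs };
    if (ptrace(PTRACE_GETREGSET, pid, (void *)NT_PRSTATUS, &iov) == -1) return -1;
    return (long)regs.regs[8];           /* x8 carries the syscall number */
#else
    (void)pid;
    return -1;
#endif
}

/* Run argv[0] (searched on PATH) under the tracer. Returns the number of
 * system calls the tracee entered, or -1 if tracing was refused. With
 * verbose != 0 each entry is written to stderr as "syscall(NNN)". */
long trace_syscalls(char *const argv[], int verbose) {
    pid_t pid = fork();
    if (pid == -1) return -1;
    if (pid == 0) {
        /* Child: ask to be traced, then stop so the parent can set options
         * before the exec. If TRACEME is refused, exit before exec. */
        if (ptrace(PTRACE_TRACEME, 0, 0, 0) == -1) _exit(127);
        raise(SIGSTOP);
        execvp(argv[0], argv);
        _exit(126);
    }
    int status;
    if (waitpid(pid, &status, 0) == -1 || !WIFSTOPPED(status))
        return -1;                       /* child exited: PTRACE_TRACEME failed */
    /* Mark syscall stops with SIGTRAP|0x80 so they cannot be confused with a
     * real SIGTRAP (e.g. the one the kernel sends the tracee after execve). */
    ptrace(PTRACE_SETOPTIONS, pid, 0, (void *)PTRACE_O_TRACESYSGOOD);

    long count = 0;
    int in_syscall = 0;                  /* entry and exit stops alternate */
    int sig = 0;                         /* signal to deliver on the next resume */
    for (;;) {
        if (ptrace(PTRACE_SYSCALL, pid, 0, (void *)(long)sig) == -1) return -1;
        sig = 0;
        if (waitpid(pid, &status, 0) == -1) return -1;
        if (WIFEXITED(status) || WIFSIGNALED(status)) break;
        if (!WIFSTOPPED(status)) continue;
        if (WSTOPSIG(status) == (SIGTRAP | 0x80)) {
            if (!in_syscall) {
                count++;
                if (verbose) fprintf(stderr, "syscall(%ld)\n", syscall_number(pid));
            }
            in_syscall = !in_syscall;
        } else if (WSTOPSIG(status) != SIGTRAP) {
            /* A real signal for the tracee: re-inject it, as strace does.
             * The kernel's post-execve SIGTRAP is dropped (we are not a debugger). */
            sig = WSTOPSIG(status);
        }
    }
    return count;
}

int main(int argc, char *argv[]) {
    if (argc < 2) { fprintf(stderr, "usage: %s command [args...]\n", argv[0]); return 2; }
    long n = trace_syscalls(argv + 1, 1);
    if (n < 0) { fprintf(stderr, "tracing refused (ptrace not permitted here)\n"); return 1; }
    fprintf(stderr, "%ld system calls\n", n);
    return 0;
}
```

Build it with cc -o mini-strace mini-strace.c (the file name is the example's own) and compare ./mini-strace ls -l with strace ls -l. To follow children the way strace -f does you would add PTRACE_O_TRACEFORK, PTRACE_O_TRACEVFORK and PTRACE_O_TRACECLONE and wait on every pid; to watch a running daemon you would use PTRACE_ATTACH on its pid instead of fork, subject to the same ptrace_scope rules. Either way the tracee takes two context switches per system call, so this is a diagnostic tool, not something to leave on a production daemon.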
 
Accepted Solution

by: Nopius
You can intercept system calls with kernel modules, but only on the Linux 2.4.x kernel; on 2.6.x syscall_table is not exported (otherwise you should edit the kernel tree directly).
1) Read Linux Device Drivers, 3rd edition http://safari.oreilly.com/0596005903
2) Read this thread to the end http://www.gelato.unsw.edu.au/archives/linux-ia64/0501/12790.html; there is an example for IA64 that at least works.
 
Assisted Solution

by: manish_regmi
If you are using Red Hat 9 and have not updated to the 2.6 kernel versions, you can hook your functions to every system call.
1) Hook your function to the system call.
2) Do whatever you like in your function and call the original system call function.

Things are explained here:
http://www.csee.umbc.edu/courses/undergraduate/CMSC421/fall02/burt/projects/howto_add_systemcall.html

regards
Manish Regmi
 
Assisted Solution

by: ravenpl
There are two ways:
- if you have the sources for the application in which you want to intercept the syscall (add new functionality), add the following code to the main executable
- if you don't have them you can't intercept the syscall (except in a kernel module), but most applications call the glibc syscall wrappers rather than the syscall itself. Therefore you can compile the following code to a .so and preload it (so it's used instead of the glibc one)

The following example changes (binds) the source IP for newly created connections to 192.168.8.1 (otherwise the default would be used).

#define _GNU_SOURCE             /* RTLD_NEXT is a GNU extension in <dlfcn.h> */
#include <dlfcn.h>
#include <errno.h>
#include <netinet/in.h>
#include <string.h>
#include <sys/socket.h>

/* Source address to bind before connecting: 192.168.8.1 in host byte order */
#define sip ((unsigned int)((192u << 24) + (168u << 16) + (8u << 8) + (1u << 0)))

int connect(int sockfd, const struct sockaddr *serv_addr, socklen_t addrlen) {
    struct sockaddr_in my_addr;
    const struct sockaddr_in *s_addr = (const struct sockaddr_in *)serv_addr;
    int (*org)(int, const struct sockaddr *, socklen_t);

    if (AF_INET == s_addr->sin_family) { /* this check may not be enough */
        memset(&my_addr, 0, sizeof(my_addr));
        my_addr.sin_family      = AF_INET;
        my_addr.sin_addr.s_addr = htonl(sip);   /* bind to address */
        my_addr.sin_port        = htons(0);     /* let the system choose */
        bind(sockfd, (struct sockaddr *)&my_addr, sizeof(my_addr)); /* ignore error */
    }
    org = dlsym(RTLD_NEXT, "connect");          /* the real glibc connect() */
    if (!org) { errno = ENOENT; return -1; }
    return (*org)(sockfd, serv_addr, addrlen);
}
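The answer above rests on one observation: the preload trick catches calls to the glibc wrapper, not the system call itself. The following is an added example, not ravenpl's code or anything from the thread, that shows both halves of that. It interposes connect() from inside the program (the "you have the sources" route; the same function compiled into a shared object and loaded with LD_PRELOAD behaves identically for a dynamically linked target), logs each call, and then demonstrates that a program which enters the kernel through syscall(2) never reaches the hook. Names such as hooked_connect_calls and the abstract socket name are the example's own; it assumes Linux and that SYS_connect exists (it does on x86_64 and aarch64).

```c
/* Added example (not from the thread): interposing glibc's connect() wrapper
 * and showing what the LD_PRELOAD approach does and does not catch. Linux only. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <sys/un.h>
#include <unistd.h>

static int hook_hits;                    /* times our connect() was entered */

int hooked_connect_calls(void) { return hook_hits; }

/* Our connect() shadows libc's for every call in this program (symbol
 * interposition, the same mechanism LD_PRELOAD relies on). It logs the
 * destination, then enters the kernel with syscall(2) so it never calls
 * itself; dlsym(RTLD_NEXT, "connect") is the alternative that keeps libc's
 * own wrapper in the chain. */
int connect(int sockfd, const struct sockaddr *addr, socklen_t addrlen) {
    hook_hits++;
    if (addr->sa_family == AF_INET && addrlen >= sizeof(struct sockaddr_in)) {
        const struct sockaddr_in *in = (const struct sockaddr_in *)addr;
        char ip[INET_ADDRSTRLEN];
        inet_ntop(AF_INET, &in->sin_addr, ip, sizeof ip);
        fprintf(stderr, "connect(fd=%d, %s:%u)\n", sockfd, ip, ntohs(in->sin_port));
    } else {
        fprintf(stderr, "connect(fd=%d, family=%d)\n", sockfd, addr->sa_family);
    }
    return (int)syscall(SYS_connect, sockfd, addr, addrlen);
}

/* Demo traffic (constructed for the example): a datagram socket pair in the
 * abstract Unix namespace, so it needs no filesystem path and no network
 * interface. Returns the result of the connect. */
static int dgram_connect(int use_raw_syscall) {
    struct sockaddr_un sa;
    memset(&sa, 0, sizeof sa);
    sa.sun_family = AF_UNIX;
    sa.sun_path[0] = '\0';               /* leading NUL = abstract name */
    int n = snprintf(sa.sun_path + 1, sizeof sa.sun_path - 1,
                     "syscall-hook-demo-%ld", (long)getpid());
    socklen_t len = (socklen_t)(offsetof(struct sockaddr_un, sun_path) + 1 + n);

    int srv = socket(AF_UNIX, SOCK_DGRAM, 0);
    int cli = socket(AF_UNIX, SOCK_DGRAM, 0);
    if (srv < 0 || cli < 0) return -1;
    if (bind(srv, (struct sockaddr *)&sa, len) == -1) { close(srv); close(cli); return -1; }

    int r = use_raw_syscall
        ? (int)syscall(SYS_connect, cli, (struct sockaddr *)&sa, len) /* bypasses the wrapper */
        : connect(cli, (struct sockaddr *)&sa, len);                 /* goes through our hook */
    close(cli);
    close(srv);
    return r;
}

int connect_via_wrapper(void)     { return dgram_connect(0); }
int connect_via_raw_syscall(void) { return dgram_connect(1); }

int main(void) {
    int rc = connect_via_wrapper();
    printf("wrapper:  rc=%d hits=%d\n", rc, hooked_connect_calls());
    rc = connect_via_raw_syscall();
    printf("raw call: rc=%d hits=%d\n", rc, hooked_connect_calls());   /* hits unchanged */
    return 0;
}
```

To use the thread's preload route with a hook like this, drop main() and the demo helper, build a shared object (cc -shared -fPIC -o hook.so hook.c, adding -ldl if you use dlsym on a glibc older than 2.34), and run the target with LD_PRELOAD=./hook.so. Three things escape it: statically linked binaries, set-uid or otherwise privileged programs (the dynamic loader ignores an untrusted LD_PRELOAD in secure-execution mode), and code that issues syscall(2) or inline assembly directly, which is the gap the raw call above makes visible and the reason a ptrace- or kernel-based tracer is needed for complete coverage.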