Solved

Intercept system calls on Red Hat Linux

Posted on 2006-07-06
4
852 Views
Last Modified: 2012-05-05
Hello, I am trying to intercept all the system calls on red hat linux,
I would like to see some example on how to doing it. Thanks.
0
Comment
Question by:yarock
4 Comments
 
LVL 34

Assisted Solution

by:Duncan Roe
Duncan Roe earned 100 total points
ID: 17054430
Simplest is strace. By default this prints all system calls, but with command-line args you can refine what it prints. Type "man strace" to read more.
Just prepend "strace " to an interactive command ("strace -f " if it spawns children).
To view the activity of a background process opr daemon, find its pid (e.g. with ps -afxu) then add "-p <pid>" to the strace command line instead of the interactive command
0
 
LVL 27

Accepted Solution

by:
Nopius earned 200 total points
ID: 17055178
You can intercept system call with kernel modules, but only on linux 2.4.x kernel, on 2.6.x syscall_table is not exported (otherwise you should edit kernel tree directly).
1) Read Linox Device Drivers 3rd edition http://safari.oreilly.com/0596005903
2) Read till the end this thread http://www.gelato.unsw.edu.au/archives/linux-ia64/0501/12790.html there is an example for IA64 that becomes at least working.
0
 
LVL 8

Assisted Solution

by:manish_regmi
manish_regmi earned 100 total points
ID: 17056270
If you are using Red hat 9 and have not updated to 2.6 kernel versions, You han hook your functions to every system calls.
1)Hook your function to the system call.
2)Do wahtever you like in your function and call the original system call function.
 
things are explained here
http://www.csee.umbc.edu/courses/undergraduate/CMSC421/fall02/burt/projects/howto_add_systemcall.html


regards
Manish Regmi

0
 
LVL 43

Assisted Solution

by:ravenpl
ravenpl earned 100 total points
ID: 17071916
There are two ways
- if You have sources for application You want to intercept the syscall(add new functionality) add following code to main executeable
- if You don't have it You can't intercept syscall(except in kernel module), but most applications calls glibc syscall wrappers rather than the syscall itself. Therefore You can compile following code to .so and preload it(so it's used instead of glibc one)

following example changes(binds) source IP for newly created connections to 192.168.8.1 (otherwise default would be used)

#define RTLD_NEXT       ((void *) -1l)
#define sip             (unsigned int)((192<<24) + (0<<168) + (110<<8) + (1<<0))
int connect(int  sockfd,  const  struct sockaddr *serv_addr, socklen_t addrlen) {
struct sockaddr_in      my_addr;
struct sockaddr_in      *s_addr;
int (*org)(int, const struct sockaddr *, socklen_t);

    s_addr = (struct sockaddr_in *)serv_addr;
    if (PF_INET == s_addr->sin_family) { /* this check may be not enought */
            bzero((char *) &my_addr, sizeof(my_addr));
            my_addr.sin_family      = AF_INET;
            my_addr.sin_addr.s_addr = htonl(sip);  /* bind to address */
            my_addr.sin_port        = htons(0); /* let the system choose */
            bind(sockfd, (struct sockaddr *) &my_addr, sizeof(my_addr)); /* ignore error */
    };
    org = dlsym(RTLD_NEXT, "connect");
    if (! org) { errno = ENOENT; return -1; };
    return (*org)(sockfd, serv_addr, addrlen);
};
0

Featured Post

Why You Should Analyze Threat Actor TTPs

After years of analyzing threat actor behavior, it’s become clear that at any given time there are specific tactics, techniques, and procedures (TTPs) that are particularly prevalent. By analyzing and understanding these TTPs, you can dramatically enhance your security program.

Join & Write a Comment

Suggested Solutions

Have you ever been frustrated by having to click seven times in order to retrieve a small bit of information from the web, always the same seven clicks, scrolling down and down until you reach your target? When you know the benefits of the command l…
The purpose of this article is to fix the unknown display problem in Linux Mint operating system. After installing the OS if you see Display monitor is not recognized then we can install "MESA" utilities to fix this problem or we can install additio…
This video discusses moving either the default database or any database to a new volume.
Excel styles will make formatting consistent and let you apply and change formatting faster. In this tutorial, you'll learn how to use Excel's built-in styles, how to modify styles, and how to create your own. You'll also learn how to use your custo…

757 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

19 Experts available now in Live!

Get 1:1 Help Now