Hooking sys_execve() on Linux 3.x
Problem description
I'm trying to hook the sys_execve() function on the Linux 3.x kernel by modifying the system call table. The problem is that sys_execve() is only supposed to return an error code if execution is unsuccessful. With the wrapper function that I'm using (see below), when sys_execve() is called on a valid executable, it executes fine and everything works out. However, when it's called on a nonexistent file or something else that causes an error condition, the calling program will crash with:
segfault at 3b ip 000000000000003b...
Using strace to examine the return value from the hooked sys_execve() shows -1 or ENOSYS instead of the correct error code, which confuses me since I've checked the assembly of my wrapper function as well as the Linux source code for sys_execve(). Any suggestions on why my wrapper isn't properly passing the error code?
/* Assumed declaration: pointer to the original sys_call_table entry, saved before the hook is installed */
static asmlinkage long (*orig_func)(const char *, const char *const *, const char *const *, struct pt_regs *);

asmlinkage long new_execve(const char *name, const char *const *argv, const char *const *envp, struct pt_regs *regs) {
    return orig_func(name, argv, envp, regs);
}
Recommended answer
You can't hook execve by modifying the system call table in such a way, as on x86_64 sys_execve is called from stub_execve. So the call chain is sys_call_table[NR_execve] -> stub_execve -> sys_execve -> do_execve ... Take a look at stub_execve on LXR.
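The symptom in the question (a failed execve() coming back as ENOSYS or a crash) is a violation of the execve() contract: the call returns only on failure, with -1 and errno set (the kernel itself returns -errno, which libc translates), and on success the calling image is replaced. The following user-space probe is an added example, not code from the question or the answer, that checks both halves of that contract from a forked child; it is the kind of regression check worth running after installing any execve instrumentation (an audit or EDR module). It assumes a Linux host with /bin/sh available and uses the Linux-specific pipe2(); the nonexistent path is a constructed sample value.

```c
/* Probe the execve() contract from user space.
 * Result encoding returned by probe_execve():
 *   >= 0        : execve succeeded; value is the child's exit status
 *   -errno      : execve returned in the child with that errno (failure path)
 *   -1000 - sig : child died from signal `sig` (what a broken hook looks like)
 */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>

extern char **environ;

static int probe_execve(const char *path, char *const argv[]) {
    int pipefd[2];
    /* O_CLOEXEC: the write end vanishes on a successful exec, so the parent's
     * read() returning 0 means "execve never returned in the child". */
    if (pipe2(pipefd, O_CLOEXEC) < 0) return -errno;

    pid_t pid = fork();
    if (pid < 0) return -errno;

    if (pid == 0) {
        close(pipefd[0]);
        execve(path, argv, environ);
        /* Only reached if execve returned, i.e. it failed: ship errno to the parent. */
        int err = errno;
        ssize_t w = write(pipefd[1], &err, sizeof err);
        (void)w;
        _exit(127);
    }

    close(pipefd[1]);
    int err = 0;
    ssize_t n = read(pipefd[0], &err, sizeof err);
    close(pipefd[0]);

    int status;
    if (waitpid(pid, &status, 0) < 0) return -errno;
    if (n == (ssize_t)sizeof err) return -err;            /* failure path: kernel-style -errno */
    if (WIFSIGNALED(status)) return -1000 - WTERMSIG(status);
    return WEXITSTATUS(status);                            /* success path: image was replaced */
}

int main(void) {
    char *ok_argv[] = { "sh", "-c", "exit 7", NULL };
    char *missing_argv[] = { "no-such-file", NULL };

    /* Expected 7: execve succeeded and the new image exited with status 7. */
    printf("/bin/sh -c 'exit 7' -> %d\n", probe_execve("/bin/sh", ok_argv));
    /* Constructed nonexistent path; expected -ENOENT (-2 on Linux), never ENOSYS or a signal. */
    printf("/nonexistent/binary-example -> %d\n",
           probe_execve("/nonexistent/binary-example", missing_argv));
    return 0;
}
```

With a correctly behaving execve (native or properly hooked through the stub_execve path the answer describes), the first probe reports 7 and the second reports -ENOENT; a hook that breaks the error path shows up as a wrong negative errno or as a signal-death code below -1000.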