在Linux 3.x上挂钩sys_execve() [英] Hooking sys_execve() on Linux 3.x
问题描述
我试图通过修改系统调用表来挂接Linux 3.x内核上的sys_execve()函数.问题在于,只有在执行不成功时,sys_execve()才应返回错误代码.使用我正在使用的包装函数(请参见下文),在有效的可执行文件上调用sys_execve()时,它执行得很好,并且一切正常.但是,如果在不存在的文件或其他导致错误情况的文件上调用它,则调用程序将崩溃,并显示以下信息:
I'm trying to hook the sys_execve() function on the Linux 3.x kernel by modifying the system call table. The problem is that sys_execve() is only supposed to return an error code if execution is unsuccessful. With the wrapper function that I'm using (see below), when sys_execve() is called on a valid executable, it executes fine and everything works out. However, when it's called on a nonexistent file or something else that causes an error condition, the calling program will crash with:
segfault at 3b ip 000000000000003b...
使用strace检查挂钩的sys_execve()的返回值会显示-1或ENOSYS而不是正确的错误代码,这使我感到困惑,因为我已经检查了包装函数的汇编以及sys_execve()的Linux源代码.为什么我的包装程序没有正确传递错误代码的任何建议?
Using strace to examine the return value from the hooked sys_execve() shows -1 or ENOSYS instead of the correct error code, which confuses me since I've checked the assembly of my wrapper function as well as the Linux source code for sys_execve(). Any suggestions on why my wrapper isn't properly passing the error code?
asmlinkage long new_execve(const char* name, const char const** argv, const char const** envp, struct pt_regs* regs) {
return orig_func(name, argv, envp, regs);
}
推荐答案
通过以x86_64上的sys_execve从stub_execve.因此,呼叫链为sys_call_table[NR_execve] -> stub_execve -> sys_execve -> do_execve ...看一下在LXR上的stub_execve .
You can't hook execve by modifying the system call table in a such a way as on x86_64 the sys_execve is called from the stub_execve. So the call chain is sys_call_table[NR_execve] -> stub_execve -> sys_execve -> do_execve ... Take a look at stub_execve on LXR.
这篇关于在Linux 3.x上挂钩sys_execve()的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
