替换Linux内核3中的系统调用 [英] Replace system call in linux kernel 3

问题描述

我有兴趣用将在Linux内核3中实现的自定义替换系统调用. 我了解到sys调用表不再公开.

I am interested in replacing a system call with a custom that I will implement in linux kernel 3. I read that the sys call table is no longer exposed.

有什么想法吗?

对此 http://www.linuxtopia.org/的任何引用online_books/linux_kernel/linux_kernel_module_programming_2.6/x978.html 示例，但对于内核3会很感激:)

any reference to this http://www.linuxtopia.org/online_books/linux_kernel/linux_kernel_module_programming_2.6/x978.html example but for kernel 3 will be appreciated :)

谢谢！

推荐答案

我建议对这种工作使用kprobes，您可以轻松中断任何内核地址(或符号...)并更改执行路径，所有在运行时使用内核模块，如果需要的话:)

I would recommend using kprobes for this kind of job, you can easily break on any kernel address (or symbol...) and alter the execution path, all of this at runtime, with a kernel module if you need to :)

Kprobes通过用中断(例如x86上的int3)动态替换一条指令(例如syscall条目的第一条指令)来工作.在do_int3处理程序内部，一个通知程序通知kprobes，后者又将执行传递给您的已注册函数，从那时起您几乎可以执行任何操作.

Kprobes work by dynamically replacing an instruction (e.g. first instruction of your syscall entry) by a break (e.g. int3 on x86). Inside the do_int3 handler, a notifier notifies kprobes, which in turn passes the execution to your registered function, from which point you can do almost anything.

Documentation/kprobes.txt 中提供了非常好的文档.作为 samples/kprobes/kprobes_example.c (在此示例中，它们在do_fork上中断以记录系统上的每个fork).它具有非常简单的API，并且如今非常易于移植.

A very good documentation is given in Documentation/kprobes.txt so as a tiny example in samples/kprobes/kprobes_example.c (in this example they break on do_fork to log each fork on the system). It has a very simple API and is very portable nowdays.

警告:如果您需要更改执行路径，请确保您的kprobes没有经过优化(即，对处理程序的jmp指令代替了中断的指令，而不是int3的指令)，否则您将赢了.不能真正真正地轻易改变执行方式(在退出功能后，系统调用功能仍将照常执行).如果您只对跟踪感兴趣，那么可以，可以放心地忽略此问题.

Warning: If you need to alter the execution path, make sure your kprobes are not optimized (i.e. a jmp instruction to your handler replaces the instruction you break onto instead of an int3) otherwize you won't be able to really alter the execution easily (after the ret of your function, the syscall function will still be executed as usual). If you are only interested in tracing, then this is fine and you can safely ignore this issue.

这篇关于替换Linux内核3中的系统调用的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！