1

I'm trying to hijack a system call with a loadable kernel module in Linux kernel v4.19.8.

I could find the virtual address of sys_call_table in /boot/System.map-4.19.8. However, when I try to access it, dmesg gives me the message below:

BUG : unable to handle kernel paging request at [address of sys_call_table] 

So, here are my questions.

  1. Is it even possible to hijack a system call with a loadable kernel module in Linux kernel v4.19.8?
  2. If it is possible, how can I do it?

Thank you in advance.

1
  • As far as I remember, the syscall table is write-protected. You need to disable that protection when modifying the table. There are a lot of examples on the net about that. Commented Dec 15, 2018 at 12:31

1 Answer

1

There are hooks you can use depending on the system call you're interested in. Often there's a callback that you can patch in with your module. So you might create a wrapper function and do some stuff then call the 'real' callback when you're done.

Check out this library: https://github.com/pmem/syscall_intercept
