From: Samy Al Bahra <samy@kerneled.com>
To: Murat Balaban
Cc: freebsd-hackers@freebsd.org, Kai Zhu
Date: Mon, 17 Nov 2003 11:02:10 +0300
Subject: Re: Questions on intercepting execve syscall
Message-ID: <1069056130.3fb8808299d19@www.kerneled.com>
In-Reply-To: <20031116201323.GA26716@enderunix.org>
References: <20031116155330.42894.qmail@web21409.mail.yahoo.com> <20031116201323.GA26716@enderunix.org>

Quoting Murat Balaban:

> It might be that you have some bad address in the execve index of sysent
> array.

This is likely. He could add a printf statement before calling the original
execve just to be sure.

> See http://www.enderunix.org/murat/linux_subexec/linux_subexec.c for a simple
> example.

This is 4.X specific (proc usage). I would just like to note that there is an
execve symbol which you can reference in your code directly (rather than
creating your own pointer for deinitialization). EX:

-sysent[SYS_execve].sy_call = (sy_call_t *)oldexecve;
+sysent[SYS_execve].sy_call = (sy_call_t *)execve;

On Sun, Nov 16, 2003 at 07:53:30AM -0800, Kai Zhu wrote:
[...]
> As you can see, I first just want to make sure that my_execve won't affect
> the original execve, then I will add some new logic in my_execve before
> returning to execve().

How exactly are you modifying the system call entry table? Are you modifying
sysent even?

-- 
+-----------------------------------+
| Samy Al Bahra | samy@kerneled.com |
|-----------------------------------|
| B3A7 F5BE B2AE 67B1 AC4B          |
| 0983 956D 1F4A AA54 47CB          |
|-----------------------------------|
| http://www.kerneled.com           |
+-----------------------------------+
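Review bot: the `+sysent[SYS_execve].sy_call = (sy_call_t *)execve;` line restores the slot unconditionally, which is only correct if the entry still points at the module's own hook when it unloads; if another module has chained on top of it in the meantime, this assignment silently drops that module's handler as well. Compare `sysent[SYS_execve].sy_call == (sy_call_t *)my_execve` first and refuse to unload (or fail the MOD_UNLOAD handler) if it does not match.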
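The sysent hook discussed in this thread, as an added user-space model (not code from the thread or from FreeBSD): a constructed table of `struct sysent` entries with the kernel's field and symbol names, a `my_execve` that logs and chains to the original, an install path that refuses an empty (bad-address) slot, and an unload path that restores from the symbol rather than a saved pointer. `kernel_execve`, `dispatch`, `demo_execve`, the counters and the 64-entry table are stand-ins defined here so the file builds anywhere; in a real 4.x module the target would be the kernel's exported `execve` and the table the kernel's own `sysent[]`.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model of the FreeBSD 4.x syscall table (sys/sysent.h).
 * Names mirror the kernel's, but every definition is a local stand-in. */
#define SYS_execve 59               /* execve's slot number in FreeBSD's sysent[] */
#define NSYSCALLS  64               /* assumed table size for the model */
#define ENOSYS_VAL 78               /* ENOSYS on FreeBSD */

struct proc;                        /* opaque, as the 4.x handler receives it */
typedef int sy_call_t(struct proc *, void *);

struct sysent {
    int        sy_narg;             /* argument count */
    sy_call_t *sy_call;             /* handler pointer; this is what a hook replaces */
};

struct execve_args {                /* 4.x-style uap for execve */
    const char *fname;
    char      **argv;
    char      **envv;
};

static struct sysent sysent[NSYSCALLS];

/* Instrumentation for the demo; the kernel has nothing like this. */
static int  original_calls, hook_calls;
static char last_fname[64];

/* Stand-in for the kernel's exported execve symbol. A real module references
 * the kernel's execve() instead of defining one. */
static int kernel_execve(struct proc *p, void *uap)
{
    struct execve_args *a = uap;
    (void)p;
    original_calls++;
    snprintf(last_fname, sizeof last_fname, "%s", a->fname);
    return 0;
}

/* Replacement handler: log, then chain straight to the kernel symbol. */
static int my_execve(struct proc *p, void *uap)
{
    struct execve_args *a = uap;
    hook_calls++;
    /* The printf suggested in the thread: shows the chained target is sane
     * before anything else happens. */
    printf("my_execve: %s -> chaining to execve at %p\n",
           a->fname, (void *)kernel_execve);
    return kernel_execve(p, uap);
}

/* Boot-time table population (the kernel builds this statically). */
void sysent_init(void)
{
    memset(sysent, 0, sizeof sysent);
    sysent[SYS_execve].sy_narg = 3;
    sysent[SYS_execve].sy_call = (sy_call_t *)kernel_execve;
}

/* MOD_LOAD path: refuse to hook an empty slot (the "bad address" case). */
int install_hook(void)
{
    if (sysent[SYS_execve].sy_call == NULL)
        return -1;
    sysent[SYS_execve].sy_call = (sy_call_t *)my_execve;
    return 0;
}

/* MOD_UNLOAD path: restore from the symbol, not a saved pointer, and refuse
 * if someone else has hooked on top of us since we loaded. */
int remove_hook(void)
{
    if (sysent[SYS_execve].sy_call != (sy_call_t *)my_execve)
        return -1;
    sysent[SYS_execve].sy_call = (sy_call_t *)kernel_execve;
    return 0;
}

/* Model of the syscall dispatcher: bounds and NULL checks, then the call. */
int dispatch(int num, struct proc *p, void *uap)
{
    if (num < 0 || num >= NSYSCALLS || sysent[num].sy_call == NULL)
        return ENOSYS_VAL;
    return sysent[num].sy_call(p, uap);
}

/* Drives one execve through the table with a constructed uap. */
int demo_execve(const char *fname)
{
    char *argv[] = { "sh", NULL };
    struct execve_args uap = { fname, argv, NULL };
    return dispatch(SYS_execve, NULL, &uap);
}

int hook_is_installed(void)     { return sysent[SYS_execve].sy_call == (sy_call_t *)my_execve; }
int hook_call_count(void)       { return hook_calls; }
int original_call_count(void)   { return original_calls; }
const char *last_execve_fname(void) { return last_fname; }

int main(void)
{
    sysent_init();
    install_hook();
    demo_execve("/bin/sh");          /* goes through my_execve, then kernel_execve */
    remove_hook();
    demo_execve("/bin/ls");          /* hook gone: only kernel_execve runs */
    printf("hook calls=%d original calls=%d installed=%d\n",
           hook_calls, original_calls, hook_is_installed());
    return 0;
}
```

Running it shows one chained call while the hook is installed and none afterwards; a second `remove_hook()` fails because the slot no longer points at `my_execve`, which is the check that keeps an unload from clobbering someone else's hook.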