From owner-freebsd-hackers@FreeBSD.ORG Mon Nov 17 04:53:28 2003
Date: Mon, 17 Nov 2003 13:51:41 +0100
From: Pawel Jakub Dawidek
To: Samy Al Bahra
Cc: Murat Balaban, freebsd-hackers@freebsd.org, Kai Zhu
Message-ID: <20031117125141.GA511@garage.freebsd.pl>
In-Reply-To: <1069056130.3fb8808299d19@www.kerneled.com>
References: <20031116155330.42894.qmail@web21409.mail.yahoo.com> <20031116201323.GA26716@enderunix.org> <1069056130.3fb8808299d19@www.kerneled.com>
Subject: Re: Questions on intercepting execve syscall
X-OS: FreeBSD 4.8-RELEASE-p13 i386
X-URL: http://garage.freebsd.pl
User-Agent: Mutt/1.5.1i

On Mon, Nov 17, 2003 at 11:02:10AM +0300, Samy Al Bahra wrote:
> > See http://www.enderunix.org/murat/linux_subexec/linux_subexec.c for a simple
> > example.
>
> This is 4.X specific (proc usage). I would just like to note that there is an
> execve symbol which you can reference in your code directly (rather than
> creating your own pointer for deinitialization).
>
> EX:
> -sysent[SYS_execve].sy_call = (sy_call_t *)oldexecve;
> +sysent[SYS_execve].sy_call = (sy_call_t *)execve;

And if there are two modules that intercept execve(2)? Storing the old value
in a dedicated pointer is correct.

There will still be a problem when modules are loaded and unloaded in random
order. The unload order has to be the reverse of the load order; if not, an
invalid pointer (of a module that was already unloaded) will be stored in the
sysent table.

--
Pawel Jakub Dawidek                       pawel@dawidek.net
UNIX Systems Programmer/Administrator     http://garage.freebsd.pl
Am I Evil? Yes, I Am!                     http://cerber.sourceforge.net
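Review bot: the `+sysent[SYS_execve].sy_call = (sy_call_t *)execve;` line in the quoted EX restores the kernel's own handler unconditionally, so if a second module hooked the slot after this one loaded, its hook is silently dropped and its saved pointer ends up referring to code that is no longer loaded. Restore the saved `oldexecve` instead, and only after checking that the slot still holds this module's own handler; otherwise refuse to unload.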
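The load/unload ordering problem Pawel describes, as an added example that is not code from the thread: a userland model of a one-slot sysent table, two toy modules that chain through a saved pointer, and the check a module can make before restoring that pointer. All names (`hook_module`, `module_load`, `module_unload`, `hook_a`, `hook_b`) are hypothetical; the refusal-on-wrong-order behaviour is a defensive choice shown here, not something the thread attributes to FreeBSD.

```c
/* Added example: model of sysent hook chaining and the unload-order hazard.
 * Names are made up; the table is a one-entry stand-in for sysent[]. */
#include <errno.h>
#include <stdio.h>

typedef int (*sy_call_t)(void *);            /* stand-in for FreeBSD's sy_call_t */
struct sysent_entry { sy_call_t sy_call; };

static int kernel_execve(void *a) { (void)a; return 0; }        /* original handler */
static struct sysent_entry sysent[1] = { { kernel_execve } };   /* slot 0 == execve */

/* One intercepting module: its handler plus the pointer it saved when it loaded. */
struct hook_module {
    sy_call_t hook;    /* this module's handler */
    sy_call_t saved;   /* whatever sat in the slot before this module loaded */
    int loaded;
};

static int hook_a(void *a) { (void)a; return 1; }
static int hook_b(void *a) { (void)a; return 2; }
static struct hook_module mod_a = { hook_a, NULL, 0 };
static struct hook_module mod_b = { hook_b, NULL, 0 };

static sy_call_t current_execve(void) { return sysent[0].sy_call; }

/* Load: remember the previous handler so it can be restored later (chaining). */
static void module_load(struct hook_module *m) {
    m->saved = sysent[0].sy_call;
    sysent[0].sy_call = m->hook;
    m->loaded = 1;
}

/* Unload: safe only if this module is still the most recently installed hook.
 * If another module hooked after us, restoring m->saved would discard its hook
 * and leave its own saved pointer aimed at our soon-to-be-unloaded code. */
static int module_unload(struct hook_module *m) {
    if (!m->loaded) return EINVAL;
    if (sysent[0].sy_call != m->hook) return EBUSY;   /* not last in: refuse */
    sysent[0].sy_call = m->saved;
    m->loaded = 0;
    return 0;
}

int main(void) {
    module_load(&mod_a);
    module_load(&mod_b);
    int wrong = module_unload(&mod_a);              /* EBUSY: B is above A */
    int ok = module_unload(&mod_b) || module_unload(&mod_a);  /* reverse order */
    printf("wrong-order unload -> %d, reverse-order unload -> %d, restored=%d\n",
           wrong, ok, current_execve() == kernel_execve);
    return ok;
}
```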