LinuxQuestions.org > Linux - Kernel > location of syscall_table in Ubuntu 11.10
(http://www.linuxquestions.org/questions/linux-kernel-70/location-of-syscall_table-in-ubuntu-11-10-a-4175446516/)

omega341991 01-20-2013 08:53 PM

location of syscall_table in Ubuntu 11.10
 
I would like to know the location of the syscall_table.S file so that I can modify the system calls table. I found the pointer to system calls in the file unistd.h.
But from the information that I obtained, I also need the location of the file syscall_table to modify/add system calls. Does anyone know the solution?

sundialsvcs 01-21-2013 07:46 AM

Solution: "Don't do that." Don't attempt to do that.

omega341991 01-21-2013 11:06 AM

That is not an option. This is my final year project. I am doing "Rootkit Detection" as the project and hence need to modify the libraries and system calls to create the rootkit. Is there another way?

bsat 01-21-2013 11:09 AM

Be very careful if you want to add/modify system calls. Preferably do it on a test system and not on your main system.

You can see the link below for the steps

http://tuxthink.blogspot.in/2012/01/...o-linux-3.html

omega341991 01-21-2013 11:16 AM

I am using a virtual machine to be safe. By the way, is it possible to execute multiple commands when only 1 command is actually invoked by modifying the system call table?
e.g.: calling open() calls open() and some other system call at the same time

Is it possible to implement the above said feature?

sundialsvcs 01-21-2013 08:48 PM

Then I would suggest putting in a kernel-module ... say a virtual device driver ... that can by some means (e.g. an "ioctl" call) install and remove the simulated-rootkit that you want to detect. The device doesn't have to do anything; cabbage the null-device. But you will need to have somewhere to vector the syscalls to, and the means to reflect the incoming call to the proper vector. It will, furthermore, need to do the swap atomically. Code that is "fully part of the kernel" can do that.

(I also suggest that you look around to see what others have already done.)
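A detection-side counterpart to the table swap sundialsvcs describes, added here as an example and not code from the thread: given a dump of sys_call_table slots (which on a real system would have to come from a kernel module, since user space cannot read kernel memory) and a /proc/kallsyms-style listing, it flags any slot that does not resolve to a sys_* symbol inside the core kernel's text range. All addresses, the x86_64 slot numbering used and the module name simrk are constructed sample data.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of a /proc/kallsyms listing (not taken from a real box).
# "[simrk]" marks a symbol living in a loaded module, here standing in for
# the simulated-rootkit module the thread talks about.
KALLSYMS = """\
ffffffff81000000 T _text
ffffffff810a1230 T sys_read
ffffffff810a1300 T sys_write
ffffffff810a1400 T sys_open
ffffffff810a1500 T sys_close
ffffffff81a00000 T _etext
ffffffffa0012000 t hooked_open\t[simrk]
"""

# Constructed dump of the first four sys_call_table slots (x86_64 numbering:
# 0=read, 1=write, 2=open, 3=close) as a kernel module might print them.
TABLE_DUMP = {0: 0xffffffff810a1230, 1: 0xffffffff810a1300,
              2: 0xffffffffa0012000, 3: 0xffffffff810a1500}

SYMBOL_RE = re.compile(r"^([0-9a-f]+)\s+(\S)\s+(\S+)(?:\s+\[(\S+)\])?$")

def parse_kallsyms(text: str) -> Dict[int, Tuple[str, str]]:
    """Map address -> (symbol name, module name, or '' for the core kernel)."""
    syms = {}
    for line in text.splitlines():
        m = SYMBOL_RE.match(line.strip())
        if m:
            syms[int(m.group(1), 16)] = (m.group(3), m.group(4) or "")
    return syms

def check_table(table: Dict[int, int], syms: Dict[int, Tuple[str, str]]) -> List[str]:
    """Return one finding per slot whose target is not a core-kernel sys_* symbol."""
    by_name = {name: addr for addr, (name, _mod) in syms.items()}
    lo, hi = by_name["_text"], by_name["_etext"]   # core kernel text range
    findings = []
    for nr, addr in sorted(table.items()):
        name, mod = syms.get(addr, ("<unknown>", ""))
        if not (lo <= addr < hi):   # points into module space or unmapped memory
            findings.append(f"nr {nr}: {addr:#x} outside kernel text, resolves to {name} [{mod or 'unknown'}]")
        elif not name.startswith("sys_"):   # inside the kernel but not a syscall entry
            findings.append(f"nr {nr}: {addr:#x} in kernel text but not a sys_* symbol ({name})")
    return findings

if __name__ == "__main__":
    for finding in check_table(TABLE_DUMP, parse_kallsyms(KALLSYMS)):
        print(finding)
```

Slot 2 (open) is reported because its target lies in module address space and resolves to hooked_open rather than sys_open; the other three slots pass.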
