Hi my friends
How I can hook interrupt 0x80 and sysenter via assembly code so that I can read cpu registers before interrupt execution?
Please help me andn if it's posible for u send me some approprate assembly code . sincerely u

i dont think you can hook an interrupt in a 32 bit os

tanx my friend
but i think it's possible but i don't know how ?
for example by write a module and replce it's address whit int 0x80 when system try to execute this interrupt first execute my module and after this handle interrupt.isn't it.
i need some assembly code that do this.
please guid me .

I do not really want to point you to certain sites as they may be deemed to be malicious and somewhat dubious however you may find valid information by searching for "system call hijacking","IDT","rootkit" and other related terms. What you are trying to do is a common approach for hackers and rootkit authors to try and gain privileged access to certain parts of a system. You may find out a lot by looking at the kernel source to see how the kernel initializes the IDT on boot up. Look at linux/arch/i386/{traps,head}.c in the kernel sources , amongst others.

As you can see this may be seen as being against forum rules and I trust the moderators will see that I am trying to be diplomatic and helpful here. Such topics should be of interest to anyone involved in Linux security and OS internals. This is not really a simple subject and you are best doing more research into this.

That vector is set up at boot time. If you want to hook it, you either have to compile your own kernel or write a plugin driver module that will do what you want to do, then invoke that driver module from a userspace program that presumably is running as root. You then could change the vector table.

All the documentation is available; it shouldn't be too tough to do.

And, yes. This is a technique that a cracker would use. But there are also legitimate uses for it.

hi jiml8
thank u . could u give me some useful document.