Old 01-20-2013, 08:53 PM   #1
omega341991
Member
 
Registered: May 2012
Posts: 39

Rep: Reputation: Disabled
location of syscall_table in Ubuntu 11.10


I would like to know the location of the syscall_table.S file so that I can modify the system calls table. I found the pointer to system calls in the file unistd.h.
But from the information that I obtained, I also need the location of file syscall_table to modify/add system calls... Does anyone know the solution?
 
Old 01-21-2013, 07:46 AM   #2
sundialsvcs
Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 5,049

Rep: Reputation: 953
Solution: "Don't do that." Don't attempt to do that.
 
Old 01-21-2013, 11:06 AM   #3
omega341991
Member
 
Registered: May 2012
Posts: 39

Original Poster
Rep: Reputation: Disabled
That is not an option. This is my final year project. I am doing "Rootkit Detection" as the project and hence need to modify the libraries and system calls to create the rootkit. Is there another way?
 
Old 01-21-2013, 11:09 AM   #4
bsat
Member
 
Registered: Feb 2009
Posts: 346

Rep: Reputation: 72
Be very careful if you want to add/modify system calls. Preferably do it on a test system and not on your main system.

You can see the link below for the steps

http://tuxthink.blogspot.in/2012/01/...o-linux-3.html
 
Old 01-21-2013, 11:16 AM   #5
omega341991
Member
 
Registered: May 2012
Posts: 39

Original Poster
Rep: Reputation: Disabled
I am using a virtual machine to be safe. By the way, is it possible to execute multiple commands when only 1 command is actually invoked by modifying the system call table?
e.g.: calling open() calls open() and some other system call at the same time

Is it possible to implement the above said feature?
 
Old 01-21-2013, 08:48 PM   #6
sundialsvcs
Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 5,049

Rep: Reputation: 953
Then I would suggest putting in a kernel-module ... say a virtual device driver ... that can by some means (e.g. an "ioctl" call) install and remove the simulated-rootkit that you want to detect. The device doesn't have to do anything; cabbage the null-device. But you will need to have somewhere to vector the syscalls to, and the means to reflect the incoming call to the proper vector. It will, furthermore, need to do the swap atomically. Code that is "fully part of the kernel" can do that.

(I also suggest that you look around to see what others have already done.)
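
Added example, not part of any post in this thread: the detection side of the project discussed above, as two checks over a snapshot of the syscall table (handlers outside core kernel text, and entries that differ from a known-good baseline). The function names and all addresses are constructed for illustration; it assumes the table snapshot and the `_stext`/`_etext` bounds were collected separately.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Core kernel text range [start, end), i.e. _stext.._etext from System.map. */
struct text_range { uint64_t start, end; };

/* Check 1: handlers outside core kernel text; offending syscall numbers go to out. */
size_t find_out_of_range(const uint64_t *table, size_t n,
                         struct text_range core, size_t *out, size_t max_out)
{
    size_t hits = 0;
    for (size_t i = 0; i < n; i++) {
        if (table[i] >= core.start && table[i] < core.end)
            continue;               /* handler lives in core kernel text */
        if (hits < max_out)
            out[hits] = i;
        hits++;
    }
    return hits;
}

/* Check 2: entries that differ from a known-good baseline (catches redirects inside kernel text). */
size_t count_changed(const uint64_t *table, const uint64_t *baseline, size_t n)
{
    size_t changed = 0;
    for (size_t i = 0; i < n; i++)
        changed += (table[i] != baseline[i]);
    return changed;
}

/* Constructed sample data (not from a real kernel): x86_64 syscalls 0..3. */
static const struct text_range SAMPLE_CORE = { 0xffffffff81000000ULL, 0xffffffff81600000ULL };
static const uint64_t SAMPLE_BASELINE[4] = {
    0xffffffff8116a2b0ULL, 0xffffffff8116a340ULL,   /* read, write */
    0xffffffff81168f10ULL, 0xffffffff81167c60ULL }; /* open, close */
static const uint64_t SAMPLE_CURRENT[4] = {
    0xffffffff8116a2b0ULL, 0xffffffff8116a340ULL,
    0xffffffffa0012340ULL, 0xffffffff81167c60ULL }; /* entry 2 now points into module space */

int main(void)
{
    size_t idx[4];
    size_t n = find_out_of_range(SAMPLE_CURRENT, 4, SAMPLE_CORE, idx, 4);
    for (size_t i = 0; i < n; i++)
        printf("syscall %zu points outside kernel text\n", idx[i]);
    printf("%zu changed\n", count_changed(SAMPLE_CURRENT, SAMPLE_BASELINE, 4));
    return 0;
}
```

The range check needs no baseline but misses a handler redirected to another address inside kernel text, which is why the baseline comparison is run alongside it.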
 
  


All times are GMT -5. The time now is 09:07 AM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration