accessing system calls information

netwizio · 02-17-2004, 02:16 PM

Hello i want to count the important system calls execuetd with in a time interval in linux. How can i do that . I have not worked much with the system calls . Further is there any library which can give me such information or so.

Eventually i want to block any malicious system call. How can i do this sort of hooking

every sort of help tutorials web sites links are welcomed

regards

jtshaw · 02-17-2004, 04:55 PM

I am not sure you can count the system calls in a given interval without directly modifying the kernel to do so.

Also.... How are you going to determine what system calls are made maliciously? You pretty much have to assume if something makes a syscall and there are no permission issues to block it that you have to let it work. Otherwise you could seriously break the system.

infamous41md · 02-17-2004, 06:05 PM

hooking system calls is pretty simple, see here:
http://ouah.kernsh.org/kernel-hijack.txt
i can explain it to u if u like.

netwizio · 02-17-2004, 10:29 PM

jtshaw wrote
"I am not sure you can count the system calls in a given interval without directly modifying the kernel to do so.

Also.... How are you going to determine what system calls are made maliciously? You pretty much have to assume if something makes a syscall and there are no permission issues to block it that you have to let it work. Otherwise you could seriously break the system."

actually i m making some seperate program to decide upon the maliciousness of the system calls by checking their probability of existence based on their previous occurences

infamous41md · 02-18-2004, 12:53 AM

if you have a separeate program, then you are going to have to somehow forward requests from kernel space to user space, EVERYTIME A SYSTEM CALL IS MADE. i think that is slowdown you might notice. i just realized that the link i gave you isn't exactly what you need... you said you wanted to screen ALL system calls?? in that case, if you used the above method i posted, you'd have to hijack all 250+ individiually, which prolly isnt waht you want. i think, and im speculating here, that you could instead replace the interrupt vector 0x80 and screen calls from there instead. makes more sense that way, but i've never tried hackin up the interrupt vectors yet.