bmax121 / KernelPatch

Patching and hooking the Linux kernel with only a stripped Linux kernel image.
GNU General Public License v2.0

syscall hook demo #87

Closed w296488320 closed 6 months ago

w296488320 commented 6 months ago

Can you provide an annotated, detailed syscall hook demo? syscall-hook.md is a blank file. Can I use hook_wrap3 to hook a syscall? The code is similar to the following.

```c
#include <kpmodule.h>
#include <linux/printk.h>
#include <kallsyms.h>
#include <hook.h>
static void *orig_readlinkat;   /* resolved address of sys_readlinkat */
/* after-hook: runs once the original readlinkat returns (args->ret holds its result) */
static void new_readlinkat(hook_fargs3_t *args, void *udata) { }
static void hook_readlinkat(void)
{
    orig_readlinkat = (typeof(orig_readlinkat))kallsyms_lookup_name("sys_readlinkat");
    if (!orig_readlinkat) {
        pr_err("runtime_kpm: failed to get sys_readlinkat address\n");
        return;
    }
    /* hook_wrap3(func, before, after, udata): before is 0, so only the after-hook runs */
    hook_err_t err = hook_wrap3(orig_readlinkat, 0, new_readlinkat, 0);
    if (err) {
        pr_err("runtime_kpm: hooking readlinkat error: %d\n", err);
        return;
    }
    pr_info("runtime_kpm: readlinkat syscall hooked successfully\n");
}
```

What I don't quite understand is the difference between fp hook syscalln and hook_wrap3; it would be better if you could describe the difference in the method header file or add some more notes to the demo.

bmax121 commented 6 months ago

fp hook means replacing a function pointer; the system-call table is a function pointer table. hook wrap is an inline hook. Both fp-hook and hook-wrap support hooking a function multiple times, just like Xposed, so that multiple modules can hook one function at the same time.
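To make the "replace a function pointer, stacked like Xposed" part concrete, here is an added user-space model written for this thread (constructed, not KernelPatch code; fp_hook_syscall, fargs3_t and the two-entry table are stand-ins, though the before/after/udata and skip_origin/ret shape mirrors what hook.h exposes). The table slot is swapped once for a trampoline, and every later registration just appends to that slot's chain, which is why several modules can hook the same entry.

```c
/* Constructed user-space model, not KernelPatch code: a function-pointer
 * "syscall table" whose slot is swapped for a trampoline that runs a chain
 * of before/after callbacks, so several "modules" can hook one entry. */
typedef long (*sysfn_t)(long a0, long a1, long a2);
typedef struct { long arg0, arg1, arg2, ret; int skip_origin; } fargs3_t;
typedef void (*hookfn_t)(fargs3_t *args, void *udata);
#define MAX_HOOKS 4
typedef struct {
    sysfn_t origin;                          /* saved original slot value */
    int n;                                   /* hooks registered so far */
    hookfn_t before[MAX_HOOKS], after[MAX_HOOKS];
    void *udata[MAX_HOOKS];
} chain_t;

static long sys_echo(long a0, long a1, long a2) { return a0 + a1 + a2; }
static sysfn_t sys_table[2] = { sys_echo, sys_echo };  /* the fp table */
static chain_t chains[2];

static long run_chain(chain_t *c, long a0, long a1, long a2)
{
    fargs3_t args = { a0, a1, a2, 0, 0 };
    for (int i = 0; i < c->n; i++)          /* before-hooks may edit args */
        if (c->before[i]) c->before[i](&args, c->udata[i]);
    if (!args.skip_origin)                   /* a before-hook can deny */
        args.ret = c->origin(args.arg0, args.arg1, args.arg2);
    for (int i = 0; i < c->n; i++)          /* after-hooks may edit ret */
        if (c->after[i]) c->after[i](&args, c->udata[i]);
    return args.ret;
}
#define TRAMP(nr) static long tramp##nr(long a, long b, long d) { return run_chain(&chains[nr], a, b, d); }
TRAMP(0) TRAMP(1)
static const sysfn_t tramps[2] = { tramp0, tramp1 };

/* fp-hook: swap the table slot for the trampoline (once), append the hooks */
int fp_hook_syscall(int nr, hookfn_t before, hookfn_t after, void *udata)
{
    chain_t *c = &chains[nr];
    if (c->n == MAX_HOOKS) return -1;
    if (sys_table[nr] != tramps[nr]) { c->origin = sys_table[nr]; sys_table[nr] = tramps[nr]; }
    c->before[c->n] = before; c->after[c->n] = after; c->udata[c->n] = udata; c->n++;
    return 0;
}
long do_syscall(int nr, long a0, long a1, long a2) { return sys_table[nr](a0, a1, a2); }

/* three independent "modules" stacking on the same entry, Xposed-style */
static void mod_a_before(fargs3_t *a, void *u) { (void)u; a->arg0 *= 2; }
static void mod_b_after(fargs3_t *a, void *u) { a->ret += *(long *)u; }
static void mod_c_deny(fargs3_t *a, void *u) { (void)u; a->skip_origin = 1; a->ret = -1; }
static long bonus = 100;
```

An inline hook (hook_wrap) differs only in how the trampoline is reached: instead of rewriting the table slot it patches the function's entry, but the same chain of before/after callbacks sits behind it.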

w296488320 commented 6 months ago

Thanks again for your reply. If I can improve the documentation, I believe more people will learn and use APatch.