milabs / khook

Linux Kernel hooking engine (x86)
GNU General Public License v2.0
327 stars 50 forks

Create POC with hooks of do_fork, elf loading and kill #6

Closed YanVugenfirer closed 5 years ago

YanVugenfirer commented 5 years ago
  1. Remove some sample code.

  2. Hooking _do_fork: It looks like several syscalls related to process creation eventually call __do_fork. Therefore it is better to hook it rather than the individual syscalls.

  3. Hooking sys_kill and x64_sys_kill: Newer kernels changed their prefix for syscalls, therefore x64_sys_kill should be tracked as well.

  4. Hooking load_elf_binary: We are going to get the executable name and additional information here after the ELF is loaded. Some of this useful info can be the VM_AREAs of the task.

Signed-off-by: Yan Vugenfirer yan@bladerunner.io

YanVugenfirer commented 5 years ago

Sorry my mistake

milabs commented 5 years ago

Hey, I didn't get the point of this PR. Was it supposed to add something new?

YanVugenfirer commented 5 years ago

Sorry, it was sent by mistake...
