I'm trying to hook the sys_execve() function on the Linux 3.x kernel by modifying the system call table. The problem is that sys_execve() is only supposed to return an error code if execution is unsuccessful. With the wrapper function that I'm using (see below), when sys_execve() is called on a valid executable, it executes fine and everything works out. However, when it's called on a nonexistent file or something else that causes an error condition, the calling program will crash with:

segfault at 3b ip 000000000000003b...

Using strace to examine the return value from the hooked sys_execve() shows -1 or ENOSYS instead of the correct error code, which confuses me since I've checked the assembly of my wrapper function as well as the Linux source code for sys_execve(). Any suggestions on why my wrapper isn't properly passing the error code?
#include <linux/linkage.h>   /* asmlinkage */
#include <linux/ptrace.h>    /* struct pt_regs */
/* original sys_call_table entry, saved before the table is patched */
static asmlinkage long (*orig_func)(const char *, const char *const *, const char *const *, struct pt_regs *);
asmlinkage long new_execve(const char *name, const char *const *argv, const char *const *envp, struct pt_regs *regs) {
    return orig_func(name, argv, envp, regs);   /* forward unchanged to the saved entry */
}
You can't hook execve by modifying the system call table in such a way, as on x86_64 sys_execve is called from stub_execve. So the call chain is sys_call_table[NR_execve] -> stub_execve -> sys_execve -> do_execve ... Take a look at stub_execve on LXR.
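The error code the question is chasing travels through a fixed convention: the kernel hands back 0 on success or a negative errno value in the return register (-ENOENT for a missing file, -ENOSYS when the dispatch went wrong), and the libc wrapper turns any raw value in [-4095, -1] into the -1 / errno pair that strace prints. The following userspace program is an added example, not code from the question or the answer above; it mirrors that decoding step so you can see exactly which raw value a correct execve path must produce, and it finishes by issuing a real execve on a deliberately nonexistent path (a constructed placeholder, not a path from the page) to show what the unhooked kernel returns. The helper names and the 4095 bound are assumptions made here; the bound is the same one the kernel's IS_ERR_VALUE() macro uses.

```c
/* Added example: decode raw system-call return values the way libc does. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Assumed bound: raw values in [-KERNEL_MAX_ERRNO, -1] are error codes,
 * anything else (including large pointer-like values) is a result. */
#define KERNEL_MAX_ERRNO 4095L

/* Hypothetical helper: errno that userspace would observe for a raw
 * kernel return value, or 0 when the raw value is not an error. */
int decode_errno(long raw)
{
    if ((unsigned long)raw >= (unsigned long)-KERNEL_MAX_ERRNO)
        return (int)-raw;
    return 0;
}

/* Hypothetical helper: value the calling program receives from the libc
 * wrapper: -1 for an error, otherwise the raw value unchanged. */
long decode_ret(long raw)
{
    return decode_errno(raw) ? -1 : raw;
}

/* Raw value a correct execve path must return for a missing executable. */
long expected_raw_for_missing_file(void)
{
    return -ENOENT;
}

int main(void)
{
    /* Constructed raw values, as a hook or a broken stub might produce. */
    long samples[] = { -ENOENT, -ENOSYS, 0, -4096 };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        long raw = samples[i];
        printf("raw %6ld -> ret %5ld, errno %3d (%s)\n",
               raw, decode_ret(raw), decode_errno(raw),
               decode_errno(raw) ? strerror(decode_errno(raw)) : "no error");
    }

    /* Real observation: execve on a constructed nonexistent path. The kernel
     * returns -ENOENT, which libc reports as -1 with errno == ENOENT. */
    char *const argv[] = { "/nonexistent/example-binary", NULL };
    char *const envp[] = { NULL };
    errno = 0;
    long r = syscall(SYS_execve, argv[0], argv, envp);
    printf("syscall(SYS_execve, \"%s\") -> ret %ld, errno %d (%s)\n",
           argv[0], r, errno, strerror(errno));
    return 0;
}
```

Run it on an x86_64 Linux box and compare the last line with the strace output from the question: a correctly forwarded call ends in ENOENT for a missing file, so seeing ENOSYS there means the raw return value was corrupted somewhere between stub_execve and the caller, not that sys_execve itself rejected the arguments.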