If one tries to hook certain syscalls via sys_call_table-hooking, e.g. sys_execve, this will fail, because they are indirectly called by a stub. For sys_execve this is stub_execve (compare assembly code on LXR).

But what are these stubs good for? Why do only certain system calls like execve(2) and fork(2) require a stub, and how is this connected to x86_64? Is there a workaround to hook stubbed syscalls (in a Loadable Kernel Module)?
The system call stub functions provide a high-level language interface to a function whose main job is to generate the software interrupt (trap) needed to get the kernel's attention. These functions are often called wrappers. The stub functions on most operating systems do the same basic steps.
A system call is a function that allows a process to communicate with the Linux kernel. It's just a programmatic way for a computer program to order a facility from the operating system's kernel. System calls expose the operating system's resources to user programs through an API (Application Programming Interface).
The exit syscall is number 60.
There can be a maximum of 6 system call parameters. Both the system call number and the parameters are stored in certain registers. For example, on the 32-bit x86 architecture, the system call identifier is stored in the EAX register, while the parameters are stored in the registers EBX, ECX, EDX, ESI, EDI and EBP.
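The calling convention this answer describes, worked through in user space as an added example (this is not code from the answer or from the kernel): raw_syscall3() is a hand-written wrapper of the kind the answer calls a stub function. On x86_64 it issues the syscall instruction itself with the number in rax and the arguments in rdi, rsi, rdx (the 64-bit counterpart of the EAX/EBX/ECX/EDX convention given for 32-bit x86); on any other architecture it falls back to glibc's generic syscall(2) wrapper. The second helper shows a detail the wrappers normally hide: the kernel returns errors as negative errno values in rax, and it is the libc stub that turns them into -1 plus errno.

```c
/* Added example, not part of the original answers: a user-space view of the
 * x86_64 system call convention. Builds and runs on Linux; on non-x86_64
 * targets the raw path falls back to glibc's syscall(2). */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Hand-written three-argument wrapper, equivalent in spirit to the libc stub
 * functions the answer describes. For reference, on x86_64 SYS_exit is 60 (as
 * the answer says), SYS_write is 1 and SYS_getpid is 39. */
static long raw_syscall3(long nr, long a1, long a2, long a3)
{
#if defined(__x86_64__) && defined(__linux__)
    long ret;
    __asm__ volatile (
        "syscall"
        : "=a"(ret)                           /* rax: result, or -errno   */
        : "a"(nr), "D"(a1), "S"(a2), "d"(a3)  /* rax=nr, rdi, rsi, rdx    */
        : "rcx", "r11", "memory");            /* SYSCALL clobbers rcx/r11 */
    return ret;
#else
    /* Other architectures: let glibc's generic wrapper do the register
     * setup, and re-encode its -1/errno result as the kernel-style -errno. */
    long ret = syscall(nr, a1, a2, a3);
    return ret == -1 ? -errno : ret;
#endif
}

/* getpid(2) through the raw path and through the libc wrapper must agree. */
int raw_getpid_matches_libc(void)
{
    long raw = raw_syscall3(SYS_getpid, 0, 0, 0);
    return raw == (long)getpid();
}

/* write(2) to an invalid descriptor: the kernel hands back -EBADF in rax.
 * The libc stub would convert this to a -1 return with errno == EBADF. */
long raw_write_bad_fd(void)
{
    static const char byte = 'x';
    return raw_syscall3(SYS_write, -1, (long)&byte, 1);
}

int main(void)
{
    printf("getpid via raw syscall: %ld, via libc wrapper: %d\n",
           raw_syscall3(SYS_getpid, 0, 0, 0), (int)getpid());
    printf("raw write(-1, ...) returned %ld; -EBADF is %d\n",
           raw_write_bad_fd(), -EBADF);
    return 0;
}
```

Compile with a plain cc and run; the two getpid values match and the bad-descriptor write returns -EBADF (-9 on Linux) rather than the -1/errno pair a program normally sees, which is exactly the translation the stub functions perform.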
From here, it says:
"Certain special system calls that need to save a complete full stack frame."
And I think execve is just one of these special system calls.
From the code of stub_execve, if you want to hook it, at least you can try:
call sys_execve
Here you can replace the address of sys_execve with your own hook function.