
Why do certain Linux x86_64 system calls require a stub?

If one tries to hook certain syscalls via sys_call_table-hooking, e.g. sys_execve, this will fail, because they are indirectly called by a stub. For sys_execve this is stub_execve (compare the assembly code on LXR).

But what are these stubs good for? Why do only certain system calls like execve(2) and fork(2) require a stub, and how is this connected to x86_64? Is there a workaround to hook stubbed syscalls (in a Loadable Kernel Module)?

From here, it says:

"Certain special system calls that need to save a complete full stack frame."

And I think execve is just one of these special system calls.

From the code of stub_execve, if you want to hook it, at least you can try:
(1) Get to understand the meaning of that assembly code and do it by yourself; then you can call your own function in your own assembly code.
(2) In the middle of the assembly code there is a call sys_execve; you can replace the address of sys_execve with your own hook function.
