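#ifndef MODULE
#define MODULE
#endif
#ifndef __KERNEL__
#define __KERNEL__
#endif

/*
 * NOTE(review): the header names of the next eleven #include lines were
 * lost when this listing was published (the <...> part was stripped), so
 * they cannot be restored from this copy; take them from the source archive.
 */
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include "acd_define.h"
#include "fileinfo.c"

/* Value transfer_para() returns when the execve must be refused. */
#define REJECT -1

/*
 * The kernel's syscall dispatch table. Patching it directly only works on
 * kernels that export it and leave the page writable (2.4-era x86); later
 * kernels neither export it nor allow the write.
 */
extern void *sys_call_table[];

/* Original sys_execve entry, saved so cleanup_module can put it back. */
int (*orig_execve)(struct pt_regs regs);

/*
 * Replacement entry for sys_execve.
 *
 * Copies the filename from regs.ebx into kernel space, asks
 * transfer_para() (fileinfo.c) whether the current process may execute
 * it, and then either refuses the call or performs the normal
 * do_execve() with argv (regs.ecx) and envp (regs.edx).
 *
 * Returns the do_execve() result on the allowed path, -EACCES when the
 * policy rejects the file, or the getname() error when the filename could
 * not be copied from user space.
 *
 * NOTE(review): the published copy omits the asmlinkage qualifier that the
 * real sys_execve carries on x86; the register struct is passed on the
 * stack, so confirm the calling convention against the target kernel.
 */
int check_exec(struct pt_regs regs)
{
	int error;
	int cpid = current->pid;
	char *filename;

	filename = getname((char *)regs.ebx);
	if (IS_ERR(filename))
		return PTR_ERR(filename);

	if (transfer_para(SYS_execve, filename, cpid) == REJECT) {
		/*
		 * The original returned "error" here, which still held the
		 * PTR_ERR() of a valid pointer: user space saw the numeric value
		 * of a kernel address as the execve result, and the getname()
		 * buffer was never released. Report a real errno instead and
		 * fall through to the putname() below.
		 */
		error = -EACCES;
		goto out;
	}

	/* The last argument was mangled to "®s" in the published copy. */
	error = do_execve(filename, (char **)regs.ecx, (char **)regs.edx, &regs);
out:
	putname(filename);
	return error;
}

/*
 * Installs check_exec in place of sys_execve. There is no write-protect
 * handling or locking here; the write is a plain store into the table.
 */
int init_module()
{
	orig_execve = sys_call_table[SYS_execve];
	sys_call_table[SYS_execve] = check_exec;
	return 0;
}

/*
 * Restores the original sys_execve entry. A process that is still inside
 * check_exec when the module text is unloaded will crash; nothing here
 * waits for in-flight calls, so unload only when the system is quiescent.
 */
int cleanup_module()
{
	sys_call_table[SYS_execve] = orig_execve;
	return 0;
}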