ddcc ddcc - 25 days ago 7
C Question

Hooking sys_execve() on Linux 3.x

I'm trying to hook the `sys_execve()` function on the Linux 3.x kernel by modifying the system call table. The problem is that `sys_execve()` is only supposed to return an error code if execution is unsuccessful. With the wrapper function that I'm using (see below), when `sys_execve()` is called on a valid executable, it executes fine and everything works out. However, when it's called on a nonexistent file or something else that causes an error condition, the calling program will crash with:

segfault at 3b ip 000000000000003b...

Using `strace` to examine the return value from the hooked `sys_execve()` shows -1 or `ENOSYS` instead of the correct error code, which confuses me since I've checked the assembly of my wrapper function as well as the Linux source code for `sys_execve()`. Any suggestions on why my wrapper isn't properly passing the error code?

/* Saved pointer to the original sys_call_table entry for execve
 * (filled in when the table is patched). */
static long (*orig_func)(const char *name, const char *const *argv,
                         const char *const *envp, struct pt_regs *regs);

/* Replacement table entry: forwards straight to the original handler. */
asmlinkage long new_execve(const char *name, const char *const *argv,
                           const char *const *envp, struct pt_regs *regs) {
    return orig_func(name, argv, envp, regs);
}

Answer

You can't hook execve by modifying the system call table in such a way, because on x86_64 sys_execve is called from stub_execve. So the call chain is sys_call_table[NR_execve] -> stub_execve -> sys_execve -> do_execve ... Take a look at stub_execve on LXR.