ddcc ddcc - 1 year ago 199
C Question

Hooking sys_execve() on Linux 3.x

I'm trying to hook the function on the Linux 3.x kernel by modifying the system call table. The problem is that is only supposed to return an error code if execution is unsuccessful. With the wrapper function that I'm using (see below), when is called on a valid executable, it executes fine and everything works out. However, when it's called on a nonexistent file or something else that causes an error condition, the calling program will crash with:

segfault at 3b ip 000000000000003b...

to examine the return value from the hooked shows -1 or instead of the correct error code, which confuses me since I've checked the assembly of my wrapper function as well as the Linux source code for . Any suggestions on why my wrapper isn't properly passing the error code?

/* orig_func is the saved original sys_call_table entry; argv/envp use the 3.x sys_execve pointer types */
asmlinkage long new_execve(const char __user *name, const char __user *const __user *argv,
                           const char __user *const __user *envp, struct pt_regs *regs) {
    return orig_func(name, argv, envp, regs);  /* forward unchanged, including the kernel's -errno */
}

Answer Source

You can't hook execve by modifying the system call table in such a way, as on x86_64 the sys_execve is called from the stub_execve. So the call chain is sys_call_table[NR_execve] -> stub_execve -> sys_execve -> do_execve ... Take a look at stub_execve on LXR.
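The "-1 instead of the correct error code" in the question and the stub_execve call chain in the answer hinge on the same ABI detail: the kernel hands back a negative errno in rax, and glibc turns that into -1 plus errno. The added example below (my own user-space code, not from the question or answer) shows both views of the same failed execve; the path is a constructed one assumed not to exist, and on x86_64 the syscall instruction is issued directly so the raw kernel value is visible.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <unistd.h>
#include <sys/syscall.h>

/* Constructed sample path, assumed not to exist on the host. */
static const char *const MISSING_PATH = "/nonexistent/dir/no-such-binary";

/* What user-space code sees: glibc's execve() returns -1 and stores the
 * positive error number in errno (ENOENT for a missing file). This only
 * returns when the execve fails, since a successful execve never returns. */
int execve_libc_errno(const char *path) {
    char *const argv[] = { (char *)path, NULL };
    char *const envp[] = { NULL };
    errno = 0;
    if (execve(path, argv, envp) == -1)
        return errno;
    return 0;
}

/* What the kernel actually returns in rax: a negative errno (-ENOENT).
 * A syscall-table hook that forwards to the original entry must pass this
 * value through untouched, or glibc's translation above breaks.
 * On x86_64 Linux the syscall instruction is issued directly so no libc
 * translation happens; elsewhere the value is reconstructed from errno. */
long execve_kernel_return(const char *path) {
    char *const argv[] = { (char *)path, NULL };
    char *const envp[] = { NULL };
#if defined(__x86_64__) && defined(__linux__)
    long ret;
    __asm__ volatile ("syscall"
                      : "=a"(ret)
                      : "0"((long)SYS_execve), "D"(path), "S"(argv), "d"(envp)
                      : "rcx", "r11", "memory");
    return ret;                       /* -ENOENT, not -1 */
#else
    errno = 0;
    long ret = syscall(SYS_execve, path, argv, envp);
    return ret == -1 ? -errno : ret;
#endif
}
```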
