On Wed, Nov 12, 2008 at 8:56 PM,  <[EMAIL PROTECTED]> wrote:
>
> Myself, I'm trying to hook the execve syscall, but I have problems with it. What
> I need is, after a user program calls execve, to just do a simple check of the
> file name (by kernel - strstr) and then proceed to normal execution.
>
> Without debug registers.
> Any hints would be greatly appreciated.
> Or maybe someone would direct me to some up-to-date introductory material
> about kernel space / user space transition?
>

There is something called system call notification:

http://lkml.org/lkml/2008/9/8/76

using the method of self-ptracing.


-- 
Regards,
Peter Teoh

--
To unsubscribe from this list: send an email with
"unsubscribe kernelnewbies" to [EMAIL PROTECTED]
Please read the FAQ at http://kernelnewbies.org/FAQ
