On Wed, Jun 18, 2008 at 02:14:49PM +0300, Dan Shimshoni wrote:
> Is there a way to write an application/a kernel module which will
> notice when a process named "xyz" starts?

Yes, except that "process named xxx" is not very well defined. Briefly,
what you would need to do is hook into exec() (via a kernel module, ptrace,
LD_PRELOAD, or your favorite hooking mechanism) and check argv[0].

> Can this be done at all?

As mentioned elsewhere, it's trivial to fool this detection (e.g., by
hardlinking the binary). Why do you want to do it? Perhaps there's a
better way.

Cheers,
Muli
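
The hardlink caveat in the message above, as an added example (not code from the thread): the argv[0] name check misses a hardlink to the binary, while comparing device and inode numbers still recognizes it. The function names, the /tmp scratch directory and the file names xyz and abc are assumptions made for this illustration.

```c
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Name check from the message: compare the last component of argv[0]. */
int matches_by_name(const char *argv0, const char *wanted)
{
    const char *base = strrchr(argv0, '/');
    return strcmp(base ? base + 1 : argv0, wanted) == 0;
}

/* Identity check: does path name the same device and inode as reference? */
int matches_by_inode(const char *path, const char *reference)
{
    struct stat a, b;
    return stat(path, &a) == 0 && stat(reference, &b) == 0 &&
           a.st_dev == b.st_dev && a.st_ino == b.st_ino;
}

/* Constructed scenario: an empty file "xyz" hardlinked as "abc"; the link
 * path stands in for the argv[0] an exec hook would see. Returns bit 0 =
 * name check matched the link, bit 1 = inode check matched, -1 on setup error. */
int hardlink_demo(void)
{
    char dir[64], orig[80], alias[80];
    int result = -1;
    FILE *f;
    snprintf(dir, sizeof dir, "/tmp/execwatch-%ld", (long)getpid());
    if (mkdir(dir, 0700) != 0)          /* fails if the name already exists */
        return -1;
    snprintf(orig, sizeof orig, "%s/xyz", dir);
    snprintf(alias, sizeof alias, "%s/abc", dir);
    if ((f = fopen(orig, "w")) != NULL) {
        fclose(f);
        if (link(orig, alias) == 0) {
            result = matches_by_name(alias, "xyz") | (matches_by_inode(alias, orig) << 1);
            unlink(alias);
        }
        unlink(orig);
    }
    rmdir(dir);
    return result;
}

int main(void)
{
    int r = hardlink_demo();
    if (r >= 0) printf("name match: %d, inode match: %d\n", r & 1, r >> 1);
    return r < 0;
}
```

A plain copy of the file gets a new inode, so the inode comparison covers only the hardlink case.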
