Why do some Linux x86_64 system calls require stubs?

If you are trying to intercept some system calls using sys_call_table hooking, for example sys_execve, this will not work, because they are indirectly called via a stub. For sys_execve this is stub_execve (compare the assembly code on LXR).

But what are these stubs for? Why do only some system calls, such as execve(2) and fork(2), require a stub, and how is this related to x86_64? Is there a way around the stubbed system calls (in a Loadable Kernel Module)?

+6
1 answer

From here, it says:

"Some special system calls that need to keep a full stack."

And I think execve is just one of these special system calls.

From the stub_execve code, if you want to hook it, you can at least try:
(1) Understand what this assembly code does and do the same yourself; then you can call your own function from your own assembly code.
(2) In the middle of the assembly code there is a call sys_execve; you can replace the sys_execve address with the address of your own hook function.

+1
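An added example (not from the question or the answer) of the check a defender would run against either approach: decode the rel32 displacement of the CALL inside a copy of stub_execve and compare its target with the address kallsyms reports for sys_execve, so a redirected call is detected. All addresses and bytes below are constructed for the example, not taken from a real kernel.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Decode an x86_64 near relative CALL: opcode E8 followed by a signed
 * 32-bit displacement. The target is the address of the next instruction
 * (insn_addr + 5) plus the sign-extended displacement. */
static uint64_t call_target(const uint8_t *insn, uint64_t insn_addr)
{
    int32_t rel32;
    memcpy(&rel32, insn + 1, sizeof rel32);  /* little-endian in memory */
    return insn_addr + 5 + (uint64_t)(int64_t)rel32;
}

/* Scan a copy of the stub's bytes for the first E8 CALL and return its
 * target, or 0 if none is found. stub_addr is the stub's kernel address.
 * Caveat: a byte-wise scan is not a disassembler, so an E8 inside an
 * immediate would be mistaken for a call; acceptable for a short stub. */
uint64_t find_first_call_target(const uint8_t *code, size_t len, uint64_t stub_addr)
{
    for (size_t i = 0; i + 5 <= len; i++)
        if (code[i] == 0xE8)
            return call_target(code + i, stub_addr + i);
    return 0;
}

/* Integrity check: 1 if the stub's CALL still lands on the address that
 * kallsyms reports for sys_execve, 0 if it is missing or redirected. */
int stub_call_intact(const uint8_t *code, size_t len, uint64_t stub_addr, uint64_t sys_execve_addr)
{
    return find_first_call_target(code, len, stub_addr) == sys_execve_addr;
}

/* Constructed sample (hypothetical addresses, not from a real kernel):
 * stub at ...8100a000, sys_execve at ...81012340. Three filler bytes,
 * then E8 38 83 00 00: 0x8100a003 + 5 + 0x8338 == 0x81012340. */
const uint64_t STUB_ADDR = 0xffffffff8100a000ULL;
const uint64_t SYS_EXECVE_ADDR = 0xffffffff81012340ULL;
const uint8_t STUB_OK[] = { 0x48, 0x89, 0xe7, 0xE8, 0x38, 0x83, 0x00, 0x00, 0xc3 };
/* Same stub with the displacement rewritten to F8 5F FF FF (-0xa008),
 * so the call now goes to ...81000000 instead of sys_execve. */
const uint8_t STUB_PATCHED[] = { 0x48, 0x89, 0xe7, 0xE8, 0xf8, 0x5f, 0xff, 0xff, 0xc3 };

int main(void)
{
    printf("intact:  %d\n", stub_call_intact(STUB_OK, sizeof STUB_OK, STUB_ADDR, SYS_EXECVE_ADDR));
    printf("patched: %d\n", stub_call_intact(STUB_PATCHED, sizeof STUB_PATCHED, STUB_ADDR, SYS_EXECVE_ADDR));
    return 0;
}
```

In a real check the stub bytes come from reading the kernel text at the stub's kallsyms address, and the expected target from kallsyms_lookup_name("sys_execve") or /proc/kallsyms.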

Source: https://habr.com/ru/post/969509/
