----- Original Message -----
From: "venktesh narayan rao takkalki" <venk_rcr@rediffmail.com>
To: <vijoeyz@rediffmail.com>
Sent: Friday, March 19, 2004 2:29 PM
Subject: hello vijay
Venkatesh -
> hello vijay
>
> this is venktesh.t,
>
I am sorry for the delayed reply. Actually, you sent
mail to the id which I read less frequently. Anyway,
here is my answer ..
> I read the project and it is really interesting, but
> I want to clear my doubt.
>
> See, you said that the whole project you insert as a module
> using the insmod command, that's fine, but
>
> for ex. if I am tracking one system call, say unlink, then
> usually between the system call and the table (sys call table),
> how is your module called? I think you understood my question.
Yes, I understood your question.
>
> How does the kernel come to know about the module? Is there any way
> you people have done this, because by just inserting the module the
> kernel will not come to know about the tracking module and
> call it automatically.
>
It's true that just because we have inserted the module does not mean that
it's ready to work. We have to do proper setup in the module so that the
system call request passes through our module. Observe the following points:
* Whenever a system call is invoked, a trap is generated. It is also
called an interrupt.
* All the system calls (ex: read, write etc.) are actually C library
wrappers. For example, in your program, for a statement like this:
unlink ( "abc.txt" );
the library generates code like following on 80X86 machines:
...
mov eax, __NR_unlink ; system call number goes in eax
int 0x80 ; interrupt number for a system call
...
* During the system initialization phase, the kernel sets up the
interrupt vector table for all possible interrupts. The assembly
function system_call is defined in the file arch/i386/kernel/entry.S.
Following is a snippet from arch/i386/kernel/traps.c:
#define SYSCALL_VECTOR 0x80
...
/* set other interrupt handlers */
set_system_gate(SYSCALL_VECTOR,&system_call);
* Now, whenever a system call is invoked, it is served by the system call
handler, i.e., system_call (). Following are the steps taken by this
handler:
+ Register eax contains the system call number.
+ Multiply eax by 4. The product is an offset into the
sys_call_table.
+ The entry sys_call_table[eax*4] is the real system call
function.
* We replace the entry sys_call_table[eax*4] by our function, and save
the original pointer. So, whenever the particular system call is
invoked, our function gets called. The remaining details are
implementation-specific.
> Give me the detailed answer. I am an engineer and completed
> C.S. as my branch, I have nearly two years of exp in the IT field,
> I read your project and got this doubt.
>
> Thank you vijay
>
> Looking forward to your mail
>
>
> venktesh.t
>
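As an added illustration of the save-and-replace mechanism Vijay describes above (this is not code from the tracking project or from either mail), the following user-space C model stands in for the kernel: a table of function pointers indexed by the system call number, a dispatcher playing the role of system_call, a tracking replacement for unlink that forwards to the saved original, and an integrity check that compares the live table against a known-good copy, which is how a defender would notice such a replacement. All names (real_unlink, tracked_unlink, pristine_table, TABLE_SIZE) are constructed for the demo; only the i386 value of __NR_unlink is real.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

typedef long (*syscall_fn)(const char *path);

#define NR_UNLINK  10            /* __NR_unlink on i386 */
#define TABLE_SIZE 16            /* demo table, not the real size */

/* Stand-in for the kernel's sys_unlink (constructed for the demo). */
static long real_unlink(const char *path) { return path[0] ? 0 : -ENOENT; }

static syscall_fn sys_call_table[TABLE_SIZE];
static syscall_fn pristine_table[TABLE_SIZE];  /* known-good copy (cf. System.map) */

/* What system_call does with eax: the mail's "eax*4" is the byte offset;
 * C array indexing applies that scaling for us. Unknown numbers get -ENOSYS. */
long dispatch(int nr, const char *path) {
    if (nr < 0 || nr >= TABLE_SIZE || sys_call_table[nr] == NULL)
        return -ENOSYS;
    return sys_call_table[nr](path);
}

/* The tracking module's state: saved original pointer plus what it observed. */
static syscall_fn orig_unlink;
static int  tracked_calls;
static char last_tracked[64];

/* Replacement entry: record the call, then forward to the saved original. */
static long tracked_unlink(const char *path) {
    tracked_calls++;
    strncpy(last_tracked, path, sizeof last_tracked - 1);
    last_tracked[sizeof last_tracked - 1] = '\0';
    return orig_unlink(path);
}

void init_table(void) {               /* kernel boot: fill the table */
    memset(sys_call_table, 0, sizeof sys_call_table);
    sys_call_table[NR_UNLINK] = real_unlink;
    memcpy(pristine_table, sys_call_table, sizeof sys_call_table);
    tracked_calls = 0; last_tracked[0] = '\0';
}
void install_hook(void) {             /* module init: save, then replace */
    orig_unlink = sys_call_table[NR_UNLINK];
    sys_call_table[NR_UNLINK] = tracked_unlink;
}
void remove_hook(void) { sys_call_table[NR_UNLINK] = orig_unlink; }  /* module exit */

/* Defender's check: how many entries differ from the known-good copy. */
int modified_entries(void) {
    int i, n = 0;
    for (i = 0; i < TABLE_SIZE; i++) if (sys_call_table[i] != pristine_table[i]) n++;
    return n;
}
int tracked_count(void) { return tracked_calls; }
const char *last_path(void) { return last_tracked; }
```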