----- Original Message -----
From: "venktesh narayan rao takkalki" <venk_rcr@rediffmail.com>
To: <vijoeyz@rediffmail.com>
Sent: Friday, March 19, 2004 2:29 PM
Subject: hello vijay

Venkatesh -

> hello vijay
>
> this is venktesh.t,
>

I am sorry for the delayed reply.  Actually, you sent
mail to the id which I read less frequently.  Anyway,
here is my answer ..


> I read the project and it is really interesting, but
> i want to clear my doubt,
>
> see, you said that the whole project you insert as a module
> using the insmod command, that's fine, but
>
> for ex. if I am tracking one system call, say unlink, then
> usually between the system call and the table (sys call table)
> how is your module called? I think you understood my question.

Yes, I understood your question.

>
> how does the module come to be known to the kernel? is there any way
> you people have done this, because by just inserting the module the
> kernel will not come to know about the tracking module and
> call it automatically.
>

It's true that just because we have inserted the module does not mean that
it's ready to work.  We have to do proper setup in the module so that the
system call request passes through our module.  Observe the following points:

    *   Whenever a system call is invoked, a trap is generated.  It is also
        called an interrupt.

    *   All the system calls (ex: read, write etc.) are actually C library
        wrappers.  For example, in your program, for a statement like this:

            unlink ( "abc.txt" );

        the library generates code like following on 80X86 machines:

            ...
            mov eax, __NR_unlink
            int 0x80        ; interrupt number for a system call
            ...

    *   During the system initialization phase, the kernel sets up the
        interrupt vector table for all possible interrupts.  The assembly
        function system_call is defined in the file arch/i386/kernel/entry.S.
        Following is a snippet from arch/i386/kernel/traps.c:

            #define SYSCALL_VECTOR  0x80
            ...
            /* set other interrupt handlers */
            set_system_gate(SYSCALL_VECTOR,&system_call);

    *   Now, whenever a system call is invoked, it is served by the system call
        handler, i.e., system_call ().  Following are the steps taken by this
        handler:

            +   Register eax contains the system call number.
            +   Multiply eax by 4.  The product is an offset into the
                sys_call_table.
            +   The entry sys_call_table[eax*4] is the real system call
                function.

    *   We replace the entry sys_call_table[eax*4] by our function, and save
        the original pointer.  So, whenever the particular system call is
        invoked, our function gets called.  The remaining details are
        implementation specific.

> give me the detailed answer, I am an engineer and completed
> in C.S. as branch, I have nearly two years of exp in the IT field,
> I read your project and got this doubt.
>
> thank you vijay
>
> looking forward to your mail
>
>
> venktesh.t
>
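
The hooking procedure described in the reply above (trap via int 0x80, the
system_call handler indexing sys_call_table by the number in eax, the module
swapping one entry and keeping the original pointer), written out here as an
added user-space model in C.  This is example code added for this page, not
the project's module and not kernel code: the table, the dispatcher, the
counters, the function names hook_install/hook_remove and the protected path
"/etc/passwd" are all constructed for the model.  Two points the model makes
explicit: in C the table index is the system call number itself (the
"multiply by 4" is the byte scaling the assembly handler does on 32-bit x86),
and the saved original pointer is what lets the hook call through and what
lets the module restore the table on unload.  A real module would also have
to obtain the address of the kernel's sys_call_table and, on later kernels,
deal with the table not being exported and being write-protected; the reply
does not cover that and neither does this model.

```c
/*
 * Added user-space model of sys_call_table hooking: a function-pointer table,
 * a dispatcher that plays the role of system_call, and a "module" that swaps
 * the unlink entry for its own function while saving the original pointer.
 * It compiles as an ordinary program and touches no real kernel.
 */
#include <errno.h>
#include <stdio.h>
#include <string.h>

#define NR_syscalls 256   /* table size: an assumption for the model */
#define __NR_unlink 10    /* i386 unlink number, as in asm/unistd.h */

typedef long (*syscall_fn)(long ebx, long ecx, long edx);

/* Stand-in for the kernel's sys_unlink(): it deletes nothing. */
static long sys_unlink(long ebx, long ecx, long edx)
{
    const char *pathname = (const char *)ebx;
    (void)ecx; (void)edx;
    printf("[kernel] sys_unlink(\"%s\")\n", pathname);
    return 0;
}

/* The table the handler indexes. Unused slots stay NULL in this model
 * (the real kernel points them at sys_ni_syscall). */
static syscall_fn sys_call_table[NR_syscalls] = {
    [__NR_unlink] = sys_unlink,
};

/* Model of the system_call handler reached through int 0x80. eax carries the
 * number; the assembly indexes the table at eax * sizeof(void *), which is the
 * "multiply by 4" on 32-bit x86. In C the scaling is implicit in [eax]. */
long system_call(unsigned long eax, long ebx, long ecx, long edx)
{
    if (eax >= NR_syscalls || sys_call_table[eax] == NULL)
        return -ENOSYS;
    return sys_call_table[eax](ebx, ecx, edx);
}

/* ---- the "module" ---- */

static syscall_fn original_unlink;  /* saved pointer: for call-through and restore */
int unlink_calls;                   /* unlink requests seen by the hook */
char last_unlinked[128];            /* most recent pathname seen by the hook */

/* Replacement entry: record the call, apply policy, then call the original. */
static long hooked_unlink(long ebx, long ecx, long edx)
{
    const char *pathname = (const char *)ebx;

    unlink_calls++;
    snprintf(last_unlinked, sizeof last_unlinked, "%s", pathname);

    /* Interposition also allows enforcement; the protected path is constructed. */
    if (strcmp(pathname, "/etc/passwd") == 0)
        return -EPERM;

    return original_unlink(ebx, ecx, edx);
}

/* What init_module() would do once insmod has loaded the module. */
int hook_install(void)
{
    if (original_unlink != NULL)
        return -EBUSY;            /* already installed */
    original_unlink = sys_call_table[__NR_unlink];
    sys_call_table[__NR_unlink] = hooked_unlink;
    return 0;
}

/* What cleanup_module() would do on rmmod: put the original pointer back. */
void hook_remove(void)
{
    if (original_unlink == NULL)
        return;
    sys_call_table[__NR_unlink] = original_unlink;
    original_unlink = NULL;
}

int main(void)
{
    system_call(__NR_unlink, (long)"abc.txt", 0, 0);      /* before insmod: straight to sys_unlink */
    hook_install();
    system_call(__NR_unlink, (long)"abc.txt", 0, 0);      /* now routed through hooked_unlink */
    system_call(__NR_unlink, (long)"/etc/passwd", 0, 0);  /* denied by the hook */
    printf("hook saw %d unlink(s), last: %s\n", unlink_calls, last_unlinked);
    hook_remove();
    system_call(__NR_unlink, (long)"abc.txt", 0, 0);      /* original path again */
    return 0;
}
```

The order of operations in hook_install matters in the real thing as much as
in the model: the original pointer must be saved before the table entry is
overwritten, or there is nothing to call through to and nothing to restore
on rmmod.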