Skip to content

Linux kernel module to trace and restrict access to system calls for specific processes

Notifications You must be signed in to change notification settings

saim29/tracer-module

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

6 Commits
 
 
 
 
 
 

Repository files navigation

tracer_module

This is a custom linux kernel module that can be used to trace system calls. The module is located under the module folder. A simple test file is located under the tests folder

module

The module uses kprobes to trace system calls. A device driver is included with the module. This is used to register specific processes with the module. The module only tracks processes that are registered with the module. The module currently only places kprobes on the first three syscalls in the syscall table on your system. This can be edited by changing the NUM_SYSCALLS macro in /module/tracer.c.

To run the module do the following under the module directory:

make
sudo insmod tracer.ko

To verify if the module has been correctly inserted do:

sudo lsmod | grep tracer

This should show the module/modules with the name tracer in them

To remove the module simply do:

sudo rmmod tracer.ko

tests

This directory contains a basic test that opens the device driver and registers a process with the module by using IOCTL. The test then requires the user to input a number (this is all to showcase how the linux kernel module captures sytem calls). The test then closes the device and proceeds to exit the program. To compile the test use:

make

under the tests folder.

To run the test use:

sudo ./test

Make sure the module is inserted before running the test otherwise the test will fail to open the device driver

About

Linux kernel module to trace and restrict access to system calls for specific processes

Topics

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published