6. Technical and Source Code
6.1. System Calls and the IDT
- Linux System Calls --- How to use the mechanism provided by the IA32 architecture for handling system calls: LJ75
This article aims to give the reader, either a kernel novice or a
seasoned programmer, a better understanding of the dynamics of system
calls in Linux.
- Handling Interrupt Descriptor Table for Fun and Profit: l0t3k
The article demonstrates techniques for modifying the Interrupt Descriptor Table (IDT) on Linux/x86. It then explains how the same technique can be used to redirect system calls, achieving capabilities similar to those of Loadable Kernel Modules (LKMs) without loading a module.
6.2. /kmem
- Runtime kernel kmem patching:
This paper documents runtime (on the fly) kernel patching on a running Linux system using direct access to kernel memory. The same algorithms may equally be applicable to other systems. Examples of kernel patching for use by an attacker are provided, showing the patching of kernel structures to hide an LKM from lsmod and even the addition of kernel code, in the manner of loadable kernel modules (LKMs), to a running system whose kernel lacks native LKM support.
6.3. Header Files
/usr/include/sys/syscall.h
/usr/src/linux/arch/i386/kernel/entry.S --- the system call table defined here tells us we have 258 calls
6.4. Linux Kernel
6.5. Linux LKMs
- Linux Kernel Module Programming Guide: HTML (other formats from TLDP).
- A tutorial from The Linux Journal: Loadable Kernel Module Programming and System Call Interception: LJ82
About this document:
Produced from the SGML: /home/isd/public_html/_unix_security/_reml_grp/unix_security_k.reml
On: 12/8/2004 at 17:25:27
Options: reml2 -i noindex -l long -o html -p multiple