I wrote a simple hook that changes the pointers in the sys_call_table and points the execve entry to my function. The hook works just fine on Ubuntu with kernel 4.15, but when I tried it on a CentOS 8 system with kernel 4.18 it failed and rebooted the system. How can it be done in new kernels?
This is my code:
static int lkm_example_init(void)
{
    /* Clear the WP bit in CR0 so the read-only syscall table can be written. */
    write_cr0(read_cr0() & (~0x10000));
    sys_call_table = (void *)kallsyms_lookup_name("sys_call_table");
    if (!sys_call_table)
        return -ENOENT;          /* symbol not found: do not dereference NULL */
    /* Save the original handlers, then point the table entries at our hooks. */
    original_call = sys_call_table[__NR_kill];
    sys_call_table[__NR_kill] = our_sys_kill;
    execl = sys_call_table[__NR_execve];
    sys_call_table[__NR_execve] = our_execl;
    /* Restore write protection; an init function must return a status. */
    write_cr0(read_cr0() | 0x10000);
    return 0;
}