#include void **sys_calls_table;

#ifndef HIDDEN_SCT

extern void *sys_call_table[];

#endif

#if defined(HIDDEN_SCT)

#ifdef NO_SYS_CLOSE

unsigned long sys_close_ = SYS_CLOSE_ADDR;

#else

unsigned int sys_close_ = (unsigned long )sys_close;

#endif

void ** get_sys_call_table_addr(void)

{

unsigned long ptr;

extern int loops_per_jiffy;

unsigned long *p;

for (ptr=(unsigned long)&loops_per_jiffy ; ptr {

p = (unsigned long *)ptr;

if (p[6] == sys_close_)

{

return (void **)p;

}

}

return NULL;

}

#endif

static asmlinkage int (*old_sys_execve)(struct pt_regs regs);

asmlinkage int new_sys_execve(struct pt_regs regs)

{

int error;

char * filename;

filename = getname((char *) regs.ebx);

error = PTR_ERR(filename);

if (IS_ERR(filename))

goto out;

error = do_execve(filename, (char **) regs.ecx, (char **) regs.edx, &regs);

if (error == 0)

current->ptrace &= ~PT_DTRACE;

putname(filename);

out:

return error;

}

int Monitor_intercept_calls (void)

{

/* execve() */

old_sys_execve = sys_calls_table[__NR_execve];

sys_calls_table[__NR_execve] = new_sys_execve;

printk("old_exec = %lu, new_exec = %lu\n", (unsigned long)old_sys_execve, (unsigned long)new_sys_execve);

return 0;

}

int Monitor_restore_calls (void)

{

/* Restore open() call */

if ( sys_calls_table[__NR_execve] != new_sys_execve)

return 1;

sys_calls_table[__NR_execve] = old_sys_execve;

return 0;

}

int init_module()

{

lock_kernel();

#ifdef HIDDEN_SCT

sys_calls_table = get_sys_call_table_addr();

#else

sys_calls_table = sys_call_table;

#endif

unlock_kernel();

if (!sys_calls_table) {

printk("System calls table can't be found\n");

return -EPERM;

}

printk("Load CMD_EXEC_CONTROLOR MODULE\n");

Monitor_intercept_calls();

return 0;

}

int cleanup_module()

{

Monitor_restore_calls();

return 0;

}

MODULE_LICENSE("GPL");

红帽系统是在vmare中安装的。运行7小时后，top结果如图所示：

请教各位高人，不胜感激！！！