Re: How to intercept a sys call.

"Kasper Dupont"
<72993125347571397778@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx> wrote in
message news:43AF0B0B.BDCAB31@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

> David Schwartz wrote:

>> However, you have to admit that it wouldn't be particularly difficult
>> to resolve all of these problems and create a simple, supported way to
>> hook every system call.

> I guess the primary reason it hasn't been done is, that it
> would impose a performance penalty on *every* system call
> for no good reason.

The penalty would just be the time it takes to check a 'might_be_hooked'

>> At worst, it would require a check of a flag for system
>> calls that weren't ever hooked.
> ?

In the system call handler, you check an array of 'might_be_hooked'
flags. If the flag is not set, meaning that function has never been hooked
or can't possibly be hooked now, you just call the function normally. The
code to hook a function first sets the 'might_be_hooked' flag.

>> The fact that this hasn't been done reflects a conscious design choice
>> to make it more difficult to do things in a "quick and dirty, work for
>> me, but isn't right in principle" way.

> Who would want a change that slows down the system just to
> support poorly designed modules that only very few people
> use anyway?

The cost of checking a single almost-never-changed value in each system
call entry is nearly negligible. The fact that it doesn't even exist as a
configuration option despite demand shows that the real reason it doesn't
exist is a conscious choice not to provide this capability.

The "slows down the system" issue is just plain false. The "support
poorly designed modules" issue is the only real one.
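
The flag check described in the post, modelled in user space as an added example that is not part of the original message and is not kernel code. The call table, `install_hook`, `remove_hook`, `dispatch` and the sample calls are hypothetical names, and C11 atomics stand in for whatever synchronisation a kernel would use.

```c
/* User-space model of the flag check described in the post; not kernel code. */
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>

#define NR_CALLS 4   /* constructed table size */
typedef long (*call_fn)(long arg);
typedef long (*hook_fn)(long arg, call_fn orig);

static long call_double(long a) { return a * 2; }
static long call_negate(long a) { return -a; }
static call_fn table[NR_CALLS] = { call_double, call_negate };
static atomic_bool might_be_hooked[NR_CALLS];  /* static storage: all false */
static _Atomic(hook_fn) hooks[NR_CALLS];
static unsigned long slow_hits;  /* entries that went past the flag check */

/* As in the post: set the flag first, only then publish the hook. */
void install_hook(int nr, hook_fn h) {
    atomic_store(&might_be_hooked[nr], true);
    atomic_store(&hooks[nr], h);
}

/* The flag stays set after removal: it means "might be", not "is". */
void remove_hook(int nr) { atomic_store(&hooks[nr], (hook_fn)0); }
unsigned long slow_path_hits(void) { return slow_hits; }

long dispatch(int nr, long arg) {
    if (nr < 0 || nr >= NR_CALLS || !table[nr])
        return -1;  /* stand-in for -ENOSYS */
    /* Fast path: one load of a rarely written flag, then the normal call. */
    if (!atomic_load_explicit(&might_be_hooked[nr], memory_order_acquire))
        return table[nr](arg);
    slow_hits++;
    hook_fn h = atomic_load(&hooks[nr]);
    return h ? h(arg, table[nr]) : table[nr](arg);
}

/* Sample hook: forwards to the original; the offset marks the hooked path. */
static long audit_hook(long arg, call_fn orig) { return orig(arg) + 1000; }

int main(void) {
    printf("unhooked: %ld\n", dispatch(0, 21));
    install_hook(0, audit_hook);
    printf("hooked:   %ld\n", dispatch(0, 21));
    remove_hook(0);
    long r = dispatch(0, 21);
    printf("removed:  %ld (slow-path entries: %lu)\n", r, slow_path_hits());
    return 0;
}
```

Calls whose flag was never set pay for one load and one branch; only entries that have been hooked at some point reach the second load of the hook pointer.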