Charles Hooper

Thoughts and projects from a site reliability engineer

Finding the Linux System Call Table in 2.6 Series Kernels

I have been modifying Sebek to get it to work in more recent 2.6 series (~2.6.18) kernels and ran into some snags. Most notably, I could not intercept/redirect/wrap any system calls. As it turns out, Sebek couldn’t find the system call table. The code Sebek was using to find the system call table is 100% identical to the code found in an article on KernelTrap.

Unfortunately, that code is outdated as either loops_per_jiffy, boot_cpu_data, or sys_call_table appear to have been moved. I found that I could find the system call table between unlock_kernel and loops_per_jiffy and have modified the code as follows.

// -----------------------------------------------------------------------------   
// Sys Call Table Address  
unsigned long **find_sys_call_table(void)  {  
unsigned long **sctable;  
unsigned long ptr;  
extern int loops_per_jiffy;
      sctable = NULL;  
for (ptr = (unsigned long)&unlock_kernel; ptr < (unsigned long)&loops_per_jiffy; ptr  = sizeof(void *))    {  
unsigned long *p;  
p = (unsigned long *)ptr;  
if (p[__NR_close] == (unsigned long) sys_close)       {  
sctable = (unsigned long **)p;  
return &sctable[0];  
return NULL;