Skip to content
/ fork_blink Public

Linux Kernel Module intercepting clone and execve system calls.

License

GPL-3.0 license
1 star 0 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

tbrintet/fork_blink

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

17 Commits
.gitignore
.gitignore
 
 
LICENSE
LICENSE
 
 
Makefile
Makefile
 
 
README.md
README.md
 
 
fork_blink.c
fork_blink.c
 
 

Repository files navigation

fork_blink

Linux Kernel Module intercepting clone and execve system calls.

System call arguments are logged to the kernel log buffer with printk, which gives you the ability to monitor process execution on your machine.

To get a visual indication of the number of processes being launched, you can configure a led to blink each time the clone system call is used.

Compilation

In order to build kernel modules, you need to have a proper Linux kernel development environment. You may need to install the linux-headers package, check your distro specific instructions.

make

Usage

sudo insmod fork_blink.ko

After module load:

Choose the LED in the /sys/class/leds/ directory. Check that it can actually be controlled by echo'ing a few 0 or 1 values to its brightness file. Finally, in a root shell (sudo does not work well with bash redirections), assign the fork_blink LED trigger with:

echo fork_blink > /sys/class/leds/$YOUR_LED_HERE/trigger

Configuring your led is not mandatory if you are only interested in the logs.

Use the following command to read the kernel ring buffer and access the logs:

sudo dmesg

Removal

To unload the module, use

sudo rmmod fork_blink

About

Linux Kernel Module intercepting clone and execve system calls.

Resources

Readme

License

GPL-3.0 license
Activity

Stars

1 star

Watchers

1 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages