Hi! I'm looking for some implementation advice on the following: I'd
like to build a general-purpose process auditing kernel module that
will communicate with a user-space daemon (I call it 'audit').
This is my idea: I say audit ./some-program
audit will activate the kernel module which will run the program in
single-step mode (sets TF in the program's EFLAGS). After each instruction,
the module should supply the daemon with relevant process state
(registers, EIP). The daemon should be able to read and modify the process's
internal state (registers, memory), perhaps with the help of a kernel
Basically I need advice on the following:
- the fastest way to communicate audit daemon <-> kernel module
- which operations must be implemented in kernel mode and which can be
left to the user program (inspecting/setting process state, etc.)
- would implementing such a thing via ptrace(2) be too slow
- any HOWTOs and examples on writing kernel modules
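As an added example (not the poster's code, and not the design of any existing 'audit' tool), here is the pure-ptrace(2) version of the three operations the post asks about: single-stepping a tracee, reading its registers at a stop, and modifying its memory. It assumes Linux; the register read uses PTRACE_GETREGS, which exists only on x86, so on other architectures `first_pc` stays 0. The names `audit_run`, `struct audit_result`, `g_exit_value` and the workload are mine. The tracee is a fork() of the tracer, which is why the tracer can poke `&g_exit_value` directly: the variable sits at the same address in both address spaces.

```c
/* Added example: a minimal user-space "audit" tracer built on ptrace(2).
 * Not the poster's code. It single-steps a forked tracee to completion,
 * reads its registers at the first stop, and overwrites a word in its
 * memory so the tracee exits with a value chosen by the tracer.
 * Assumes Linux; PTRACE_GETREGS/regs.rip are x86-64 only. */
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/ptrace.h>
#include <sys/types.h>
#include <sys/user.h>
#include <sys/wait.h>
#include <unistd.h>

struct audit_result {
    long steps;             /* single-step traps observed (instructions executed) */
    int exit_code;          /* tracee exit status, or -1 if tracing failed */
    long peeked;            /* word read back from the tracee after the write */
    unsigned long first_pc; /* program counter at the first stop (x86-64 only) */
};

/* The tracee reads this when it exits; the tracer overwrites it with
 * PTRACE_POKEDATA. Same address in both processes because of fork(). */
static volatile long g_exit_value = 1;

static void tracee_workload(void)
{
    volatile unsigned long acc = 0;
    for (int i = 0; i < 100; i++)   /* a few hundred instructions to single-step */
        acc += (unsigned long)i;
    _exit((int)g_exit_value);
}

/* Fork a tracee, single-step it to completion, and inject 'new_exit_value'
 * into its memory at the first stop. */
struct audit_result audit_run(long new_exit_value)
{
    struct audit_result r = { 0, -1, 0, 0 };
    pid_t pid = fork();
    if (pid < 0)
        return r;
    if (pid == 0) {
        if (ptrace(PTRACE_TRACEME, 0, NULL, NULL) < 0)
            _exit(127);
        raise(SIGSTOP);        /* hand control to the tracer before doing any work */
        tracee_workload();     /* never returns */
    }

    int injected = 0;
    for (;;) {
        int status;
        if (waitpid(pid, &status, 0) < 0)
            return r;
        if (WIFEXITED(status)) {
            r.exit_code = WEXITSTATUS(status);
            return r;
        }
        if (WIFSIGNALED(status))
            return r;          /* killed by a signal: exit_code stays -1 */
        if (!WIFSTOPPED(status))
            continue;

        int sig = WSTOPSIG(status);
        if (sig == SIGTRAP)
            r.steps++;         /* each SIGTRAP after PTRACE_SINGLESTEP is one instruction */

        if (!injected) {
            /* Modify tracee state: write one word, then read it back to confirm. */
            if (ptrace(PTRACE_POKEDATA, pid, (void *)&g_exit_value,
                       (void *)new_exit_value) < 0)
                goto fail;
            errno = 0;
            r.peeked = ptrace(PTRACE_PEEKDATA, pid, (void *)&g_exit_value, NULL);
            if (errno != 0)
                goto fail;
#ifdef __x86_64__
            struct user_regs_struct regs;   /* PTRACE_GETREGS is x86-specific */
            if (ptrace(PTRACE_GETREGS, pid, NULL, &regs) == 0)
                r.first_pc = regs.rip;
#endif
            injected = 1;
        }

        /* Swallow our own SIGSTOP and the single-step SIGTRAPs; forward anything else. */
        long deliver = (sig == SIGSTOP || sig == SIGTRAP) ? 0 : sig;
        if (ptrace(PTRACE_SINGLESTEP, pid, NULL, (void *)deliver) < 0)
            goto fail;
    }
fail:
    kill(pid, SIGKILL);
    waitpid(pid, NULL, 0);
    return r;
}

int main(void)
{
    struct audit_result r = audit_run(42);
    printf("exit=%d steps=%ld peeked=%ld first_pc=%#lx\n",
           r.exit_code, r.steps, r.peeked, r.first_pc);
    return r.exit_code == 42 ? 0 : 1;
}
```

Every stepped instruction costs a trap into the kernel, a context switch to the tracer, a waitpid(), and a ptrace() call to resume, so timing `audit_run` against `r.steps` gives the per-instruction overhead of the ptrace approach directly; that number is the baseline any kernel module with a user-space daemon would have to beat, since the module would still need a kernel/user round trip per instruction unless it batched state in a shared buffer.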