Malware System Calls

My motivation for writing this essay was a graduate project I built while studying security at Georgia Tech. An important part of the system is a program that relies on finite state automata to train deep learning models.

Each state is a system call. The following table lists the system calls I used for developing the Linux kernel modules.

In the first column is the eax register value, followed by the system call name, source code and the ebx, ecx, edx register values. The register values are the arguments we need to pass into the system calls; when hooking the system calls, these register values must be read and passed along to the hook.

  • eax: 4, name: sys_write, ebx: unsigned int, ecx: const char *, edx: size_t
  • eax: 5, name: sys_open, ebx: const char *, ecx: int, edx: int
  • eax: 11, name: sys_execve, ebx: struct pt_regs
  • eax: 15, name: sys_chmod, ebx: const char *, ecx: mode_t
  • eax: 23, name: sys_setuid, ebx: uid_t
  • eax: 24, name: sys_getuid
  • eax: 33, name: sys_access, ebx: const char *, ecx: int
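As an added example (not code from the original project), the following script uses the eax-to-name table above to translate a constructed 32-bit x86 system call trace into automaton states and counts the state transitions; the sample trace values are made up for illustration.

```python
"""Turn a trace of i386 eax values into syscall-name states and build the
transition table of the finite state automaton described in the essay."""
from collections import Counter, defaultdict

# The i386 system calls from the list above: eax -> (name, argument registers)
SYSCALLS = {
    4: ("sys_write", ("ebx: unsigned int", "ecx: const char *", "edx: size_t")),
    5: ("sys_open", ("ebx: const char *", "ecx: int", "edx: int")),
    11: ("sys_execve", ("ebx: struct pt_regs",)),
    15: ("sys_chmod", ("ebx: const char *", "ecx: mode_t")),
    23: ("sys_setuid", ("ebx: uid_t",)),
    24: ("sys_getuid", ()),
    33: ("sys_access", ("ebx: const char *", "ecx: int")),
}


def name_trace(eax_values):
    """Translate eax values to state names; numbers outside the table
    become 'unknown_<n>' so the automaton still sees a state for them."""
    return [SYSCALLS[n][0] if n in SYSCALLS else f"unknown_{n}"
            for n in eax_values]


def transitions(names):
    """Count transitions (call_i -> call_i+1) between consecutive states."""
    counts = defaultdict(Counter)
    for cur, nxt in zip(names, names[1:]):
        counts[cur][nxt] += 1
    return {src: dict(dst) for src, dst in counts.items()}


# Constructed sample trace of eax values (not a real capture)
SAMPLE_TRACE = [33, 5, 4, 4, 15, 23, 24, 11]


def run(eax_values=SAMPLE_TRACE):
    """Return the named state sequence and its transition table."""
    names = name_trace(eax_values)
    return names, transitions(names)


if __name__ == "__main__":
    states, table = run()
    print(" -> ".join(states))
    for src, dsts in table.items():
        print(f"{src}: {dsts}")
```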