Hook file saving in Linux
How can I hook file saving in Linux systems (to show my program dialog, operating with them then)?
Just use the inotify interface to get notification of file system changes. See: http://linux.die.net/man/7/inotify
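A minimal inotify watcher for the approach suggested above, added here as an example (it is not code from this thread). It treats both IN_CLOSE_WRITE and IN_MOVED_TO as a save, because many editors write a temporary file and rename it over the target; the names watch_dir, count_saves and SAVE_MASK are chosen for this example.

```c
/* Added example; watch_dir, count_saves and SAVE_MASK are illustrative names. */
#include <poll.h>
#include <stdio.h>
#include <string.h>
#include <sys/inotify.h>
#include <unistd.h>

/* A save appears either as close-after-write or, for editors that write a
 * temporary file and rename it over the target, as a move into the directory. */
#define SAVE_MASK (IN_CLOSE_WRITE | IN_MOVED_TO)

/* Start watching one directory; returns a non-blocking inotify fd, or -1. */
int watch_dir(const char *dir) {
    int fd = inotify_init1(IN_NONBLOCK | IN_CLOEXEC);
    if (fd < 0) return -1;
    if (inotify_add_watch(fd, dir, SAVE_MASK) < 0) { close(fd); return -1; }
    return fd;
}

/* Drain queued events and return how many were saves of `name`
 * (NULL matches any file). Returns 0 when nothing is queued. */
int count_saves(int fd, const char *name) {
    char buf[4096] __attribute__((aligned(__alignof__(struct inotify_event))));
    int hits = 0;
    ssize_t n;
    while ((n = read(fd, buf, sizeof buf)) > 0) {
        for (char *p = buf; p < buf + n; ) {
            const struct inotify_event *ev = (const struct inotify_event *)p;
            if ((ev->mask & SAVE_MASK) && ev->len > 0 &&
                (name == NULL || strcmp(ev->name, name) == 0)) {
                printf("saved: %s (%s)\n", ev->name, (ev->mask & IN_MOVED_TO)
                       ? "renamed into place" : "closed after write");
                hits++;
            }
            p += sizeof(struct inotify_event) + ev->len;  /* step to next record */
        }
    }
    return hits;
}

int main(int argc, char **argv) {
    int fd = watch_dir(argc > 1 ? argv[1] : ".");
    if (fd < 0) { perror("inotify"); return 1; }
    struct pollfd pfd = { .fd = fd, .events = POLLIN };
    while (poll(&pfd, 1, -1) > 0)   /* sleep until the kernel queues events */
        count_saves(fd, NULL);
    return 0;
}
```

inotify reports a save after it has happened, so this can trigger a dialog but cannot block or redirect the write.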
You can try the FILE_PRELOAD utility, which generates C++ code with hooks, compiles it and LD_PRELOADs it. After a short look at it you can feel how easy it is to hook Linux. The starting point is this tutorial.
For example, if you want to change 'open call' of file /tmp/some with /tmp/replace_with:
```
#: FILE_PRELOAD -C "A+f:/tmp/some:/tmp/replace_with" -- bash
#: echo "HaHa" >> /tmp/some
#: ll /tmp/some
ls: cannot access /tmp/some: No such file or directory
#: cat /tmp/replace_with
HaHa
```
If you want to see the source of generated code just add "-p" to options.
```
#: FILE_PRELOAD -p -C "A+f:/tmp/some:/tmp/replace_with" -- bash
```
In addition, you can find all generated.cpp files in /tmp/$USER/FILE_PRELOAD/cpp.
Have a nice play with linux hooks)
Generated code looks like this:
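```cpp
#include <sys/types.h>
#include <dlfcn.h>
#include <stdio.h>
#include <map>
#include <string>
#define I int
#define C char
#define S string
#define P printf
#define R return
using std::map;
using std::string;
typedef map<S,S> MAP;
// Pointer to the real open() in libc, resolved on each call below.
static I (*old_open)(const C *p, I flags, mode_t mode);
extern "C"
I open (const C *p, I flags, mode_t mode){
    // dlsym() returns void*; C++ needs an explicit cast to the function pointer type.
    old_open = (I (*)(const C *, I, mode_t))dlsym(RTLD_NEXT, "open");
    P("open hook\n");
    MAP files;
    files[p]=p;                              // default: a path maps to itself
    files["/tmp/some"]="/tmp/replace_with";  // the redirect from the example above
    S newpath = files[S(p)];
    R old_open(newpath.c_str(), flags, mode);
}
```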
```sh
# compile
gcc -w -fpermissive -fPIC -c -Wall file.cpp
gcc -shared file.o -ldl -lstdc++ -o wrap_loadfile.so
LD_PRELOAD=./wrap_loadfile.so bash
nm -D /lib/libc.so.6 | grep open # we hook this syscall
```
If you can compile them you can link first against a custom library that provides open().
There's a stock way of doing it.
If you can't compile it, this works most of the time:
1. Write a function _open_posthook that does syscall(NR_OPEN, ...).
2. Provide a shared library libopenhook that provides your new open. Remember you renamed open to _open_posthook() here unless you want recursion. Don't forget to also provide creat().
3. Load this library with LD_PRELOAD.
EDIT: if you're trying for security this won't work. You might be able to get away with using strace() but unless you are very careful a determined programmer can overcome that too.