How to Hook Kernel Functions Safely on Modern Linux Systems
This article explains why traditional function‑hooking tricks fail on modern Linux due to executable‑memory protections, and presents a step‑by‑step method using page‑table remapping and the kernel's text_poke utilities to replace kernel functions safely, complete with code examples and a diagram.
Hooking a function that is already loaded in memory by redirecting execution flow to custom logic is an old technique, but many online tricks no longer work because modern CPUs and operating systems enforce protections such as non‑writable executable sections, non‑executable memory buffers, and non‑executable stacks.
To perform a legitimate hook in the kernel, the author assumes root access and the ability to compile and insert a kernel module. The solution is to modify the page‑table entry of the target function so its physical memory becomes writable, write a jmp instruction that jumps to the custom function, and then restore the read‑only mapping.
The required steps are:
1. Remap the physical memory of the target function as writable.
2. Replace the original instructions with a jmp to the hook.
3. Remove the writable mapping.
Linux already provides text_poke / text_poke_smp helpers that perform the remapping and instruction replacement.
For buffers that are allocated on the heap or stack and are marked non‑executable, a similar approach can be used: create a stub function, overwrite the stub with the desired code using the same remapping technique, and then call the stub via a function pointer.
The original article includes a diagram illustrating this process.
A complete kernel module example is provided, showing the inclusion of necessary headers, definition of saved_op and jump_op buffers, lookup of text_poke_smp via kallsyms_lookup_name, calculation of relative offsets, and the actual calls to ptr_poke_smp to install and later remove the hook.
The author also discusses why the original first five bytes of ipv4_conntrack_in can be omitted (the first instruction is a callq that immediately transfers control), and presents a more robust method that saves a variable‑length instruction sequence based on opcode length before inserting the jump.
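The two pieces of arithmetic the article's module relies on (the relative-offset calculation behind jump_op and the saved_op comparison) in user-space C, as an added example that is not the article's own code. The addresses are constructed sample values; the encoding is a 5-byte x86-64 jmp rel32 (E9 + signed 32-bit displacement measured from the end of the instruction), and the last function is the integrity check a defender runs to detect that a prologue no longer matches its saved bytes.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define JMP_LEN 5 /* E9 + rel32, the size of the article's jump_op buffer */

/* Encode "jmp rel32" placed at `from` that lands on `to`. The displacement is
 * relative to the end of the jmp (from + 5). Returns 0 on success, -1 when the
 * target is not reachable with a signed 32-bit displacement (module text more
 * than 2 GiB away from the kernel function needs a different sequence). */
int build_jmp_rel32(uint64_t from, uint64_t to, uint8_t out[JMP_LEN])
{
    int64_t rel = (int64_t)to - (int64_t)(from + JMP_LEN);
    if (rel > INT32_MAX || rel < INT32_MIN)
        return -1;
    int32_t rel32 = (int32_t)rel;
    out[0] = 0xE9;
    memcpy(&out[1], &rel32, sizeof rel32); /* x86 is little-endian */
    return 0;
}

/* Decode the jump target if `bytes` (read from `addr`) start with jmp rel32;
 * returns 0 otherwise. Useful when auditing where a patched prologue goes. */
uint64_t decode_jmp_rel32(uint64_t addr, const uint8_t *bytes)
{
    if (bytes[0] != 0xE9)
        return 0;
    int32_t rel32;
    memcpy(&rel32, &bytes[1], sizeof rel32);
    return addr + JMP_LEN + (int64_t)rel32;
}

/* Integrity check: compare the live prologue with the bytes saved before any
 * patching (the article's saved_op). Returns 1 if the text has been altered. */
int prologue_patched(const uint8_t *live, const uint8_t *saved, size_t n)
{
    return memcmp(live, saved, n) != 0;
}

int main(void)
{
    /* Constructed addresses: a kernel text symbol and a module hook function. */
    uint64_t target = 0xffffffff81600000ULL, hook = 0xffffffffa0001000ULL;
    uint8_t jump_op[JMP_LEN], saved_op[JMP_LEN] = {0xE8, 0x00, 0x00, 0x00, 0x00};
    if (build_jmp_rel32(target, hook, jump_op) == 0)
        printf("jmp -> %#llx, prologue patched: %d\n",
               (unsigned long long)decode_jmp_rel32(target, jump_op),
               prologue_patched(jump_op, saved_op, JMP_LEN));
    return 0;
}
```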
Source: MaGe Linux Operations