graph TD A(内核加载) --> J["获取HOOK表、关闭写保护"]; J --> B[hook sys method]; B --> C[Write]; B --> D[Read]; B --> E["Unlink(Unlinkat)"]; B --> F["Mkdir(Mkdirat)"]; B --> G["Creat"]; B --> H["Rmdir"]; B --> I["Move"]; C --> K["开启写保护、保存原hook函数"]; D --> K["开启写保护、保存原hook函数"]; E --> K["开启写保护、保存原hook函数"]; F --> K["开启写保护、保存原hook函数"]; G --> K["开启写保护、保存原hook函数"]; H --> K["开启写保护、保存原hook函数"]; I --> K["开启写保护、保存原hook函数"]; K --> O["等待触发相关操作"]; O --> P{"根据传递的参数FD、Path和process确定权限"}; P --> |权限允许| Q[调用并返回原hook函数] P -- 权限不允许 --> R["记录日志并返回-EACCESS"]