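graph TD
%% Flow of a kernel module that enforces file-access control by patching system-call table entries.
%% Review note: the hooked set below covers write, read, unlink(at), mkdir(at), creat, rmdir and move only.
%% Calls such as open/openat, truncate, link/symlink or mmap-based writes are not shown; if this table is
%% the only enforcement point, confirm that they are covered elsewhere.
%% Patching the syscall table is not a supported kernel interface; the LSM hook framework is the
%% supported place for this kind of permission check.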

A(内核加载) --> J["获取HOOK表、关闭写保护"];
J --> B[hook sys method];
B --> C[Write];
B --> D[Read];
B --> E["Unlink(Unlinkat)"];
B --> F["Mkdir(Mkdirat)"];
B --> G["Creat"];
B --> H["Rmdir"];
B --> I["Move"];
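%% Review note: the original handler address has to be saved before its table entry is overwritten,
%% otherwise there is nothing to call on the allow path or to restore on module unload.
%% Write protection should be re-enabled as soon as the last entry has been patched.
C --> K["开启写保护、保存原hook函数"];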
D --> K["开启写保护、保存原hook函数"];
E --> K["开启写保护、保存原hook函数"];
F --> K["开启写保护、保存原hook函数"];
G --> K["开启写保护、保存原hook函数"];
H --> K["开启写保护、保存原hook函数"];
I --> K["开启写保护、保存原hook函数"];
K --> O["等待触发相关操作"];
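%% Review note: a decision made from a user-supplied path at syscall entry can differ from the object
%% the original handler finally acts on (symlinks, renames, a path buffer changed after the check).
%% Resolving the target inside the kernel, or checking at an LSM hook, avoids that gap.
O --> P{"根据传递的参数FD、Path和process确定权限"};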
P --> |权限允许| Q[调用并返回原hook函数]
P -- 权限不允许 --> R["记录日志并返回-EACCES"]