Hooking exec system call

rohan puri rohan.puri15 at gmail.com
Fri Sep 23 04:34:06 EDT 2011


On Fri, Sep 23, 2011 at 2:00 PM, Abhijit Pawar <apawar.linux at gmail.com> wrote:

> On 09/23/2011 01:01 PM, Rajat Sharma wrote:
>
>> Untidy way : -
>>> Yes, you can do that by registering a new binary format handler. Whenever
>>> exec is called, a list of registered binary format handlers is scanned; in
>>> the same way you can hook the load_binary & load_library function pointers
>>> of the already registered binary format handlers.
>>>
>> The challenge with this untidy way is to identify the correct format. For
>> example, if you are interested in only hooking the ELF format, there is no
>> special signature within the registered format handler to identify
>> that; however, if one format handler recognizes the file header, its
>> load_binary will return 0. This can give you the hint that you are
>> sitting on top of the correct file format. A long time back I had written
>> a similar module in Linux to do the same, but can't share the code
>> :)
>>
>> -Rajat
>>
>> On Thu, Sep 22, 2011 at 3:14 PM, rohan puri <rohan.puri15 at gmail.com> wrote:
>>
>>>
>>> On Thu, Sep 22, 2011 at 1:53 PM, Abhijit Pawar <apawar.linux at gmail.com> wrote:
>>>
>>>> hi list,
>>>> Is there any way to hook the exec system call on Linux box apart from
>>>> replacing the call in System Call table?
>>>>
>>>> Regards,
>>>> Abhijit Pawar
>>>>
>>>> _______________________________________________
>>>> Kernelnewbies mailing list
>>>> Kernelnewbies at kernelnewbies.org
>>>> http://lists.kernelnewbies.org/mailman/listinfo/kernelnewbies
>>>>
>>> Tidy way : -
>>>
>>> You can do that from LSM (Linux security module).
>>>
>>> Untidy way : -
>>> Yes, you can do that by registering a new binary format handler. Whenever
>>> exec is called, a list of registered binary format handlers is scanned; in
>>> the same way you can hook the load_binary & load_library function pointers
>>> of the already registered binary format handlers.
>>>
>>> Regards,
>>> Rohan Puri
>>>
>>>
>
> So if I use the binary format handler, then I can hook the exec call.
> However, I need to register this. Does that mean that I need to return a
> negative value so as to have the actual ELF handler be loaded?
>
> Regards,
> Abhijit Pawar
>
Read this: http://www.linux.it/~rubini/docs/binfmt/binfmt.html; this might
help.

Regards,
Rohan Puri
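The handler-chain semantics discussed in this thread (a handler returns -ENOEXEC to let the scan move on, 0 once it recognises the header, so a front handler must return negative and only the wrapped ELF handler's 0 identifies the format), as an added userspace model that is not code from this thread or from the kernel: the names search_binary_handler and register_binfmt are borrowed from the kernel for readability, while the list, the two handlers and the file headers are constructed here.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the kernel's binfmt list; not kernel code. */
struct binprm { const char *filename; unsigned char buf[4]; };
struct binfmt { int (*load_binary)(struct binprm *); struct binfmt *next; };

/* Real handlers answer -ENOEXEC for a header that is not theirs, 0 if it is. */
static int elf_load_binary(struct binprm *b)
{ return memcmp(b->buf, "\x7f" "ELF", 4) == 0 ? 0 : -ENOEXEC; }
static int script_load_binary(struct binprm *b)
{ return memcmp(b->buf, "#!", 2) == 0 ? 0 : -ENOEXEC; }

static struct binfmt elf_fmt    = { elf_load_binary,    NULL };
static struct binfmt script_fmt = { script_load_binary, &elf_fmt };
static struct binfmt *formats   = &script_fmt;

/* Hook 1: a new handler registered at the head of the list. It sees every
 * exec but must return -ENOEXEC so the scan goes on to the real handler. */
static int audit_seen;
static int audit_load_binary(struct binprm *b) { (void)b; audit_seen++; return -ENOEXEC; }
static struct binfmt audit_fmt = { audit_load_binary, NULL };

/* Hook 2: wrap the ELF handler's own load_binary pointer. Only ret == 0
 * tells the wrapper the file really was ELF (the hint Rajat describes). */
static int (*orig_elf_load)(struct binprm *);
static int elf_seen;
static int hooked_elf_load(struct binprm *b) {
    int ret = orig_elf_load(b);
    if (ret == 0) { elf_seen++; printf("ELF exec: %s\n", b->filename); }
    return ret;
}

static void install_hooks(void) {
    if (orig_elf_load) return;                       /* install only once */
    audit_fmt.next = formats; formats = &audit_fmt;  /* register_binfmt() model */
    orig_elf_load = elf_fmt.load_binary; elf_fmt.load_binary = hooked_elf_load;
}

/* Model of search_binary_handler(): the first handler not returning -ENOEXEC wins. */
static int search_binary_handler(struct binprm *b) {
    for (struct binfmt *f = formats; f; f = f->next) {
        int ret = f->load_binary(b);
        if (ret != -ENOEXEC) return ret;
    }
    return -ENOEXEC;
}
```

Feeding an ELF header, a "#!" script header and junk through search_binary_handler shows the audit handler counting all three while only the ELF wrapper fires for the first.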