Hooking exec system call
Abhijit Pawar
apawar.linux at gmail.com
Mon Sep 26 02:32:29 EDT 2011
On 09/23/2011 03:11 PM, rohan puri wrote:
>
>
> On Fri, Sep 23, 2011 at 2:43 PM, Abhijit Pawar <apawar.linux at gmail.com
> <mailto:apawar.linux at gmail.com>> wrote:
>
> On 09/23/2011 02:04 PM, rohan puri wrote:
>>
>>
>> On Fri, Sep 23, 2011 at 2:00 PM, Abhijit Pawar
>> <apawar.linux at gmail.com <mailto:apawar.linux at gmail.com>> wrote:
>>
>> On 09/23/2011 01:01 PM, Rajat Sharma wrote:
>>
>> Untidy way : -
>> Yes, you can do that by registering a new binary
>> format handler. Whenever
>> exec is called, a list of registered binary format
>> handlers is scanned, in
>> the same way you can hook the load_binary&
>> load_library function pointers
>> of the already registered binary format handlers.
>>
>> Challenge with this untidy way is to identify the correct
>> format, for
>> example if you are interested in only hooking ELF format,
>> there is no
>> special signature withing the registered format handler
>> to identify
>> that, however if one format handler recognizes the file
>> header, its
>> load_binary will return 0. This can give you the hint
>> that you are
>> sitting on top of correct file format. Long time back I
>> had written
>> the similar module in Linux to do the same, but can't
>> share the code
>> :)
>>
>> -Rajat
>>
>> On Thu, Sep 22, 2011 at 3:14 PM, rohan
>> puri<rohan.puri15 at gmail.com
>> <mailto:rohan.puri15 at gmail.com>> wrote:
>>
>>
>> On Thu, Sep 22, 2011 at 1:53 PM, Abhijit
>> Pawar<apawar.linux at gmail.com
>> <mailto:apawar.linux at gmail.com>>
>> wrote:
>>
>> hi list,
>> Is there any way to hook the exec system call on
>> Linux box apart from
>> replacing the call in System Call table?
>>
>> Regards,
>> Abhijit Pawar
>>
>> _______________________________________________
>> Kernelnewbies mailing list
>> Kernelnewbies at kernelnewbies.org
>> <mailto:Kernelnewbies at kernelnewbies.org>
>> http://lists.kernelnewbies.org/mailman/listinfo/kernelnewbies
>>
>> Tidy way : -
>>
>> You can do that from LSM (Linux security module).
>>
>> Untidy way : -
>> Yes, you can do that by registering a new binary
>> format handler. Whenever
>> exec is called, a list of registered binary format
>> handlers is scanned, in
>> the same way you can hook the load_binary&
>> load_library function pointers
>> of the already registered binary format handlers.
>>
>> Regards,
>> Rohan Puri
>>
>> _______________________________________________
>> Kernelnewbies mailing list
>> Kernelnewbies at kernelnewbies.org
>> <mailto:Kernelnewbies at kernelnewbies.org>
>> http://lists.kernelnewbies.org/mailman/listinfo/kernelnewbies
>>
>>
>> So If I use the binary format handler, then I can hook the
>> exec call. however I need to register this. Does that mean
>> that I need to return the negative value so as to have actual
>> ELF handler to be loaded?
>>
>> Regards,
>> Abhijit Pawar
>>
>> Read this, http://www.linux.it/~rubini/docs/binfmt/binfmt.html
>> <http://www.linux.it/%7Erubini/docs/binfmt/binfmt.html> this
>> might help
>>
>> Regards,
>> Rohan Puri
> Thanks Rohan. I tried creating a hooking module on the similar
> line. I am able to load the module but whenever I am launching any
> application , its load_binary is not being called.
> here is the source for the module attached.
>
> Regards,
> Abhijit Pawar
>
>
>
> Hi Abhijit,
>
> I have made the change, try to compile and execute this code, it works.
>
> Also, I am just curious enough to know that where do you need to do
> this hooking.
>
> Regards,
> Rohan Puri
Hi Rohan,
I have been looking at Windows worlds ability to support DLL Injection
and API hooking. I was just wondering if this could be something to be
done in Linux as well. I am not sure if there is any special use of
this module apart from learning the binary handler. May be it could be
used as a security module for your own binary handler.
Regards,
Abhijit Pawar
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.kernelnewbies.org/pipermail/kernelnewbies/attachments/20110926/08ab6ea5/attachment.html
More information about the Kernelnewbies
mailing list