Hooking exec system call

rohan puri rohan.puri15 at gmail.com
Mon Sep 26 03:27:35 EDT 2011


On Mon, Sep 26, 2011 at 12:29 PM, Abhijit Pawar <apawar.linux at gmail.com>wrote:

>  On 09/26/2011 12:26 PM, rohan puri wrote:
>
>
>
> On Mon, Sep 26, 2011 at 12:02 PM, Abhijit Pawar <apawar.linux at gmail.com>wrote:
>
>>   On 09/23/2011 03:11 PM, rohan puri wrote:
>>
>>
>>
>> On Fri, Sep 23, 2011 at 2:43 PM, Abhijit Pawar <apawar.linux at gmail.com>wrote:
>>
>>>   On 09/23/2011 02:04 PM, rohan puri wrote:
>>>
>>>
>>>
>>> On Fri, Sep 23, 2011 at 2:00 PM, Abhijit Pawar <apawar.linux at gmail.com>wrote:
>>>
>>>>  On 09/23/2011 01:01 PM, Rajat Sharma wrote:
>>>>
>>>>>  Untidy way : -
>>>>>> Yes, you can do that by registering a new binary format handler.
>>>>>> Whenever
>>>>>> exec is called, a list of registered binary format handlers is
>>>>>> scanned, in
>>>>>> the same way you can hook the load_binary&  load_library function
>>>>>> pointers
>>>>>> of the already registered binary format handlers.
>>>>>>
>>>>> Challenge with this untidy way is to identify the correct format, for
>>>>> example if you are interested in only hooking ELF format, there is no
>>>>> special signature withing the registered format handler to identify
>>>>> that, however if one format handler recognizes the file header, its
>>>>> load_binary will return 0. This can give you the hint that you are
>>>>> sitting on top of correct file format. Long time back I had written
>>>>> the similar module in Linux to do the same, but can't share the code
>>>>> :)
>>>>>
>>>>> -Rajat
>>>>>
>>>>> On Thu, Sep 22, 2011 at 3:14 PM, rohan puri<rohan.puri15 at gmail.com>
>>>>>  wrote:
>>>>>
>>>>>>
>>>>>> On Thu, Sep 22, 2011 at 1:53 PM, Abhijit Pawar<apawar.linux at gmail.com
>>>>>> >
>>>>>> wrote:
>>>>>>
>>>>>>> hi list,
>>>>>>> Is there any way to hook the exec system call on Linux box apart from
>>>>>>> replacing the call in System Call table?
>>>>>>>
>>>>>>> Regards,
>>>>>>> Abhijit Pawar
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> Kernelnewbies mailing list
>>>>>>> Kernelnewbies at kernelnewbies.org
>>>>>>> http://lists.kernelnewbies.org/mailman/listinfo/kernelnewbies
>>>>>>>
>>>>>> Tidy way : -
>>>>>>
>>>>>> You can do that from LSM (Linux security module).
>>>>>>
>>>>>> Untidy way : -
>>>>>> Yes, you can do that by registering a new binary format handler.
>>>>>> Whenever
>>>>>> exec is called, a list of registered binary format handlers is
>>>>>> scanned, in
>>>>>> the same way you can hook the load_binary&  load_library function
>>>>>> pointers
>>>>>> of the already registered binary format handlers.
>>>>>>
>>>>>> Regards,
>>>>>> Rohan Puri
>>>>>>
>>>>>> _______________________________________________
>>>>>> Kernelnewbies mailing list
>>>>>> Kernelnewbies at kernelnewbies.org
>>>>>> http://lists.kernelnewbies.org/mailman/listinfo/kernelnewbies
>>>>>>
>>>>>>
>>>>>>   So If I use the binary format handler, then I can hook the exec
>>>> call. however I need to register this. Does that mean that I need to return
>>>> the negative value so as to have actual ELF handler to be loaded?
>>>>
>>>> Regards,
>>>>  Abhijit Pawar
>>>>
>>>>  Read this, http://www.linux.it/~rubini/docs/binfmt/binfmt.html this
>>> might help
>>>
>>> Regards,
>>> Rohan Puri
>>>
>>>  Thanks Rohan. I tried creating a hooking module on the similar line. I
>>> am able to load the module but whenever I am launching any application , its
>>> load_binary is not being called.
>>> here is the source for the module attached.
>>>
>>> Regards,
>>>  Abhijit Pawar
>>>
>>>
>>>
>> Hi Abhijit,
>>
>> I have made the change, try to compile and execute this code, it works.
>>
>> Also, I am just curious enough to know that where do you need to do this
>> hooking.
>>
>> Regards,
>> Rohan Puri
>>
>>  Hi Rohan,
>> I have been looking at Windows worlds ability to support DLL Injection and
>> API hooking. I was just wondering if this could be something to be done in
>> Linux as well.  I am not sure if there is any special use of this module
>> apart from learning the binary handler. May be it could be used as a
>> security module for your own binary handler.
>>
>> Regards,
>>  Abhijit Pawar
>>
>
> Hi Abhijit,
>
> I am not familiar with windows. Special use-case of this hacking is for
> security companies whitelisting software solutions, where they want to
> control execution of only authorized binaries on the system and deny the
> execution of others.
>
>
> Although this approach is untidy, since there is available LSM hooks in
> linux kernel which needs to be made use of for doing this.
>
> Regards,
> Rohan Puri
>
> Hi Rohan,
> Yes, this is a backdoor approach and I agree with you. I am learning more
> on LSM and their APIs so as to get insight into what goes on internally. May
> be you can refer me to some details as well.
>
> Thanks for all of your help on this.
>
> Regards,
> Abhijit Pawar
>

Hi Abhijit,

There is one whitepaper of lsm available on internet by Greg Kroah-Hartman
and others, its good to start with.


Also, I am keen to now, do all these things you are studying are part of any
project or just for knowledge.

Regards,
Rohan Puri
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.kernelnewbies.org/pipermail/kernelnewbies/attachments/20110926/a2bfb9b5/attachment.html 


More information about the Kernelnewbies mailing list