Hooking exec system call

Abhijit Pawar apawar.linux at gmail.com
Mon Sep 26 03:30:29 EDT 2011


On 09/26/2011 12:57 PM, rohan puri wrote:
>
>
> On Mon, Sep 26, 2011 at 12:29 PM, Abhijit Pawar 
> <apawar.linux at gmail.com <mailto:apawar.linux at gmail.com>> wrote:
>
>     On 09/26/2011 12:26 PM, rohan puri wrote:
>>
>>
>>     On Mon, Sep 26, 2011 at 12:02 PM, Abhijit Pawar
>>     <apawar.linux at gmail.com <mailto:apawar.linux at gmail.com>> wrote:
>>
>>         On 09/23/2011 03:11 PM, rohan puri wrote:
>>>
>>>
>>>         On Fri, Sep 23, 2011 at 2:43 PM, Abhijit Pawar
>>>         <apawar.linux at gmail.com <mailto:apawar.linux at gmail.com>> wrote:
>>>
>>>             On 09/23/2011 02:04 PM, rohan puri wrote:
>>>>
>>>>
>>>>             On Fri, Sep 23, 2011 at 2:00 PM, Abhijit Pawar
>>>>             <apawar.linux at gmail.com
>>>>             <mailto:apawar.linux at gmail.com>> wrote:
>>>>
>>>>                 On 09/23/2011 01:01 PM, Rajat Sharma wrote:
>>>>
>>>>                         Untidy way : -
>>>>                         Yes, you can do that by registering a new
>>>>                         binary format handler. Whenever
>>>>                         exec is called, a list of registered binary
>>>>                         format handlers is scanned, in
>>>>                         the same way you can hook the load_binary &
>>>>                         load_library function pointers
>>>>                         of the already registered binary format
>>>>                         handlers.
>>>>
>>>>                     Challenge with this untidy way is to identify
>>>>                     the correct format, for
>>>>                     example if you are interested in only hooking
>>>>                     ELF format, there is no
>>>>                     special signature within the registered format
>>>>                     handler to identify
>>>>                     that, however if one format handler recognizes
>>>>                     the file header, its
>>>>                     load_binary will return 0. This can give you
>>>>                     the hint that you are
>>>>                     sitting on top of correct file format. Long
>>>>                     time back I had written
>>>>                     a similar module in Linux to do the same, but
>>>>                     can't share the code
>>>>                     :)
>>>>
>>>>                     -Rajat
>>>>
>>>>                     On Thu, Sep 22, 2011 at 3:14 PM, rohan
>>>>                     puri <rohan.puri15 at gmail.com
>>>>                     <mailto:rohan.puri15 at gmail.com>> wrote:
>>>>
>>>>
>>>>                         On Thu, Sep 22, 2011 at 1:53 PM, Abhijit
>>>>                         Pawar <apawar.linux at gmail.com
>>>>                         <mailto:apawar.linux at gmail.com>>
>>>>                         wrote:
>>>>
>>>>                             hi list,
>>>>                             Is there any way to hook the exec
>>>>                             system call on Linux box apart from
>>>>                             replacing the call in System Call table?
>>>>
>>>>                             Regards,
>>>>                             Abhijit Pawar
>>>>
>>>>                             _______________________________________________
>>>>                             Kernelnewbies mailing list
>>>>                             Kernelnewbies at kernelnewbies.org
>>>>                             <mailto:Kernelnewbies at kernelnewbies.org>
>>>>                             http://lists.kernelnewbies.org/mailman/listinfo/kernelnewbies
>>>>
>>>>                         Tidy way : -
>>>>
>>>>                         You can do that from LSM (Linux security
>>>>                         module).
>>>>
>>>>                         Untidy way : -
>>>>                         Yes, you can do that by registering a new
>>>>                         binary format handler. Whenever
>>>>                         exec is called, a list of registered binary
>>>>                         format handlers is scanned, in
>>>>                         the same way you can hook the load_binary &
>>>>                         load_library function pointers
>>>>                         of the already registered binary format
>>>>                         handlers.
>>>>
>>>>                         Regards,
>>>>                         Rohan Puri
>>>>
>>>>
>>>>
>>>>                 So if I use the binary format handler, then I can
>>>>                 hook the exec call. However, I need to register
>>>>                 this. Does that mean that I need to return a
>>>>                 negative value so as to have the actual ELF handler
>>>>                 loaded?
>>>>
>>>>                 Regards,
>>>>                 Abhijit Pawar
>>>>
>>>>             Read this,
>>>>             http://www.linux.it/~rubini/docs/binfmt/binfmt.html
>>>>             <http://www.linux.it/%7Erubini/docs/binfmt/binfmt.html>
>>>>             this might help
>>>>
>>>>             Regards,
>>>>             Rohan Puri
>>>             Thanks Rohan. I tried creating a hooking module on
>>>             similar lines. I am able to load the module, but whenever
>>>             I launch any application, its load_binary is not
>>>             being called.
>>>             Here is the source for the module, attached.
>>>
>>>             Regards,
>>>             Abhijit Pawar
>>>
>>>
>>>
>>>         Hi Abhijit,
>>>
>>>         I have made the change, try to compile and execute this
>>>         code, it works.
>>>
>>>         Also, I am just curious enough to know that where do you
>>>         need to do this hooking.
>>>
>>>         Regards,
>>>         Rohan Puri
>>         Hi Rohan,
>>         I have been looking at the Windows world's ability to support DLL
>>         injection and API hooking. I was just wondering if this could
>>         be something to be done in Linux as well. I am not sure if
>>         there is any special use of this module apart from learning
>>         the binary handler. Maybe it could be used as a security
>>         module for your own binary handler.
>>
>>         Regards,
>>         Abhijit Pawar
>>
>>
>>     Hi Abhijit,
>>
>>     I am not familiar with Windows. A special use-case of this hacking
>>     is for security companies' whitelisting software solutions, where
>>     they want to control execution of only authorized binaries on the
>>     system and deny the execution of others.
>>
>>
>>     Although this approach is untidy, since there are LSM hooks
>>     available in the Linux kernel which need to be made use of for doing this.
>>
>>     Regards,
>>     Rohan Puri
>     Hi Rohan,
>     Yes, this is a backdoor approach and I agree with you. I am
>     learning more on LSM and their APIs so as to get insight into what
>     goes on internally. Maybe you can refer me to some details as well.
>
>     Thanks for all of your help on this.
>
>     Regards,
>     Abhijit Pawar
>
>
> Hi Abhijit,
>
> There is one whitepaper on LSM available on the internet by Greg 
> Kroah-Hartman and others; it's good to start with.
>
>
> Also, I am keen to know whether all these things you are studying are part 
> of any project or just for knowledge.
>
> Regards,
> Rohan Puri
Thanks Rohan. I will take a look at this paper. I am learning LSM and 
hooking for Windows and its counterpart in Linux. This is purely for 
gaining knowledge, but it would be good if I can do something with this, 
maybe in future. :)

Regards,
Abhijit Pawar
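The thread's binfmt discussion, as an added user-space model that is not code from the thread, the attached module, or the kernel: a handler chain scanned in order, where load_binary returning -ENOEXEC passes the file to the next handler, 0 means loaded, and any other negative value aborts the exec. The hook handler applies a constructed whitelist (the use case Rohan names) and otherwise falls through to the ELF loader by returning -ENOEXEC, as asked in the thread; it assumes the hook sits ahead of the ELF loader in the list.

```c
/* Added user-space model of the binfmt chain described above; not kernel code.
 * struct linux_binfmt / search_binary_handler() are mimicked so the
 * load_binary() return-value convention can be exercised. */
#include <errno.h>
#include <string.h>
struct binprm { const char *filename; unsigned char buf[4]; };   /* ~linux_binprm */
struct binfmt { int (*load_binary)(struct binprm *); };          /* ~linux_binfmt */
static struct binfmt *formats[4];
static int nformats;
/* Head insertion: the handler added last is scanned first. */
static void insert_fmt(struct binfmt *fmt)
{
    memmove(&formats[1], &formats[0], nformats * sizeof(formats[0]));
    formats[0] = fmt; nformats++;
}
/* Like search_binary_handler(): -ENOEXEC means "not mine, try the next",
 * 0 means loaded, any other negative value aborts the exec. */
static int search_binary_handler(struct binprm *bprm)
{
    for (int i = 0; i < nformats; i++) {
        int ret = formats[i]->load_binary(bprm);
        if (ret != -ENOEXEC) return ret;
    }
    return -ENOEXEC;
}
static int is_elf(const struct binprm *b) { return !memcmp(b->buf, "\x7f" "ELF", 4); }
/* The real ELF loader, reduced to header recognition. */
static int elf_load_binary(struct binprm *b) { return is_elf(b) ? 0 : -ENOEXEC; }
/* Hook handler: enforce a (constructed) whitelist, then fall through by returning -ENOEXEC. */
static const char *allowed[] = { "/usr/bin/ls", "/usr/bin/cat" };
static int hook_load_binary(struct binprm *b)
{
    if (!is_elf(b))
        return -ENOEXEC;             /* not ELF: let the other handlers decide */
    for (size_t i = 0; i < sizeof allowed / sizeof allowed[0]; i++)
        if (!strcmp(b->filename, allowed[i]))
            return -ENOEXEC;         /* authorized: the real ELF loader runs next */
    return -EPERM;                   /* denied: the scan stops and the exec fails */
}
static struct binfmt elf_fmt = { elf_load_binary }, hook_fmt = { hook_load_binary };
/* Build the chain and dispatch one exec; returns 0, -EPERM or -ENOEXEC. */
int try_exec(const char *path, int has_elf_header)
{
    nformats = 0;
    insert_fmt(&elf_fmt);
    insert_fmt(&hook_fmt);           /* inserted last, so scanned first */
    struct binprm b = { path, { 0 } };
    if (has_elf_header)
        memcpy(b.buf, "\x7f" "ELF", 4);
    return search_binary_handler(&b);
}
```

If the hook were appended after the ELF loader instead, the ELF handler would return 0 first and the hook would never be consulted, which is the symptom Abhijit reported for his first attempt.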