Hooking exec system call
Abhijit Pawar
apawar.linux at gmail.com
Mon Sep 26 03:30:29 EDT 2011
On 09/26/2011 12:57 PM, rohan puri wrote:
>
>
> On Mon, Sep 26, 2011 at 12:29 PM, Abhijit Pawar
> <apawar.linux at gmail.com> wrote:
>
> On 09/26/2011 12:26 PM, rohan puri wrote:
>>
>>
>> On Mon, Sep 26, 2011 at 12:02 PM, Abhijit Pawar
>> <apawar.linux at gmail.com> wrote:
>>
>> On 09/23/2011 03:11 PM, rohan puri wrote:
>>>
>>>
>>> On Fri, Sep 23, 2011 at 2:43 PM, Abhijit Pawar
>>> <apawar.linux at gmail.com> wrote:
>>>
>>> On 09/23/2011 02:04 PM, rohan puri wrote:
>>>>
>>>>
>>>> On Fri, Sep 23, 2011 at 2:00 PM, Abhijit Pawar
>>>> <apawar.linux at gmail.com> wrote:
>>>>
>>>> On 09/23/2011 01:01 PM, Rajat Sharma wrote:
>>>>
>>>> Untidy way : -
>>>> Yes, you can do that by registering a new
>>>> binary format handler. Whenever
>>>> exec is called, a list of registered binary
>>>> format handlers is scanned, in
>>>> the same way you can hook the load_binary &
>>>> load_library function pointers
>>>> of the already registered binary format
>>>> handlers.
>>>>
>>>> Challenge with this untidy way is to identify
>>>> the correct format, for
>>>> example if you are interested in only hooking
>>>> ELF format, there is no
>>>> special signature within the registered format
>>>> handler to identify
>>>> that, however if one format handler recognizes
>>>> the file header, its
>>>> load_binary will return 0. This can give you
>>>> the hint that you are
>>>> sitting on top of correct file format. Long
>>>> time back I had written
>>>> the similar module in Linux to do the same, but
>>>> can't share the code
>>>> :)
>>>>
>>>> -Rajat
>>>>
>>>> On Thu, Sep 22, 2011 at 3:14 PM, rohan
>>>> puri <rohan.puri15 at gmail.com> wrote:
>>>>
>>>>
>>>> On Thu, Sep 22, 2011 at 1:53 PM, Abhijit
>>>> Pawar <apawar.linux at gmail.com> wrote:
>>>>
>>>> hi list,
>>>> Is there any way to hook the exec
>>>> system call on Linux box apart from
>>>> replacing the call in System Call table?
>>>>
>>>> Regards,
>>>> Abhijit Pawar
>>>>
>>>> _______________________________________________
>>>> Kernelnewbies mailing list
>>>> Kernelnewbies at kernelnewbies.org
>>>> http://lists.kernelnewbies.org/mailman/listinfo/kernelnewbies
>>>>
>>>> Tidy way : -
>>>>
>>>> You can do that from LSM (Linux security
>>>> module).
>>>>
>>>> Untidy way : -
>>>> Yes, you can do that by registering a new
>>>> binary format handler. Whenever
>>>> exec is called, a list of registered binary
>>>> format handlers is scanned, in
>>>> the same way you can hook the load_binary &
>>>> load_library function pointers
>>>> of the already registered binary format
>>>> handlers.
>>>>
>>>> Regards,
>>>> Rohan Puri
>>>>
>>>>
>>>>
>>>> So if I use the binary format handler, then I can
>>>> hook the exec call. However, I need to register
>>>> this. Does that mean that I need to return a
>>>> negative value so as to have the actual ELF handler
>>>> be loaded?
>>>>
>>>> Regards,
>>>> Abhijit Pawar
>>>>
>>>> Read this,
>>>> http://www.linux.it/~rubini/docs/binfmt/binfmt.html
>>>> this might help
>>>>
>>>> Regards,
>>>> Rohan Puri
>>> Thanks Rohan. I tried creating a hooking module along
>>> similar lines. I am able to load the module, but whenever
>>> I launch any application, its load_binary is not
>>> being called.
>>> Here is the source for the module, attached.
>>>
>>> Regards,
>>> Abhijit Pawar
>>>
>>>
>>>
>>> Hi Abhijit,
>>>
>>> I have made the change, try to compile and execute this
>>> code, it works.
>>>
>>> Also, I am just curious to know where you
>>> need to do this hooking.
>>>
>>> Regards,
>>> Rohan Puri
>> Hi Rohan,
>> I have been looking at the Windows world's ability to support DLL
>> injection and API hooking. I was just wondering if this could
>> be something to be done in Linux as well. I am not sure if
>> there is any special use of this module apart from learning
>> the binary handler. Maybe it could be used as a security
>> module for your own binary handler.
>>
>> Regards,
>> Abhijit Pawar
>>
>>
>> Hi Abhijit,
>>
>> I am not familiar with Windows. A special use-case of this hacking
>> is for security companies' whitelisting software solutions, where
>> they want to allow execution of only authorized binaries on the
>> system and deny the execution of others.
>>
>>
>> Although this approach is untidy, since there are LSM
>> hooks available in the Linux kernel which should be made use of for doing this.
>>
>> Regards,
>> Rohan Puri
> Hi Rohan,
> Yes, this is a backdoor approach and I agree with you. I am
> learning more about LSM and its APIs so as to get insight into what
> goes on internally. Maybe you can refer me to some details as well.
>
> Thanks for all of your help on this.
>
> Regards,
> Abhijit Pawar
>
>
> Hi Abhijit,
>
> There is one whitepaper on LSM available on the internet by Greg
> Kroah-Hartman and others; it's good to start with.
>
>
> Also, I am keen to know whether all these things you are studying are part
> of any project or just for knowledge.
>
> Regards,
> Rohan Puri
Thanks Rohan. I will take a look at this paper. I am learning LSM and
hooking for Windows and its counterpart in Linux. This is purely for
gaining knowledge, but it would be good if I can do something with this,
maybe in the future. :)
Regards,
Abhijit Pawar
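The binfmt mechanism the thread discusses, as an added userspace model that is not code from the thread, the attached module, or the kernel: it mirrors the handler-list search and the load_binary return contract (0 handled, -ENOEXEC try the next handler, any other error aborts the exec), answers Abhijit's question about returning a negative value, shows Rohan's allow-listing use-case as a hook handler, and shows why a hook appended after the ELF loader never sees an ELF exec. It assumes the kernel's distinction between insert_binfmt() (head of the list) and register_binfmt() (tail), and the paths and images are constructed.

```c
#include <errno.h>
#include <stddef.h>
#include <string.h>
/* Constructed userspace model of the kernel's binfmt dispatch (not kernel code).
 * Contract mirrored from search_binary_handler(): load_binary() returns 0 when it
 * handled the image, -ENOEXEC to let the next handler try, any other -errno to fail. */
struct binprm { const char *filename; const unsigned char *buf; };
struct binfmt { const char *name; int (*load_binary)(struct binprm *); struct binfmt *next; };
static struct binfmt *formats;                /* registered handlers, searched in order */
static void insert_binfmt(struct binfmt *f)   /* at head, like the kernel's insert_binfmt() */
{ f->next = formats; formats = f; }
static void register_binfmt(struct binfmt *f) /* at tail, like the kernel's register_binfmt() */
{ struct binfmt **p = &formats; while (*p) p = &(*p)->next; f->next = NULL; *p = f; }
/* Stand-in for the real ELF loader: claims only images carrying the ELF magic. */
static int elf_load_binary(struct binprm *bprm)
{ return memcmp(bprm->buf, "\x7f" "ELF", 4) == 0 ? 0 : -ENOEXEC; }
/* Hook handler: allow-list check on constructed paths, then fall through. */
static const char *allowed[] = { "/bin/ls", "/usr/bin/vim" };
static int hook_load_binary(struct binprm *bprm)
{
    for (size_t i = 0; i < sizeof allowed / sizeof *allowed; i++)
        if (strcmp(bprm->filename, allowed[i]) == 0)
            return -ENOEXEC;   /* not ours: let the real ELF handler load it */
    return -EPERM;             /* deny: the search stops and exec fails with EPERM */
}
static int search_binary_handler(struct binprm *bprm)
{
    for (struct binfmt *f = formats; f; f = f->next) {
        int ret = f->load_binary(bprm);
        if (ret != -ENOEXEC)
            return ret;        /* handled (0) or hard error: stop here */
    }
    return -ENOEXEC;           /* no handler recognised the image */
}
static struct binfmt elf_fmt  = { "elf",       elf_load_binary,  NULL };
static struct binfmt hook_fmt = { "exec-hook", hook_load_binary, NULL };
/* Sample images (constructed): an ELF header prefix and a shell script. */
const unsigned char elf_image[16]    = { 0x7f, 'E', 'L', 'F', 2, 1, 1, 0 };
const unsigned char script_image[16] = "#!/bin/sh\n";
/* Rebuild the list with the ELF loader already registered, add the hook at the
 * head or the tail, and run one exec through the search. */
int run_exec(const char *path, const unsigned char *image, int hook_at_head)
{
    formats = NULL;
    register_binfmt(&elf_fmt);
    if (hook_at_head) insert_binfmt(&hook_fmt); else register_binfmt(&hook_fmt);
    struct binprm bprm = { path, image };
    return search_binary_handler(&bprm);
}
```

With the hook at the tail, the ELF loader returns 0 first and the hook's load_binary is never called, which matches the symptom reported earlier in the thread.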