<br><br><div class="gmail_quote">On Fri, Sep 23, 2011 at 2:00 PM, Abhijit Pawar <span dir="ltr"><<a href="mailto:apawar.linux@gmail.com">apawar.linux@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
<div><div></div><div class="h5">On 09/23/2011 01:01 PM, Rajat Sharma wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Untidy way : -<br>
Yes, you can do that by registering a new binary format handler. Whenever<br>
exec is called, a list of registered binary format handlers is scanned, in<br>
the same way you can hook the load_binary& load_library function pointers<br>
of the already registered binary format handlers.<br>
</blockquote>
Challenge with this untidy way is to identify the correct format, for<br>
example if you are interested in only hooking ELF format, there is no<br>
special signature withing the registered format handler to identify<br>
that, however if one format handler recognizes the file header, its<br>
load_binary will return 0. This can give you the hint that you are<br>
sitting on top of correct file format. Long time back I had written<br>
the similar module in Linux to do the same, but can't share the code<br>
:)<br>
<br>
-Rajat<br>
<br>
On Thu, Sep 22, 2011 at 3:14 PM, rohan puri<<a href="mailto:rohan.puri15@gmail.com" target="_blank">rohan.puri15@gmail.com</a>> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<br>
On Thu, Sep 22, 2011 at 1:53 PM, Abhijit Pawar<<a href="mailto:apawar.linux@gmail.com" target="_blank">apawar.linux@gmail.com</a>><br>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
hi list,<br>
Is there any way to hook the exec system call on Linux box apart from<br>
replacing the call in System Call table?<br>
<br>
Regards,<br>
Abhijit Pawar<br>
<br>
______________________________<u></u>_________________<br>
Kernelnewbies mailing list<br>
<a href="mailto:Kernelnewbies@kernelnewbies.org" target="_blank">Kernelnewbies@kernelnewbies.<u></u>org</a><br>
<a href="http://lists.kernelnewbies.org/mailman/listinfo/kernelnewbies" target="_blank">http://lists.kernelnewbies.<u></u>org/mailman/listinfo/<u></u>kernelnewbies</a><br>
</blockquote>
Tidy way : -<br>
<br>
You can do that from LSM (Linux security module).<br>
<br>
Untidy way : -<br>
Yes, you can do that by registering a new binary format handler. Whenever<br>
exec is called, a list of registered binary format handlers is scanned, in<br>
the same way you can hook the load_binary& load_library function pointers<br>
of the already registered binary format handlers.<br>
<br>
Regards,<br>
Rohan Puri<br>
<br>
______________________________<u></u>_________________<br>
Kernelnewbies mailing list<br>
<a href="mailto:Kernelnewbies@kernelnewbies.org" target="_blank">Kernelnewbies@kernelnewbies.<u></u>org</a><br>
<a href="http://lists.kernelnewbies.org/mailman/listinfo/kernelnewbies" target="_blank">http://lists.kernelnewbies.<u></u>org/mailman/listinfo/<u></u>kernelnewbies</a><br>
<br>
<br>
</blockquote></blockquote></div></div>
So If I use the binary format handler, then I can hook the exec call. however I need to register this. Does that mean that I need to return the negative value so as to have actual ELF handler to be loaded?<br>
<br>
Regards,<br><font color="#888888">
Abhijit Pawar<br>
<br>
</font></blockquote></div>Read this, <a href="http://www.linux.it/~rubini/docs/binfmt/binfmt.html">http://www.linux.it/~rubini/docs/binfmt/binfmt.html</a> this might help<br><br>Regards,<br>Rohan Puri<br>