<html>
  <head>
    <meta content="text/html; charset=ISO-8859-1"
      http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    On 09/26/2011 12:57 PM, rohan puri wrote:
    <blockquote
cite="mid:CALJfu6O6iGGqEqSm5o4f9=xRFsRkGT90ahA2MkJVHQHWdgd4sg@mail.gmail.com"
      type="cite"><br>
      <br>
      <div class="gmail_quote">On Mon, Sep 26, 2011 at 12:29 PM, Abhijit
        Pawar <span dir="ltr">&lt;<a moz-do-not-send="true"
            href="mailto:apawar.linux@gmail.com">apawar.linux@gmail.com</a>&gt;</span>
        wrote:<br>
        <blockquote class="gmail_quote" style="margin:0 0 0
          .8ex;border-left:1px #ccc solid;padding-left:1ex;">
          <div bgcolor="#FFFFFF" text="#000000">
            <div>
              <div class="h5"> On 09/26/2011 12:26 PM, rohan puri wrote:
                <blockquote type="cite"><br>
                  <br>
                  <div class="gmail_quote">On Mon, Sep 26, 2011 at 12:02
                    PM, Abhijit Pawar <span dir="ltr">&lt;<a
                        moz-do-not-send="true"
                        href="mailto:apawar.linux@gmail.com"
                        target="_blank">apawar.linux@gmail.com</a>&gt;</span>
                    wrote:<br>
                    <blockquote class="gmail_quote" style="margin:0 0 0
                      .8ex;border-left:1px #ccc solid;padding-left:1ex">
                      <div bgcolor="#FFFFFF" text="#000000">
                        <div>
                          <div> On 09/23/2011 03:11 PM, rohan puri
                            wrote:
                            <blockquote type="cite"><br>
                              <br>
                              <div class="gmail_quote">On Fri, Sep 23,
                                2011 at 2:43 PM, Abhijit Pawar <span
                                  dir="ltr">&lt;<a
                                    moz-do-not-send="true"
                                    href="mailto:apawar.linux@gmail.com"
                                    target="_blank">apawar.linux@gmail.com</a>&gt;</span>
                                wrote:<br>
                                <blockquote class="gmail_quote"
                                  style="margin:0 0 0
                                  .8ex;border-left:1px #ccc
                                  solid;padding-left:1ex">
                                  <div bgcolor="#FFFFFF" text="#000000">
                                    <div>
                                      <div> On 09/23/2011 02:04 PM,
                                        rohan puri wrote:
                                        <blockquote type="cite"><br>
                                          <br>
                                          <div class="gmail_quote">On
                                            Fri, Sep 23, 2011 at 2:00
                                            PM, Abhijit Pawar <span
                                              dir="ltr">&lt;<a
                                                moz-do-not-send="true"
                                                href="mailto:apawar.linux@gmail.com"
                                                target="_blank">apawar.linux@gmail.com</a>&gt;</span>
                                            wrote:<br>
                                            <blockquote
                                              class="gmail_quote"
                                              style="margin:0 0 0
                                              .8ex;border-left:1px #ccc
                                              solid;padding-left:1ex">
                                              <div>
                                                <div>On 09/23/2011 01:01
                                                  PM, Rajat Sharma
                                                  wrote:<br>
                                                  <blockquote
                                                    class="gmail_quote"
                                                    style="margin:0 0 0
                                                    .8ex;border-left:1px
                                                    #ccc
                                                    solid;padding-left:1ex">
                                                    <blockquote
                                                      class="gmail_quote"
                                                      style="margin:0 0
                                                      0
                                                      .8ex;border-left:1px
                                                      #ccc
                                                      solid;padding-left:1ex">
                                                      Untidy way : -<br>
                                                      Yes, you can do
                                                      that by
                                                      registering a new
                                                      binary format
                                                      handler. Whenever<br>
                                                      exec is called, a
                                                      list of registered
                                                      binary format
                                                      handlers is
                                                      scanned, in<br>
                                                      the same way you
                                                      can hook the
                                                      load_binary&amp;
                                                      &nbsp;load_library
                                                      function pointers<br>
                                                      of the already
                                                      registered binary
                                                      format handlers.<br>
                                                    </blockquote>
                                                     Challenge with this untidy way is to identify the correct format, for<br>
                                                     example if you are interested in only hooking ELF format, there is no<br>
                                                     special signature within the registered format handler to identify<br>
                                                     that, however if one format handler recognizes the file header, its<br>
                                                     load_binary will return 0. This can give you the hint that you are<br>
                                                     sitting on top of the correct file format. Long time back I had written<br>
                                                     a similar module in Linux to do the same, but can't share the code<br>
                                                     :)<br>
                                                    <br>
                                                    -Rajat<br>
                                                    <br>
                                                    On Thu, Sep 22, 2011
                                                    at 3:14 PM, rohan
                                                     puri&lt;<a moz-do-not-send="true"
href="mailto:rohan.puri15@gmail.com" target="_blank">rohan.puri15@gmail.com</a>&gt;
                                                     &nbsp;wrote:<br>
                                                    <blockquote
                                                      class="gmail_quote"
                                                      style="margin:0 0
                                                      0
                                                      .8ex;border-left:1px
                                                      #ccc
                                                      solid;padding-left:1ex">
                                                      <br>
                                                      On Thu, Sep 22,
                                                      2011 at 1:53 PM,
                                                      Abhijit Pawar&lt;<a
moz-do-not-send="true" href="mailto:apawar.linux@gmail.com"
                                                        target="_blank">apawar.linux@gmail.com</a>&gt;<br>
                                                      wrote:<br>
                                                      <blockquote
                                                        class="gmail_quote"
                                                        style="margin:0
                                                        0 0
                                                        .8ex;border-left:1px
                                                        #ccc
                                                        solid;padding-left:1ex">
                                                         hi list,<br>
                                                         Is there any way to hook the exec system call on a Linux box apart from<br>
                                                         replacing the call in the System Call table?<br>
                                                        <br>
                                                        Regards,<br>
                                                        Abhijit Pawar<br>
                                                        <br>
_______________________________________________<br>
                                                        Kernelnewbies
                                                        mailing list<br>
                                                        <a
                                                          moz-do-not-send="true"
href="mailto:Kernelnewbies@kernelnewbies.org" target="_blank">Kernelnewbies@kernelnewbies.org</a><br>
                                                        <a
                                                          moz-do-not-send="true"
href="http://lists.kernelnewbies.org/mailman/listinfo/kernelnewbies"
                                                          target="_blank">http://lists.kernelnewbies.org/mailman/listinfo/kernelnewbies</a><br>
                                                      </blockquote>
                                                      Tidy way : -<br>
                                                      <br>
                                                      You can do that
                                                      from LSM (Linux
                                                      security module).<br>
                                                      <br>
                                                      Untidy way : -<br>
                                                      Yes, you can do
                                                      that by
                                                      registering a new
                                                      binary format
                                                      handler. Whenever<br>
                                                      exec is called, a
                                                      list of registered
                                                      binary format
                                                      handlers is
                                                      scanned, in<br>
                                                      the same way you
                                                      can hook the
                                                      load_binary&amp;
                                                      &nbsp;load_library
                                                      function pointers<br>
                                                      of the already
                                                      registered binary
                                                      format handlers.<br>
                                                      <br>
                                                      Regards,<br>
                                                      Rohan Puri<br>
                                                      <br>
                                                      <br>
                                                      <br>
                                                    </blockquote>
                                                  </blockquote>
                                                </div>
                                              </div>
                                               So if I use the binary format handler, then I can hook the exec call. However, I need to register this. Does that mean that I need to return a negative value so as to have the actual ELF handler be loaded?<br>
                                              <br>
                                              Regards,<br>
                                              <font color="#888888">
                                                Abhijit Pawar<br>
                                                <br>
                                              </font></blockquote>
                                          </div>
                                          Read this, <a
                                            moz-do-not-send="true"
                                            href="http://www.linux.it/%7Erubini/docs/binfmt/binfmt.html"
                                            target="_blank">http://www.linux.it/~rubini/docs/binfmt/binfmt.html</a>
                                          this might help<br>
                                          <br>
                                          Regards,<br>
                                          Rohan Puri<br>
                                        </blockquote>
                                      </div>
                                    </div>
                                     Thanks Rohan. I tried creating a hooking module along similar lines. I am able to load the module, but whenever I am launching any application, its load_binary is not being called.<br>
                                     Here is the source for the module, attached.<br>
                                    <br>
                                    Regards,<br>
                                    <font color="#888888"> Abhijit Pawar<br>
                                      <br>
                                      <br>
                                    </font></div>
                                </blockquote>
                              </div>
                              <br>
                              Hi Abhijit,<br>
                              <br>
                              I have made the change, try to compile and
                              execute this code, it works.<br>
                              <br>
                               Also, I am just curious to know where you need to do this hooking.<br>
                              <br>
                              Regards,<br>
                              Rohan Puri<br>
                            </blockquote>
                          </div>
                        </div>
                        Hi Rohan,<br>
                         I have been looking at the Windows world's ability to support DLL injection and API hooking. I was just wondering if this could be something to be done in Linux as well.&nbsp; I am not sure if there is any special use of this module apart from learning the binary handler. Maybe it could be used as a security module for your own binary handler.<br>
                        <br>
                        Regards,<br>
                        <font color="#888888"> Abhijit Pawar<br>
                        </font></div>
                    </blockquote>
                  </div>
                  <br>
                  Hi Abhijit,<br>
                  <br>
                   I am not familiar with Windows. The special use case of this hack is security companies' whitelisting software solutions, where they want to control execution of only authorized binaries on the system and deny the execution of others.<br>
                   <br>
                   <br>
                   This approach is untidy, though, since there are LSM hooks available in the Linux kernel which need to be made use of for doing this.<br>
                  <br>
                  Regards,<br>
                  Rohan Puri<br>
                </blockquote>
              </div>
            </div>
            Hi Rohan,<br>
             Yes, this is a backdoor approach and I agree with you. I am learning more on LSM and their APIs so as to get insight into what goes on internally. Maybe you can refer me to some details as well.<br>
            <br>
            Thanks for all of your help on this.<br>
            <br>
            Regards,<br>
            <font color="#888888"> Abhijit Pawar<br>
            </font></div>
        </blockquote>
      </div>
      <br>
      Hi Abhijit,<br>
      <br>
       There is one whitepaper on LSM available on the internet by Greg Kroah-Hartman and others; it's good to start with.<br>
       <br>
       <br>
       Also, I am keen to know: are all these things you are studying part of any project, or just for knowledge?<br>
      <br>
      Regards,<br>
      Rohan Puri<br>
    </blockquote>
     Thanks Rohan. I will take a look at this paper. I am learning LSM and hooking for Windows and its counterpart in Linux. This is purely for gaining knowledge, but it would be good if I can do something with this, maybe in the future. :)<br>
    <br>
    Regards,<br>
    Abhijit Pawar<br>
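The two points the thread turns on, the return-value convention of a binary-format handler (return a negative value so the real ELF handler still gets to load the image) and the whitelisting use case Rohan mentions, modelled in user-space C as an added example. This is not code from the thread, from Abhijit's attached module or from the kernel; binprm, binfmt, insert_binfmt, search_binary_handler and the allowlist are simplified stand-ins constructed for illustration, not the kernel's real API.

```c
/* Added illustration, not code from this thread or the kernel: a user-space
 * model of the walk exec performs over the registered binary-format handlers,
 * and of what a whitelisting handler at the head of that list has to return. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
struct binprm { const char *filename; unsigned char buf[4]; }; /* path, magic */
struct binfmt { int (*load_binary)(struct binprm *); };
static struct binfmt *formats[4];
static int nformats;

/* Put a handler at the head of the list so it runs before the stock ones. */
static void insert_binfmt(struct binfmt *fmt)
{
    memmove(&formats[1], &formats[0], nformats * sizeof formats[0]);
    formats[0] = fmt;
    nformats++;
}

/* The convention the thread describes: -ENOEXEC means "not mine, try the
 * next handler"; 0 means this handler took the exec; any other error stops. */
static int search_binary_handler(struct binprm *bprm)
{
    for (int i = 0; i < nformats; i++) {
        int ret = formats[i]->load_binary(bprm);
        if (ret != -ENOEXEC)
            return ret;
    }
    return -ENOEXEC;                    /* nobody recognised the image */
}
/* Stand-ins for the stock handlers: recognise own magic, otherwise defer. */
static int load_elf_binary(struct binprm *b)
{ return memcmp(b->buf, "\x7f" "ELF", 4) == 0 ? 0 : -ENOEXEC; }
static int load_script(struct binprm *b)
{ return memcmp(b->buf, "#!", 2) == 0 ? 0 : -ENOEXEC; }

/* Constructed allowlist: an unlisted path is refused with -EPERM, which ends
 * the walk; a listed one is passed on with -ENOEXEC so the real handler loads it. */
static const char *allowlist[] = { "/bin/sh", "/usr/bin/ls" };
static int load_whitelist_hook(struct binprm *b)
{
    for (size_t i = 0; i < sizeof allowlist / sizeof allowlist[0]; i++)
        if (strcmp(b->filename, allowlist[i]) == 0)
            return -ENOEXEC;            /* allowed: defer to the real handler */
    fprintf(stderr, "exec of %s denied\n", b->filename);
    return -EPERM;
}

static struct binfmt elf_fmt = { load_elf_binary }, script_fmt = { load_script },
                     hook_fmt = { load_whitelist_hook };
/* Register the stock handlers, then push the hook in front of them. */
static void setup_formats(void)
{
    nformats = 0;
    insert_binfmt(&script_fmt);
    insert_binfmt(&elf_fmt);
    insert_binfmt(&hook_fmt);           /* order is now: hook, elf, script */
}

/* Run one exec through the chain; returns 0 on success or a -errno value. */
static int exec_image(const char *path, const char *magic)
{
    struct binprm b = { .filename = path };
    memcpy(b.buf, magic, sizeof b.buf);
    return search_binary_handler(&b);
}
```

Because the hook never returns 0, it observes every exec without replacing the ELF or script loader; the real kernel's search loop applies the same -ENOEXEC rule, which is why a hook that returns 0 for an image it did not actually load leaves the process with nothing mapped.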
  </body>
</html>