<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
On 09/26/2011 12:57 PM, rohan puri wrote:
<blockquote
cite="mid:CALJfu6O6iGGqEqSm5o4f9=xRFsRkGT90ahA2MkJVHQHWdgd4sg@mail.gmail.com"
type="cite"><br>
<br>
<div class="gmail_quote">On Mon, Sep 26, 2011 at 12:29 PM, Abhijit
Pawar <span dir="ltr"><<a moz-do-not-send="true"
href="mailto:apawar.linux@gmail.com">apawar.linux@gmail.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex;">
<div bgcolor="#FFFFFF" text="#000000">
<div>
<div class="h5"> On 09/26/2011 12:26 PM, rohan puri wrote:
<blockquote type="cite"><br>
<br>
<div class="gmail_quote">On Mon, Sep 26, 2011 at 12:02
PM, Abhijit Pawar <span dir="ltr"><<a
moz-do-not-send="true"
href="mailto:apawar.linux@gmail.com"
target="_blank">apawar.linux@gmail.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<div>
<div> On 09/23/2011 03:11 PM, rohan puri
wrote:
<blockquote type="cite"><br>
<br>
<div class="gmail_quote">On Fri, Sep 23,
2011 at 2:43 PM, Abhijit Pawar <span
dir="ltr"><<a
moz-do-not-send="true"
href="mailto:apawar.linux@gmail.com"
target="_blank">apawar.linux@gmail.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote"
style="margin:0 0 0
.8ex;border-left:1px #ccc
solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<div>
<div> On 09/23/2011 02:04 PM,
rohan puri wrote:
<blockquote type="cite"><br>
<br>
<div class="gmail_quote">On
Fri, Sep 23, 2011 at 2:00
PM, Abhijit Pawar <span
dir="ltr"><<a
moz-do-not-send="true"
href="mailto:apawar.linux@gmail.com"
target="_blank">apawar.linux@gmail.com</a>></span>
wrote:<br>
<blockquote
class="gmail_quote"
style="margin:0 0 0
.8ex;border-left:1px #ccc
solid;padding-left:1ex">
<div>
<div>On 09/23/2011 01:01
PM, Rajat Sharma
wrote:<br>
<blockquote
class="gmail_quote"
style="margin:0 0 0
.8ex;border-left:1px
#ccc
solid;padding-left:1ex">
<blockquote
class="gmail_quote"
style="margin:0 0
0
.8ex;border-left:1px
#ccc
solid;padding-left:1ex">
Untidy way:<br>
Yes, you can do that by registering a new binary format handler. Whenever<br>
exec is called, a list of registered binary format handlers is scanned; in<br>
the same way you can hook the load_binary & load_library function pointers<br>
of the already registered binary format handlers.<br>
</blockquote>
The challenge with this untidy way is to identify the correct format. For<br>
example, if you are interested in only hooking the ELF format, there is no<br>
special signature within the registered format handler to identify<br>
that; however, if one format handler recognizes the file header, its<br>
load_binary will return 0. This can give you the hint that you are<br>
sitting on top of the correct file format. A long time back I had written<br>
a similar module in Linux to do the same, but can't share the code<br>
:)<br>
<br>
-Rajat<br>
<br>
On Thu, Sep 22, 2011
at 3:14 PM, rohan
puri<<a
moz-do-not-send="true"
href="mailto:rohan.puri15@gmail.com" target="_blank">rohan.puri15@gmail.com</a>>
wrote:<br>
<blockquote
class="gmail_quote"
style="margin:0 0
0
.8ex;border-left:1px
#ccc
solid;padding-left:1ex">
<br>
On Thu, Sep 22,
2011 at 1:53 PM,
Abhijit Pawar<<a
moz-do-not-send="true" href="mailto:apawar.linux@gmail.com"
target="_blank">apawar.linux@gmail.com</a>><br>
wrote:<br>
<blockquote
class="gmail_quote"
style="margin:0
0 0
.8ex;border-left:1px
#ccc
solid;padding-left:1ex">
Hi list,<br>
Is there any way to hook the exec system call on a Linux box apart from<br>
replacing the call in the system call table?<br>
<br>
Regards,<br>
Abhijit Pawar<br>
<br>
_______________________________________________<br>
Kernelnewbies
mailing list<br>
<a
moz-do-not-send="true"
href="mailto:Kernelnewbies@kernelnewbies.org" target="_blank">Kernelnewbies@kernelnewbies.org</a><br>
<a
moz-do-not-send="true"
href="http://lists.kernelnewbies.org/mailman/listinfo/kernelnewbies"
target="_blank">http://lists.kernelnewbies.org/mailman/listinfo/kernelnewbies</a><br>
</blockquote>
Tidy way:<br>
<br>
You can do that from an LSM (Linux security module).<br>
<br>
Untidy way:<br>
Yes, you can do that by registering a new binary format handler. Whenever<br>
exec is called, a list of registered binary format handlers is scanned; in<br>
the same way you can hook the load_binary & load_library function pointers<br>
of the already registered binary format handlers.<br>
<br>
Regards,<br>
Rohan Puri<br>
<br>
</blockquote>
</blockquote>
</div>
</div>
So if I use the binary format handler, then I can hook the exec call.<br>
However, I need to register this. Does that mean that I need to return a<br>
negative value so as to have the actual ELF handler be loaded?<br>
<br>
Regards,<br>
<font color="#888888">
Abhijit Pawar<br>
<br>
</font></blockquote>
</div>
Read this: <a
moz-do-not-send="true"
href="http://www.linux.it/%7Erubini/docs/binfmt/binfmt.html"
target="_blank">http://www.linux.it/~rubini/docs/binfmt/binfmt.html</a>;
this might help.<br>
<br>
Regards,<br>
Rohan Puri<br>
</blockquote>
</div>
</div>
Thanks Rohan. I tried creating a hooking module along similar lines.<br>
I am able to load the module, but whenever I launch any<br>
application, its load_binary is not being called.<br>
Here is the source for the module, attached.<br>
<br>
Regards,<br>
<font color="#888888"> Abhijit Pawar<br>
<br>
<br>
</font></div>
</blockquote>
</div>
<br>
Hi Abhijit,<br>
<br>
I have made the change; try to compile and execute this code, it works.<br>
<br>
Also, I am just curious to know where you need to do this hooking.<br>
<br>
Regards,<br>
Rohan Puri<br>
</blockquote>
</div>
</div>
Hi Rohan,<br>
I have been looking at the Windows world's ability to support DLL injection<br>
and API hooking. I was just wondering if this could be something to be<br>
done in Linux as well. I am not sure if there is any special use of this<br>
module apart from learning the binary handler. Maybe it could be used as a<br>
security module for your own binary handler.<br>
<br>
Regards,<br>
<font color="#888888"> Abhijit Pawar<br>
</font></div>
</blockquote>
</div>
<br>
Hi Abhijit,<br>
<br>
I am not familiar with Windows. A special use-case of this hacking is for<br>
security companies' whitelisting software solutions, where they want to<br>
control the execution of only authorized binaries on the system and deny<br>
the execution of others.<br>
<br>
<br>
Although this approach is untidy, since there are LSM hooks available in<br>
the Linux kernel which should be made use of for doing this.<br>
<br>
Regards,<br>
Rohan Puri<br>
</blockquote>
</div>
</div>
Hi Rohan,<br>
Yes, this is a backdoor approach and I agree with you. I am learning more<br>
about LSM and its APIs so as to get insight into what goes on internally.<br>
Maybe you can refer me to some details as well.<br>
<br>
Thanks for all of your help on this.<br>
<br>
Regards,<br>
<font color="#888888"> Abhijit Pawar<br>
</font></div>
</blockquote>
</div>
<br>
Hi Abhijit,<br>
<br>
There is one whitepaper on LSM available on the internet by Greg<br>
Kroah-Hartman and others; it's good to start with.<br>
<br>
<br>
Also, I am keen to know: are all these things you are studying part of<br>
any project, or just for knowledge?<br>
<br>
Regards,<br>
Rohan Puri<br>
</blockquote>
Thanks Rohan. I will take a look at this paper. I am learning LSM and<br>
hooking for Windows and its counterpart in Linux. This is purely for<br>
getting knowledge, but it would be good if I can do something with this,<br>
maybe in the future. :)<br>
<br>
Regards,<br>
Abhijit Pawar<br>
</body>
</html>