<br><br><div class="gmail_quote">On Mon, Sep 26, 2011 at 12:29 PM, Abhijit Pawar <span dir="ltr">&lt;<a href="mailto:apawar.linux@gmail.com">apawar.linux@gmail.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">

  
    
  
  <div bgcolor="#FFFFFF" text="#000000"><div><div></div><div class="h5">
    On 09/26/2011 12:26 PM, rohan puri wrote:
    <blockquote type="cite"><br>
      <br>
      <div class="gmail_quote">On Mon, Sep 26, 2011 at 12:02 PM, Abhijit
        Pawar <span dir="ltr">&lt;<a href="mailto:apawar.linux@gmail.com" target="_blank">apawar.linux@gmail.com</a>&gt;</span>
        wrote:<br>
        <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
          <div bgcolor="#FFFFFF" text="#000000">
            <div>
              <div> On 09/23/2011 03:11 PM, rohan puri wrote:
                <blockquote type="cite"><br>
                  <br>
                  <div class="gmail_quote">On Fri, Sep 23, 2011 at 2:43
                    PM, Abhijit Pawar <span dir="ltr">&lt;<a href="mailto:apawar.linux@gmail.com" target="_blank">apawar.linux@gmail.com</a>&gt;</span>
                    wrote:<br>
                    <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
                      <div bgcolor="#FFFFFF" text="#000000">
                        <div>
                          <div> On 09/23/2011 02:04 PM, rohan puri
                            wrote:
                            <blockquote type="cite"><br>
                              <br>
                              <div class="gmail_quote">On Fri, Sep 23,
                                2011 at 2:00 PM, Abhijit Pawar <span dir="ltr">&lt;<a href="mailto:apawar.linux@gmail.com" target="_blank">apawar.linux@gmail.com</a>&gt;</span>
                                wrote:<br>
                                <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
                                  <div>
                                    <div>On 09/23/2011 01:01 PM, Rajat
                                      Sharma wrote:<br>
                                      <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
                                        <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
                                          Untidy way : -<br>
                                          Yes, you can do that by
                                          registering a new binary
                                          format handler. Whenever<br>
                                          exec is called, a list of
                                          registered binary format
                                          handlers is scanned, in<br>
                                          the same way you can hook the
                                           load_binary &amp; load_library
                                          function pointers<br>
                                          of the already registered
                                          binary format handlers.<br>
                                        </blockquote>
                                        Challenge with this untidy way
                                        is to identify the correct
                                        format, for<br>
                                        example if you are interested in
                                        only hooking ELF format, there
                                        is no<br>
                                         special signature within the
                                        registered format handler to
                                        identify<br>
                                        that, however if one format
                                        handler recognizes the file
                                        header, its<br>
                                        load_binary will return 0. This
                                        can give you the hint that you
                                        are<br>
                                        sitting on top of correct file
                                        format. Long time back I had
                                        written<br>
                                         a similar module in Linux to
                                        do the same, but can&#39;t share the
                                        code<br>
                                        :)<br>
                                        <br>
                                        -Rajat<br>
                                        <br>
                                        On Thu, Sep 22, 2011 at 3:14 PM,
                                        rohan puri&lt;<a href="mailto:rohan.puri15@gmail.com" target="_blank">rohan.puri15@gmail.com</a>&gt;


                                         wrote:<br>
                                        <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> <br>
                                          On Thu, Sep 22, 2011 at 1:53
                                          PM, Abhijit Pawar&lt;<a href="mailto:apawar.linux@gmail.com" target="_blank">apawar.linux@gmail.com</a>&gt;<br>
                                          wrote:<br>
                                          <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> hi
                                            list,<br>
                                            Is there any way to hook the
                                            exec system call on Linux
                                            box apart from<br>
                                            replacing the call in System
                                            Call table?<br>
                                            <br>
                                            Regards,<br>
                                            Abhijit Pawar<br>
                                            <br>
_______________________________________________<br>
                                            Kernelnewbies mailing list<br>
                                            <a href="mailto:Kernelnewbies@kernelnewbies.org" target="_blank">Kernelnewbies@kernelnewbies.org</a><br>
                                            <a href="http://lists.kernelnewbies.org/mailman/listinfo/kernelnewbies" target="_blank">http://lists.kernelnewbies.org/mailman/listinfo/kernelnewbies</a><br>
                                          </blockquote>
                                          Tidy way : -<br>
                                          <br>
                                          You can do that from LSM
                                          (Linux security module).<br>
                                          <br>
                                          Untidy way : -<br>
                                          Yes, you can do that by
                                          registering a new binary
                                          format handler. Whenever<br>
                                          exec is called, a list of
                                          registered binary format
                                          handlers is scanned, in<br>
                                          the same way you can hook the
                                           load_binary &amp; load_library
                                          function pointers<br>
                                          of the already registered
                                          binary format handlers.<br>
                                          <br>
                                          Regards,<br>
                                          Rohan Puri<br>
                                          <br>
                                          <br>
                                          <br>
                                        </blockquote>
                                      </blockquote>
                                    </div>
                                  </div>
                                   So if I use the binary format handler,
                                   then I can hook the exec call. However,
                                   I need to register this. Does that
                                   mean that I need to return a
                                   negative value so as to have the actual
                                   ELF handler loaded?<br>
                                  <br>
                                  Regards,<br>
                                  <font color="#888888"> Abhijit Pawar<br>
                                    <br>
                                  </font></blockquote>
                              </div>
                              Read this, <a href="http://www.linux.it/%7Erubini/docs/binfmt/binfmt.html" target="_blank">http://www.linux.it/~rubini/docs/binfmt/binfmt.html</a>
                              this might help<br>
                              <br>
                              Regards,<br>
                              Rohan Puri<br>
                            </blockquote>
                          </div>
                        </div>
                         Thanks Rohan. I tried creating a hooking module
                         on similar lines. I am able to load the
                         module, but whenever I am launching any
                         application, its load_binary is not being
                         called.<br>
                         Here is the source for the module, attached.<br>
                        <br>
                        Regards,<br>
                        <font color="#888888"> Abhijit Pawar<br>
                          <br>
                          <br>
                        </font></div>
                    </blockquote>
                  </div>
                  <br>
                  Hi Abhijit,<br>
                  <br>
                  I have made the change, try to compile and execute
                  this code, it works.<br>
                  <br>
                  Also, I am just curious enough to know that where do
                  you need to do this hooking.<br>
                  <br>
                  Regards,<br>
                  Rohan Puri<br>
                </blockquote>
              </div>
            </div>
            Hi Rohan,<br>
             I have been looking at the Windows world's ability to support DLL
             injection and API hooking. I was just wondering if this
             could be something to be done in Linux as well. I am not
             sure if there is any special use of this module apart from
             learning the binary handler. Maybe it could be used as a
             security module for your own binary handler.<br>
            <br>
            Regards,<br>
            <font color="#888888"> Abhijit Pawar<br>
            </font></div>
        </blockquote>
      </div>
      <br>
      Hi Abhijit,<br>
      <br>
       I am not familiar with Windows. A special use-case of this hack
       is security companies' whitelisting software solutions, where
       they want to control execution of only authorized binaries on the
       system and deny the execution of others.<br>
      <br>
      <br>
       Although this approach is untidy, since there are LSM
       hooks available in the Linux kernel which need to be made use of for doing
       this.<br>
      <br>
      Regards,<br>
      Rohan Puri<br>
    </blockquote></div></div>
    Hi Rohan,<br>
     Yes, this is a backdoor approach and I agree with you. I am learning
     more on LSM and their APIs so as to get insight into what goes on
     internally. Maybe you can refer me to some details as well.<br>
    <br>
    Thanks for all of your help on this.<br>
    <br>
    Regards,<br><font color="#888888">
    Abhijit Pawar<br>
  </font></div>

</blockquote></div><br>Hi Abhijit,<br><br>There is one whitepaper on LSM available on the internet by Greg Kroah-Hartman and others; it's good to start with.<br><br><br>Also, I am keen to know, are all these things you are studying part of any project, or just for knowledge?<br>
<br>Regards,<br>Rohan Puri<br>
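<br>As an added illustration (not code from this thread or from the kernel), here is a user-space model of the binfmt scan the thread describes: a whitelist handler registered at the head of the list returns -ENOEXEC so the real ELF handler still loads the file, or a different error to stop the exec outright. The handler list, the whitelist and the file headers are constructed for the example; the kernel's real structures and search_binary_handler() are only approximated.<br>

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Constructed, simplified stand-ins for the kernel's binprm/binfmt types. */
struct linux_binprm { const char *filename; unsigned char buf[4]; };
struct linux_binfmt {
    const char *name;
    int (*load_binary)(struct linux_binprm *);
    struct linux_binfmt *next;
};

/* Real-format handlers: -ENOEXEC means "not mine, keep scanning", 0 means loaded. */
static int load_elf_binary(struct linux_binprm *b) {
    return memcmp(b->buf, "\x7f" "ELF", 4) == 0 ? 0 : -ENOEXEC;
}
static int load_script(struct linux_binprm *b) {
    return memcmp(b->buf, "#!", 2) == 0 ? 0 : -ENOEXEC;
}

/* Whitelist handler sitting first in the list (the thread's "untidy way").
   It never loads anything itself: an allowed path gets -ENOEXEC so the scan
   falls through to the real handler; anything else gets -EPERM, which is not
   -ENOEXEC and therefore terminates the scan and fails the exec. */
static const char *whitelist[] = { "/bin/ls", "/usr/bin/id", NULL }; /* constructed */
static int load_hook(struct linux_binprm *b) {
    for (const char **p = whitelist; *p; p++)
        if (strcmp(*p, b->filename) == 0) {
            printf("hook: allow %s\n", b->filename);
            return -ENOEXEC;
        }
    printf("hook: deny %s\n", b->filename);
    return -EPERM;
}

static struct linux_binfmt elf_fmt    = { "elf",    load_elf_binary, NULL };
static struct linux_binfmt script_fmt = { "script", load_script,     &elf_fmt };
static struct linux_binfmt hook_fmt   = { "hook",   load_hook,       &script_fmt };
static struct linux_binfmt *formats   = &hook_fmt;   /* hook registered at the head */

/* Model of search_binary_handler(): the first handler that does not answer
   -ENOEXEC decides the outcome, whether that is success or another error. */
int search_binary_handler(struct linux_binprm *b) {
    for (struct linux_binfmt *f = formats; f; f = f->next) {
        int ret = f->load_binary(b);
        if (ret != -ENOEXEC) return ret;
    }
    return -ENOEXEC;   /* nobody recognised the file */
}

/* Simulate exec(path) for a file whose first four header bytes are hdr. */
int exec_sim(const char *path, const unsigned char *hdr) {
    struct linux_binprm b = { path, { 0 } };
    memcpy(b.buf, hdr, 4);
    return search_binary_handler(&b);
}
```
<br>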