<br><br><div class="gmail_quote">On Mon, Sep 26, 2011 at 12:29 PM, Abhijit Pawar <span dir="ltr"><<a href="mailto:apawar.linux@gmail.com">apawar.linux@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
<div bgcolor="#FFFFFF" text="#000000"><div><div></div><div class="h5">
On 09/26/2011 12:26 PM, rohan puri wrote:
<blockquote type="cite"><br>
<br>
<div class="gmail_quote">On Mon, Sep 26, 2011 at 12:02 PM, Abhijit
Pawar <span dir="ltr"><<a href="mailto:apawar.linux@gmail.com" target="_blank">apawar.linux@gmail.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<div>
<div> On 09/23/2011 03:11 PM, rohan puri wrote:
<blockquote type="cite"><br>
<br>
<div class="gmail_quote">On Fri, Sep 23, 2011 at 2:43
PM, Abhijit Pawar <span dir="ltr"><<a href="mailto:apawar.linux@gmail.com" target="_blank">apawar.linux@gmail.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<div>
<div> On 09/23/2011 02:04 PM, rohan puri
wrote:
<blockquote type="cite"><br>
<br>
<div class="gmail_quote">On Fri, Sep 23,
2011 at 2:00 PM, Abhijit Pawar <span dir="ltr"><<a href="mailto:apawar.linux@gmail.com" target="_blank">apawar.linux@gmail.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div>
<div>On 09/23/2011 01:01 PM, Rajat
Sharma wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Untidy way : -<br>
Yes, you can do that by
registering a new binary
format handler. Whenever<br>
exec is called, a list of
registered binary format
handlers is scanned, in<br>
the same way you can hook the
load_binary& load_library
function pointers<br>
of the already registered
binary format handlers.<br>
</blockquote>
Challenge with this untidy way
is to identify the correct
format, for<br>
example if you are interested in
only hooking ELF format, there
is no<br>
special signature within the
registered format handler to
identify<br>
that, however if one format
handler recognizes the file
header, its<br>
load_binary will return 0. This
can give you the hint that you
are<br>
sitting on top of correct file
format. A long time back I had
written<br>
a similar module in Linux to
do the same, but can't share the
code<br>
:)<br>
<br>
-Rajat<br>
<br>
On Thu, Sep 22, 2011 at 3:14 PM,
rohan puri<<a href="mailto:rohan.puri15@gmail.com" target="_blank">rohan.puri15@gmail.com</a>>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> <br>
On Thu, Sep 22, 2011 at 1:53
PM, Abhijit Pawar<<a href="mailto:apawar.linux@gmail.com" target="_blank">apawar.linux@gmail.com</a>><br>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> hi
list,<br>
Is there any way to hook the
exec system call on Linux
box apart from<br>
replacing the call in System
Call table?<br>
<br>
Regards,<br>
Abhijit Pawar<br>
<br>
_______________________________________________<br>
Kernelnewbies mailing list<br>
<a href="mailto:Kernelnewbies@kernelnewbies.org" target="_blank">Kernelnewbies@kernelnewbies.org</a><br>
<a href="http://lists.kernelnewbies.org/mailman/listinfo/kernelnewbies" target="_blank">http://lists.kernelnewbies.org/mailman/listinfo/kernelnewbies</a><br>
</blockquote>
Tidy way : -<br>
<br>
You can do that from LSM
(Linux security module).<br>
<br>
Untidy way : -<br>
Yes, you can do that by
registering a new binary
format handler. Whenever<br>
exec is called, a list of
registered binary format
handlers is scanned, in<br>
the same way you can hook the
load_binary& load_library
function pointers<br>
of the already registered
binary format handlers.<br>
<br>
Regards,<br>
Rohan Puri<br>
<br>
<br>
<br>
</blockquote>
</blockquote>
</div>
</div>
So If I use the binary format handler,
then I can hook the exec call. however
I need to register this. Does that
mean that I need to return the
negative value so as to have actual
ELF handler to be loaded?<br>
<br>
Regards,<br>
<font color="#888888"> Abhijit Pawar<br>
<br>
</font></blockquote>
</div>
Read this, <a href="http://www.linux.it/%7Erubini/docs/binfmt/binfmt.html" target="_blank">http://www.linux.it/~rubini/docs/binfmt/binfmt.html</a>
this might help<br>
<br>
Regards,<br>
Rohan Puri<br>
</blockquote>
</div>
</div>
Thanks Rohan. I tried creating a hooking module
on the similar line. I am able to load the
module but whenever I am launching any
application , its load_binary is not being
called.<br>
here is the source for the module attached.<br>
<br>
Regards,<br>
<font color="#888888"> Abhijit Pawar<br>
<br>
<br>
</font></div>
</blockquote>
</div>
<br>
Hi Abhijit,<br>
<br>
I have made the change, try to compile and execute
this code, it works.<br>
<br>
Also, I am just curious to know where
you need to do this hooking.<br>
<br>
Regards,<br>
Rohan Puri<br>
</blockquote>
</div>
</div>
Hi Rohan,<br>
I have been looking at the Windows world's ability to support DLL
Injection and API hooking. I was just wondering if this
could be something to be done in Linux as well. I am not
sure if there is any special use of this module apart from
learning the binary handler. Maybe it could be used as a
security module for your own binary handler.<br>
<br>
Regards,<br>
<font color="#888888"> Abhijit Pawar<br>
</font></div>
</blockquote>
</div>
<br>
Hi Abhijit,<br>
<br>
I am not familiar with Windows. A special use-case of this hacking
is for security companies' whitelisting software solutions, where
they want to control execution of only authorized binaries on the
system and deny the execution of others.<br>
<br>
<br>
Although this approach is untidy, since there are LSM
hooks available in the Linux kernel which need to be made use of for doing
this.<br>
<br>
Regards,<br>
Rohan Puri<br>
</blockquote></div></div>
Hi Rohan,<br>
Yes, this is a backdoor approach and I agree with you. I am learning
more on LSM and their APIs so as to get insight into what goes on
internally. Maybe you can refer me to some details as well.<br>
<br>
Thanks for all of your help on this.<br>
<br>
Regards,<br><font color="#888888">
Abhijit Pawar<br>
</font></div>
</blockquote></div><br>Hi Abhijit,<br><br>There is one whitepaper on LSM available on the internet by Greg Kroah-Hartman and others; it's good to start with.<br><br><br>Also, I am keen to know whether all these things you are studying are part of any project or just for knowledge.<br>
<br>Regards,<br>Rohan Puri<br>
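<br>The thread turns on one contract of the binfmt chain: each registered handler's load_binary is tried in turn, a return of -ENOEXEC means "not my format, try the next one", and any other return value (0 for a successfully loaded image, or a different error) ends the search. Below is an added user-space model of that loop, written for this page and not code from the thread, the attached module, or the kernel. The struct and function names mirror the kernel's (linux_binfmt, linux_binprm, load_binary, search_binary_handler, insert_binfmt) but everything here is a stand-alone simulation; the buffer size, the audit hook and the sample headers are constructed for the example.<br>

```c
/* Added example: user-space model of the Linux binfmt handler chain.
 * Not kernel code; names mirror the kernel's for readability only. */
#include <errno.h>
#include <stdio.h>
#include <string.h>

#define BINPRM_BUF_SIZE 128 /* constructed size, not the kernel's constant */

struct linux_binprm {
    const char *filename;
    unsigned char buf[BINPRM_BUF_SIZE]; /* first bytes of the file */
    size_t buf_len;
};

struct linux_binfmt {
    const char *name;
    int (*load_binary)(struct linux_binprm *);
    struct linux_binfmt *next;
};

static struct linux_binfmt *formats; /* head of the handler list */

/* Models the kernel's insert_binfmt(): add at the head, so the most recently
 * inserted handler is consulted first. (The kernel's register_binfmt() appends
 * at the tail instead, so a hook registered that way would only run for files
 * every earlier handler, including the ELF loader, has already declined.) */
static void insert_binfmt(struct linux_binfmt *fmt) {
    fmt->next = formats;
    formats = fmt;
}

static int exec_attempts; /* handlers consulted during the last exec */

/* The contract: -ENOEXEC means "not mine, try the next handler";
 * any other value (0 = loaded, or another error) ends the search. */
static int search_binary_handler(struct linux_binprm *bprm) {
    int retval = -ENOEXEC;
    exec_attempts = 0;
    for (struct linux_binfmt *fmt = formats; fmt; fmt = fmt->next) {
        exec_attempts++;
        retval = fmt->load_binary(bprm);
        if (retval != -ENOEXEC)
            return retval;
    }
    return retval;
}

/* Stand-in for the ELF loader: claims only files whose header is \x7fELF. */
static int load_elf_binary(struct linux_binprm *bprm) {
    if (bprm->buf_len < 4 || memcmp(bprm->buf, "\x7f" "ELF", 4) != 0)
        return -ENOEXEC;
    return 0; /* the real loader would now set up the new image */
}

/* Hypothetical audit hook registered as its own binfmt. Inserted last, it runs
 * first, records the exec request, and returns -ENOEXEC so the real loader still
 * handles the file. Returning 0 here would end the search with nothing loaded. */
static int audit_decisions;
static int load_audit_hook(struct linux_binprm *bprm) {
    audit_decisions++;
    fprintf(stderr, "exec observed: %s\n", bprm->filename);
    return -ENOEXEC; /* pass through to the next handler */
}

static struct linux_binfmt elf_format = { "elf", load_elf_binary, NULL };
static struct linux_binfmt audit_format = { "audit-hook", load_audit_hook, NULL };

static void setup_formats(void) {
    formats = NULL;
    insert_binfmt(&elf_format);
    insert_binfmt(&audit_format); /* inserted last => consulted first */
}

/* Build a request from a constructed header and run the chain on it. */
static int try_exec(const char *name, const unsigned char *hdr, size_t len) {
    struct linux_binprm bprm;
    size_t n = len < BINPRM_BUF_SIZE ? len : BINPRM_BUF_SIZE;
    memset(&bprm, 0, sizeof bprm);
    bprm.filename = name;
    memcpy(bprm.buf, hdr, n);
    bprm.buf_len = n;
    return search_binary_handler(&bprm);
}

int main(void) {
    static const unsigned char elf_hdr[] = "\x7f" "ELF\x02\x01\x01"; /* constructed */
    static const unsigned char text_hdr[] = "just some text";       /* constructed */
    setup_formats();
    printf("elf  -> %d, handlers tried: %d\n",
           try_exec("/bin/true", elf_hdr, sizeof elf_hdr), exec_attempts);
    printf("text -> %d (-ENOEXEC is %d), handlers tried: %d\n",
           try_exec("./notes.txt", text_hdr, sizeof text_hdr), -ENOEXEC, exec_attempts);
    return 0;
}
```

This answers the "negative value" question from the thread in code: the hook must return -ENOEXEC, not just any negative value, for the ELF loader to be consulted afterwards, and where the hook sits in the list decides whether it sees the request at all. The LSM route Rohan recommends avoids both issues, since a bprm hook runs once per exec before any binfmt is chosen.<br>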