Hooking exec system call
Abhijit Pawar
apawar.linux at gmail.com
Fri Sep 23 05:13:06 EDT 2011
On 09/23/2011 02:04 PM, rohan puri wrote:
>
> On Fri, Sep 23, 2011 at 2:00 PM, Abhijit Pawar <apawar.linux at gmail.com> wrote:
>
> On 09/23/2011 01:01 PM, Rajat Sharma wrote:
>
> Untidy way : -
> Yes, you can do that by registering a new binary format handler. Whenever exec is called, a list of registered binary format handlers is scanned; in the same way you can hook the load_binary & load_library function pointers of the already registered binary format handlers.
>
> Challenge with this untidy way is to identify the correct format. For example, if you are interested in only hooking ELF format, there is no special signature within the registered format handler to identify that; however, if one format handler recognizes the file header, its load_binary will return 0. This can give you the hint that you are sitting on top of the correct file format. Long time back I had written a similar module in Linux to do the same, but can't share the code :)
>
> -Rajat
>
> On Thu, Sep 22, 2011 at 3:14 PM, rohan puri <rohan.puri15 at gmail.com> wrote:
>
> On Thu, Sep 22, 2011 at 1:53 PM, Abhijit Pawar <apawar.linux at gmail.com> wrote:
>
> Hi list,
> Is there any way to hook the exec system call on a Linux box apart from replacing the call in the System Call table?
>
> Regards,
> Abhijit Pawar
>
> _______________________________________________
> Kernelnewbies mailing list
> Kernelnewbies at kernelnewbies.org
> <mailto:Kernelnewbies at kernelnewbies.org>
> http://lists.kernelnewbies.org/mailman/listinfo/kernelnewbies
>
> Tidy way : -
>
> You can do that from LSM (Linux security module).
>
> Untidy way : -
> Yes, you can do that by registering a new binary format handler. Whenever exec is called, a list of registered binary format handlers is scanned; in the same way you can hook the load_binary & load_library function pointers of the already registered binary format handlers.
>
> Regards,
> Rohan Puri
>
>
> So if I use the binary format handler, then I can hook the exec call. However, I need to register this. Does that mean that I need to return a negative value so as to have the actual ELF handler be loaded?
>
> Regards,
> Abhijit Pawar
>
> Read this: http://www.linux.it/~rubini/docs/binfmt/binfmt.html. This might help.
>
> Regards,
> Rohan Puri
Thanks Rohan. I tried creating a hooking module along similar lines. I am able to load the module, but whenever I am launching any application, its load_binary is not being called.
Here is the source for the module, attached.
Regards,
Abhijit Pawar
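A user-space model of the handler walk this thread describes, added here as an example (it is not the attached Hook.c and not kernel code; the list, the ELF check and the exec path are simplified assumptions). It shows the two points at issue: a hook's load_binary must answer -ENOEXEC so the walk goes on to the real ELF loader, and a handler appended with register_binfmt sits behind the already-registered ELF loader, which claims the file first, so the hook is never reached; insert_binfmt puts the handler at the head instead (the model assumes the kernel's tail-versus-head behaviour of those two calls at the time of this thread).

```c
/* User-space model of the kernel's binfmt walk (simplified; not kernel code). */
#include <errno.h>
#include <stdio.h>
#include <string.h>

struct binprm { const char *filename; const unsigned char *buf; size_t len; };
struct binfmt { const char *name; int (*load_binary)(struct binprm *); struct binfmt *next; };

static struct binfmt *formats;  /* head of the simulated formats list */
static int hook_calls;          /* times the hook observed an exec */
int last_exec_result;           /* outcome of the last simulated exec */

/* Model of register_binfmt(): append to the tail of the list. */
static void register_binfmt(struct binfmt *f) {
    struct binfmt **p = &formats;
    while (*p) p = &(*p)->next;
    f->next = NULL; *p = f;
}
/* Model of insert_binfmt(): put the handler at the head of the list. */
static void insert_binfmt(struct binfmt *f) { f->next = formats; formats = f; }

/* Stand-in for the real ELF loader: claims the file when the magic matches. */
static int load_elf_binary(struct binprm *b) {
    return (b->len >= 4 && memcmp(b->buf, "\x7f" "ELF", 4) == 0) ? 0 : -ENOEXEC;
}
/* The hook: note the exec, then decline with -ENOEXEC so the walk continues.
 * Returning 0 here would end the search and no real loader would run. */
static int hook_load_binary(struct binprm *b) {
    hook_calls++;
    printf("exec observed: %s\n", b->filename);
    return -ENOEXEC;
}
/* Model of search_binary_handler(): the first handler that does not answer
 * -ENOEXEC decides the outcome (0 = image loaded, <0 = error). */
static int search_binary_handler(struct binprm *b) {
    for (struct binfmt *f = formats; f; f = f->next) {
        int ret = f->load_binary(b);
        if (ret != -ENOEXEC) return ret;
    }
    return -ENOEXEC;
}
static struct binfmt elf_format = { "elf", load_elf_binary, NULL };
static struct binfmt hook_format = { "hook", hook_load_binary, NULL };

/* ELF loader registered first (as in a running kernel), then the hook at the tail
 * or the head; exec a constructed ELF header. Returns how often the hook ran. */
int exec_with_hook(int hook_at_head) {
    static const unsigned char elf_hdr[] = "\x7f" "ELF\x02\x01\x01"; /* constructed */
    struct binprm b = { "/path/to/program (placeholder)", elf_hdr, sizeof elf_hdr - 1 };
    formats = NULL; hook_calls = 0;
    register_binfmt(&elf_format);
    if (hook_at_head) insert_binfmt(&hook_format); else register_binfmt(&hook_format);
    last_exec_result = search_binary_handler(&b);
    return hook_calls;
}
```

With the hook at the tail, exec_with_hook(0) reports 0 hook calls while the image still loads; with insert_binfmt, exec_with_hook(1) reports 1 call and the ELF loader still runs afterwards.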
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Hook.c
Type: text/x-csrc
Size: 1425 bytes
Desc: not available
Url : http://lists.kernelnewbies.org/pipermail/kernelnewbies/attachments/20110923/572dbc71/attachment.bin