Hooking exec system call

rohan puri rohan.puri15 at gmail.com
Fri Sep 23 05:41:16 EDT 2011


On Fri, Sep 23, 2011 at 2:43 PM, Abhijit Pawar <apawar.linux at gmail.com> wrote:

> On 09/23/2011 02:04 PM, rohan puri wrote:
>
>> On Fri, Sep 23, 2011 at 2:00 PM, Abhijit Pawar <apawar.linux at gmail.com> wrote:
>>
>>> On 09/23/2011 01:01 PM, Rajat Sharma wrote:
>>>
>>>>> Untidy way:
>>>>> Yes, you can do that by registering a new binary format handler.
>>>>> Whenever exec is called, a list of registered binary format handlers is
>>>>> scanned; in the same way you can hook the load_binary & load_library
>>>>> function pointers of the already registered binary format handlers.
>>>>>
>>>> The challenge with this untidy way is to identify the correct format. For
>>>> example, if you are interested in only hooking the ELF format, there is no
>>>> special signature within the registered format handler to identify
>>>> that; however, if one format handler recognizes the file header, its
>>>> load_binary will return 0. This can give you the hint that you are
>>>> sitting on top of the correct file format. A long time back I had written
>>>> a similar module in Linux to do the same, but can't share the code
>>>> :)
>>>>
>>>> -Rajat
>>>>
>>>> On Thu, Sep 22, 2011 at 3:14 PM, rohan puri <rohan.puri15 at gmail.com> wrote:
>>>>
>>>>> On Thu, Sep 22, 2011 at 1:53 PM, Abhijit Pawar <apawar.linux at gmail.com> wrote:
>>>>>
>>>>>> hi list,
>>>>>> Is there any way to hook the exec system call on a Linux box apart from
>>>>>> replacing the call in the system call table?
>>>>>>
>>>>>> Regards,
>>>>>> Abhijit Pawar
>>>>>>
>>>>>> _______________________________________________
>>>>>> Kernelnewbies mailing list
>>>>>> Kernelnewbies at kernelnewbies.org
>>>>>> http://lists.kernelnewbies.org/mailman/listinfo/kernelnewbies
>>>>>>
>>>>> Tidy way:
>>>>>
>>>>> You can do that from an LSM (Linux security module).
>>>>>
>>>>> Untidy way:
>>>>> Yes, you can do that by registering a new binary format handler.
>>>>> Whenever exec is called, a list of registered binary format handlers is
>>>>> scanned; in the same way you can hook the load_binary & load_library
>>>>> function pointers of the already registered binary format handlers.
>>>>>
>>>>> Regards,
>>>>> Rohan Puri
>>>>>
>>> So if I use the binary format handler, then I can hook the exec call.
>>> However, I need to register this. Does that mean that I need to return a
>>> negative value so as to have the actual ELF handler loaded?
>>>
>>> Regards,
>>> Abhijit Pawar
>>>
>> Read this, http://www.linux.it/~rubini/docs/binfmt/binfmt.html, this
>> might help.
>>
>> Regards,
>> Rohan Puri
>>
> Thanks Rohan. I tried creating a hooking module on similar lines. I am
> able to load the module, but whenever I am launching any application, its
> load_binary is not being called.
> Here is the source for the module, attached.
>
> Regards,
> Abhijit Pawar
>
Hi Abhijit,

I have made the change; try to compile and execute this code, it works.

Also, I am just curious to know where you need to do this hooking.

Regards,
Rohan Puri
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.kernelnewbies.org/pipermail/kernelnewbies/attachments/20110923/e525206b/attachment-0001.html 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Hook.c
Type: text/x-csrc
Size: 1422 bytes
Desc: not available
Url : http://lists.kernelnewbies.org/pipermail/kernelnewbies/attachments/20110923/e525206b/attachment-0001.bin 
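An added illustration for the two questions raised in the thread (whether the hook's load_binary must return a negative value for the real ELF handler to still load, and why a registered handler may never see an exec at all); this is constructed userspace code, not kernel code and not the attached Hook.c. It models the kernel's binfmt list with simplified stand-in structs and assumes the list ordering of register_binfmt() (appends at the tail) and insert_binfmt() (adds at the head):

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Constructed userspace model of the kernel's binfmt handler list, not kernel code.
 * load_binary() returns 0 when it loaded the image, -ENOEXEC when the format is not its own. */
struct binprm { const char *filename; unsigned char buf[4]; };
struct binfmt { int (*load_binary)(struct binprm *); struct binfmt *next; };
static struct binfmt *formats;  /* head of the handler list */
static int hook_calls;          /* execs the hook observed */
static char last_seen[64];      /* filename recorded by the hook */
/* Stand-in for the real ELF loader: accepts only the \x7fELF magic. */
static int load_elf(struct binprm *b)
{
    return memcmp(b->buf, "\x7f" "ELF", 4) == 0 ? 0 : -ENOEXEC;
}
/* Hook: record the exec, then return -ENOEXEC so the scan continues to the real
 * loader. Returning 0 here would end the scan and the ELF loader would never run. */
static int load_hook(struct binprm *b)
{
    hook_calls++;
    snprintf(last_seen, sizeof last_seen, "%s", b->filename);
    return -ENOEXEC;
}
/* register_binfmt() appends at the tail of the list; insert_binfmt() adds at the head. */
static void add_binfmt(struct binfmt *f, int at_head)
{
    struct binfmt **pp = &formats;
    if (!at_head) while (*pp) pp = &(*pp)->next;
    f->next = at_head ? formats : NULL;
    *pp = f;
}
/* Model of search_binary_handler(): the first handler not returning -ENOEXEC decides. */
static int search_binary_handler(struct binprm *b)
{
    int r = -ENOEXEC;
    for (struct binfmt *f = formats; f && r == -ENOEXEC; f = f->next)
        r = f->load_binary(b);
    return r;
}

/* One exec of a constructed ELF image with the hook at the head (1) or tail (0) of the
 * list; returns how many times the hook ran, or -1 if the exec itself failed. */
static struct binfmt elf = { load_elf, NULL }, hook = { load_hook, NULL };
static int run_exec(int hook_at_head)
{
    struct binprm b = { "/bin/true", { 0x7f, 'E', 'L', 'F' } };
    formats = NULL; hook_calls = 0;
    add_binfmt(&elf, 1);
    add_binfmt(&hook, hook_at_head);
    return search_binary_handler(&b) == 0 ? hook_calls : -1;
}
```

A hook appended at the tail sits behind the real ELF loader, which returns 0 first, so the hook's load_binary is never reached for ELF programs; a hook at the head sees every exec and, by returning -ENOEXEC, still lets the real loader run.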

