Hooking exec system call

rohan puri rohan.puri15 at gmail.com
Mon Sep 26 03:32:43 EDT 2011


On Mon, Sep 26, 2011 at 1:00 PM, Abhijit Pawar <apawar.linux at gmail.com>wrote:

>  On 09/26/2011 12:57 PM, rohan puri wrote:
>
>
>
> On Mon, Sep 26, 2011 at 12:29 PM, Abhijit Pawar <apawar.linux at gmail.com>wrote:
>
>>   On 09/26/2011 12:26 PM, rohan puri wrote:
>>
>>
>>
>> On Mon, Sep 26, 2011 at 12:02 PM, Abhijit Pawar <apawar.linux at gmail.com>wrote:
>>
>>>   On 09/23/2011 03:11 PM, rohan puri wrote:
>>>
>>>
>>>
>>> On Fri, Sep 23, 2011 at 2:43 PM, Abhijit Pawar <apawar.linux at gmail.com>wrote:
>>>
>>>>   On 09/23/2011 02:04 PM, rohan puri wrote:
>>>>
>>>>
>>>>
>>>> On Fri, Sep 23, 2011 at 2:00 PM, Abhijit Pawar <apawar.linux at gmail.com>wrote:
>>>>
>>>>>  On 09/23/2011 01:01 PM, Rajat Sharma wrote:
>>>>>
>>>>>>  Untidy way : -
>>>>>>> Yes, you can do that by registering a new binary format handler.
>>>>>>> Whenever
>>>>>>> exec is called, a list of registered binary format handlers is
>>>>>>> scanned, in
>>>>>>> the same way you can hook the load_binary&  load_library function
>>>>>>> pointers
>>>>>>> of the already registered binary format handlers.
>>>>>>>
>>>>>> Challenge with this untidy way is to identify the correct format, for
>>>>>> example if you are interested in only hooking ELF format, there is no
>>>>>> special signature withing the registered format handler to identify
>>>>>> that, however if one format handler recognizes the file header, its
>>>>>> load_binary will return 0. This can give you the hint that you are
>>>>>> sitting on top of correct file format. Long time back I had written
>>>>>> the similar module in Linux to do the same, but can't share the code
>>>>>> :)
>>>>>>
>>>>>> -Rajat
>>>>>>
>>>>>> On Thu, Sep 22, 2011 at 3:14 PM, rohan puri<rohan.puri15 at gmail.com>
>>>>>>  wrote:
>>>>>>
>>>>>>>
>>>>>>> On Thu, Sep 22, 2011 at 1:53 PM, Abhijit Pawar<
>>>>>>> apawar.linux at gmail.com>
>>>>>>> wrote:
>>>>>>>
>>>>>>>> hi list,
>>>>>>>> Is there any way to hook the exec system call on Linux box apart
>>>>>>>> from
>>>>>>>> replacing the call in System Call table?
>>>>>>>>
>>>>>>>> Regards,
>>>>>>>> Abhijit Pawar
>>>>>>>>
>>>>>>>> _______________________________________________
>>>>>>>> Kernelnewbies mailing list
>>>>>>>> Kernelnewbies at kernelnewbies.org
>>>>>>>> http://lists.kernelnewbies.org/mailman/listinfo/kernelnewbies
>>>>>>>>
>>>>>>> Tidy way : -
>>>>>>>
>>>>>>> You can do that from LSM (Linux security module).
>>>>>>>
>>>>>>> Untidy way : -
>>>>>>> Yes, you can do that by registering a new binary format handler.
>>>>>>> Whenever
>>>>>>> exec is called, a list of registered binary format handlers is
>>>>>>> scanned, in
>>>>>>> the same way you can hook the load_binary&  load_library function
>>>>>>> pointers
>>>>>>> of the already registered binary format handlers.
>>>>>>>
>>>>>>> Regards,
>>>>>>> Rohan Puri
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> Kernelnewbies mailing list
>>>>>>> Kernelnewbies at kernelnewbies.org
>>>>>>> http://lists.kernelnewbies.org/mailman/listinfo/kernelnewbies
>>>>>>>
>>>>>>>
>>>>>>>   So If I use the binary format handler, then I can hook the exec
>>>>> call. however I need to register this. Does that mean that I need to return
>>>>> the negative value so as to have actual ELF handler to be loaded?
>>>>>
>>>>> Regards,
>>>>>  Abhijit Pawar
>>>>>
>>>>>  Read this, http://www.linux.it/~rubini/docs/binfmt/binfmt.html this
>>>> might help
>>>>
>>>> Regards,
>>>> Rohan Puri
>>>>
>>>>  Thanks Rohan. I tried creating a hooking module on the similar line. I
>>>> am able to load the module but whenever I am launching any application , its
>>>> load_binary is not being called.
>>>> here is the source for the module attached.
>>>>
>>>> Regards,
>>>>  Abhijit Pawar
>>>>
>>>>
>>>>
>>> Hi Abhijit,
>>>
>>> I have made the change, try to compile and execute this code, it works.
>>>
>>> Also, I am just curious enough to know that where do you need to do this
>>> hooking.
>>>
>>> Regards,
>>> Rohan Puri
>>>
>>>  Hi Rohan,
>>> I have been looking at Windows worlds ability to support DLL Injection
>>> and API hooking. I was just wondering if this could be something to be done
>>> in Linux as well.  I am not sure if there is any special use of this module
>>> apart from learning the binary handler. May be it could be used as a
>>> security module for your own binary handler.
>>>
>>> Regards,
>>>  Abhijit Pawar
>>>
>>
>> Hi Abhijit,
>>
>> I am not familiar with windows. Special use-case of this hacking is for
>> security companies whitelisting software solutions, where they want to
>> control execution of only authorized binaries on the system and deny the
>> execution of others.
>>
>>
>> Although this approach is untidy, since there is available LSM hooks in
>> linux kernel which needs to be made use of for doing this.
>>
>> Regards,
>> Rohan Puri
>>
>>  Hi Rohan,
>> Yes, this is a backdoor approach and I agree with you. I am learning more
>> on LSM and their APIs so as to get insight into what goes on internally. May
>> be you can refer me to some details as well.
>>
>> Thanks for all of your help on this.
>>
>> Regards,
>>  Abhijit Pawar
>>
>
> Hi Abhijit,
>
> There is one whitepaper of lsm available on internet by Greg Kroah-Hartman
> and others, its good to start with.
>
>
> Also, I am keen to now, do all these things you are studying are part of
> any project or just for knowledge.
>
> Regards,
> Rohan Puri
>
> Thanks Rohan. I will take a look at this paper. I am learning LSM and
> hooking for Windows and its counterpart in Linux. this is purely for getting
> knowledge but it would be good if i can do something with this may be in
> future. :) .
>
> Regards,
> Abhijit Pawar
>

Cool!!!

Regards,
Rohan Puri
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.kernelnewbies.org/pipermail/kernelnewbies/attachments/20110926/70a7c681/attachment.html 


More information about the Kernelnewbies mailing list