Thread: 15 messages, 5 authors, 2011-09-26

Hooking exec system call

From: rohan puri <hidden>
Date: 2011-09-23 08:34:06

On Fri, Sep 23, 2011 at 2:00 PM, Abhijit Pawar [off-list ref] wrote:
On 09/23/2011 01:01 PM, Rajat Sharma wrote:
Untidy way : -
Yes, you can do that by registering a new binary format handler. Whenever
exec is called, a list of registered binary format handlers is scanned; in
the same way you can hook the load_binary & load_library function pointers
of the already registered binary format handlers.
The challenge with this untidy way is to identify the correct format. For
example, if you are interested in only hooking the ELF format, there is no
special signature within the registered format handler to identify
that; however, if one format handler recognizes the file header, its
load_binary will return 0. This can give you the hint that you are
sitting on top of the correct file format. A long time back I wrote
a similar module in Linux to do the same, but can't share the code
:)

-Rajat

On Thu, Sep 22, 2011 at 3:14 PM, rohan puri [off-list ref] wrote:
On Thu, Sep 22, 2011 at 1:53 PM, Abhijit Pawar [off-list ref] wrote:
Hi list,
Is there any way to hook the exec system call on a Linux box apart from
replacing the call in the system call table?

Regards,
Abhijit Pawar

_______________________________________________
Kernelnewbies mailing list
Kernelnewbies at kernelnewbies.org [off-list ref]
http://lists.kernelnewbies.org/mailman/listinfo/kernelnewbies
Tidy way : -

You can do that from LSM (Linux security module).

Untidy way : -
Yes, you can do that by registering a new binary format handler. Whenever
exec is called, a list of registered binary format handlers is scanned; in
the same way you can hook the load_binary & load_library function pointers
of the already registered binary format handlers.

Regards,
Rohan Puri



So if I use the binary format handler, then I can hook the exec call.
However, I need to register this. Does that mean that I need to return a
negative value so as to have the actual ELF handler loaded?

Regards,
Abhijit Pawar

Read this: http://www.linux.it/~rubini/docs/binfmt/binfmt.html . It might
help.

Regards,
Rohan Puri