Hooking exec system call
From: Abhijit Pawar <hidden>
Date: 2011-09-23 09:13:06
On 09/23/2011 02:04 PM, rohan puri wrote:
On Fri, Sep 23, 2011 at 2:00 PM, Abhijit Pawar <apawar.linux@gmail.com> wrote:
On 09/23/2011 01:01 PM, Rajat Sharma wrote:
Untidy way : -
Yes, you can do that by registering a new binary format handler. Whenever exec is called, a list of registered binary format handlers is scanned; in the same way you can hook the load_binary & load_library function pointers of the already registered binary format handlers.
The challenge with this untidy way is to identify the correct format. For example, if you are interested in only hooking the ELF format, there is no special signature within the registered format handler to identify that; however, if one format handler recognizes the file header, its load_binary will return 0. This can give you the hint that you are sitting on top of the correct file format. A long time back I had written a similar module in Linux to do the same, but can't share the code :)
-Rajat
On Thu, Sep 22, 2011 at 3:14 PM, rohan puri <rohan.puri15@gmail.com> wrote:
On Thu, Sep 22, 2011 at 1:53 PM, Abhijit Pawar <apawar.linux@gmail.com> wrote:
hi list,
Is there any way to hook the exec system call on a Linux box apart from replacing the call in the system call table?
Regards,
Abhijit Pawar
_______________________________________________
Kernelnewbies mailing list
Kernelnewbies at kernelnewbies.org
<mailto:Kernelnewbies@kernelnewbies.org>
http://lists.kernelnewbies.org/mailman/listinfo/kernelnewbies
Tidy way : -
You can do that from an LSM (Linux security module).
Untidy way : -
Yes, you can do that by registering a new binary format handler. Whenever exec is called, a list of registered binary format handlers is scanned; in the same way you can hook the load_binary & load_library function pointers of the already registered binary format handlers.
Regards,
Rohan Puri
So if I use the binary format handler, then I can hook the exec call. However, I need to register this. Does that mean that I need to return a negative value so as to have the actual ELF handler loaded?
Regards,
Abhijit Pawar
Read this: http://www.linux.it/~rubini/docs/binfmt/binfmt.html. This might help.
Regards,
Rohan Puri
Thanks Rohan. I tried creating a hooking module along similar lines. I am able to load the module, but whenever I launch any application, its load_binary is not being called. Here is the source for the module, attached.
Regards,
Abhijit Pawar
Attachment: Hook.c (text/x-csrc, 1425 bytes): http://lists.kernelnewbies.org/pipermail/kernelnewbies/attachments/20110923/572dbc71/attachment.bin
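An added example, not code from this thread or from the kernel: a user-space model of the binfmt scan as Rohan and Rajat describe it (handlers tried in list order, a handler that does not recognise the file returns -ENOEXEC, the first other return value ends the scan). It assumes register_binfmt() appends a handler to the list and insert_binfmt() puts it at the head, so a hook that is merely registered sits behind the ELF handler and never sees ELF execs, while a hook at the head must return -ENOEXEC so the real handler still loads the program.

```c
/* Added example (not code from the thread or the kernel): a user-space model
 * of the kernel's binfmt scan, showing why a hook appended after the ELF
 * handler is never reached for ELF files, and why a hook placed ahead of it
 * must return -ENOEXEC so the real handler still loads the program. */
#include <errno.h>
#include <string.h>
struct binprm { const char *filename; unsigned char buf[4]; };
struct binfmt { const char *name; int (*load_binary)(struct binprm *); };
static struct binfmt *formats[8];
static int nformats, hook_calls;   /* hook_calls: times the hook ran */

static int elf_load_binary(struct binprm *bprm)
{   /* model of the real ELF handler: claims only \x7fELF images */
    return memcmp(bprm->buf, "\x7f" "ELF", 4) == 0 ? 0 : -ENOEXEC;
}
static int hook_load_binary(struct binprm *bprm)
{   /* the hook: note the exec, then decline so the next handler is tried */
    (void)bprm;                     /* a real hook would log bprm->filename */
    hook_calls++;
    return -ENOEXEC;
}
/* register_binfmt() appends to the list; insert_binfmt() prepends. */
static void register_binfmt(struct binfmt *f) { formats[nformats++] = f; }
static void insert_binfmt(struct binfmt *f)
{
    memmove(&formats[1], &formats[0], nformats++ * sizeof formats[0]);
    formats[0] = f;
}
/* Model of search_binary_handler(): stop at the first rc other than -ENOEXEC. */
static int search_binary_handler(struct binprm *bprm)
{
    for (int i = 0; i < nformats; i++) {
        int rc = formats[i]->load_binary(bprm);
        if (rc != -ENOEXEC) return rc;
    }
    return -ENOEXEC;
}

/* Exec a constructed ELF image with the hook at the tail (0) or head (1);
 * returns how many times the hook ran, or -1 if the ELF failed to load. */
static int run_exec(int prepend_hook)
{
    static struct binfmt elf = { "elf", elf_load_binary };
    static struct binfmt hook = { "hook", hook_load_binary };
    struct binprm bprm = { "/bin/true", { 0x7f, 'E', 'L', 'F' } };
    nformats = hook_calls = 0;
    register_binfmt(&elf);
    if (prepend_hook) insert_binfmt(&hook); else register_binfmt(&hook);
    return search_binary_handler(&bprm) == 0 ? hook_calls : -1;
}
```

With the hook appended, run_exec(0) returns 0 (the ELF handler claims the file first); with the hook at the head, run_exec(1) returns 1 and the program still loads.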