Thread: 15 messages, 5 authors, 2011-09-26

Hooking exec system call

From: rohan puri <hidden>
Date: 2011-09-26 07:27:35

On Mon, Sep 26, 2011 at 12:29 PM, Abhijit Pawar wrote:
On 09/26/2011 12:26 PM, rohan puri wrote:
On Mon, Sep 26, 2011 at 12:02 PM, Abhijit Pawar wrote:
On 09/23/2011 03:11 PM, rohan puri wrote:
On Fri, Sep 23, 2011 at 2:43 PM, Abhijit Pawar wrote:
On 09/23/2011 02:04 PM, rohan puri wrote:
On Fri, Sep 23, 2011 at 2:00 PM, Abhijit Pawar wrote:
On 09/23/2011 01:01 PM, Rajat Sharma wrote:
Untidy way:
Yes, you can do that by registering a new binary format handler. Whenever exec is called, a list of registered binary format handlers is scanned; in the same way you can hook the load_binary & load_library function pointers of the already registered binary format handlers.

The challenge with this untidy way is to identify the correct format. For example, if you are interested in only hooking the ELF format, there is no special signature within the registered format handler to identify that; however, if one format handler recognizes the file header, its load_binary will return 0. This can give you the hint that you are sitting on top of the correct file format. A long time back I had written a similar module in Linux to do the same, but can't share the code :)

-Rajat

On Thu, Sep 22, 2011 at 3:14 PM, rohan puri wrote:
On Thu, Sep 22, 2011 at 1:53 PM, Abhijit Pawar <apawar.linux@gmail.com> wrote:
Hi list,
Is there any way to hook the exec system call on a Linux box apart from replacing the call in the system call table?

Regards,
Abhijit Pawar

_______________________________________________
Kernelnewbies mailing list
Kernelnewbies at kernelnewbies.org
http://lists.kernelnewbies.org/mailman/listinfo/kernelnewbies
Tidy way:

You can do that from LSM (Linux Security Module).

Untidy way:
Yes, you can do that by registering a new binary format handler. Whenever exec is called, a list of registered binary format handlers is scanned; in the same way you can hook the load_binary & load_library function pointers of the already registered binary format handlers.

Regards,
Rohan Puri



So if I use the binary format handler, then I can hook the exec call. However, I need to register this. Does that mean that I need to return a negative value so as to have the actual ELF handler loaded?

Regards,
 Abhijit Pawar
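A userspace model of the handler scan Rajat describes and of the return-value question above, added here as an illustration; it is not code from the thread or from the kernel. The names struct binfmt and search_binary_handler mirror the kernel's, but the bodies, the -ENOEXEC / 0 / other-error convention as modelled, the constructed allowed-path policy (the whitelisting use-case) and the sample headers are assumptions; in the real kernel the scan order depends on how the format is registered.

```c
#include <errno.h>
#include <string.h>

/* One registered format, modelled on struct linux_binfmt: load_binary
 * returns 0 when it loaded the file, -ENOEXEC when the file is not its
 * format, or another negative errno to abort the exec outright. */
struct binfmt {
    const char *name;
    int (*load_binary)(const char *filename, const unsigned char *hdr, size_t len);
};

/* Stand-in for the real ELF loader: claims only files starting 0x7f 'E' 'L' 'F'.
 * The literal is split because "\x7fELF" would swallow the 'E' into the escape. */
static int elf_load(const char *filename, const unsigned char *hdr, size_t len)
{
    (void)filename;
    if (len < 4 || memcmp(hdr, "\x7f" "ELF", 4) != 0)
        return -ENOEXEC;   /* not ours: the scan moves on to the next format */
    return 0;              /* "loaded" */
}

/* The hook from the thread, placed ahead of ELF so it sees every exec.
 * It answers -ENOEXEC so the genuine loader still runs; as the whitelisting
 * use-case, it refuses binaries outside ALLOWED_PREFIX (a constructed policy). */
#define ALLOWED_PREFIX "/usr/bin/"
static int hook_load(const char *filename, const unsigned char *hdr, size_t len)
{
    (void)hdr; (void)len;
    if (strncmp(filename, ALLOWED_PREFIX, strlen(ALLOWED_PREFIX)) != 0)
        return -EACCES;    /* any error other than -ENOEXEC stops the scan */
    return -ENOEXEC;       /* observed; fall through to the real handler */
}

/* Model of the kernel's search_binary_handler(): try the formats in list
 * order and stop at the first one that does not answer -ENOEXEC.
 * *which receives the index of the format that ended the scan, or -1. */
static const struct binfmt formats[] = {
    { "exec-hook", hook_load },   /* consulted first */
    { "elf",       elf_load  },
};
int search_binary_handler(const char *filename, const unsigned char *hdr,
                          size_t len, int *which)
{
    for (int i = 0; i < (int)(sizeof formats / sizeof formats[0]); i++) {
        int ret = formats[i].load_binary(filename, hdr, len);
        if (ret != -ENOEXEC) { *which = i; return ret; }
    }
    *which = -1;
    return -ENOEXEC;       /* nobody recognised the file */
}
```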

Read this: http://www.linux.it/~rubini/docs/binfmt/binfmt.html. It might help.

Regards,
Rohan Puri

Thanks Rohan. I tried creating a hooking module along similar lines. I am able to load the module, but whenever I launch any application, its load_binary is not being called.
Here is the source for the module, attached.

Regards,
 Abhijit Pawar

Hi Abhijit,

I have made the change; try to compile and execute this code, it works.

Also, I am just curious to know where you need to do this hooking.

Regards,
Rohan Puri

 Hi Rohan,
I have been looking at the Windows world's ability to support DLL injection and API hooking. I was just wondering if this could be something to be done in Linux as well. I am not sure if there is any special use of this module apart from learning the binary handler. Maybe it could be used as a security module for your own binary handler.

Regards,
 Abhijit Pawar
Hi Abhijit,

I am not familiar with Windows. A special use-case of this hacking is security companies' whitelisting software solutions, where they want to control execution of only authorized binaries on the system and deny the execution of others.

This approach is untidy, though, since there are LSM hooks available in the Linux kernel which need to be made use of for doing this.

Regards,
Rohan Puri

Hi Rohan,
Yes, this is a backdoor approach and I agree with you. I am learning more on LSM and their APIs so as to get insight into what goes on internally. Maybe you can refer me to some details as well.

Thanks for all of your help on this.

Regards,
Abhijit Pawar
Hi Abhijit,

There is one whitepaper on LSM available on the internet by Greg Kroah-Hartman and others; it's good to start with.

Also, I am keen to know whether all these things you are studying are part of any project or just for knowledge.

Regards,
Rohan Puri