From: apawar.linux@gmail.com (Abhijit Pawar)
Date: Fri, 23 Sep 2011 14:00:01 +0530
Subject: Hooking exec system call
In-Reply-To:
References: <4E7AF090.6000402@gmail.com>
Message-ID: <4E7C4389.7070405@gmail.com>
To: kernelnewbies@lists.kernelnewbies.org
List-Id: kernelnewbies.lists.kernelnewbies.org

On 09/23/2011 01:01 PM, Rajat Sharma wrote:
>> Untidy way : -
>> Yes, you can do that by registering a new binary format handler. Whenever
>> exec is called, a list of registered binary format handlers is scanned, in
>> the same way you can hook the load_binary & load_library function pointers
>> of the already registered binary format handlers.
> Challenge with this untidy way is to identify the correct format, for
> example if you are interested in only hooking ELF format, there is no
> special signature within the registered format handler to identify
> that, however if one format handler recognizes the file header, its
> load_binary will return 0. This can give you the hint that you are
> sitting on top of the correct file format. Long time back I had written
> a similar module in Linux to do the same, but can't share the code
> :)
>
> -Rajat
>
> On Thu, Sep 22, 2011 at 3:14 PM, rohan puri wrote:
>>
>> On Thu, Sep 22, 2011 at 1:53 PM, Abhijit Pawar wrote:
>>> hi list,
>>> Is there any way to hook the exec system call on Linux box apart from
>>> replacing the call in System Call table?
>>>
>>> Regards,
>>> Abhijit Pawar
>>>
>>> _______________________________________________
>>> Kernelnewbies mailing list
>>> Kernelnewbies at kernelnewbies.org
>>> http://lists.kernelnewbies.org/mailman/listinfo/kernelnewbies
>>
>> Tidy way : -
>>
>> You can do that from LSM (Linux security module).
>>
>> Untidy way : -
>> Yes, you can do that by registering a new binary format handler. Whenever
>> exec is called, a list of registered binary format handlers is scanned, in
>> the same way you can hook the load_binary & load_library function pointers
>> of the already registered binary format handlers.
>>
>> Regards,
>> Rohan Puri
>>

So if I use the binary format handler, then I can hook the exec call. However, I need to register this. Does that mean that I need to return a negative value so as to have the actual ELF handler be loaded?

Regards,
Abhijit Pawar
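The handler-list scan the thread is describing, as an added userspace model; this is not kernel code and not the module anyone in the thread wrote. The names mirror struct linux_binfmt, load_binary, register_binfmt(), insert_binfmt() and search_binary_handler() from fs/exec.c, but everything below is a plain C program over constructed file headers, so it compiles and runs without a kernel tree. It shows the two things the question turns on: the hook returns -ENOEXEC ("not my format") so the scan continues to the real ELF loader, and where the hook sits in the list decides which execs it ever sees.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 4   /* the kernel keeps the first BINPRM_BUF_SIZE (128) bytes */

/* Stand-in for the kernel's struct linux_binprm: the handlers below only
 * need the file name and the leading bytes of the file. */
struct binprm {
    const char *filename;
    unsigned char buf[BUF_SIZE];
    size_t len;
};

/* Stand-in for struct linux_binfmt (no module refcount, no core_dump). */
struct binfmt {
    const char *name;
    int (*load_binary)(struct binprm *bprm);
    struct binfmt *next;
};

static struct binfmt *formats;   /* the handler list, scanned in order */

/* register_binfmt() appends at the tail, insert_binfmt() at the head,
 * matching the two kernel helpers. */
static void register_binfmt(struct binfmt *fmt)
{
    struct binfmt **pp = &formats;
    while (*pp)
        pp = &(*pp)->next;
    fmt->next = NULL;
    *pp = fmt;
}

static void insert_binfmt(struct binfmt *fmt)
{
    fmt->next = formats;
    formats = fmt;
}

/* The loop from search_binary_handler(): -ENOEXEC means "not my format,
 * try the next one"; any other value ends the scan and becomes the
 * result of execve(). */
static int search_binary_handler(struct binprm *bprm)
{
    struct binfmt *f;
    for (f = formats; f; f = f->next) {
        int ret = f->load_binary(bprm);
        if (ret != -ENOEXEC)
            return ret;
    }
    return -ENOEXEC;
}

/* Stand-in for binfmt_elf's load_binary: accept only files with ELF magic. */
static int elf_load_binary(struct binprm *bprm)
{
    static const unsigned char elf_magic[4] = { 0x7f, 'E', 'L', 'F' };
    if (bprm->len < 4 || memcmp(bprm->buf, elf_magic, 4) != 0)
        return -ENOEXEC;
    return 0;   /* the real loader would map the image here */
}

/* The hook from the thread: see the exec, record it, then yield with
 * -ENOEXEC so the real handler still loads the binary. */
static int hook_calls;
static char hook_last[64];

static int hook_load_binary(struct binprm *bprm)
{
    hook_calls++;
    snprintf(hook_last, sizeof hook_last, "%s", bprm->filename);
    return -ENOEXEC;
}

static struct binfmt elf_fmt  = { "elf",  elf_load_binary,  NULL };
static struct binfmt hook_fmt = { "hook", hook_load_binary, NULL };

/* Build the list as a module would and run one exec of a file whose first
 * bytes are 'head'.  Returns what execve() would return. */
int run_exec(const char *filename, const unsigned char *head, size_t len,
             int hook_at_head)
{
    struct binprm bprm;
    formats = NULL;
    hook_calls = 0;
    hook_last[0] = '\0';
    register_binfmt(&elf_fmt);
    if (hook_at_head)
        insert_binfmt(&hook_fmt);
    else
        register_binfmt(&hook_fmt);

    bprm.filename = filename;
    bprm.len = len < BUF_SIZE ? len : BUF_SIZE;
    memset(bprm.buf, 0, sizeof bprm.buf);
    memcpy(bprm.buf, head, bprm.len);
    return search_binary_handler(&bprm);
}

int hook_call_count(void) { return hook_calls; }
const char *hook_last_file(void) { return hook_last; }

int main(void)
{
    /* Constructed sample headers, not read from real files. */
    static const unsigned char elf_head[4]    = { 0x7f, 'E', 'L', 'F' };
    static const unsigned char script_head[4] = { '#', '!', '/', 'b' };
    int ret;

    ret = run_exec("/bin/ls", elf_head, 4, 1);
    printf("hook at head, ELF:    ret=%d hook_calls=%d last=%s\n",
           ret, hook_call_count(), hook_last_file());
    ret = run_exec("/bin/ls", elf_head, 4, 0);
    printf("hook at tail, ELF:    ret=%d hook_calls=%d\n", ret, hook_call_count());
    ret = run_exec("/tmp/x.sh", script_head, 4, 0);
    printf("hook at tail, script: ret=%d hook_calls=%d\n", ret, hook_call_count());
    return 0;
}
```

Two points to carry over to a real module (the real struct is struct linux_binfmt with .module = THIS_MODULE and .load_binary, registered with register_binfmt() and removed with unregister_binfmt(); the exact load_binary signature varies between kernel versions, so check your tree). First, returning -ENOEXEC is what lets the scan continue to binfmt_elf; returning any other error stops the scan and that errno is what the caller of execve() gets, which is how such a handler turns into an exec blocker. Second, register_binfmt() appends at the tail, so a hook registered that way only ever sees files every earlier handler rejected, exactly the "hook at tail, ELF" case above where the hook is never called; to observe ELF execs the handler has to sit ahead of binfmt_elf, which is what insert_binfmt() does. That positional game, and the fact that the hook gets no signal about which later handler accepted the file, is why the thread calls this the untidy way and points at the LSM bprm hooks for the tidy one.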