From mboxrd@z Thu Jan 1 00:00:00 1970
From: apawar.linux@gmail.com (Abhijit Pawar)
Date: Fri, 23 Sep 2011 14:43:06 +0530
Subject: Hooking exec system call
In-Reply-To:
References: <4E7AF090.6000402@gmail.com> <4E7C4389.7070405@gmail.com>
Message-ID: <4E7C4DA2.4040903@gmail.com>
To: kernelnewbies@lists.kernelnewbies.org
List-Id: kernelnewbies.lists.kernelnewbies.org

On 09/23/2011 02:04 PM, rohan puri wrote:
> On Fri, Sep 23, 2011 at 2:00 PM, Abhijit Pawar wrote:
>> On 09/23/2011 01:01 PM, Rajat Sharma wrote:
>>> Untidy way :-
>>> Yes, you can do that by registering a new binary format handler. Whenever
>>> exec is called, a list of registered binary format handlers is scanned, in
>>> the same way you can hook the load_binary & load_library function pointers
>>> of the already registered binary format handlers.
>>>
>>> Challenge with this untidy way is to identify the correct format, for
>>> example if you are interested in only hooking ELF format, there is no
>>> special signature within the registered format handler to identify that,
>>> however if one format handler recognizes the file header, its load_binary
>>> will return 0. This can give you the hint that you are sitting on top of
>>> the correct file format. Long time back I had written a similar module in
>>> Linux to do the same, but can't share the code :)
>>>
>>> -Rajat
>>>
>>> On Thu, Sep 22, 2011 at 3:14 PM, rohan puri wrote:
>>>> On Thu, Sep 22, 2011 at 1:53 PM, Abhijit Pawar wrote:
>>>>> hi list,
>>>>> Is there any way to hook the exec system call on Linux box apart from
>>>>> replacing the call in System Call table?
>>>>>
>>>>> Regards,
>>>>> Abhijit Pawar
>>>>>
>>>>> _______________________________________________
>>>>> Kernelnewbies mailing list
>>>>> Kernelnewbies at kernelnewbies.org
>>>>> http://lists.kernelnewbies.org/mailman/listinfo/kernelnewbies
>>>>
>>>> Tidy way :-
>>>> You can do that from LSM (Linux security module).
>>>>
>>>> Untidy way :-
>>>> Yes, you can do that by registering a new binary format handler. Whenever
>>>> exec is called, a list of registered binary format handlers is scanned, in
>>>> the same way you can hook the load_binary & load_library function pointers
>>>> of the already registered binary format handlers.
>>>>
>>>> Regards,
>>>> Rohan Puri
>>>>
>>>> _______________________________________________
>>>> Kernelnewbies mailing list
>>>> Kernelnewbies at kernelnewbies.org
>>>> http://lists.kernelnewbies.org/mailman/listinfo/kernelnewbies
>>
>> So if I use the binary format handler, then I can hook the exec call.
>> However, I need to register this. Does that mean that I need to return the
>> negative value so as to have the actual ELF handler be loaded?
>>
>> Regards,
>> Abhijit Pawar
>
> Read this, http://www.linux.it/~rubini/docs/binfmt/binfmt.html
> this might help
>
> Regards,
> Rohan Puri

Thanks Rohan. I tried creating a hooking module on similar lines. I am able to
load the module, but whenever I launch any application, its load_binary is not
being called. The source for the module is attached.

Regards,
Abhijit Pawar

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.kernelnewbies.org/pipermail/kernelnewbies/attachments/20110923/572dbc71/attachment.html
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Hook.c
Type: text/x-csrc
Size: 1425 bytes
Desc: not available
Url : http://lists.kernelnewbies.org/pipermail/kernelnewbies/attachments/20110923/572dbc71/attachment.bin
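The binary-format scan that Rohan and Rajat describe, and the "return a negative value so the real ELF handler still loads it" question, as an added user-space model (this is not the Hook.c attached to this mail, and the struct and function names are simplified stand-ins for struct linux_binprm, struct linux_binfmt and search_binary_handler() in fs/exec.c). It registers a pretend ELF handler that accepts only images starting with the ELF magic, adds an observing hook either at the tail of the list (what register_binfmt() does) or at the head (what insert_binfmt() does), and runs one exec through the scan. The hook returns -ENOEXEC so the scan continues to the real handler; returning 0 from the hook would claim the image and nothing else would run. The sample headers are constructed.

```c
/* Added example (not the Hook.c from this thread): a user-space model of the
 * kernel's binary-format scan loop.  The scan calls each registered handler's
 * load_binary in list order; the first one that returns >= 0 wins, -ENOEXEC
 * means "not my format, try the next", any other error aborts the exec. */
#include <errno.h>
#include <stdio.h>
#include <string.h>

#define MAX_FMTS 8

struct binprm {                  /* stand-in for struct linux_binprm */
    const char *filename;
    unsigned char buf[4];        /* first bytes of the file header */
};

struct binfmt {                  /* stand-in for struct linux_binfmt */
    const char *name;
    int (*load_binary)(struct binprm *);
};

static struct binfmt *formats[MAX_FMTS];
static int nformats;
static int hook_calls;           /* how many times the observing hook ran */
static const char *last_loader;  /* name of the handler that accepted the image */

static const unsigned char elf_magic[4]     = { 0x7f, 'E', 'L', 'F' };
static const unsigned char non_elf_magic[4] = { 'M', 'Z', 0, 0 }; /* constructed */

/* Append to the tail of the list, as register_binfmt() does. */
static void register_fmt(struct binfmt *f)
{
    if (nformats < MAX_FMTS)
        formats[nformats++] = f;
}

/* Put at the head of the list, as insert_binfmt() does. */
static void insert_fmt(struct binfmt *f)
{
    if (nformats >= MAX_FMTS)
        return;
    memmove(&formats[1], &formats[0], nformats * sizeof(formats[0]));
    formats[0] = f;
    nformats++;
}

/* The "real" ELF handler: accepts only images whose header is \x7fELF. */
static int elf_load_binary(struct binprm *bprm)
{
    if (memcmp(bprm->buf, elf_magic, 4) != 0)
        return -ENOEXEC;         /* not ours, let the next handler try */
    last_loader = "elf";
    return 0;                    /* image accepted, scan stops here */
}

/* Observing hook: record the exec, then decline so the scan continues. */
static int hook_load_binary(struct binprm *bprm)
{
    hook_calls++;
    printf("exec observed: %s\n", bprm->filename);
    return -ENOEXEC;             /* returning 0 here would swallow the exec */
}

/* Model of search_binary_handler(). */
static int search_binary_handler(struct binprm *bprm)
{
    int retval = -ENOEXEC;
    for (int i = 0; i < nformats; i++) {
        retval = formats[i]->load_binary(bprm);
        if (retval != -ENOEXEC)
            break;               /* accepted (>= 0) or hard error */
    }
    return retval;
}

struct run_result { int status; int hook_calls; const char *loader; };

/* Fresh list with ELF registered first, the hook at the tail or the head,
 * then one exec of an image whose 4-byte header is given. */
struct run_result run_exec(int hook_at_head, const unsigned char magic[4])
{
    static struct binfmt elf  = { "elf",  elf_load_binary };
    static struct binfmt hook = { "hook", hook_load_binary };
    struct binprm bprm = { "/bin/example (constructed path)", { 0 } };
    struct run_result r;

    nformats = 0; hook_calls = 0; last_loader = "";
    register_fmt(&elf);
    if (hook_at_head) insert_fmt(&hook); else register_fmt(&hook);

    memcpy(bprm.buf, magic, 4);
    r.status = search_binary_handler(&bprm);
    r.hook_calls = hook_calls;
    r.loader = last_loader;
    return r;
}

int main(void)
{
    struct run_result r = run_exec(0, elf_magic);
    printf("hook at tail: status=%d hook_calls=%d loader=%s\n", r.status, r.hook_calls, r.loader);
    r = run_exec(1, elf_magic);
    printf("hook at head: status=%d hook_calls=%d loader=%s\n", r.status, r.hook_calls, r.loader);
    r = run_exec(1, non_elf_magic);
    printf("unknown image: status=%d (-ENOEXEC is %d)\n", r.status, -ENOEXEC);
    return 0;
}
```

Build with `gcc -std=c99 -Wall` and run. The first run is the case to watch: with the hook appended behind the ELF handler, the ELF handler returns 0 first and the hook's load_binary is never reached for ELF files, which is one reason a freshly registered handler can appear to never be called. With the hook at the head it sees every exec and, because it returns -ENOEXEC, the real handler still loads the image. Rajat's point about identifying the format also follows from the model: the hook itself cannot tell whether ELF will accept the file; only the return value of the real handler can.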