From mboxrd@z Thu Jan 1 00:00:00 1970
From: apawar.linux@gmail.com (Abhijit Pawar)
Date: Mon, 26 Sep 2011 12:02:29 +0530
Subject: Hooking exec system call
In-Reply-To:
References: <4E7AF090.6000402@gmail.com> <4E7C4389.7070405@gmail.com> <4E7C4DA2.4040903@gmail.com>
Message-ID: <4E801C7D.2020100@gmail.com>
To: kernelnewbies@lists.kernelnewbies.org
List-Id: kernelnewbies.lists.kernelnewbies.org

On 09/23/2011 03:11 PM, rohan puri wrote:
> On Fri, Sep 23, 2011 at 2:43 PM, Abhijit Pawar wrote:
> > On 09/23/2011 02:04 PM, rohan puri wrote:
> > > On Fri, Sep 23, 2011 at 2:00 PM, Abhijit Pawar wrote:
> > > > On 09/23/2011 01:01 PM, Rajat Sharma wrote:
> > > > > Untidy way : -
> > > > > Yes, you can do that by registering a new binary format handler. Whenever
> > > > > exec is called, a list of registered binary format handlers is scanned; in
> > > > > the same way you can hook the load_binary & load_library function pointers
> > > > > of the already registered binary format handlers.
> > > > >
> > > > > The challenge with this untidy way is to identify the correct format. For
> > > > > example, if you are interested in only hooking the ELF format, there is no
> > > > > special signature within the registered format handler to identify that;
> > > > > however, if one format handler recognizes the file header, its load_binary
> > > > > will return 0. This can give you the hint that you are sitting on top of
> > > > > the correct file format. A long time back I had written a similar module
> > > > > in Linux to do the same, but can't share the code :)
> > > > >
> > > > > -Rajat
> > > > >
> > > > > On Thu, Sep 22, 2011 at 3:14 PM, rohan puri wrote:
> > > > > > On Thu, Sep 22, 2011 at 1:53 PM, Abhijit Pawar wrote:
> > > > > > > hi list,
> > > > > > > Is there any way to hook the exec system call on a Linux box apart from
> > > > > > > replacing the call in the System Call table?
> > > > > > >
> > > > > > > Regards,
> > > > > > > Abhijit Pawar
> > > > > > >
> > > > > > > _______________________________________________
> > > > > > > Kernelnewbies mailing list
> > > > > > > Kernelnewbies at kernelnewbies.org
> > > > > > > http://lists.kernelnewbies.org/mailman/listinfo/kernelnewbies
> > > > > >
> > > > > > Tidy way : -
> > > > > >
> > > > > > You can do that from LSM (Linux security module).
> > > > > >
> > > > > > Untidy way : -
> > > > > > Yes, you can do that by registering a new binary format handler. Whenever
> > > > > > exec is called, a list of registered binary format handlers is scanned; in
> > > > > > the same way you can hook the load_binary & load_library function pointers
> > > > > > of the already registered binary format handlers.
> > > > > >
> > > > > > Regards,
> > > > > > Rohan Puri
> > > >
> > > > So if I use the binary format handler, then I can hook the exec call.
> > > > However, I need to register this. Does that mean that I need to return a
> > > > negative value so as to have the actual ELF handler loaded?
> > > >
> > > > Regards,
> > > > Abhijit Pawar
> > >
> > > Read this, http://www.linux.it/~rubini/docs/binfmt/binfmt.html
> > > this might help
> > >
> > > Regards,
> > > Rohan Puri
> >
> > Thanks Rohan. I tried creating a hooking module on similar lines. I am able
> > to load the module, but whenever I am launching any application, its
> > load_binary is not being called. Here is the source for the module, attached.
> >
> > Regards,
> > Abhijit Pawar
>
> Hi Abhijit,
>
> I have made the change; try to compile and execute this code, it works.
>
> Also, I am just curious to know where you need to do this hooking.
>
> Regards,
> Rohan Puri

Hi Rohan,

I have been looking at the Windows world's ability to support DLL Injection and
API hooking. I was just wondering if this could be something to be done in
Linux as well. I am not sure if there is any special use of this module apart
from learning the binary handler. Maybe it could be used as a security module
for your own binary handler.

Regards,
Abhijit Pawar
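Two points in the thread above come down to the same mechanism: whether a hook handler must return a negative value so the real ELF handler still gets its turn, and why a module that loads fine can have a load_binary that is never called. The following is an added example, not code from this thread or from the module Rohan attached: a user-space C model of how the kernel walks the binfmt list. It assumes the kernel behaviour of that era as I read it from fs/exec.c: search_binary_handler() tries each registered handler in list order and stops at the first one whose load_binary returns something other than -ENOEXEC, register_binfmt() appends a handler to the tail of the list, and insert_binfmt() puts it at the head. The struct and function names mirror the kernel's but are stand-ins, and the ELF and script headers are constructed samples.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Stand-ins for the kernel's struct linux_binprm and struct linux_binfmt
 * (user-space model only; names mirror the kernel but are not its code). */
struct binprm {
    const char *filename;
    const unsigned char *buf;   /* first bytes of the file, like bprm->buf */
    size_t len;
};

struct binfmt {
    const char *name;
    int (*load_binary)(struct binprm *);
    struct binfmt *next;
};

static struct binfmt *formats;      /* the registered-handler list */
static int elf_calls, hook_calls;   /* how often each load_binary ran */

/* The real ELF handler: claims files carrying the ELF magic, declines the rest. */
static int elf_load_binary(struct binprm *bprm)
{
    static const unsigned char magic[4] = { 0x7f, 'E', 'L', 'F' };
    elf_calls++;
    if (bprm->len < sizeof magic || memcmp(bprm->buf, magic, sizeof magic) != 0)
        return -ENOEXEC;            /* not mine: let the next handler look */
    return 0;                       /* image "loaded" (modelled) */
}

/* The observing hook: records the exec and always declines, so the handler
 * that really understands the format still runs after it. Returning 0 here
 * would end the search without any image having been loaded. */
static int hook_load_binary(struct binprm *bprm)
{
    hook_calls++;
    printf("exec observed: %s\n", bprm->filename);
    return -ENOEXEC;
}

/* register_binfmt() appends to the tail; insert_binfmt() puts the handler first. */
static void register_binfmt(struct binfmt *fmt)
{
    struct binfmt **pp = &formats;
    while (*pp)
        pp = &(*pp)->next;
    fmt->next = NULL;
    *pp = fmt;
}

static void insert_binfmt(struct binfmt *fmt)
{
    fmt->next = formats;
    formats = fmt;
}

/* search_binary_handler() in miniature: walk the list and stop at the first
 * handler whose result is not -ENOEXEC. */
static int search_binary_handler(struct binprm *bprm)
{
    struct binfmt *fmt;
    for (fmt = formats; fmt; fmt = fmt->next) {
        int ret = fmt->load_binary(bprm);
        if (ret != -ENOEXEC)
            return ret;
    }
    return -ENOEXEC;
}

static struct binfmt elf_fmt  = { "elf",  elf_load_binary,  NULL };
static struct binfmt hook_fmt = { "hook", hook_load_binary, NULL };

/* Rebuild the list with the ELF handler already present (as it is when a
 * module loads), add the hook at the tail or at the head, and exec one
 * constructed sample. Returns the dispatch result; the counters say whether
 * the hook was ever reached. */
static int run_exec(int hook_at_head, const unsigned char *buf, size_t len)
{
    struct binprm bprm = { "sample", buf, len };
    formats = NULL;
    elf_calls = hook_calls = 0;
    register_binfmt(&elf_fmt);
    if (hook_at_head)
        insert_binfmt(&hook_fmt);
    else
        register_binfmt(&hook_fmt);
    return search_binary_handler(&bprm);
}

static int hook_calls_seen(void) { return hook_calls; }
static int elf_calls_seen(void)  { return elf_calls; }

/* Constructed sample headers: the start of an ELF file and a shell script. */
static const unsigned char elf_hdr[]  = { 0x7f, 'E', 'L', 'F', 2, 1, 1, 0 };
static const unsigned char text_hdr[] = "#!/bin/sh\n";

int main(void)
{
    int ret = run_exec(0, elf_hdr, sizeof elf_hdr);
    printf("hook appended, ELF sample: ret=%d hook_calls=%d elf_calls=%d\n",
           ret, hook_calls_seen(), elf_calls_seen());
    ret = run_exec(1, elf_hdr, sizeof elf_hdr);
    printf("hook at head, ELF sample:  ret=%d hook_calls=%d elf_calls=%d\n",
           ret, hook_calls_seen(), elf_calls_seen());
    ret = run_exec(1, text_hdr, sizeof text_hdr - 1);
    printf("hook at head, script:      ret=%d (-ENOEXEC is %d)\n", ret, -ENOEXEC);
    return 0;
}
```

With the hook appended, an ELF sample never reaches it: the ELF handler sits earlier in the list, returns 0, and the walk stops, which is exactly the "load_binary is not being called" symptom. With the hook at the head it observes every exec and, because it returns -ENOEXEC, the ELF handler still loads the image afterwards; for a file no handler claims, the search ends with -ENOEXEC as before. The model covers dispatch order only, not the module reference held on each handler during the walk or the checks exec performs before the list is consulted, and it says nothing about the tidy route Rohan named first, an LSM hook on the exec path, which observes without touching the handler list at all.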