* Hooking exec system call
@ 2011-09-22  8:23 Abhijit Pawar
From: Abhijit Pawar @ 2011-09-22  8:23 UTC (permalink / raw)
  To: kernelnewbies

hi list,
Is there any way to hook the exec system call on a Linux box apart from 
replacing the call in the system call table?

Regards,
Abhijit Pawar


* Hooking exec system call
From: Christophe Hauser @ 2011-09-22  8:50 UTC (permalink / raw)
  To: kernelnewbies


On Thu, Sep 22, 2011 at 01:53:44PM +0530, Abhijit Pawar wrote:
> hi list,
> Is there any way to hook the exec system call on Linux box apart from 
> replacing the call in System Call table?
> 
> Regards,
> Abhijit Pawar

 
Hi,

You can do that with LSM (CONFIG_SECURITY) using the bprm_set_creds hook (see
include/linux/security.h).

-- 
Christophe

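The LSM route, as an added example that is not code from the thread or from the kernel tree. The bprm_set_creds hook named above existed when this was written and has since been split into bprm_creds_for_exec and bprm_creds_from_file; bprm_check_security, the hook meant for an allow/deny decision on the file about to be executed, has kept its name and is what this example uses. The policy is separated from the kernel glue so that it compiles and runs in user space; the glue under #ifdef __KERNEL__ is written against the 5.1 to 6.7 LSM registration API (security_add_hooks and DEFINE_LSM; 6.8 added a struct lsm_id argument), has to be built into the kernel rather than loaded as a module, and is enabled with lsm=...,exechook on the kernel command line. The name exechook, the trusted_prefixes list and the sample paths are assumptions made for the example.

```c
/* Added example, not code from the thread or the kernel tree: a minimal LSM
 * gating execve() with a path allowlist. The policy is plain C so it compiles
 * and runs in user space; the glue under #ifdef __KERNEL__ uses the 5.1..6.7
 * LSM API, must be built in (not a module) and enabled with lsm=...,exechook. */
#ifdef __KERNEL__
#include <linux/binfmts.h>
#include <linux/cred.h>
#include <linux/dcache.h>
#include <linux/err.h>
#include <linux/limits.h>
#include <linux/lsm_hooks.h>
#include <linux/slab.h>
#include <linux/string.h>
#include <linux/uidgid.h>
#else
#include <errno.h>
#include <stdio.h>
#include <string.h>
#endif

/* Constructed sample policy: unprivileged users may only run files under these
 * directories, which must not be writable by them. */
static const char *const trusted_prefixes[] = {
	"/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/",
	"/usr/lib/", "/usr/libexec/", "/opt/approved/",
};

/* 0 allows the exec, -EPERM denies it. @path must be the canonical d_path()
 * form of bprm->file, never the user-supplied filename, which may be relative
 * or a symlink into an untrusted directory. */
static int exec_policy_check(const char *path, unsigned int uid)
{
	size_t i;
	if (uid == 0)
		return 0;			/* root is exempt in this sample */
	if (!path || path[0] != '/')
		return -EPERM;
	/* d_path() tags unlinked files, including memfd-backed images that a
	 * fileless loader would exec ("/memfd:x (deleted)"). */
	if (strstr(path, " (deleted)"))
		return -EPERM;
	for (i = 0; i < sizeof(trusted_prefixes) / sizeof(trusted_prefixes[0]); i++) {
		size_t n = strlen(trusted_prefixes[i]);
		if (strncmp(path, trusted_prefixes[i], n) == 0 && path[n] != '\0')
			return 0;
	}
	return -EPERM;
}

#ifdef __KERNEL__
/* Runs from search_binary_handler() on every pass: for a "#!" script the
 * interpreter is checked on the second pass after binfmt_script swaps bprm->file. */
static int exechook_bprm_check_security(struct linux_binprm *bprm)
{
	unsigned int uid = from_kuid(&init_user_ns, current_uid());
	char *buf, *path;
	int rc;

	buf = kmalloc(PATH_MAX, GFP_KERNEL);
	if (!buf)
		return -ENOMEM;
	path = d_path(&bprm->file->f_path, buf, PATH_MAX);
	if (IS_ERR(path)) {
		kfree(buf);
		return PTR_ERR(path);
	}
	rc = exec_policy_check(path, uid);
	if (rc)
		pr_notice_ratelimited("exechook: denied exec of %s by uid %u\n", path, uid);
	kfree(buf);
	return rc;
}

static struct security_hook_list exechook_hooks[] __ro_after_init = {
	LSM_HOOK_INIT(bprm_check_security, exechook_bprm_check_security),
};

static int __init exechook_init(void)
{
	security_add_hooks(exechook_hooks, ARRAY_SIZE(exechook_hooks), "exechook");
	return 0;
}

DEFINE_LSM(exechook) = {
	.name = "exechook",
	.init = exechook_init,
};
#else
/* User-space driver: the decisions the hook would make for uid 1000. */
int main(void)
{
	const char *samples[] = { "/usr/bin/id", "/tmp/dropper", "/memfd:x (deleted)", "/home/dev/tool" };
	size_t i;
	for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
		printf("exec %-20s -> %s\n", samples[i], exec_policy_check(samples[i], 1000) ? "deny" : "allow");
	return 0;
}
#endif
```

Two points the policy relies on: it checks the canonical d_path() of bprm->file rather than the path the caller handed to execve(), so relative paths and symlinks into /tmp do not get around it; and an allowlist keyed on the executable's path still leaves interpreters: `python3 /tmp/x.py` executes /usr/bin/python3, which this policy allows, and the script itself never reaches this hook.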

* Hooking exec system call
From: rohan puri @ 2011-09-22  9:44 UTC (permalink / raw)
  To: kernelnewbies

On Thu, Sep 22, 2011 at 1:53 PM, Abhijit Pawar <apawar.linux@gmail.com> wrote:

> hi list,
> Is there any way to hook the exec system call on Linux box apart from
> replacing the call in System Call table?
>
> Regards,
> Abhijit Pawar
>

Tidy way:

You can do that from an LSM (Linux security module).

Untidy way:
Yes, you can do that by registering a new binary format handler. Whenever
exec is called, the list of registered binary format handlers is scanned; in
the same way you can hook the load_binary & load_library function pointers
of the already registered binary format handlers.

Regards,
Rohan Puri


* Hooking exec system call
From: Mulyadi Santosa @ 2011-09-22 16:57 UTC (permalink / raw)
  To: kernelnewbies

On Thu, Sep 22, 2011 at 15:23, Abhijit Pawar <apawar.linux@gmail.com> wrote:
> hi list,
> Is there any way to hook the exec system call on Linux box apart from
> replacing the call in System Call table?

Try SystemTap....

-- 
regards,

Mulyadi Santosa
Freelance Linux trainer and consultant

blog: the-hydra.blogspot.com
training: mulyaditraining.blogspot.com


* Hooking exec system call
From: Rajat Sharma @ 2011-09-23  7:31 UTC (permalink / raw)
  To: kernelnewbies

> Untidy way : -
> Yes, you can do that by registering a new binary format handler. Whenever
> exec is called, a list of registered binary format handlers is scanned, in
> the same way you can hook the load_binary & load_library function pointers
> of the already registered binary format handlers.

The challenge with this untidy way is to identify the correct format; for
example, if you are interested in only hooking the ELF format, there is no
special signature within the registered format handler to identify
that. However, if one format handler recognizes the file header, its
load_binary will return 0. This can give you the hint that you are
sitting on top of the correct file format. A long time back I had written
a similar module in Linux to do the same, but can't share the code
:)

-Rajat



* Hooking exec system call
From: Abhijit Pawar @ 2011-09-23  8:30 UTC (permalink / raw)
  To: kernelnewbies

On 09/23/2011 01:01 PM, Rajat Sharma wrote:
>> Untidy way : -
>> Yes, you can do that by registering a new binary format handler. Whenever
>> exec is called, a list of registered binary format handlers is scanned, in
>> the same way you can hook the load_binary&  load_library function pointers
>> of the already registered binary format handlers.
> Challenge with this untidy way is to identify the correct format, for
> example if you are interested in only hooking ELF format, there is no
> special signature withing the registered format handler to identify
> that, however if one format handler recognizes the file header, its
> load_binary will return 0. This can give you the hint that you are
> sitting on top of correct file format. Long time back I had written
> the similar module in Linux to do the same, but can't share the code
> :)
>
> -Rajat
>
So if I use the binary format handler, then I can hook the exec call. 
However, I need to register this. Does that mean that I need to return 
a negative value so as to have the actual ELF handler be loaded?

Regards,
Abhijit Pawar

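The binary-format route, as an added example that is not code from the thread or from the kernel: a user-space model of the handler list that search_binary_handler() in fs/exec.c walks, built to show the contract behind Rajat's remark that a handler which recognizes the header returns 0, and to answer the question just above. Each load_binary() either returns 0 (or a positive value) to claim the file, which ends the search; returns -ENOEXEC to say "not my format", so the next entry is tried; or returns any other negative value, which aborts the execve() with that error. A hook therefore declines with -ENOEXEC when it wants the real ELF handler to run, and returns something like -EPERM when it wants to block. Order matters too: register_binfmt() appends to the tail of the list, so a hook registered that way sits behind binfmt_elf and is never reached for ELF files, because binfmt_elf has already returned 0; insert_binfmt() puts an entry at the head, which is what a hook needs. The struct names, the "/tmp/" veto rule and the sample header are constructed for the example.

```c
/* Added example, not code from the thread or the kernel tree: a user-space model
 * of fs/exec.c search_binary_handler() to exercise the contract a hook format
 * must follow. Build: cc -std=c99 -Wall binfmt_model.c */
#include <elf.h>
#include <errno.h>
#include <stdio.h>
#include <string.h>

struct binprm {			/* stand-in for struct linux_binprm */
	const char *filename;
	unsigned char buf[128];	/* linux_binprm.buf held 128 header bytes then */
};

struct binfmt {			/* stand-in for struct linux_binfmt */
	const char *name;
	int (*load_binary)(struct binprm *);
	struct binfmt *next;
};

static struct binfmt *formats;	/* the kernel's global list of the same name */
static unsigned int hook_calls;	/* how often the hook was consulted in one exec */

/* register_binfmt() appends; insert_binfmt() puts the entry at the head, ahead
 * of binfmt_elf. Only a head entry gets to see every exec. */
static void register_binfmt(struct binfmt *fmt, int at_head)
{
	struct binfmt **pp = &formats;
	if (!at_head)
		while (*pp)
			pp = &(*pp)->next;
	fmt->next = *pp;
	*pp = fmt;
}

/* binfmt_elf's recognition steps; e_ident and e_type sit at the same offsets in
 * Elf32_Ehdr and Elf64_Ehdr, so one header type covers both classes. */
static int elf_load_binary(struct binprm *bprm)
{
	Elf64_Ehdr eh;
	memcpy(&eh, bprm->buf, sizeof(eh));
	if (memcmp(eh.e_ident, ELFMAG, SELFMAG) != 0)
		return -ENOEXEC;	/* not ELF: decline, next format gets a look */
	if (eh.e_type != ET_EXEC && eh.e_type != ET_DYN)
		return -ENOEXEC;	/* .o and core files are not runnable */
	return 0;			/* the real handler would map segments here */
}

/* The hook: see every exec, veto ELF images under a constructed sample path,
 * otherwise decline with -ENOEXEC so binfmt_elf performs the real load.
 * Any error other than -ENOEXEC ends the search and fails the execve(). */
static int hook_load_binary(struct binprm *bprm)
{
	hook_calls++;
	if (memcmp(bprm->buf, ELFMAG, SELFMAG) != 0)
		return -ENOEXEC;
	return strncmp(bprm->filename, "/tmp/", 5) == 0 ? -EPERM : -ENOEXEC;
}

/* Mirrors the kernel loop: the first format returning >= 0 wins, -ENOEXEC means
 * "not mine, try the next", any other negative value aborts the exec. */
static int search_binary_handler(struct binprm *bprm, const char **winner)
{
	struct binfmt *f;
	int ret = -ENOEXEC;
	*winner = "none";
	for (f = formats; f && ret == -ENOEXEC; f = f->next) {
		ret = f->load_binary(bprm);
		if (ret >= 0)
			*winner = f->name;
	}
	return ret;
}

/* Rebuild the list with the hook at head or tail, then exec @filename with a
 * constructed minimal ELF64 executable header as its first bytes. */
static int run_exec(const char *filename, int hook_at_head, const char **winner)
{
	static struct binfmt elf = { "binfmt_elf", elf_load_binary, NULL };
	static struct binfmt hook = { "exec_hook", hook_load_binary, NULL };
	struct binprm bprm = { .filename = filename };
	Elf64_Ehdr eh = { .e_type = ET_EXEC, .e_machine = EM_X86_64 };
	memcpy(eh.e_ident, ELFMAG, SELFMAG);
	eh.e_ident[EI_CLASS] = ELFCLASS64;
	memcpy(bprm.buf, &eh, sizeof(eh));
	formats = NULL;
	hook_calls = 0;
	register_binfmt(&elf, 0);
	register_binfmt(&hook, hook_at_head);
	return search_binary_handler(&bprm, winner);
}

int main(void)
{
	const char *w;
	int ret = run_exec("/tmp/dropper", 1, &w);
	printf("hook at head: %d via %s, hook consulted %u time(s)\n", ret, w, hook_calls);
	ret = run_exec("/tmp/dropper", 0, &w);
	printf("hook at tail: %d via %s, hook consulted %u time(s)\n", ret, w, hook_calls);
	return 0;
}
```

Run as-is it shows the two cases that matter: with the hook at the head the exec of /tmp/dropper fails with -EPERM and no format claims it; with the hook at the tail binfmt_elf returns 0 first and the hook is consulted zero times, which is exactly the symptom a hook appended with register_binfmt() shows.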

* Hooking exec system call
From: rohan puri @ 2011-09-23  8:34 UTC (permalink / raw)
  To: kernelnewbies

On Fri, Sep 23, 2011 at 2:00 PM, Abhijit Pawar <apawar.linux@gmail.com> wrote:

> So If I use the binary format handler, then I can hook the exec call.
> however I need to register this. Does that mean that I need to return the
> negative value so as to have actual ELF handler to be loaded?
>
> Regards,
> Abhijit Pawar
>
Read this, http://www.linux.it/~rubini/docs/binfmt/binfmt.html this might
help.

Regards,
Rohan Puri


* Hooking exec system call
From: Abhijit Pawar @ 2011-09-23  9:13 UTC (permalink / raw)
  To: kernelnewbies

On 09/23/2011 02:04 PM, rohan puri wrote:
> Read this, http://www.linux.it/~rubini/docs/binfmt/binfmt.html this might help
>
> Regards,
> Rohan Puri
Thanks Rohan. I tried creating a hooking module along similar lines. I 
am able to load the module, but whenever I launch any application, 
its load_binary is not being called.
Here is the source for the module, attached.

Regards,
Abhijit Pawar


-------------- next part --------------
A non-text attachment was scrubbed...
Name: Hook.c
Type: text/x-csrc
Size: 1425 bytes
Desc: not available
Url : http://lists.kernelnewbies.org/pipermail/kernelnewbies/attachments/20110923/572dbc71/attachment.bin 


* Hooking exec system call
From: rohan puri @ 2011-09-23  9:41 UTC (permalink / raw)
  To: kernelnewbies

On Fri, Sep 23, 2011 at 2:43 PM, Abhijit Pawar <apawar.linux@gmail.com> wrote:

> Thanks Rohan. I tried creating a hooking module on the similar line. I am
> able to load the module but whenever I am launching any application , its
> load_binary is not being called.
> here is the source for the module attached.
>
> Regards,
> Abhijit Pawar
>
>
>
Hi Abhijit,

I have made the change; try to compile and execute this code, it works.

Also, I am just curious to know where you need to do this
hooking.

Regards,
Rohan Puri
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Hook.c
Type: text/x-csrc
Size: 1422 bytes
Desc: not available
Url : http://lists.kernelnewbies.org/pipermail/kernelnewbies/attachments/20110923/e525206b/attachment-0001.bin 


* Hooking exec system call
From: Abhijit Pawar @ 2011-09-26  6:32 UTC (permalink / raw)
  To: kernelnewbies

On 09/23/2011 03:11 PM, rohan puri wrote:
> Hi Abhijit,
>
> I have made the change, try to compile and execute this code, it works.
>
> Also, I am just curious enough to know that where do you need to do 
> this hooking.
>
> Regards,
> Rohan Puri
Hi Rohan,
I have been looking at the Windows world's ability to support DLL injection 
and API hooking. I was just wondering if this could be something to be 
done in Linux as well.  I am not sure if there is any special use of 
this module apart from learning the binary handler. Maybe it could be 
used as a security module for your own binary handler.

Regards,
Abhijit Pawar


* Hooking exec system call
From: rohan puri @ 2011-09-26  6:56 UTC (permalink / raw)
  To: kernelnewbies

On Mon, Sep 26, 2011 at 12:02 PM, Abhijit Pawar <apawar.linux@gmail.com> wrote:

> Hi Rohan,
> I have been looking at Windows worlds ability to support DLL Injection and
> API hooking. I was just wondering if this could be something to be done in
> Linux as well.  I am not sure if there is any special use of this module
> apart from learning the binary handler. May be it could be used as a
> security module for your own binary handler.
>
> Regards,
> Abhijit Pawar
>

Hi Abhijit,

I am not familiar with Windows. A special use-case of this hacking is for
security companies' whitelisting software solutions, where they want to
control execution of only authorized binaries on the system and deny the
execution of others.


This approach is untidy, though, since there are LSM hooks available in the
Linux kernel which need to be made use of for doing this.

Regards,
Rohan Puri


* Hooking exec system call
From: Abhijit Pawar @ 2011-09-26  6:59 UTC (permalink / raw)
  To: kernelnewbies

On 09/26/2011 12:26 PM, rohan puri wrote:
>
>
> On Mon, Sep 26, 2011 at 12:02 PM, Abhijit Pawar 
> <apawar.linux at gmail.com <mailto:apawar.linux@gmail.com>> wrote:
>
>     On 09/23/2011 03:11 PM, rohan puri wrote:
>>
>>
>>     On Fri, Sep 23, 2011 at 2:43 PM, Abhijit Pawar
>>     <apawar.linux at gmail.com <mailto:apawar.linux@gmail.com>> wrote:
>>
>>         On 09/23/2011 02:04 PM, rohan puri wrote:
>>>
>>>
>>>         On Fri, Sep 23, 2011 at 2:00 PM, Abhijit Pawar
>>>         <apawar.linux at gmail.com <mailto:apawar.linux@gmail.com>> wrote:
>>>
>>>             On 09/23/2011 01:01 PM, Rajat Sharma wrote:
>>>
>>>                     Untidy way : -
>>>                     Yes, you can do that by registering a new binary
>>>                     format handler. Whenever
>>>                     exec is called, a list of registered binary
>>>                     format handlers is scanned, in
>>>                     the same way you can hook the load_binary&
>>>                      load_library function pointers
>>>                     of the already registered binary format handlers.
>>>
>>>                 Challenge with this untidy way is to identify the
>>>                 correct format, for
>>>                 example if you are interested in only hooking ELF
>>>                 format, there is no
>>>                 special signature withing the registered format
>>>                 handler to identify
>>>                 that, however if one format handler recognizes the
>>>                 file header, its
>>>                 load_binary will return 0. This can give you the
>>>                 hint that you are
>>>                 sitting on top of correct file format. Long time
>>>                 back I had written
>>>                 the similar module in Linux to do the same, but
>>>                 can't share the code
>>>                 :)
>>>
>>>                 -Rajat
>>>
>>>                 On Thu, Sep 22, 2011 at 3:14 PM, rohan
>>>                 puri<rohan.puri15@gmail.com
>>>                 <mailto:rohan.puri15@gmail.com>>  wrote:
>>>
>>>
>>>                     On Thu, Sep 22, 2011 at 1:53 PM, Abhijit
>>>                     Pawar<apawar.linux@gmail.com
>>>                     <mailto:apawar.linux@gmail.com>>
>>>                     wrote:
>>>
>>>                         hi list,
>>>                         Is there any way to hook the exec system
>>>                         call on Linux box apart from
>>>                         replacing the call in System Call table?
>>>
>>>                         Regards,
>>>                         Abhijit Pawar
>>>
>>>
>>>                     Tidy way : -
>>>
>>>                     You can do that from LSM (Linux security module).
>>>
>>>                     Untidy way : -
>>>                     Yes, you can do that by registering a new binary
>>>                     format handler. Whenever
>>>                     exec is called, a list of registered binary
>>>                     format handlers is scanned, in
>>>                     the same way you can hook the load_binary &
>>>                     load_library function pointers
>>>                     of the already registered binary format handlers.
>>>
>>>                     Regards,
>>>                     Rohan Puri
>>>
>>>
>>>
>>>             So if I use the binary format handler, then I can hook
>>>             the exec call. However, I need to register this. Does
>>>             that mean that I need to return a negative value so as
>>>             to have the actual ELF handler loaded?
>>>
>>>             Regards,
>>>             Abhijit Pawar
>>>
>>>         Read this,
>>>         http://www.linux.it/~rubini/docs/binfmt/binfmt.html
>>>         <http://www.linux.it/%7Erubini/docs/binfmt/binfmt.html> this
>>>         might help
>>>
>>>         Regards,
>>>         Rohan Puri
>>         Thanks Rohan. I tried creating a hooking module along
>>         similar lines. I am able to load the module but whenever I am
>>         launching any application, its load_binary is not being called.
>>         Here is the source for the module attached.
>>
>>         Regards,
>>         Abhijit Pawar
>>
>>
>>
>>     Hi Abhijit,
>>
>>     I have made the change, try to compile and execute this code, it
>>     works.
>>
>>     Also, I am just curious enough to know that where do you need to
>>     do this hooking.
>>
>>     Regards,
>>     Rohan Puri
>     Hi Rohan,
>     I have been looking at the Windows world's ability to support DLL
>     Injection and API hooking. I was just wondering if this could be
>     something to be done in Linux as well.  I am not sure if there is
>     any special use of this module apart from learning the binary
>     handler. Maybe it could be used as a security module for your own
>     binary handler.
>
>     Regards,
>     Abhijit Pawar
>
>
> Hi Abhijit,
>
> I am not familiar with Windows. The special use-case of this hacking is
> for security companies' whitelisting software solutions, where they
> want to control execution of only authorized binaries on the system
> and deny the execution of others.
>
>
> This approach is untidy, though, since there are LSM hooks available
> in the Linux kernel which should be made use of for doing this.
>
> Regards,
> Rohan Puri
Hi Rohan,
Yes, this is a backdoor approach and I agree with you. I am learning
more on LSM and their APIs so as to get insight into what goes on
internally. Maybe you can refer me to some details as well.

Thanks for all of your help on this.

Regards,
Abhijit Pawar

^ permalink raw reply	[flat|nested] 15+ messages in thread
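Worked example added for this thread (it is not Abhijit's attached module, not Rohan's corrected version of it, and not kernel code): a userspace C model of the exec path the replies describe. It mirrors the return-value contract of the kernel's search_binary_handler() loop, where a format handler answers -ENOEXEC to mean "not my format, try the next registered one" and 0 to mean "recognised and loaded", which is what Abhijit's question about returning a negative value comes down to, and it places an LSM-style check in front of the format scan (modelled on the real bprm_check_security hook, which the thread itself does not name) to implement the execution allowlist Rohan gives as the use case. The functions do_exec and policy_bprm_check, the allowlist paths and the sample file headers are constructed for this example.

```c
/*
 * Userspace model of how the Linux kernel dispatches an exec() to its
 * registered binary-format handlers, with an LSM-style pre-exec policy
 * check in front.  Added example; not kernel code and not the module
 * discussed in the thread.  All names and sample data are constructed.
 */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* What a handler sees: the path being executed and the first bytes of the file. */
struct binprm {
    const char *filename;
    const unsigned char *buf;   /* leading bytes of the file (kernel: BINPRM_BUF_SIZE) */
    size_t len;
};

/* A registered binary format, reduced to its load_binary callback. */
struct binfmt {
    const char *name;
    int (*load_binary)(struct binprm *);
};

/* Contract modelled on the kernel: a handler that does not recognise the
 * header returns -ENOEXEC so the scan moves on to the next format; 0 means
 * "recognised and loaded"; any other negative value aborts the exec. */
static int elf_load_binary(struct binprm *bprm)
{
    static const unsigned char elfmag[4] = { 0x7f, 'E', 'L', 'F' };
    if (bprm->len < sizeof elfmag || memcmp(bprm->buf, elfmag, sizeof elfmag) != 0)
        return -ENOEXEC;
    return 0;
}

static int script_load_binary(struct binprm *bprm)
{
    if (bprm->len < 2 || bprm->buf[0] != '#' || bprm->buf[1] != '!')
        return -ENOEXEC;
    return 0;
}

/* Registration order is the scan order, as with the kernel's formats list. */
static const struct binfmt formats[] = {
    { "elf",    elf_load_binary },
    { "script", script_load_binary },
};

/* Constructed allowlist policy: only these paths may be executed. */
static const char *const allowed_paths[] = { "/usr/bin/ls", "/usr/local/bin/backup.sh" };

/* LSM-style hook: runs once per exec, before any format handler is tried.
 * Returns 0 to allow or -EPERM to deny, independent of the file format. */
static int policy_bprm_check(const struct binprm *bprm)
{
    for (size_t i = 0; i < sizeof allowed_paths / sizeof allowed_paths[0]; i++)
        if (strcmp(bprm->filename, allowed_paths[i]) == 0)
            return 0;
    return -EPERM;
}

/* Mirrors the search loop: stop at the first handler that does not answer
 * -ENOEXEC; if every handler declines, the exec fails with -ENOEXEC. */
int do_exec(const char *filename, const unsigned char *buf, size_t len)
{
    struct binprm bprm = { filename, buf, len };
    int ret = policy_bprm_check(&bprm);
    if (ret)
        return ret;
    for (size_t i = 0; i < sizeof formats / sizeof formats[0]; i++) {
        ret = formats[i].load_binary(&bprm);
        if (ret != -ENOEXEC)
            return ret;
    }
    return -ENOEXEC;
}

/* Constructed sample file headers. */
static const unsigned char elf_hdr[] = { 0x7f, 'E', 'L', 'F', 2, 1, 1, 0 };
static const unsigned char sh_hdr[]  = { '#', '!', '/', 'b', 'i', 'n', '/', 's', 'h', '\n' };
static const unsigned char junk[]    = { 'M', 'Z', 0x90, 0x00 };   /* neither ELF nor a script */

int main(void)
{
    printf("allowed ELF      -> %d\n", do_exec("/usr/bin/ls", elf_hdr, sizeof elf_hdr));
    printf("allowed script   -> %d\n", do_exec("/usr/local/bin/backup.sh", sh_hdr, sizeof sh_hdr));
    printf("unlisted path    -> %d\n", do_exec("/tmp/downloaded-tool", elf_hdr, sizeof elf_hdr));
    printf("unknown format   -> %d\n", do_exec("/usr/bin/ls", junk, sizeof junk));
    return 0;
}
```

Two things the model makes visible that the thread only states: a hook that wraps an existing handler's load_binary and wants the real handler to run must preserve this -ENOEXEC/0 protocol, and a policy decision belongs in the single hook that runs before the scan rather than in one of the format handlers, since only the former sees every exec regardless of format. A path-based allowlist is only a sketch of the whitelisting products Rohan mentions; a real one keys on file identity (hash or signature), because a path is not a stable identity for a file.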

* Hooking exec system call
  2011-09-26  6:59                 ` Abhijit Pawar
@ 2011-09-26  7:27                   ` rohan puri
  2011-09-26  7:30                     ` Abhijit Pawar
  0 siblings, 1 reply; 15+ messages in thread
From: rohan puri @ 2011-09-26  7:27 UTC (permalink / raw)
  To: kernelnewbies

On Mon, Sep 26, 2011 at 12:29 PM, Abhijit Pawar <apawar.linux@gmail.com>wrote:

>  On 09/26/2011 12:26 PM, rohan puri wrote:
>
>
>
> On Mon, Sep 26, 2011 at 12:02 PM, Abhijit Pawar <apawar.linux@gmail.com>wrote:
>
>>   On 09/23/2011 03:11 PM, rohan puri wrote:
>>
>>
>>
>> On Fri, Sep 23, 2011 at 2:43 PM, Abhijit Pawar <apawar.linux@gmail.com>wrote:
>>
>>>   On 09/23/2011 02:04 PM, rohan puri wrote:
>>>
>>>
>>>
>>> On Fri, Sep 23, 2011 at 2:00 PM, Abhijit Pawar <apawar.linux@gmail.com>wrote:
>>>
>>>>  On 09/23/2011 01:01 PM, Rajat Sharma wrote:
>>>>
>>>>>  Untidy way : -
>>>>>> Yes, you can do that by registering a new binary format handler.
>>>>>> Whenever
>>>>>> exec is called, a list of registered binary format handlers is
>>>>>> scanned, in
>>>>>> the same way you can hook the load_binary & load_library function
>>>>>> pointers
>>>>>> of the already registered binary format handlers.
>>>>>>
>>>>> Challenge with this untidy way is to identify the correct format, for
>>>>> example if you are interested in only hooking ELF format, there is no
>>>>> special signature within the registered format handler to identify
>>>>> that, however if one format handler recognizes the file header, its
>>>>> load_binary will return 0. This can give you the hint that you are
>>>>> sitting on top of correct file format. Long time back I had written
>>>>> a similar module in Linux to do the same, but can't share the code
>>>>> :)
>>>>>
>>>>> -Rajat
>>>>>
>>>>> On Thu, Sep 22, 2011 at 3:14 PM, rohan puri<rohan.puri15@gmail.com>
>>>>>  wrote:
>>>>>
>>>>>>
>>>>>> On Thu, Sep 22, 2011 at 1:53 PM, Abhijit Pawar<apawar.linux@gmail.com
>>>>>> >
>>>>>> wrote:
>>>>>>
>>>>>>> hi list,
>>>>>>> Is there any way to hook the exec system call on Linux box apart from
>>>>>>> replacing the call in System Call table?
>>>>>>>
>>>>>>> Regards,
>>>>>>> Abhijit Pawar
>>>>>>>
>>>>>>>
>>>>>> Tidy way : -
>>>>>>
>>>>>> You can do that from LSM (Linux security module).
>>>>>>
>>>>>> Untidy way : -
>>>>>> Yes, you can do that by registering a new binary format handler.
>>>>>> Whenever
>>>>>> exec is called, a list of registered binary format handlers is
>>>>>> scanned, in
>>>>>> the same way you can hook the load_binary & load_library function
>>>>>> pointers
>>>>>> of the already registered binary format handlers.
>>>>>>
>>>>>> Regards,
>>>>>> Rohan Puri
>>>>>>
>>>>>>
>>>>>>
>>>>>>   So if I use the binary format handler, then I can hook the exec
>>>> call. However, I need to register this. Does that mean that I need to return
>>>> a negative value so as to have the actual ELF handler loaded?
>>>>
>>>> Regards,
>>>>  Abhijit Pawar
>>>>
>>>>  Read this, http://www.linux.it/~rubini/docs/binfmt/binfmt.html this
>>> might help
>>>
>>> Regards,
>>> Rohan Puri
>>>
>>>  Thanks Rohan. I tried creating a hooking module along similar lines. I
>>> am able to load the module but whenever I am launching any application, its
>>> load_binary is not being called.
>>> Here is the source for the module attached.
>>>
>>> Regards,
>>>  Abhijit Pawar
>>>
>>>
>>>
>> Hi Abhijit,
>>
>> I have made the change, try to compile and execute this code, it works.
>>
>> Also, I am just curious enough to know that where do you need to do this
>> hooking.
>>
>> Regards,
>> Rohan Puri
>>
>>  Hi Rohan,
>> I have been looking at the Windows world's ability to support DLL Injection and
>> API hooking. I was just wondering if this could be something to be done in
>> Linux as well.  I am not sure if there is any special use of this module
>> apart from learning the binary handler. Maybe it could be used as a
>> security module for your own binary handler.
>>
>> Regards,
>>  Abhijit Pawar
>>
>
> Hi Abhijit,
>
> I am not familiar with Windows. The special use-case of this hacking is for
> security companies' whitelisting software solutions, where they want to
> control execution of only authorized binaries on the system and deny the
> execution of others.
>
>
> This approach is untidy, though, since there are LSM hooks available in
> the Linux kernel which should be made use of for doing this.
>
> Regards,
> Rohan Puri
>
> Hi Rohan,
> Yes, this is a backdoor approach and I agree with you. I am learning more
> on LSM and their APIs so as to get insight into what goes on internally. Maybe
> you can refer me to some details as well.
>
> Thanks for all of your help on this.
>
> Regards,
> Abhijit Pawar
>

Hi Abhijit,

There is one whitepaper on LSM available on the internet by Greg Kroah-Hartman
and others; it's good to start with.

Also, I am keen to know: are all these things you are studying part of any
project, or just for knowledge?

Regards,
Rohan Puri

^ permalink raw reply	[flat|nested] 15+ messages in thread

* Hooking exec system call
  2011-09-26  7:27                   ` rohan puri
@ 2011-09-26  7:30                     ` Abhijit Pawar
  2011-09-26  7:32                       ` rohan puri
  0 siblings, 1 reply; 15+ messages in thread
From: Abhijit Pawar @ 2011-09-26  7:30 UTC (permalink / raw)
  To: kernelnewbies

On 09/26/2011 12:57 PM, rohan puri wrote:
>
>
> On Mon, Sep 26, 2011 at 12:29 PM, Abhijit Pawar 
> <apawar.linux at gmail.com <mailto:apawar.linux@gmail.com>> wrote:
>
>     On 09/26/2011 12:26 PM, rohan puri wrote:
>>
>>
>>     On Mon, Sep 26, 2011 at 12:02 PM, Abhijit Pawar
>>     <apawar.linux at gmail.com <mailto:apawar.linux@gmail.com>> wrote:
>>
>>         On 09/23/2011 03:11 PM, rohan puri wrote:
>>>
>>>
>>>         On Fri, Sep 23, 2011 at 2:43 PM, Abhijit Pawar
>>>         <apawar.linux at gmail.com <mailto:apawar.linux@gmail.com>> wrote:
>>>
>>>             On 09/23/2011 02:04 PM, rohan puri wrote:
>>>>
>>>>
>>>>             On Fri, Sep 23, 2011 at 2:00 PM, Abhijit Pawar
>>>>             <apawar.linux@gmail.com
>>>>             <mailto:apawar.linux@gmail.com>> wrote:
>>>>
>>>>                 On 09/23/2011 01:01 PM, Rajat Sharma wrote:
>>>>
>>>>                         Untidy way : -
>>>>                         Yes, you can do that by registering a new
>>>>                         binary format handler. Whenever
>>>>                         exec is called, a list of registered binary
>>>>                         format handlers is scanned, in
>>>>                         the same way you can hook the load_binary &
>>>>                         load_library function pointers
>>>>                         of the already registered binary format
>>>>                         handlers.
>>>>
>>>>                     Challenge with this untidy way is to identify
>>>>                     the correct format, for
>>>>                     example if you are interested in only hooking
>>>>                     ELF format, there is no
>>>>                     special signature within the registered format
>>>>                     handler to identify
>>>>                     that, however if one format handler recognizes
>>>>                     the file header, its
>>>>                     load_binary will return 0. This can give you
>>>>                     the hint that you are
>>>>                     sitting on top of correct file format. Long
>>>>                     time back I had written
>>>>                     a similar module in Linux to do the same, but
>>>>                     can't share the code
>>>>                     :)
>>>>
>>>>                     -Rajat
>>>>
>>>>                     On Thu, Sep 22, 2011 at 3:14 PM, rohan
>>>>                     puri<rohan.puri15@gmail.com
>>>>                     <mailto:rohan.puri15@gmail.com>>  wrote:
>>>>
>>>>
>>>>                         On Thu, Sep 22, 2011 at 1:53 PM, Abhijit
>>>>                         Pawar<apawar.linux@gmail.com
>>>>                         <mailto:apawar.linux@gmail.com>>
>>>>                         wrote:
>>>>
>>>>                             hi list,
>>>>                             Is there any way to hook the exec
>>>>                             system call on Linux box apart from
>>>>                             replacing the call in System Call table?
>>>>
>>>>                             Regards,
>>>>                             Abhijit Pawar
>>>>
>>>>
>>>>                         Tidy way : -
>>>>
>>>>                         You can do that from LSM (Linux security
>>>>                         module).
>>>>
>>>>                         Untidy way : -
>>>>                         Yes, you can do that by registering a new
>>>>                         binary format handler. Whenever
>>>>                         exec is called, a list of registered binary
>>>>                         format handlers is scanned, in
>>>>                         the same way you can hook the load_binary &
>>>>                         load_library function pointers
>>>>                         of the already registered binary format
>>>>                         handlers.
>>>>
>>>>                         Regards,
>>>>                         Rohan Puri
>>>>
>>>>
>>>>
>>>>                 So if I use the binary format handler, then I can
>>>>                 hook the exec call. However, I need to register
>>>>                 this. Does that mean that I need to return a
>>>>                 negative value so as to have the actual ELF handler
>>>>                 loaded?
>>>>
>>>>                 Regards,
>>>>                 Abhijit Pawar
>>>>
>>>>             Read this,
>>>>             http://www.linux.it/~rubini/docs/binfmt/binfmt.html
>>>>             <http://www.linux.it/%7Erubini/docs/binfmt/binfmt.html>
>>>>             this might help
>>>>
>>>>             Regards,
>>>>             Rohan Puri
>>>             Thanks Rohan. I tried creating a hooking module along
>>>             similar lines. I am able to load the module but whenever
>>>             I am launching any application, its load_binary is not
>>>             being called.
>>>             Here is the source for the module attached.
>>>
>>>             Regards,
>>>             Abhijit Pawar
>>>
>>>
>>>
>>>         Hi Abhijit,
>>>
>>>         I have made the change, try to compile and execute this
>>>         code, it works.
>>>
>>>         Also, I am just curious enough to know that where do you
>>>         need to do this hooking.
>>>
>>>         Regards,
>>>         Rohan Puri
>>         Hi Rohan,
>>         I have been looking at the Windows world's ability to support DLL
>>         Injection and API hooking. I was just wondering if this could
>>         be something to be done in Linux as well.  I am not sure if
>>         there is any special use of this module apart from learning
>>         the binary handler. Maybe it could be used as a security
>>         module for your own binary handler.
>>
>>         Regards,
>>         Abhijit Pawar
>>
>>
>>     Hi Abhijit,
>>
>>     I am not familiar with Windows. The special use-case of this hacking
>>     is for security companies' whitelisting software solutions, where
>>     they want to control execution of only authorized binaries on the
>>     system and deny the execution of others.
>>
>>
>>     This approach is untidy, though, since there are LSM hooks
>>     available in the Linux kernel which should be made use of for doing this.
>>
>>     Regards,
>>     Rohan Puri
>     Hi Rohan,
>     Yes, this is a backdoor approach and I agree with you. I am
>     learning more on LSM and their APIs so as to get insight into what
>     goes on internally. Maybe you can refer me to some details as well.
>
>     Thanks for all of your help on this.
>
>     Regards,
>     Abhijit Pawar
>
>
> Hi Abhijit,
>
> There is one whitepaper on LSM available on the internet by Greg
> Kroah-Hartman and others; it's good to start with.
>
>
> Also, I am keen to know: are all these things you are studying part
> of any project, or just for knowledge?
>
> Regards,
> Rohan Puri
Thanks Rohan. I will take a look at this paper. I am learning LSM and
hooking for Windows and its counterpart in Linux. This is purely for
gaining knowledge, but it would be good if I can do something with this,
maybe in future. :)

Regards,
Abhijit Pawar

^ permalink raw reply	[flat|nested] 15+ messages in thread

* Hooking exec system call
  2011-09-26  7:30                     ` Abhijit Pawar
@ 2011-09-26  7:32                       ` rohan puri
  0 siblings, 0 replies; 15+ messages in thread
From: rohan puri @ 2011-09-26  7:32 UTC (permalink / raw)
  To: kernelnewbies

On Mon, Sep 26, 2011 at 1:00 PM, Abhijit Pawar <apawar.linux@gmail.com>wrote:

>  On 09/26/2011 12:57 PM, rohan puri wrote:
>
>
>
> On Mon, Sep 26, 2011 at 12:29 PM, Abhijit Pawar <apawar.linux@gmail.com>wrote:
>
>>   On 09/26/2011 12:26 PM, rohan puri wrote:
>>
>>
>>
>> On Mon, Sep 26, 2011 at 12:02 PM, Abhijit Pawar <apawar.linux@gmail.com>wrote:
>>
>>>   On 09/23/2011 03:11 PM, rohan puri wrote:
>>>
>>>
>>>
>>> On Fri, Sep 23, 2011 at 2:43 PM, Abhijit Pawar <apawar.linux@gmail.com>wrote:
>>>
>>>>   On 09/23/2011 02:04 PM, rohan puri wrote:
>>>>
>>>>
>>>>
>>>> On Fri, Sep 23, 2011 at 2:00 PM, Abhijit Pawar <apawar.linux@gmail.com>wrote:
>>>>
>>>>>  On 09/23/2011 01:01 PM, Rajat Sharma wrote:
>>>>>
>>>>>>  Untidy way : -
>>>>>>> Yes, you can do that by registering a new binary format handler.
>>>>>>> Whenever
>>>>>>> exec is called, a list of registered binary format handlers is
>>>>>>> scanned, in
>>>>>>> the same way you can hook the load_binary & load_library function
>>>>>>> pointers
>>>>>>> of the already registered binary format handlers.
>>>>>>>
>>>>>> Challenge with this untidy way is to identify the correct format, for
>>>>>> example if you are interested in only hooking ELF format, there is no
>>>>>> special signature within the registered format handler to identify
>>>>>> that, however if one format handler recognizes the file header, its
>>>>>> load_binary will return 0. This can give you the hint that you are
>>>>>> sitting on top of correct file format. Long time back I had written
>>>>>> a similar module in Linux to do the same, but can't share the code
>>>>>> :)
>>>>>>
>>>>>> -Rajat
>>>>>>
>>>>>> On Thu, Sep 22, 2011 at 3:14 PM, rohan puri<rohan.puri15@gmail.com>
>>>>>>  wrote:
>>>>>>
>>>>>>>
>>>>>>> On Thu, Sep 22, 2011 at 1:53 PM, Abhijit Pawar<
>>>>>>> apawar.linux at gmail.com>
>>>>>>> wrote:
>>>>>>>
>>>>>>>> hi list,
>>>>>>>> Is there any way to hook the exec system call on Linux box apart
>>>>>>>> from
>>>>>>>> replacing the call in System Call table?
>>>>>>>>
>>>>>>>> Regards,
>>>>>>>> Abhijit Pawar
>>>>>>>>
>>>>>>>>
>>>>>>> Tidy way : -
>>>>>>>
>>>>>>> You can do that from LSM (Linux security module).
>>>>>>>
>>>>>>> Untidy way : -
>>>>>>> Yes, you can do that by registering a new binary format handler.
>>>>>>> Whenever
>>>>>>> exec is called, a list of registered binary format handlers is
>>>>>>> scanned, in
>>>>>>> the same way you can hook the load_binary & load_library function
>>>>>>> pointers
>>>>>>> of the already registered binary format handlers.
>>>>>>>
>>>>>>> Regards,
>>>>>>> Rohan Puri
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>   So if I use the binary format handler, then I can hook the exec
>>>>> call. However, I need to register this. Does that mean that I need to return
>>>>> a negative value so as to have the actual ELF handler loaded?
>>>>>
>>>>> Regards,
>>>>>  Abhijit Pawar
>>>>>
>>>>>  Read this, http://www.linux.it/~rubini/docs/binfmt/binfmt.html this
>>>> might help
>>>>
>>>> Regards,
>>>> Rohan Puri
>>>>
>>>>  Thanks Rohan. I tried creating a hooking module along similar lines. I
>>>> am able to load the module but whenever I am launching any application, its
>>>> load_binary is not being called.
>>>> Here is the source for the module attached.
>>>>
>>>> Regards,
>>>>  Abhijit Pawar
>>>>
>>>>
>>>>
>>> Hi Abhijit,
>>>
>>> I have made the change, try to compile and execute this code, it works.
>>>
>>> Also, I am just curious enough to know that where do you need to do this
>>> hooking.
>>>
>>> Regards,
>>> Rohan Puri
>>>
>>>  Hi Rohan,
>>> I have been looking at the Windows world's ability to support DLL Injection
>>> and API hooking. I was just wondering if this could be something to be done
>>> in Linux as well.  I am not sure if there is any special use of this module
>>> apart from learning the binary handler. Maybe it could be used as a
>>> security module for your own binary handler.
>>>
>>> Regards,
>>>  Abhijit Pawar
>>>
>>
>> Hi Abhijit,
>>
>> I am not familiar with Windows. The special use-case of this hacking is for
>> security companies' whitelisting software solutions, where they want to
>> control execution of only authorized binaries on the system and deny the
>> execution of others.
>>
>>
>> This approach is untidy, though, since there are LSM hooks available in
>> the Linux kernel which should be made use of for doing this.
>>
>> Regards,
>> Rohan Puri
>>
>>  Hi Rohan,
>> Yes, this is a backdoor approach and I agree with you. I am learning more
>> on LSM and their APIs so as to get insight into what goes on internally. Maybe
>> you can refer me to some details as well.
>>
>> Thanks for all of your help on this.
>>
>> Regards,
>>  Abhijit Pawar
>>
>
> Hi Abhijit,
>
> There is one whitepaper on LSM available on the internet by Greg Kroah-Hartman
> and others; it's good to start with.
>
>
> Also, I am keen to know: are all these things you are studying part of
> any project, or just for knowledge?
>
> Regards,
> Rohan Puri
>
> Thanks Rohan. I will take a look at this paper. I am learning LSM and
> hooking for Windows and its counterpart in Linux. This is purely for gaining
> knowledge, but it would be good if I can do something with this, maybe in
> future. :)
>
> Regards,
> Abhijit Pawar
>

Cool!!!

Regards,
Rohan Puri

^ permalink raw reply	[flat|nested] 15+ messages in thread

end of thread, other threads:[~2011-09-26  7:32 UTC | newest]

Thread overview: 15+ messages
2011-09-22  8:23 Hooking exec system call Abhijit Pawar
2011-09-22  8:50 ` Christophe Hauser
2011-09-22  9:44 ` rohan puri
2011-09-23  7:31   ` Rajat Sharma
2011-09-23  8:30     ` Abhijit Pawar
2011-09-23  8:34       ` rohan puri
2011-09-23  9:13         ` Abhijit Pawar
2011-09-23  9:41           ` rohan puri
2011-09-26  6:32             ` Abhijit Pawar
2011-09-26  6:56               ` rohan puri
2011-09-26  6:59                 ` Abhijit Pawar
2011-09-26  7:27                   ` rohan puri
2011-09-26  7:30                     ` Abhijit Pawar
2011-09-26  7:32                       ` rohan puri
2011-09-22 16:57 ` Mulyadi Santosa
