From mboxrd@z Thu Jan 1 00:00:00 1970
From: apawar.linux@gmail.com (Abhijit Pawar)
Date: Mon, 26 Sep 2011 13:00:29 +0530
Subject: Hooking exec system call
In-Reply-To:
References: <4E7AF090.6000402@gmail.com> <4E7C4389.7070405@gmail.com>
 <4E7C4DA2.4040903@gmail.com> <4E801C7D.2020100@gmail.com>
 <4E8022C9.1040508@gmail.com>
Message-ID: <4E802A15.6000007@gmail.com>
To: kernelnewbies@lists.kernelnewbies.org
List-Id: kernelnewbies.lists.kernelnewbies.org

On 09/26/2011 12:57 PM, rohan puri wrote:
> On Mon, Sep 26, 2011 at 12:29 PM, Abhijit Pawar wrote:
>
> On 09/26/2011 12:26 PM, rohan puri wrote:
>> On Mon, Sep 26, 2011 at 12:02 PM, Abhijit Pawar wrote:
>>
>> On 09/23/2011 03:11 PM, rohan puri wrote:
>>> On Fri, Sep 23, 2011 at 2:43 PM, Abhijit Pawar wrote:
>>>
>>> On 09/23/2011 02:04 PM, rohan puri wrote:
>>>> On Fri, Sep 23, 2011 at 2:00 PM, Abhijit Pawar wrote:
>>>>
>>>> On 09/23/2011 01:01 PM, Rajat Sharma wrote:
>>>>
>>>> Untidy way :-
>>>> Yes, you can do that by registering a new binary format handler. Whenever
>>>> exec is called, a list of registered binary format handlers is scanned; in
>>>> the same way you can hook the load_binary & load_library function pointers
>>>> of the already registered binary format handlers.
>>>>
>>>> The challenge with this untidy way is to identify the correct format. For
>>>> example, if you are interested in only hooking the ELF format, there is no
>>>> special signature within the registered format handler to identify that;
>>>> however, if one format handler recognizes the file header, its load_binary
>>>> will return 0. This can give you the hint that you are sitting on top of
>>>> the correct file format. A long time back I had written a similar module
>>>> in Linux to do the same, but can't share the code :)
>>>>
>>>> -Rajat
>>>>
>>>> On Thu, Sep 22, 2011 at 3:14 PM, rohan puri wrote:
>>>>
>>>> On Thu, Sep 22, 2011 at 1:53 PM, Abhijit Pawar wrote:
>>>>
>>>> hi list,
>>>> Is there any way to hook the exec system call on a Linux box apart from
>>>> replacing the call in the System Call table?
>>>>
>>>> Regards,
>>>> Abhijit Pawar
>>>>
>>>> _______________________________________________
>>>> Kernelnewbies mailing list
>>>> Kernelnewbies at kernelnewbies.org
>>>> http://lists.kernelnewbies.org/mailman/listinfo/kernelnewbies
>>>>
>>>> Tidy way :-
>>>>
>>>> You can do that from LSM (Linux security module).
>>>>
>>>> Untidy way :-
>>>> Yes, you can do that by registering a new binary format handler. Whenever
>>>> exec is called, a list of registered binary format handlers is scanned; in
>>>> the same way you can hook the load_binary & load_library function pointers
>>>> of the already registered binary format handlers.
>>>>
>>>> Regards,
>>>> Rohan Puri
>>>>
>>>> So if I use the binary format handler, then I can hook the exec call.
>>>> However, I need to register this. Does that mean that I need to return a
>>>> negative value so as to have the actual ELF handler loaded?
>>>>
>>>> Regards,
>>>> Abhijit Pawar
>>>>
>>>> Read this,
>>>> http://www.linux.it/~rubini/docs/binfmt/binfmt.html
>>>>
>>>> this might help
>>>>
>>>> Regards,
>>>> Rohan Puri
>>> Thanks Rohan. I tried creating a hooking module along similar lines. I am
>>> able to load the module, but whenever I am launching any application, its
>>> load_binary is not being called.
>>> Here is the source for the module, attached.
>>>
>>> Regards,
>>> Abhijit Pawar
>>>
>>> Hi Abhijit,
>>>
>>> I have made the change; try to compile and execute this code, it works.
>>>
>>> Also, I am just curious enough to know where you need to do this hooking.
>>>
>>> Regards,
>>> Rohan Puri
>> Hi Rohan,
>> I have been looking at the Windows world's ability to support DLL injection
>> and API hooking. I was just wondering if this could be something to be done
>> in Linux as well. I am not sure if there is any special use of this module
>> apart from learning the binary handler. Maybe it could be used as a security
>> module for your own binary handler.
>>
>> Regards,
>> Abhijit Pawar
>>
>> Hi Abhijit,
>>
>> I am not familiar with Windows. A special use-case of this hacking is for
>> security companies' whitelisting software solutions, where they want to
>> control execution of only authorized binaries on the system and deny the
>> execution of others.
>>
>> Although this approach is untidy, since there are LSM hooks available in the
>> Linux kernel which need to be made use of for doing this.
>>
>> Regards,
>> Rohan Puri
> Hi Rohan,
> Yes, this is a backdoor approach and I agree with you. I am learning more on
> LSM and their APIs so as to get insight into what goes on internally. Maybe
> you can refer me to some details as well.
>
> Thanks for all of your help on this.
>
> Regards,
> Abhijit Pawar
>
> Hi Abhijit,
>
> There is one whitepaper on LSM available on the internet by Greg
> Kroah-Hartman and others; it's good to start with.
>
> Also, I am keen to know: are all these things you are studying part of any
> project, or just for knowledge?
>
> Regards,
> Rohan Puri

Thanks Rohan. I will take a look at this paper. I am learning LSM and hooking
for Windows and its counterpart in Linux. This is purely for getting
knowledge, but it would be good if I can do something with this, maybe in the
future. :)

Regards,
Abhijit Pawar
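Editor's addition (not part of the thread, and not kernel code): a userspace C model of the binary-format dispatch Rajat describes above, built around the whitelisting use case Rohan mentions. The `struct binprm` / `struct binfmt` layouts, `insert_fmt_head`, `insert_fmt_tail`, `do_exec`, `setup`, the allow-list and the sample paths are all constructed for this model; only `search_binary_handler` is named after the kernel function whose scan it imitates. It shows the two points the thread turns on: a hook's `load_binary` must answer `-ENOEXEC` to let the real ELF handler load the image (0 would claim it, any other error aborts the exec), and a handler registered behind the real ELF handler is never consulted for ELF files, because the scan stops at the first handler that returns 0.

```c
/* Userspace model of the exec() binary-format handler scan.
 * Constructed example; not the kernel's own code or API.
 * Build stand-alone: cc -Wall -o binfmt_model binfmt_model.c */
#include <errno.h>
#include <stdio.h>
#include <string.h>

#define HDR_LEN 4   /* bytes of file header each handler may inspect */

/* The exec request: path being executed plus the first bytes of the file
 * (the kernel reads them from the file; here they are supplied directly). */
struct binprm {
    const char *filename;
    unsigned char buf[HDR_LEN];
};

/* One registered handler. load_binary returns 0 once it has loaded the
 * image, -ENOEXEC when the header is not its format (scan moves on), or
 * any other negative errno to abort the exec outright. */
struct binfmt {
    const char *name;
    int (*load_binary)(struct binprm *bprm);
    struct binfmt *next;
};

static struct binfmt *formats;   /* head of the registered-handler list */

static void insert_fmt_head(struct binfmt *fmt)   /* consulted first */
{
    fmt->next = formats;
    formats = fmt;
}

static void insert_fmt_tail(struct binfmt *fmt)   /* consulted last */
{
    struct binfmt **pp = &formats;
    while (*pp)
        pp = &(*pp)->next;
    fmt->next = NULL;
    *pp = fmt;
}

static const unsigned char elf_magic[4] = { 0x7f, 'E', 'L', 'F' };

static int is_elf(const struct binprm *b)
{
    return memcmp(b->buf, elf_magic, 4) == 0;
}

/* Stand-ins for the real ELF and "#!" script handlers. */
static int elf_load_binary(struct binprm *b)
{
    return is_elf(b) ? 0 : -ENOEXEC;
}

static int script_load_binary(struct binprm *b)
{
    return memcmp(b->buf, "#!", 2) == 0 ? 0 : -ENOEXEC;
}

/* The hook: an allow-list of ELF binaries (constructed sample paths). */
static const char *allowed[] = { "/bin/ls", "/usr/bin/id", NULL };
static int hook_calls;   /* how many ELF execs the hook actually saw */

static int hook_load_binary(struct binprm *b)
{
    if (!is_elf(b))
        return -ENOEXEC;       /* not ELF: let the scan continue */
    hook_calls++;
    for (const char **p = allowed; *p; p++)
        if (strcmp(*p, b->filename) == 0)
            return -ENOEXEC;   /* allowed: defer to the real ELF handler */
    return -EPERM;             /* unlisted: non-ENOEXEC error ends the scan */
}

/* The scan: the first handler answering anything but -ENOEXEC decides. */
static int search_binary_handler(struct binprm *b)
{
    for (struct binfmt *f = formats; f; f = f->next) {
        int rc = f->load_binary(b);
        if (rc != -ENOEXEC)
            return rc;
    }
    return -ENOEXEC;
}

static struct binfmt elf_fmt    = { "elf",       elf_load_binary,    NULL };
static struct binfmt script_fmt = { "script",    script_load_binary, NULL };
static struct binfmt hook_fmt   = { "exec-hook", hook_load_binary,   NULL };

/* Rebuild the list with the hook ahead of, or behind, the real handlers. */
static void setup(int hook_at_head)
{
    formats = NULL;
    hook_calls = 0;
    insert_fmt_tail(&elf_fmt);
    insert_fmt_tail(&script_fmt);
    if (hook_at_head)
        insert_fmt_head(&hook_fmt);
    else
        insert_fmt_tail(&hook_fmt);
}

/* Simulate exec of `path`, whose file starts with the HDR_LEN bytes in `hdr`. */
static int do_exec(const char *path, const char *hdr)
{
    struct binprm b = { .filename = path };
    memcpy(b.buf, hdr, HDR_LEN);
    return search_binary_handler(&b);
}

static int hook_seen(void) { return hook_calls; }

int main(void)
{
    const char *elf = "\x7f" "ELF";   /* split so 'E' is not read as a hex digit */
    setup(1);
    int a = do_exec("/bin/ls", elf), b = do_exec("/tmp/unlisted", elf);
    int c = do_exec("/tmp/run.sh", "#!/b");
    printf("hook at head: allowed=%d unlisted=%d script=%d, hook saw %d ELF execs\n",
           a, b, c, hook_seen());
    setup(0);
    int d = do_exec("/tmp/unlisted", elf);
    printf("hook at tail: unlisted=%d, hook saw %d ELF execs\n", d, hook_seen());
    return 0;
}
```

With the hook at the head of the list it sees every ELF exec, passes listed binaries through to the real handler (result 0) and refuses unlisted ones with -EPERM; with the hook registered behind the ELF handler the same unlisted binary runs and the hook is never called, which is the ordering consequence of "its load_binary will return 0" that Rajat points to. The model also makes Rohan's closing point concrete: a format handler is the wrong layer for an execution policy, and the kernel's LSM hooks are the supported place for it.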