From: rohan.puri15@gmail.com (rohan puri)
Date: Fri, 23 Sep 2011 14:04:06 +0530
Subject: Hooking exec system call
In-Reply-To: <4E7C4389.7070405@gmail.com>
References: <4E7AF090.6000402@gmail.com> <4E7C4389.7070405@gmail.com>
To: kernelnewbies@lists.kernelnewbies.org
List-Id: kernelnewbies.lists.kernelnewbies.org

On Fri, Sep 23, 2011 at 2:00 PM, Abhijit Pawar wrote:
> On 09/23/2011 01:01 PM, Rajat Sharma wrote:
>
>> Untidy way : -
>>> Yes, you can do that by registering a new binary format handler. Whenever
>>> exec is called, a list of registered binary format handlers is scanned, in
>>> the same way you can hook the load_binary & load_library function pointers
>>> of the already registered binary format handlers.
>>>
>> Challenge with this untidy way is to identify the correct format, for
>> example if you are interested in only hooking ELF format, there is no
>> special signature within the registered format handler to identify
>> that, however if one format handler recognizes the file header, its
>> load_binary will return 0. This can give you the hint that you are
>> sitting on top of the correct file format. Long time back I had written
>> a similar module in Linux to do the same, but can't share the code
>> :)
>>
>> -Rajat
>>
>> On Thu, Sep 22, 2011 at 3:14 PM, rohan puri wrote:
>>
>>> On Thu, Sep 22, 2011 at 1:53 PM, Abhijit Pawar wrote:
>>>
>>>> hi list,
>>>> Is there any way to hook the exec system call on a Linux box apart from
>>>> replacing the call in the System Call table?
>>>>
>>>> Regards,
>>>> Abhijit Pawar
>>>>
>>>> _______________________________________________
>>>> Kernelnewbies mailing list
>>>> Kernelnewbies at kernelnewbies.org
>>>> http://lists.kernelnewbies.org/mailman/listinfo/kernelnewbies
>>>>
>>> Tidy way : -
>>>
>>> You can do that from LSM (Linux security module).
>>>
>>> Untidy way : -
>>> Yes, you can do that by registering a new binary format handler. Whenever
>>> exec is called, a list of registered binary format handlers is scanned, in
>>> the same way you can hook the load_binary & load_library function pointers
>>> of the already registered binary format handlers.
>>>
>>> Regards,
>>> Rohan Puri
>>>
>
> So if I use the binary format handler, then I can hook the exec call.
> However, I need to register this. Does that mean that I need to return the
> negative value so as to have the actual ELF handler loaded?
>
> Regards,
> Abhijit Pawar
>

Read this, http://www.linux.it/~rubini/docs/binfmt/binfmt.html , this might help.

Regards,
Rohan Puri
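The thread describes two things that are easy to get wrong when writing a binfmt handler: the kernel walks its list of registered handlers in order and moves on to the next one whenever a handler's load_binary returns -ENOEXEC (which answers Abhijit's question about returning a negative value), and a handler can only tell what format it is "sitting on top of" by inspecting the file header itself, as Rajat notes. The following user-space model, added here as an illustration and not code from the thread or from the kernel, reproduces that walk with a toy handler list. The real kernel types are struct linux_binfmt and struct linux_binprm and the walk is done by search_binary_handler(); the toy_* names, the three sample handlers and the constructed headers below are assumptions made for the example, not kernel APIs, and the "log" handler is the monitoring-style handler the thread talks about: it records every exec it sees and always returns -ENOEXEC so the genuine ELF or script handler still loads the file.

```c
/* User-space model of the kernel's binary-format handler walk on exec.
 * Added illustrative code, not kernel source: the toy_* names stand in for
 * struct linux_binprm, struct linux_binfmt and search_binary_handler(). */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_HDR 16

/* Stand-in for struct linux_binprm: the file name and its first bytes. */
struct toy_binprm {
    const char *filename;
    unsigned char buf[MAX_HDR];
    size_t len;
};

/* Stand-in for struct linux_binfmt: a name, a load_binary hook, list link. */
struct toy_binfmt {
    const char *name;
    int (*load_binary)(struct toy_binprm *bprm);
    struct toy_binfmt *next;
};

static struct toy_binfmt *formats;       /* head of the handler list */
static const char *toy_last_claimed;     /* handler that accepted the last exec */
static int exec_log_count;               /* execs observed by the log handler */

/* ELF handler: claims only files that start with the magic 0x7f 'E' 'L' 'F'. */
static int load_elf_binary(struct toy_binprm *bprm)
{
    if (bprm->len < 4 || memcmp(bprm->buf, "\177ELF", 4) != 0)
        return -ENOEXEC;                 /* not ours: next handler gets a turn */
    toy_last_claimed = "elf";
    return 0;
}

/* Script handler: claims files that start with "#!". */
static int load_script(struct toy_binprm *bprm)
{
    if (bprm->len < 2 || bprm->buf[0] != '#' || bprm->buf[1] != '!')
        return -ENOEXEC;
    toy_last_claimed = "script";
    return 0;
}

/* Monitoring handler in the style the thread describes: it is scanned first,
 * records the exec, and returns -ENOEXEC so the real handler still loads it. */
static int load_log_only(struct toy_binprm *bprm)
{
    exec_log_count++;
    printf("exec observed: %s\n", bprm->filename);
    return -ENOEXEC;
}

static struct toy_binfmt elf_fmt    = { "elf",    load_elf_binary, NULL };
static struct toy_binfmt script_fmt = { "script", load_script,     NULL };
static struct toy_binfmt log_fmt    = { "log",    load_log_only,   NULL };

/* Insert at the head of the list (the kernel's insert_binfmt(); its
 * register_binfmt() appends at the tail instead). */
static void toy_insert_binfmt(struct toy_binfmt *fmt)
{
    fmt->next = formats;
    formats = fmt;
}

/* Model of search_binary_handler(): try handlers in list order until one
 * returns something other than -ENOEXEC; -ENOEXEC if nobody claims the file. */
static int toy_search_binary_handler(struct toy_binprm *bprm)
{
    toy_last_claimed = NULL;
    for (struct toy_binfmt *fmt = formats; fmt; fmt = fmt->next) {
        int ret = fmt->load_binary(bprm);
        if (ret != -ENOEXEC)
            return ret;
    }
    return -ENOEXEC;
}

/* Build a binprm from a constructed header and run the handler walk. */
static int toy_exec(const char *filename, const void *hdr, size_t len)
{
    struct toy_binprm bprm = { .filename = filename, .len = 0 };
    if (len > MAX_HDR)
        len = MAX_HDR;
    memcpy(bprm.buf, hdr, len);
    bprm.len = len;
    return toy_search_binary_handler(&bprm);
}

/* Register handlers; the log handler is inserted last, so it is scanned first. */
static void toy_setup(void)
{
    formats = NULL;
    exec_log_count = 0;
    toy_insert_binfmt(&elf_fmt);
    toy_insert_binfmt(&script_fmt);
    toy_insert_binfmt(&log_fmt);
}

int main(void)
{
    toy_setup();
    /* Constructed sample headers, not real files on disk. */
    int r1 = toy_exec("/bin/true", "\177ELF\2\1\1\0", 8);
    printf("elf    -> %d (%s)\n", r1, toy_last_claimed ? toy_last_claimed : "none");
    int r2 = toy_exec("./run.sh", "#!/bin/sh\n", 10);
    printf("script -> %d (%s)\n", r2, toy_last_claimed ? toy_last_claimed : "none");
    int r3 = toy_exec("./data.txt", "hello world", 11);
    printf("junk   -> %d (%s)\n", r3, toy_last_claimed ? toy_last_claimed : "none");
    printf("execs seen by log handler: %d\n", exec_log_count);
    return 0;
}
```

The point to take from the model is that list position decides what a handler sees: inserted at the head, the log handler observes every exec regardless of format, and because it never returns 0 it never changes which format actually loads. A handler that wants to act only on ELF has to check the header itself, exactly as the ELF handler here does, rather than inferring anything from the handler list.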