From: rohan.puri15@gmail.com (rohan puri)
Date: Mon, 26 Sep 2011 13:02:43 +0530
Subject: Hooking exec system call
In-Reply-To: <4E802A15.6000007@gmail.com>
References: <4E7AF090.6000402@gmail.com> <4E7C4389.7070405@gmail.com> <4E7C4DA2.4040903@gmail.com> <4E801C7D.2020100@gmail.com> <4E8022C9.1040508@gmail.com> <4E802A15.6000007@gmail.com>
Message-ID:
To: kernelnewbies@lists.kernelnewbies.org
List-Id: kernelnewbies.lists.kernelnewbies.org

On Mon, Sep 26, 2011 at 1:00 PM, Abhijit Pawar wrote:
> On 09/26/2011 12:57 PM, rohan puri wrote:
>> On Mon, Sep 26, 2011 at 12:29 PM, Abhijit Pawar wrote:
>>> On 09/26/2011 12:26 PM, rohan puri wrote:
>>>> On Mon, Sep 26, 2011 at 12:02 PM, Abhijit Pawar wrote:
>>>>> On 09/23/2011 03:11 PM, rohan puri wrote:
>>>>>> On Fri, Sep 23, 2011 at 2:43 PM, Abhijit Pawar wrote:
>>>>>>> On 09/23/2011 02:04 PM, rohan puri wrote:
>>>>>>>> On Fri, Sep 23, 2011 at 2:00 PM, Abhijit Pawar wrote:
>>>>>>>>> On 09/23/2011 01:01 PM, Rajat Sharma wrote:
>>>>>>>>>>> Untidy way :-
>>>>>>>>>>> Yes, you can do that by registering a new binary format handler.
>>>>>>>>>>> Whenever exec is called, a list of registered binary format
>>>>>>>>>>> handlers is scanned; in the same way you can hook the load_binary
>>>>>>>>>>> & load_library function pointers of the already registered
>>>>>>>>>>> binary format handlers.
>>>>>>>>>>
>>>>>>>>>> The challenge with this untidy way is to identify the correct
>>>>>>>>>> format. For example, if you are interested in hooking only the ELF
>>>>>>>>>> format, there is no special signature within the registered format
>>>>>>>>>> handler to identify that; however, if one format handler recognizes
>>>>>>>>>> the file header, its load_binary will return 0. This can give you
>>>>>>>>>> the hint that you are sitting on top of the correct file format.
>>>>>>>>>> Long time back I had written a similar module in Linux to do the
>>>>>>>>>> same, but can't share the code :)
>>>>>>>>>>
>>>>>>>>>> -Rajat
>>>>>>>>>>
>>>>>>>>>> On Thu, Sep 22, 2011 at 3:14 PM, rohan puri wrote:
>>>>>>>>>>> On Thu, Sep 22, 2011 at 1:53 PM, Abhijit Pawar <apawar.linux at gmail.com> wrote:
>>>>>>>>>>>> Hi list,
>>>>>>>>>>>> Is there any way to hook the exec system call on a Linux box
>>>>>>>>>>>> apart from replacing the call in the System Call table?
>>>>>>>>>>>>
>>>>>>>>>>>> Regards,
>>>>>>>>>>>> Abhijit Pawar
>>>>>>>>>>>>
>>>>>>>>>>>> _______________________________________________
>>>>>>>>>>>> Kernelnewbies mailing list
>>>>>>>>>>>> Kernelnewbies at kernelnewbies.org
>>>>>>>>>>>> http://lists.kernelnewbies.org/mailman/listinfo/kernelnewbies
>>>>>>>>>>>
>>>>>>>>>>> Tidy way :-
>>>>>>>>>>>
>>>>>>>>>>> You can do that from LSM (Linux security module).
>>>>>>>>>>>
>>>>>>>>>>> Untidy way :-
>>>>>>>>>>> Yes, you can do that by registering a new binary format handler.
>>>>>>>>>>> Whenever exec is called, a list of registered binary format
>>>>>>>>>>> handlers is scanned; in the same way you can hook the load_binary
>>>>>>>>>>> & load_library function pointers of the already registered
>>>>>>>>>>> binary format handlers.
>>>>>>>>>>>
>>>>>>>>>>> Regards,
>>>>>>>>>>> Rohan Puri
>>>>>>>>>
>>>>>>>>> So if I use the binary format handler, then I can hook the exec
>>>>>>>>> call. However, I need to register this. Does that mean that I need
>>>>>>>>> to return a negative value so as to have the actual ELF handler
>>>>>>>>> loaded?
>>>>>>>>>
>>>>>>>>> Regards,
>>>>>>>>> Abhijit Pawar
>>>>>>>>
>>>>>>>> Read this, http://www.linux.it/~rubini/docs/binfmt/binfmt.html
>>>>>>>> This might help.
>>>>>>>>
>>>>>>>> Regards,
>>>>>>>> Rohan Puri
>>>>>>>
>>>>>>> Thanks Rohan. I tried creating a hooking module on similar lines.
>>>>>>> I am able to load the module, but whenever I am launching any
>>>>>>> application, its load_binary is not being called.
>>>>>>> Here is the source for the module, attached.
>>>>>>>
>>>>>>> Regards,
>>>>>>> Abhijit Pawar
>>>>>>
>>>>>> Hi Abhijit,
>>>>>>
>>>>>> I have made the change; try to compile and execute this code, it works.
>>>>>>
>>>>>> Also, I am just curious enough to know where you need to do this
>>>>>> hooking.
>>>>>>
>>>>>> Regards,
>>>>>> Rohan Puri
>>>>>
>>>>> Hi Rohan,
>>>>> I have been looking at the Windows world's ability to support DLL
>>>>> injection and API hooking. I was just wondering if this could be
>>>>> something to be done in Linux as well. I am not sure if there is any
>>>>> special use of this module apart from learning the binary handler.
>>>>> Maybe it could be used as a security module for your own binary
>>>>> handler.
>>>>>
>>>>> Regards,
>>>>> Abhijit Pawar
>>>>
>>>> Hi Abhijit,
>>>>
>>>> I am not familiar with Windows. A special use-case of this hacking is
>>>> for security companies' whitelisting software solutions, where they
>>>> want to control execution of only authorized binaries on the system
>>>> and deny the execution of others.
>>>>
>>>> This approach is untidy, though, since there are LSM hooks available
>>>> in the Linux kernel which need to be made use of for doing this.
>>>>
>>>> Regards,
>>>> Rohan Puri
>>>
>>> Hi Rohan,
>>> Yes, this is a backdoor approach and I agree with you. I am learning
>>> more on LSM and their APIs so as to get insight into what goes on
>>> internally. Maybe you can refer me to some details as well.
>>>
>>> Thanks for all of your help on this.
>>>
>>> Regards,
>>> Abhijit Pawar
>>
>> Hi Abhijit,
>>
>> There is one whitepaper on LSM available on the internet by Greg
>> Kroah-Hartman and others; it's good to start with.
>>
>> Also, I am keen to know, are all these things you are studying part of
>> any project or just for knowledge?
>>
>> Regards,
>> Rohan Puri
>
> Thanks Rohan. I will take a look at this paper. I am learning LSM and
> hooking for Windows and its counterpart in Linux. This is purely for
> getting knowledge, but it would be good if I can do something with this,
> maybe in future. :)
>
> Regards,
> Abhijit Pawar

Cool!!!

Regards,
Rohan Puri
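Added example, not code from this thread or from the kernel: a userspace model of the dispatch the thread describes, the kernel walking its list of registered binary format handlers (search_binary_handler() in fs/exec.c) and stopping at the first load_binary that returns anything other than -ENOEXEC. It answers the return-value question: a hooking handler returns -ENOEXEC to let the real ELF loader take the image, and any other negative errno to abort the exec. It also shows the pitfall a practitioner hits first: register_binfmt() appends to the list, so a hook registered that way sits behind binfmt_elf, which returns 0 for every ELF file, and the hook never runs for them; insert_binfmt() puts a handler at the head. The hook classifies the image from the file's own magic bytes, which is the only way to tell "this is ELF" since, as Rajat notes, the handler list carries no per-format signature. The struct definitions are cut-down stand-ins for struct linux_binfmt and struct linux_binprm (no struct pt_regs argument, no locking or module refcounts), and the whitelist paths and file headers are constructed for the demo.

```c
/* Userspace model of search_binary_handler() (fs/exec.c): what a hooking
 * load_binary must return and why its position in the list matters.  Added
 * example, not code from the thread or the kernel; the structs are cut-down
 * stand-ins for struct linux_binfmt / struct linux_binprm. */
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#define BINPRM_BUF_SIZE 128 /* header bytes the kernel reads into bprm->buf */
struct linux_binprm { const char *filename; unsigned char buf[BINPRM_BUF_SIZE]; };
struct linux_binfmt {
    int (*load_binary)(struct linux_binprm *bprm);
    struct linux_binfmt *next;
};
static struct linux_binfmt *formats; /* handler list; the head is tried first */
/* register_binfmt() appends, insert_binfmt() prepends (__register_binfmt, fs/exec.c). */
static void register_binfmt(struct linux_binfmt *fmt)
{
    struct linux_binfmt **pp = &formats;
    while (*pp)
        pp = &(*pp)->next;
    fmt->next = NULL;
    *pp = fmt;
}
static void insert_binfmt(struct linux_binfmt *fmt)
{
    fmt->next = formats;
    formats = fmt;
}
/* Stand-ins for binfmt_elf and binfmt_script: 0 on a magic match ("image
 * loaded", the search stops), -ENOEXEC otherwise so the next handler runs. */
static int load_elf_binary(struct linux_binprm *bprm)
{
    return memcmp(bprm->buf, "\177ELF", 4) == 0 ? 0 : -ENOEXEC;
}
static int load_script(struct linux_binprm *bprm)
{
    return (bprm->buf[0] == '#' && bprm->buf[1] == '!') ? 0 : -ENOEXEC;
}
static const char *const allowed_elf[] = { "/bin/ls", "/usr/sbin/sshd" }; /* constructed */
/* The hook: -ENOEXEC means "not mine, keep searching", so an allowed file
 * falls through to the real ELF loader; any other negative errno ends the
 * search and the exec() fails with it. */
static int hook_load_binary(struct linux_binprm *bprm)
{
    /* The list carries no per-format signature, so classify the image from
     * its own header bytes, the same way binfmt_elf does. */
    if (memcmp(bprm->buf, "\177ELF", 4) != 0)
        return -ENOEXEC;
    for (size_t i = 0; i < sizeof allowed_elf / sizeof allowed_elf[0]; i++)
        if (strcmp(bprm->filename, allowed_elf[i]) == 0)
            return -ENOEXEC; /* whitelisted: let binfmt_elf load it */
    return -EPERM;           /* denied */
}
/* Model of the kernel loop: the first result other than -ENOEXEC wins. */
static int search_binary_handler(struct linux_binprm *bprm)
{
    int retval = -ENOEXEC;
    for (struct linux_binfmt *fmt = formats; fmt; fmt = fmt->next) {
        retval = fmt->load_binary(bprm);
        if (retval != -ENOEXEC)
            break;
    }
    return retval;
}
static struct linux_binfmt elf_format = { load_elf_binary, NULL };
static struct linux_binfmt script_format = { load_script, NULL };
static struct linux_binfmt hook_format = { hook_load_binary, NULL };
/* The list as a booted kernel has it (elf, script), plus the hook at the
 * tail (register_binfmt) or at the head (insert_binfmt). */
static void setup_formats(bool hook_at_head)
{
    formats = NULL;
    register_binfmt(&elf_format);
    register_binfmt(&script_format);
    if (hook_at_head)
        insert_binfmt(&hook_format);
    else
        register_binfmt(&hook_format);
}
/* Rebuild the list with the hook at the tail or the head, then simulate
 * exec(path) for a file whose first len bytes are hdr. */
static int exec_with_hook(bool hook_at_head, const char *path, const char *hdr, size_t len)
{
    struct linux_binprm bprm = { .filename = path };
    setup_formats(hook_at_head);
    memcpy(bprm.buf, hdr, len < BINPRM_BUF_SIZE ? len : BINPRM_BUF_SIZE);
    return search_binary_handler(&bprm);
}
int main(void)
{
    const char elf[] = "\177ELF\002\001\001"; /* constructed ELF64 LSB header start */
    /* hook appended after binfmt_elf (register_binfmt): never consulted for ELF */
    printf("tail hook, /tmp/evil: %d\n", exec_with_hook(false, "/tmp/evil", elf, 7)); /* 0 */
    /* hook at the head (insert_binfmt): it decides before binfmt_elf runs */
    printf("head hook, /tmp/evil: %d\n", exec_with_hook(true, "/tmp/evil", elf, 7));  /* -EPERM */
    printf("head hook, /bin/ls:   %d\n", exec_with_hook(true, "/bin/ls", elf, 7));    /* 0 */
    return 0;
}
```

The model keeps only the part of the kernel loop that matters for a hook: a 0 return stops the search with the image loaded, -ENOEXEC hands the file to the next handler, and any other error aborts the exec. In a real kernel the same allow/deny decision is what the LSM bprm_check_security hook exists for, which is the "tidy way" the thread points to: it runs for every exec before any binfmt handler is consulted and returns 0 to allow or a negative errno to refuse, with no dependence on list order.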