From mboxrd@z Thu Jan 1 00:00:00 1970 From: rohan.puri15@gmail.com (rohan puri) Date: Mon, 26 Sep 2011 12:57:35 +0530 Subject: Hooking exec system call In-Reply-To: <4E8022C9.1040508@gmail.com> References: <4E7AF090.6000402@gmail.com> <4E7C4389.7070405@gmail.com> <4E7C4DA2.4040903@gmail.com> <4E801C7D.2020100@gmail.com> <4E8022C9.1040508@gmail.com> Message-ID: To: kernelnewbies@lists.kernelnewbies.org List-Id: kernelnewbies.lists.kernelnewbies.org On Mon, Sep 26, 2011 at 12:29 PM, Abhijit Pawar wrote: > On 09/26/2011 12:26 PM, rohan puri wrote: > > > > On Mon, Sep 26, 2011 at 12:02 PM, Abhijit Pawar wrote: > >> On 09/23/2011 03:11 PM, rohan puri wrote: >> >> >> >> On Fri, Sep 23, 2011 at 2:43 PM, Abhijit Pawar wrote: >> >>> On 09/23/2011 02:04 PM, rohan puri wrote: >>> >>> >>> >>> On Fri, Sep 23, 2011 at 2:00 PM, Abhijit Pawar wrote: >>> >>>> On 09/23/2011 01:01 PM, Rajat Sharma wrote: >>>> >>>>> Untidy way : - >>>>>> Yes, you can do that by registering a new binary format handler. >>>>>> Whenever >>>>>> exec is called, a list of registered binary format handlers is >>>>>> scanned, in >>>>>> the same way you can hook the load_binary& load_library function >>>>>> pointers >>>>>> of the already registered binary format handlers. >>>>>> >>>>> Challenge with this untidy way is to identify the correct format, for >>>>> example if you are interested in only hooking ELF format, there is no >>>>> special signature withing the registered format handler to identify >>>>> that, however if one format handler recognizes the file header, its >>>>> load_binary will return 0. This can give you the hint that you are >>>>> sitting on top of correct file format. Long time back I had written >>>>> the similar module in Linux to do the same, but can't share the code >>>>> :) >>>>> >>>>> -Rajat >>>>> >>>>> On Thu, Sep 22, 2011 at 3:14 PM, rohan puri >>>>> wrote: >>>>> >>>>>> >>>>>> On Thu, Sep 22, 2011 at 1:53 PM, Abhijit Pawar>>>>> > >>>>>> wrote: >>>>>> >>>>>>> hi list, >>>>>>> Is there any way to hook the exec system call on Linux box apart from >>>>>>> replacing the call in System Call table? >>>>>>> >>>>>>> Regards, >>>>>>> Abhijit Pawar >>>>>>> >>>>>>> _______________________________________________ >>>>>>> Kernelnewbies mailing list >>>>>>> Kernelnewbies at kernelnewbies.org >>>>>>> http://lists.kernelnewbies.org/mailman/listinfo/kernelnewbies >>>>>>> >>>>>> Tidy way : - >>>>>> >>>>>> You can do that from LSM (Linux security module). >>>>>> >>>>>> Untidy way : - >>>>>> Yes, you can do that by registering a new binary format handler. >>>>>> Whenever >>>>>> exec is called, a list of registered binary format handlers is >>>>>> scanned, in >>>>>> the same way you can hook the load_binary& load_library function >>>>>> pointers >>>>>> of the already registered binary format handlers. >>>>>> >>>>>> Regards, >>>>>> Rohan Puri >>>>>> >>>>>> _______________________________________________ >>>>>> Kernelnewbies mailing list >>>>>> Kernelnewbies at kernelnewbies.org >>>>>> http://lists.kernelnewbies.org/mailman/listinfo/kernelnewbies >>>>>> >>>>>> >>>>>> So If I use the binary format handler, then I can hook the exec >>>> call. however I need to register this. Does that mean that I need to return >>>> the negative value so as to have actual ELF handler to be loaded? >>>> >>>> Regards, >>>> Abhijit Pawar >>>> >>>> Read this, http://www.linux.it/~rubini/docs/binfmt/binfmt.html this >>> might help >>> >>> Regards, >>> Rohan Puri >>> >>> Thanks Rohan. I tried creating a hooking module on the similar line. I >>> am able to load the module but whenever I am launching any application , its >>> load_binary is not being called. >>> here is the source for the module attached. >>> >>> Regards, >>> Abhijit Pawar >>> >>> >>> >> Hi Abhijit, >> >> I have made the change, try to compile and execute this code, it works. >> >> Also, I am just curious enough to know that where do you need to do this >> hooking. >> >> Regards, >> Rohan Puri >> >> Hi Rohan, >> I have been looking at Windows worlds ability to support DLL Injection and >> API hooking. I was just wondering if this could be something to be done in >> Linux as well. I am not sure if there is any special use of this module >> apart from learning the binary handler. May be it could be used as a >> security module for your own binary handler. >> >> Regards, >> Abhijit Pawar >> > > Hi Abhijit, > > I am not familiar with windows. Special use-case of this hacking is for > security companies whitelisting software solutions, where they want to > control execution of only authorized binaries on the system and deny the > execution of others. > > > Although this approach is untidy, since there is available LSM hooks in > linux kernel which needs to be made use of for doing this. > > Regards, > Rohan Puri > > Hi Rohan, > Yes, this is a backdoor approach and I agree with you. I am learning more > on LSM and their APIs so as to get insight into what goes on internally. May > be you can refer me to some details as well. > > Thanks for all of your help on this. > > Regards, > Abhijit Pawar > Hi Abhijit, There is one whitepaper of lsm available on internet by Greg Kroah-Hartman and others, its good to start with. Also, I am keen to now, do all these things you are studying are part of any project or just for knowledge. Regards, Rohan Puri -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.kernelnewbies.org/pipermail/kernelnewbies/attachments/20110926/a2bfb9b5/attachment.html