From: rohan.puri15@gmail.com (rohan puri)
To: kernelnewbies@lists.kernelnewbies.org
Subject: Hooking exec system call
Date: Mon, 26 Sep 2011 12:26:11 +0530 [thread overview]
Message-ID: <CALJfu6PrYa1HPcrEEHFkp_3NjfEFKk7E3f0zFYDoYELs36Pi=A@mail.gmail.com> (raw)
In-Reply-To: <4E801C7D.2020100@gmail.com>
On Mon, Sep 26, 2011 at 12:02 PM, Abhijit Pawar <apawar.linux@gmail.com>wrote:
> On 09/23/2011 03:11 PM, rohan puri wrote:
>
>
>
> On Fri, Sep 23, 2011 at 2:43 PM, Abhijit Pawar <apawar.linux@gmail.com>wrote:
>
>> On 09/23/2011 02:04 PM, rohan puri wrote:
>>
>>
>>
>> On Fri, Sep 23, 2011 at 2:00 PM, Abhijit Pawar <apawar.linux@gmail.com>wrote:
>>
>>> On 09/23/2011 01:01 PM, Rajat Sharma wrote:
>>>
>>>> Untidy way : -
>>>>> Yes, you can do that by registering a new binary format handler.
>>>>> Whenever
>>>>> exec is called, a list of registered binary format handlers is scanned,
>>>>> in
>>>>> the same way you can hook the load_binary& load_library function
>>>>> pointers
>>>>> of the already registered binary format handlers.
>>>>>
>>>> Challenge with this untidy way is to identify the correct format, for
>>>> example if you are interested in only hooking ELF format, there is no
>>>> special signature withing the registered format handler to identify
>>>> that, however if one format handler recognizes the file header, its
>>>> load_binary will return 0. This can give you the hint that you are
>>>> sitting on top of correct file format. Long time back I had written
>>>> the similar module in Linux to do the same, but can't share the code
>>>> :)
>>>>
>>>> -Rajat
>>>>
>>>> On Thu, Sep 22, 2011 at 3:14 PM, rohan puri<rohan.puri15@gmail.com>
>>>> wrote:
>>>>
>>>>>
>>>>> On Thu, Sep 22, 2011 at 1:53 PM, Abhijit Pawar<apawar.linux@gmail.com>
>>>>> wrote:
>>>>>
>>>>>> hi list,
>>>>>> Is there any way to hook the exec system call on Linux box apart from
>>>>>> replacing the call in System Call table?
>>>>>>
>>>>>> Regards,
>>>>>> Abhijit Pawar
>>>>>>
>>>>>> _______________________________________________
>>>>>> Kernelnewbies mailing list
>>>>>> Kernelnewbies at kernelnewbies.org
>>>>>> http://lists.kernelnewbies.org/mailman/listinfo/kernelnewbies
>>>>>>
>>>>> Tidy way : -
>>>>>
>>>>> You can do that from LSM (Linux security module).
>>>>>
>>>>> Untidy way : -
>>>>> Yes, you can do that by registering a new binary format handler.
>>>>> Whenever
>>>>> exec is called, a list of registered binary format handlers is scanned,
>>>>> in
>>>>> the same way you can hook the load_binary& load_library function
>>>>> pointers
>>>>> of the already registered binary format handlers.
>>>>>
>>>>> Regards,
>>>>> Rohan Puri
>>>>>
>>>>> _______________________________________________
>>>>> Kernelnewbies mailing list
>>>>> Kernelnewbies at kernelnewbies.org
>>>>> http://lists.kernelnewbies.org/mailman/listinfo/kernelnewbies
>>>>>
>>>>>
>>>>> So If I use the binary format handler, then I can hook the exec
>>> call. however I need to register this. Does that mean that I need to return
>>> the negative value so as to have actual ELF handler to be loaded?
>>>
>>> Regards,
>>> Abhijit Pawar
>>>
>>> Read this, http://www.linux.it/~rubini/docs/binfmt/binfmt.html this
>> might help
>>
>> Regards,
>> Rohan Puri
>>
>> Thanks Rohan. I tried creating a hooking module on the similar line. I
>> am able to load the module but whenever I am launching any application , its
>> load_binary is not being called.
>> here is the source for the module attached.
>>
>> Regards,
>> Abhijit Pawar
>>
>>
>>
> Hi Abhijit,
>
> I have made the change, try to compile and execute this code, it works.
>
> Also, I am just curious enough to know that where do you need to do this
> hooking.
>
> Regards,
> Rohan Puri
>
> Hi Rohan,
> I have been looking at Windows worlds ability to support DLL Injection and
> API hooking. I was just wondering if this could be something to be done in
> Linux as well. I am not sure if there is any special use of this module
> apart from learning the binary handler. May be it could be used as a
> security module for your own binary handler.
>
> Regards,
> Abhijit Pawar
>
Hi Abhijit,
I am not familiar with windows. Special use-case of this hacking is for
security companies whitelisting software solutions, where they want to
control execution of only authorized binaries on the system and deny the
execution of others.
Although this approach is untidy, since there is available LSM hooks in
linux kernel which needs to be made use of for doing this.
Regards,
Rohan Puri
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.kernelnewbies.org/pipermail/kernelnewbies/attachments/20110926/085cd816/attachment.html
next prev parent reply other threads:[~2011-09-26 6:56 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-09-22 8:23 Hooking exec system call Abhijit Pawar
2011-09-22 8:50 ` Christophe Hauser
2011-09-22 9:44 ` rohan puri
2011-09-23 7:31 ` Rajat Sharma
2011-09-23 8:30 ` Abhijit Pawar
2011-09-23 8:34 ` rohan puri
2011-09-23 9:13 ` Abhijit Pawar
2011-09-23 9:41 ` rohan puri
2011-09-26 6:32 ` Abhijit Pawar
2011-09-26 6:56 ` rohan puri [this message]
2011-09-26 6:59 ` Abhijit Pawar
2011-09-26 7:27 ` rohan puri
2011-09-26 7:30 ` Abhijit Pawar
2011-09-26 7:32 ` rohan puri
2011-09-22 16:57 ` Mulyadi Santosa
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CALJfu6PrYa1HPcrEEHFkp_3NjfEFKk7E3f0zFYDoYELs36Pi=A@mail.gmail.com' \
--to=rohan.puri15@gmail.com \
--cc=kernelnewbies@lists.kernelnewbies.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.