intercepting execve syscall !

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Hi guys first a red flag: I am very (beyond imagination) new to the linux
kernel development world!  Now, i am writing a LKM that intercept execve
everytime someone tries to run a binary or a script.  The reason i wanna do
this is because i want to be able to call out to a user level program (like
tripwire) to check the integrity of the to be executed binary using hash
code.  I found execve to be the only reliable way of making sure that my
integrity check code get executed before the actual binary.  Having said
that, let me state my initial problem:

When i run the following code i don't see any text message printed out on
the console.

#define MODULE
#define __KERNEL__

#include <linux/module.h>
#include <linux/kernel.h>
#include <asm/unistd.h>
#include <sys/syscall.h>
#include <asm/errno.h>

extern void* sys_call_table[];

/*must be defined because of syscall macro used below*/
int errno;

/Definition of my systemcall*/
int __NR_myexecve;

int (*orig_execve) (const char *, const char *[], const char *[]);

/*systemcall macro called with SYS_execve*/
int my_execve(const char *filename, const char *argv[], const char *envp[])
{
    long __res;
    __asm__ volatile ("int $0x80":"=a" (__res):"0"(__NR_myexecve),
"b"((long)
                     (filename)), "c"((long) (argv)),
"d"(
(long) (envp)));
    return (int) __res;
}


int changed_execve(const char *filename, const char *argv[], const char
*envp[])
{
  printk("Put the hash logic here !   [ok] \n");
 return my_execve(filename, argv, envp);
}

int init_module(void)
{
  printk("Kernel module inserting......");
 /*the following lines choose the systemcall number of my new myexecve*/
 __NR_myexecve = 200;
 while (__NR_myexecve != 0 && sys_call_table[__NR_myexecve] != 0)
  __NR_myexecve--;

 orig_execve = sys_call_table[SYS_execve];
 if (__NR_myexecve != 0)
 {
  sys_call_table[__NR_myexecve] = orig_execve;
  sys_call_table[SYS_execve] = (void *) changed_execve;
 }
 return 0;
}

void cleanup_module(void)
{
 if (sys_call_table[SYS_execve] != changed_execve)
 {
   printk("System Call already changed ");
   printk("System may be in unstable state.\n");
 } 
 sys_call_table[SYS_execve] = orig_execve;
}

Below is my makefile:

changed_execve.o:	changed_execve.C /usr/include/linux/version.h
			gcc -Wall -DLINUX -c changed_execve.C

Now another problem is version.h doesn't match the version of the kernel
that's is actually running on my machine.

If there is another quick and dirty of accomplishing this task kindly let me
know that as well.

I will really appriciate a response ASAP.

thx.

Khurram Chaudry
Security Engineer
AVITA
Northrop Grumman Information Technology
chaudry_khurram@prc.com

-
Kernelnewbies: Help each other learn about the Linux kernel.
Archive:       http://mail.nl.linux.org/kernelnewbies/
IRC Channel:   irc.openprojects.net / #kernelnewbies
Web Page:      http://www.kernelnewbies.org/
[Index of Archives]     [Newbies FAQ]     [Linux Kernel Mentors]     [Linux Kernel Development]     [IETF Annouce]     [Git]     [Networking]     [Security]     [Bugtraq]     [Yosemite]     [MIPS Linux]     [ARM Linux]     [Linux RAID]     [Linux SCSI]     [Linux ACPI]
  Powered by Linux