On 09/23/2011 01:01 PM, Rajat Sharma wrote:
>> Untidy way : -
>> Yes, you can do that by registering a new binary format handler. Whenever
>> exec is called, a list of registered binary format handlers is scanned, in
>> the same way you can hook the load_binary & load_library function pointers
>> of the already registered binary format handlers.
> Challenge with this untidy way is to identify the correct format, for
> example if you are interested in only hooking ELF format, there is no
> special signature within the registered format handler to identify
> that, however if one format handler recognizes the file header, its
> load_binary will return 0. This can give you the hint that you are
> sitting on top of the correct file format. A long time back I had written
> a similar module in Linux to do the same, but can't share the code
> :)
>
> -Rajat
>
> On Thu, Sep 22, 2011 at 3:14 PM, rohan puri <rohan.puri15@xxxxxxxxx> wrote:
>>
>> On Thu, Sep 22, 2011 at 1:53 PM, Abhijit Pawar <apawar.linux@xxxxxxxxx>
>> wrote:
>>> Hi list,
>>> Is there any way to hook the exec system call on a Linux box apart from
>>> replacing the call in the system call table?
>>>
>>> Regards,
>>> Abhijit Pawar
>>>
>>> _______________________________________________
>>> Kernelnewbies mailing list
>>> Kernelnewbies@xxxxxxxxxxxxxxxxx
>>> http://lists.kernelnewbies.org/mailman/listinfo/kernelnewbies
>> Tidy way : -
>>
>> You can do that from LSM (Linux security module).
>>
>> Untidy way : -
>> Yes, you can do that by registering a new binary format handler. Whenever
>> exec is called, a list of registered binary format handlers is scanned, in
>> the same way you can hook the load_binary & load_library function pointers
>> of the already registered binary format handlers.
>>
>> Regards,
>> Rohan Puri
>>
>>
So if I use the binary format handler, then I can hook the exec call.
However, I need to register this. Does that mean that I need to return
a negative value so as to have the actual ELF handler loaded?

Regards,
Abhijit Pawar
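Added example, not from the thread and not kernel source: a userspace C model of how fs/exec.c walks the registered binary format handlers, written to put Abhijit's last question and Rajat's "load_binary will return 0" hint into code. It assumes the dispatch rules of search_binary_handler as I know them: a handler that returns -ENOEXEC is skipped and the next one is tried, a return of 0 means the image was loaded and the walk stops, and any other negative value fails the exec with that error. It also assumes that register_binfmt() appends to the tail of the handler list while insert_binfmt() puts the new handler at the head. The struct and function names mirror <linux/binfmts.h> so the shape carries over, but pt_regs, the mm handling, locking and module refcounting are left out, and the ELF loader is a stand-in that only checks the magic bytes. The sample headers fed to exec_file() are constructed for the example.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Shapes follow <linux/binfmts.h>; pt_regs, mm and refcounting are left out. */
struct linux_binprm {
    char buf[128];                      /* first bytes of the file, read before dispatch */
};
struct linux_binfmt {
    const char *name;
    int (*load_binary)(struct linux_binprm *bprm);
    struct linux_binfmt *next;
};
static struct linux_binfmt *formats;    /* head of the handler list */

/* Assumed kernel behaviour: register_binfmt() appends at the tail, insert_binfmt()
 * puts the handler at the head. A hook at the tail never sees an ELF exec: ELF
 * accepts the file first and the walk stops, so a hook module needs insert_binfmt(). */
static void register_binfmt(struct linux_binfmt *fmt)
{
    struct linux_binfmt **pp = &formats;
    while (*pp)
        pp = &(*pp)->next;
    fmt->next = NULL;
    *pp = fmt;
}
static void insert_binfmt(struct linux_binfmt *fmt)
{
    fmt->next = formats;
    formats = fmt;
}

/* The walk: -ENOEXEC from a handler means "not mine, try the next one";
 * 0 means "loaded, stop"; any other negative value aborts the exec. */
static int search_binary_handler(struct linux_binprm *bprm)
{
    struct linux_binfmt *fmt;
    int ret = -ENOEXEC;
    for (fmt = formats; fmt; fmt = fmt->next) {
        ret = fmt->load_binary(bprm);
        if (ret != -ENOEXEC)            /* loaded (>= 0) or hard error: stop here */
            return ret;
    }
    return ret;
}

/* Stand-in for the real ELF loader: it only checks the magic bytes. */
static int load_elf_binary(struct linux_binprm *bprm)
{
    return memcmp(bprm->buf, "\x7f" "ELF", 4) == 0 ? 0 : -ENOEXEC;
}
static struct linux_binfmt elf_format = { "elf", load_elf_binary, NULL };

/* Approach 1: a pass-through handler in front of everyone else. */
static int hook_calls;
static int hook_load_binary(struct linux_binprm *bprm)
{
    (void)bprm;
    hook_calls++;                       /* log, audit or veto the exec here */
    /* Decline so the real handler still loads the file; returning e.g. -EPERM
     * instead would make the exec() fail with that error. */
    return -ENOEXEC;
}
static struct linux_binfmt hook_format = { "exec-hook", hook_load_binary, NULL };

/* Approach 2: wrap the ELF handler's load_binary pointer; its return value
 * tells us whether the file really was an ELF image (Rajat's hint). */
static int (*orig_elf_load)(struct linux_binprm *);
static int elf_accepted;
static int wrapped_elf_load(struct linux_binprm *bprm)
{
    int ret = orig_elf_load(bprm);
    if (ret == 0)
        elf_accepted++;
    return ret;
}

/* Build the chain as a booted kernel plus a hook module would. */
void setup_chain(void)
{
    formats = NULL;
    hook_calls = elf_accepted = 0;
    register_binfmt(&elf_format);       /* registered at boot */
    insert_binfmt(&hook_format);        /* hook module: goes to the head */
    orig_elf_load = elf_format.load_binary;
    elf_format.load_binary = wrapped_elf_load;
}

/* Simulate exec() on a file whose first `len` bytes are `header` (constructed input). */
int exec_file(const void *header, size_t len)
{
    struct linux_binprm bprm;
    memset(&bprm, 0, sizeof bprm);
    memcpy(bprm.buf, header, len < sizeof bprm.buf ? len : sizeof bprm.buf);
    return search_binary_handler(&bprm);
}
int hook_call_count(void)  { return hook_calls; }
int elf_accept_count(void) { return elf_accepted; }
```

Under these rules the answer to the question is: the hook's load_binary has to return -ENOEXEC specifically, not just any negative value, and the handler has to be registered with insert_binfmt(), otherwise the ELF handler that was registered at boot sits ahead of it and accepts the file before the hook is reached. After setup_chain(), exec_file() on a "\x7fELF" header returns 0 with the hook called once and the ELF loader accepting once; an "MZ" header returns -ENOEXEC, the hook is still called, and the ELF accept count does not move. A real module additionally sets .module = THIS_MODULE in the struct and calls unregister_binfmt() on exit; overwriting another handler's function pointer (approach 2) has no kernel API or locking behind it, which is one reason the LSM route Rohan calls the tidy way is the supported one.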