On 09/23/2011 02:04 PM, rohan puri wrote:
On Fri, Sep 23, 2011 at 2:00 PM, Abhijit Pawar <apawar.linux@xxxxxxxxx> wrote:
On 09/23/2011 01:01 PM, Rajat Sharma wrote:
Untidy way : -
Yes, you can do that by registering a new binary format handler. Whenever exec is called, a list of registered binary format handlers is scanned; in the same way you can hook the load_binary & load_library function pointers of the already registered binary format handlers.
The challenge with this untidy way is to identify the correct format. For example, if you are interested in only hooking the ELF format, there is no special signature within the registered format handler to identify that; however, if one format handler recognizes the file header, its load_binary will return 0. This can give you the hint that you are sitting on top of the correct file format. A long time back I had written a similar module in Linux to do the same, but can't share the code :)
-Rajat
On Thu, Sep 22, 2011 at 3:14 PM, rohan puri <rohan.puri15@xxxxxxxxx> wrote:
On Thu, Sep 22, 2011 at 1:53 PM, Abhijit Pawar <apawar.linux@xxxxxxxxx> wrote:
hi list,
Is there any way to hook the exec system call on a Linux box apart from replacing the call in the System Call table?
Regards,
Abhijit Pawar
_______________________________________________
Kernelnewbies mailing list
Kernelnewbies@xxxxxxxxxxxxxxxxx
http://lists.kernelnewbies.org/mailman/listinfo/kernelnewbies
Tidy way : -
You can do that from LSM (Linux security module).
Untidy way : -
Yes, you can do that by registering a new binary format handler. Whenever exec is called, a list of registered binary format handlers is scanned; in the same way you can hook the load_binary & load_library function pointers of the already registered binary format handlers.
Regards,
Rohan Puri
So if I use the binary format handler, then I can hook the exec call. However, I need to register this. Does that mean that I need to return a negative value so as to have the actual ELF handler be loaded?
Regards,
Abhijit Pawar
Read this: http://www.linux.it/~rubini/docs/binfmt/binfmt.html — this might help.
Regards,
Rohan Puri
Thanks Rohan. I tried creating a hooking module along similar lines.
I am able to load the module, but whenever I am launching any application, its load_binary is not being called.
Here is the source for the module, attached.
Regards,
Abhijit Pawar
#include <linux/module.h>
#include <linux/kernel.h>
#include <linux/sched.h>
#include <linux/binfmts.h>
#include <linux/fs.h>
#include <linux/errno.h>

/* The hook function: log the exec, then return -ENOEXEC so that
 * search_binary_handler() moves on to the next registered handler. */
static int load_hook(struct linux_binprm *bprm, struct pt_regs *regs)
{
	printk(KERN_INFO "Abhijit::The file execution hooked\n");
	printk(KERN_INFO "Abhijit::The file being launched is : %s\n", bprm->filename);
	/* return search_binary_handler(bprm, regs); */
	return -ENOEXEC;
}

/* load_shlib receives the library's struct file, not a file descriptor */
static int hook_shlib(struct file *file)
{
	printk(KERN_INFO "Abhijit::hooking shared lib\n");
	return -1;
}

/* core_dump receives a struct coredump_params on 2.6.33 and later kernels */
static int hook_core_dump(struct coredump_params *cprm)
{
	printk(KERN_INFO "Abhijit::hooking core dump\n");
	return -1;
}

/* The structure that registers the hook */
static struct linux_binfmt hook_format = {
	.module = THIS_MODULE,
	.load_binary = load_hook,
	.load_shlib = hook_shlib,
	.core_dump = hook_core_dump,
};

static int __init init_hooking_module(void)
{
	int err;

	printk(KERN_INFO "Abhijit::Registering the hooking module\n");
	/* On kernels that also provide insert_binfmt(), register_binfmt() appends
	 * the handler to the tail of the formats list, so the built-in handlers
	 * are consulted before this one. */
	err = register_binfmt(&hook_format);
	printk(KERN_INFO "Abhijit::The format register returned %d\n", err);
	return err;
}

static void __exit exit_hooking_module(void)
{
	printk(KERN_INFO "Abhijit::unregistering the hooking module\n");
	unregister_binfmt(&hook_format);
}

module_init(init_hooking_module);
module_exit(exit_hooking_module);
MODULE_AUTHOR("Abhijit Pawar <apawar.linux@xxxxxxxxx>");
MODULE_DESCRIPTION("A module to hook the application execution");
MODULE_LICENSE("GPL");
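The two things the thread turns on, a hook that declines with -ENOEXEC and the order in which the formats list is walked, are easier to see outside the kernel. The following userspace C model is an added example for this thread; it is not kernel code and not the poster's module. It assumes the kernel's ordering rule that register_binfmt() appends a handler to the tail of the formats list while insert_binfmt() puts it at the head (true on kernels that provide insert_binfmt()), and feeds both arrangements a constructed 16-byte ELF header.

```c
#include <errno.h>
#include <string.h>
/* Userspace model (added example, not kernel code) of the binfmt list: each
 * handler returns 0 when it loaded the file, or -ENOEXEC to pass it on. */
typedef int (*load_fn)(const unsigned char *hdr, size_t len);
struct binfmt { const char *name; load_fn load; struct binfmt *next; };
static struct binfmt *formats;     /* head of the formats list */
static int hook_calls;             /* how often the hook was reached */
static const char *last_loader;    /* handler that claimed the last exec */
/* Stand-in for the built-in ELF loader: claims files with the ELF magic. */
static int elf_load(const unsigned char *h, size_t n)
{
    static const unsigned char magic[4] = { 0x7f, 'E', 'L', 'F' };
    return (n >= 4 && memcmp(h, magic, 4) == 0) ? 0 : -ENOEXEC;
}
/* The observing hook from the thread: note the exec, then decline with
 * -ENOEXEC so the real loader still handles the file. */
static int hook_load(const unsigned char *h, size_t n)
{
    (void)h; (void)n;
    hook_calls++;
    return -ENOEXEC;
}
/* Assumed kernel rule: register_binfmt() appends, insert_binfmt() prepends. */
static void add_tail(struct binfmt *f)
{
    struct binfmt **p = &formats;
    while (*p) p = &(*p)->next;
    f->next = NULL; *p = f;
}
static void add_head(struct binfmt *f) { f->next = formats; formats = f; }
/* Model of search_binary_handler(): the first handler that does not answer
 * -ENOEXEC decides; returns its name, or NULL if nobody claimed the file. */
static const char *search_binary_handler(const unsigned char *h, size_t n)
{
    for (struct binfmt *f = formats; f; f = f->next)
        if (f->load(h, n) != -ENOEXEC) return f->name;
    return NULL;
}
/* ELF is registered first (the kernel already has it); the hook goes to the
 * tail (register_binfmt) or head (insert_binfmt). Returns the hook count. */
static int exec_with_hook(int hook_at_head)
{
    static struct binfmt elf = { "elf", elf_load, NULL }, hook = { "exec-hook", hook_load, NULL };
    static const unsigned char elf_hdr[16] = { 0x7f, 'E', 'L', 'F', 2, 1, 1 }; /* constructed */
    formats = NULL; hook_calls = 0;
    add_tail(&elf);
    if (hook_at_head) add_head(&hook); else add_tail(&hook);
    last_loader = search_binary_handler(elf_hdr, sizeof elf_hdr);
    return hook_calls;
}
```

With the hook at the tail the ELF handler answers 0 first and the hook is never reached, which matches the symptom in the thread; at the head the hook runs once, returns -ENOEXEC, and the ELF handler still loads the file.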