On 09/26/2011 12:26 PM, rohan puri wrote:
On Mon, Sep 26, 2011 at 12:02 PM, Abhijit Pawar <apawar.linux@xxxxxxxxx> wrote:
On 09/23/2011 03:11 PM, rohan puri wrote:
On Fri, Sep 23, 2011 at 2:43 PM, Abhijit Pawar <apawar.linux@xxxxxxxxx> wrote:
On 09/23/2011 02:04 PM, rohan puri wrote:
On Fri, Sep 23, 2011 at 2:00 PM, Abhijit Pawar <apawar.linux@xxxxxxxxx> wrote:
On 09/23/2011 01:01 PM, Rajat Sharma wrote:
Untidy way : -
Yes, you can do that by registering a new binary format handler. Whenever exec is called, a list of registered binary format handlers is scanned; in the same way you can hook the load_binary & load_library function pointers of the already registered binary format handlers.
Challenge with this untidy way is to identify the correct format. For example, if you are interested in only hooking the ELF format, there is no special signature within the registered format handler to identify that; however, if one format handler recognizes the file header, its load_binary will return 0. This can give you the hint that you are sitting on top of the correct file format. A long time back I had written a similar module in Linux to do the same, but can't share the code :)
-Rajat
On Thu, Sep 22, 2011 at 3:14 PM, rohan puri <rohan.puri15@xxxxxxxxx> wrote:
On Thu, Sep 22, 2011 at 1:53 PM, Abhijit Pawar <apawar.linux@xxxxxxxxx> wrote:
hi list,
Is there any way to hook the exec system call on a Linux box apart from replacing the call in the System Call table?
Regards,
Abhijit Pawar
_______________________________________________
Kernelnewbies mailing list
Kernelnewbies@xxxxxxxxxxxxxxxxx
http://lists.kernelnewbies.org/mailman/listinfo/kernelnewbies
Tidy way : -
You can do that from LSM (Linux security module).
Untidy way : -
Yes, you can do that by registering a new binary format handler. Whenever exec is called, a list of registered binary format handlers is scanned; in the same way you can hook the load_binary & load_library function pointers of the already registered binary format handlers.
Regards,
Rohan Puri
So if I use the binary format handler, then I can hook the exec call. However, I need to register this. Does that mean that I need to return a negative value so as to have the actual ELF handler loaded?
Regards,
Abhijit Pawar
Read this, http://www.linux.it/~rubini/docs/binfmt/binfmt.html; this might help.
Regards,
Rohan Puri
Thanks Rohan. I tried creating a hooking module on similar lines. I am able to load the module, but whenever I am launching any application, its load_binary is not being called.
Here is the source for the module, attached.
Regards,
Abhijit Pawar
Hi Abhijit,
I have made the change; try to compile and execute this code, it works.
Also, I am just curious to know where you need to do this hooking.
Regards,
Rohan Puri
Hi Rohan,
I have been looking at the Windows world's ability to support DLL injection and API hooking. I was just wondering if this could be something to be done in Linux as well. I am not sure if there is any special use of this module apart from learning the binary handler. Maybe it could be used as a security module for your own binary handler.
Regards,
Abhijit Pawar
Hi Abhijit,
I am not familiar with Windows. A special use-case of this hacking is for security companies' whitelisting software solutions, where they want to control execution of only authorized binaries on the system and deny the execution of others.
Although this approach is untidy, since there are LSM hooks available in the Linux kernel which need to be made use of for doing this.
Regards,
Rohan Puri
Hi Rohan,
Yes, this is a backdoor approach and I agree with you. I am learning more about LSM and their APIs so as to get insight into what goes on internally. Maybe you can refer me to some details as well.
Thanks for all of your help on this.
Regards,
Abhijit Pawar
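The thread above turns on two points: how the kernel walks the list of registered binary format handlers on exec, and what a hooking handler placed in front of the real ELF handler must return so that the ELF handler still runs (Abhijit's question about the negative return value). The following is an added example, not Abhijit's attached module and not kernel code: a user-space C model of that scan. The pass-through rule (return -ENOEXEC to let the next handler try; any other negative value stops the scan and fails the exec), the "return 0 means loaded" convention and head-versus-tail registration follow the kernel's binfmt API as described in the thread; the struct layouts, function names, the constructed allowlist and the sample images are assumptions made for the illustration. It also carries the whitelisting use case Rohan mentions one step further, by denying unlisted ELF images with -EPERM.

```c
/*
 * Added example: user-space model of the kernel's binfmt handler scan.
 * Struct and function names are stand-ins for the kernel's
 * struct linux_binfmt / search_binary_handler(), not the real API.
 */
#include <errno.h>
#include <stdio.h>
#include <string.h>

#define ELF_MAGIC "\177ELF"   /* first four bytes of every ELF image */

/* Stand-in for struct linux_binprm: just the fields the demo needs. */
struct binprm {
    const char *filename;
    unsigned char buf[4];     /* first bytes of the file being exec'd */
};

/* Stand-in for struct linux_binfmt. */
struct binfmt {
    const char *name;
    int (*load_binary)(struct binprm *);
    struct binfmt *next;
};

static struct binfmt *formats;   /* head of the handler list */

/* Model of __register_binfmt(fmt, insert): insert=1 puts the handler at
 * the head, so it is consulted before every previously registered one. */
static void register_binfmt(struct binfmt *fmt, int insert)
{
    if (insert || !formats) {
        fmt->next = formats;
        formats = fmt;
        return;
    }
    struct binfmt *tail = formats;
    while (tail->next)
        tail = tail->next;
    fmt->next = NULL;
    tail->next = fmt;
}

/* The genuine ELF handler: claims an ELF image (0), declines anything
 * else with -ENOEXEC so the scan moves on to the next handler. */
static int elf_load_binary(struct binprm *bprm)
{
    return memcmp(bprm->buf, ELF_MAGIC, 4) == 0 ? 0 : -ENOEXEC;
}

/* Constructed allowlist for the whitelisting use case from the thread. */
static const char *const allowlist[] = { "/bin/sh", "/usr/bin/id", NULL };

static int is_allowlisted(const char *path)
{
    for (int i = 0; allowlist[i]; i++)
        if (strcmp(path, allowlist[i]) == 0)
            return 1;
    return 0;
}

/* The hooking handler. It never loads anything itself: -ENOEXEC passes the
 * image on to the real ELF handler, any other negative value aborts the
 * exec. Returning 0 here would be wrong: the kernel would believe the
 * image had been loaded by us. */
static int hook_load_binary(struct binprm *bprm)
{
    if (memcmp(bprm->buf, ELF_MAGIC, 4) != 0)
        return -ENOEXEC;              /* not ELF: not our concern */
    if (!is_allowlisted(bprm->filename))
        return -EPERM;                /* deny: stops the scan, exec fails */
    return -ENOEXEC;                  /* allowed: let the ELF handler load it */
}

/* Model of search_binary_handler(): the first handler that does not
 * answer -ENOEXEC decides the outcome. */
static int search_binary_handler(struct binprm *bprm)
{
    for (struct binfmt *fmt = formats; fmt; fmt = fmt->next) {
        int ret = fmt->load_binary(bprm);
        if (ret != -ENOEXEC)
            return ret;
    }
    return -ENOEXEC;                  /* nobody recognised the file */
}

static struct binfmt elf_format  = { "elf",  elf_load_binary,  NULL };
static struct binfmt hook_format = { "hook", hook_load_binary, NULL };

/* Returns what exec would get for `path` whose file starts with `magic`:
 * the ELF handler is registered first (as at boot), the hook at the head. */
int try_exec(const char *path, const char *magic)
{
    struct binprm bprm = { path, {0} };
    memcpy(bprm.buf, magic, 4);
    formats = NULL;
    register_binfmt(&elf_format, 0);
    register_binfmt(&hook_format, 1);
    return search_binary_handler(&bprm);
}

int main(void)
{
    printf("/bin/sh   (ELF, listed)   -> %d\n", try_exec("/bin/sh", ELF_MAGIC));
    printf("/tmp/tool (ELF, unlisted) -> %d\n", try_exec("/tmp/tool", ELF_MAGIC));
    printf("/tmp/x.sh (not ELF)       -> %d\n", try_exec("/tmp/x.sh", "#!/b"));
    return 0;
}
```

The point to take from the model is the one Abhijit was missing: a hook at the head of the list must return -ENOEXEC on the images it wants to leave alone, otherwise the real handler is never reached. In the kernel, the same pass-through also explains why a hook that returns 0 for an ELF file (to signal "I recognised it") breaks every exec, since the kernel then treats the process image as loaded. For the whitelisting policy itself, an LSM hook (bprm_check_security) is the supported place to put it, as the thread's "tidy way" says.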