On 09/26/2011 12:57 PM, rohan puri wrote:
On Mon, Sep 26, 2011 at 12:29 PM, Abhijit Pawar <apawar.linux@xxxxxxxxx> wrote:
On 09/26/2011 12:26 PM, rohan puri wrote:
On Mon, Sep 26, 2011 at 12:02 PM, Abhijit Pawar <apawar.linux@xxxxxxxxx> wrote:
On 09/23/2011 03:11 PM, rohan puri wrote:
On Fri, Sep 23, 2011 at 2:43 PM, Abhijit Pawar <apawar.linux@xxxxxxxxx> wrote:
On 09/23/2011 02:04 PM, rohan puri wrote:
On Fri, Sep 23, 2011 at 2:00 PM, Abhijit Pawar <apawar.linux@xxxxxxxxx> wrote:
On 09/23/2011 01:01 PM, Rajat Sharma wrote:
Untidy way : -
Yes, you can do that by registering a new binary format handler. Whenever exec is called, a list of registered binary format handlers is scanned, in the same way you can hook the load_binary & load_library function pointers of the already registered binary format handlers.

The challenge with this untidy way is to identify the correct format. For example, if you are interested in only hooking the ELF format, there is no special signature within the registered format handler to identify that; however, if one format handler recognizes the file header, its load_binary will return 0. This can give you the hint that you are sitting on top of the correct file format.

A long time back I had written a similar module in Linux to do the same, but can't share the code :)

-Rajat
On Thu, Sep 22, 2011 at 3:14 PM, rohan puri <rohan.puri15@xxxxxxxxx> wrote:
On Thu, Sep 22, 2011 at 1:53 PM, Abhijit Pawar <apawar.linux@xxxxxxxxx> wrote:
hi list,
Is there any way to hook the exec system call on a Linux box apart from replacing the call in the System Call table?
Regards,
Abhijit Pawar
_______________________________________________
Kernelnewbies mailing list
Kernelnewbies@xxxxxxxxxxxxxxxxx
http://lists.kernelnewbies.org/mailman/listinfo/kernelnewbies
Tidy way : -
You can do that from LSM (Linux security module).

Untidy way : -
Yes, you can do that by registering a new binary format handler. Whenever exec is called, a list of registered binary format handlers is scanned, in the same way you can hook the load_binary & load_library function pointers of the already registered binary format handlers.

Regards,
Rohan Puri
So if I use the binary format handler, then I can hook the exec call. However, I need to register this. Does that mean that I need to return a negative value so as to have the actual ELF handler be loaded?
Regards,
Abhijit Pawar
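Rajat's description of how exec walks the registered handlers, and Abhijit's question above about what value to return, can be worked through with the following userspace model of the handler chain. This is an added illustration, not kernel code and not the module discussed in the thread: the handler names, the allowed-path list and the sample file headers are constructed for the example. It keeps the kernel's convention that a handler answers -ENOEXEC to pass the image on to the next handler, 0 when it has recognised and loaded it, and any other error to abort the exec; the allow-list handler stands in for the whitelisting use case Rohan mentions later in the thread.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Userspace model of the kernel's binary-format handler chain (added
 * illustration; not kernel code and not the thread's module). A handler
 * returns -ENOEXEC when the image is not its format so the walk continues,
 * 0 when it recognised and loaded it, and any other error to abort. */

#define MAX_HANDLERS 8

struct binprm {
    const char *filename;
    const unsigned char *buf;   /* leading bytes of the file, like bprm->buf */
    size_t len;
};

struct binfmt {
    const char *name;
    int (*load_binary)(const struct binprm *);
};

static struct binfmt formats[MAX_HANDLERS];
static int nformats;

/* This model inserts at the head so a new hook is consulted before the stock
 * handlers; which end of the list the real kernel uses depends on the
 * registration function that is called. */
int register_binfmt(const struct binfmt *fmt)
{
    if (nformats == MAX_HANDLERS)
        return -ENOMEM;
    memmove(&formats[1], &formats[0], (size_t)nformats * sizeof formats[0]);
    formats[0] = *fmt;
    nformats++;
    return 0;
}

/* ELF handler: recognises the image by its magic, as the kernel's does. */
static int load_elf_binary(const struct binprm *bprm)
{
    if (bprm->len < 4 || memcmp(bprm->buf, "\x7f" "ELF", 4) != 0)
        return -ENOEXEC;            /* not ours: let the next handler try */
    return 0;
}

/* Script handler: recognises "#!" (the real one re-execs the interpreter). */
static int load_script(const struct binprm *bprm)
{
    if (bprm->len < 2 || bprm->buf[0] != '#' || bprm->buf[1] != '!')
        return -ENOEXEC;
    return 0;
}

/* Allow-list hook (constructed list): it loads nothing itself. For an
 * approved path it returns -ENOEXEC so the genuine handler is reached; for
 * anything else -EPERM, which is not -ENOEXEC and therefore ends the walk. */
static const char *const allowed[] = { "/bin/sh", "/usr/bin/ls" };

static int load_allowlist(const struct binprm *bprm)
{
    for (size_t i = 0; i < sizeof allowed / sizeof allowed[0]; i++)
        if (strcmp(bprm->filename, allowed[i]) == 0)
            return -ENOEXEC;
    return -EPERM;
}

/* Model of search_binary_handler(): the first handler whose answer is not
 * -ENOEXEC decides; decided_by receives its name (NULL if none matched). */
int search_binary_handler(const struct binprm *bprm, const char **decided_by)
{
    for (int i = 0; i < nformats; i++) {
        int rc = formats[i].load_binary(bprm);
        if (rc != -ENOEXEC) {
            if (decided_by) *decided_by = formats[i].name;
            return rc;
        }
    }
    if (decided_by) *decided_by = NULL;
    return -ENOEXEC;
}

/* Stock handlers first, the hook last, so the hook ends up at the head. */
void setup_handlers(void)
{
    nformats = 0;
    register_binfmt(&(struct binfmt){ "elf", load_elf_binary });
    register_binfmt(&(struct binfmt){ "script", load_script });
    register_binfmt(&(struct binfmt){ "allowlist", load_allowlist });
}

/* Constructed sample headers standing in for the first bytes of a file. */
const unsigned char sample_elf[]    = "\x7f" "ELF\x02\x01\x01";
const unsigned char sample_script[] = "#!/bin/sh\n";
const unsigned char sample_junk[]   = "MZ\x90";

/* What an exec of `path` with these leading bytes would return. */
int exec_result(const char *path, const unsigned char *buf, size_t len)
{
    struct binprm bprm = { path, buf, len };
    setup_handlers();
    return search_binary_handler(&bprm, NULL);
}

/* Which handler made the decision for that exec (NULL if none matched). */
const char *exec_decider(const char *path, const unsigned char *buf, size_t len)
{
    const char *who;
    struct binprm bprm = { path, buf, len };
    setup_handlers();
    search_binary_handler(&bprm, &who);
    return who;
}

int main(void)
{
    printf("/usr/bin/ls (ELF)   -> %d via %s\n",
           exec_result("/usr/bin/ls", sample_elf, sizeof sample_elf),
           exec_decider("/usr/bin/ls", sample_elf, sizeof sample_elf));
    printf("/home/user/unlisted -> %d\n",
           exec_result("/home/user/unlisted", sample_elf, sizeof sample_elf));
    return 0;
}
```

The allow-list handler answers the question directly: for an approved path it deliberately returns -ENOEXEC so the genuine ELF or script handler still runs, while any other error code stops the exec before a real handler sees the image. A hook placed this way is only as reliable as its position in the list, which is why the LSM layer Rohan points at is the cleaner mechanism: its bprm_check_security hook is invoked by the kernel during exec independently of which binary format eventually loads the file.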
Read this: http://www.linux.it/~rubini/docs/binfmt/binfmt.html. This might help.
Regards,
Rohan Puri
Thanks Rohan. I tried creating a hooking module along similar lines. I am able to load the module, but whenever I launch any application, its load_binary is not being called. Here is the source for the module, attached.
Regards,
Abhijit Pawar
Hi Abhijit,
I have made the change; try to compile and execute this code, it works.
Also, I am just curious to know where you need to do this hooking.
Regards,
Rohan Puri
Hi Rohan,
I have been looking at the Windows world's ability to support DLL injection and API hooking. I was just wondering if this could be something to be done in Linux as well. I am not sure if there is any special use of this module apart from learning the binary handler. Maybe it could be used as a security module for your own binary handler.
Regards,
Abhijit Pawar
Hi Abhijit,
I am not familiar with Windows. The special use-case of this hacking is for security companies' whitelisting software solutions, where they want to control execution of only authorized binaries on the system and deny the execution of others.
This approach is untidy, though, since there are LSM hooks available in the Linux kernel which need to be made use of for doing this.
Regards,
Rohan Puri
Hi Rohan,
Yes, this is a backdoor approach and I agree with you. I am learning more about LSM and its APIs so as to get insight into what goes on internally. Maybe you can refer me to some details as well.
Thanks for all of your help on this.
Regards,
Abhijit Pawar
Hi Abhijit,
There is one whitepaper on LSM available on the internet by Greg Kroah-Hartman and others; it's good to start with.
Also, I am keen to know: are all these things you are studying part of any project, or just for knowledge?
Regards,
Rohan Puri
Thanks Rohan. I will take a look at this paper. I am learning LSM and hooking for Windows and its counterpart in Linux. This is purely for gaining knowledge, but it would be good if I can do something with this, maybe in the future. :)
Regards,
Abhijit Pawar