On Mon, Sep 26, 2011 at 12:29 PM, Abhijit Pawar <apawar.li...@gmail.com> wrote:

> On 09/26/2011 12:26 PM, rohan puri wrote:
>> On Mon, Sep 26, 2011 at 12:02 PM, Abhijit Pawar <apawar.li...@gmail.com> wrote:
>>> On 09/23/2011 03:11 PM, rohan puri wrote:
>>>> On Fri, Sep 23, 2011 at 2:43 PM, Abhijit Pawar <apawar.li...@gmail.com> wrote:
>>>>> On 09/23/2011 02:04 PM, rohan puri wrote:
>>>>>> On Fri, Sep 23, 2011 at 2:00 PM, Abhijit Pawar <apawar.li...@gmail.com> wrote:
>>>>>>> On 09/23/2011 01:01 PM, Rajat Sharma wrote:
>>>>>>>>> Untidy way : -
>>>>>>>>> Yes, you can do that by registering a new binary format handler.
>>>>>>>>> Whenever exec is called, a list of registered binary format handlers is
>>>>>>>>> scanned, in the same way you can hook the load_binary & load_library
>>>>>>>>> function pointers of the already registered binary format handlers.
>>>>>>>>
>>>>>>>> Challenge with this untidy way is to identify the correct format, for
>>>>>>>> example if you are interested in only hooking ELF format, there is no
>>>>>>>> special signature within the registered format handler to identify
>>>>>>>> that, however if one format handler recognizes the file header, its
>>>>>>>> load_binary will return 0. This can give you the hint that you are
>>>>>>>> sitting on top of the correct file format. Long time back I had written
>>>>>>>> a similar module in Linux to do the same, but can't share the code :)
>>>>>>>>
>>>>>>>> -Rajat
>>>>>>>>
>>>>>>>> On Thu, Sep 22, 2011 at 3:14 PM, rohan puri <rohan.pur...@gmail.com> wrote:
>>>>>>>>> On Thu, Sep 22, 2011 at 1:53 PM, Abhijit Pawar <apawar.li...@gmail.com> wrote:
>>>>>>>>>> hi list,
>>>>>>>>>> Is there any way to hook the exec system call on a Linux box apart from
>>>>>>>>>> replacing the call in the System Call table?
>>>>>>>>>>
>>>>>>>>>> Regards,
>>>>>>>>>> Abhijit Pawar
>>>>>>>>>>
>>>>>>>>>> _______________________________________________
>>>>>>>>>> Kernelnewbies mailing list
>>>>>>>>>> Kernelnewbies@kernelnewbies.org
>>>>>>>>>> http://lists.kernelnewbies.org/mailman/listinfo/kernelnewbies
>>>>>>>>>
>>>>>>>>> Tidy way : -
>>>>>>>>> You can do that from LSM (Linux security module).
>>>>>>>>>
>>>>>>>>> Untidy way : -
>>>>>>>>> Yes, you can do that by registering a new binary format handler.
>>>>>>>>> Whenever exec is called, a list of registered binary format handlers is
>>>>>>>>> scanned, in the same way you can hook the load_binary & load_library
>>>>>>>>> function pointers of the already registered binary format handlers.
>>>>>>>>>
>>>>>>>>> Regards,
>>>>>>>>> Rohan Puri
>>>>>>>
>>>>>>> So if I use the binary format handler, then I can hook the exec call.
>>>>>>> However I need to register this. Does that mean that I need to return
>>>>>>> the negative value so as to have the actual ELF handler loaded?
>>>>>>>
>>>>>>> Regards,
>>>>>>> Abhijit Pawar
>>>>>>
>>>>>> Read this, http://www.linux.it/~rubini/docs/binfmt/binfmt.html, this might help.
>>>>>>
>>>>>> Regards,
>>>>>> Rohan Puri
>>>>>
>>>>> Thanks Rohan. I tried creating a hooking module on similar lines. I am
>>>>> able to load the module, but whenever I am launching any application, its
>>>>> load_binary is not being called. Here is the source for the module, attached.
>>>>>
>>>>> Regards,
>>>>> Abhijit Pawar
>>>>
>>>> Hi Abhijit,
>>>>
>>>> I have made the change; try to compile and execute this code, it works.
>>>>
>>>> Also, I am just curious to know where you need to do this hooking.
>>>>
>>>> Regards,
>>>> Rohan Puri
>>>
>>> Hi Rohan,
>>> I have been looking at the Windows world's ability to support DLL injection and
>>> API hooking. I was just wondering if this could be something to be done in
>>> Linux as well. I am not sure if there is any special use of this module
>>> apart from learning the binary handler. Maybe it could be used as a
>>> security module for your own binary handler.
>>>
>>> Regards,
>>> Abhijit Pawar
>>
>> Hi Abhijit,
>>
>> I am not familiar with Windows. A special use-case of this hacking is for
>> security companies' whitelisting software solutions, where they want to
>> control execution of only authorized binaries on the system and deny the
>> execution of others.
>>
>> Although this approach is untidy, since there are LSM hooks available in the
>> Linux kernel which need to be made use of for doing this.
>>
>> Regards,
>> Rohan Puri
>
> Hi Rohan,
> Yes, this is a backdoor approach and I agree with you. I am learning more
> on LSM and their APIs so as to get insight into what goes on internally. Maybe
> you can refer me to some details as well.
>
> Thanks for all of your help on this.
>
> Regards,
> Abhijit Pawar

Hi Abhijit,

There is one whitepaper on LSM available on the internet by Greg Kroah-Hartman and others; it's good to start with. Also, I am keen to know: are all these things you are studying part of any project, or just for knowledge?

Regards,
Rohan Puri
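Added illustration, not code from the thread or from the kernel: a constructed userland model of the binfmt list that shows the two points the thread turns on. A handler added behind the ELF loader never sees an ELF exec (in kernels of that era register_binfmt() appended to the list and insert_binfmt() prepended), and returning -ENOEXEC is what hands an image on to the real loader, while any other error ends the exec, which is how an allow-list handler denies. The struct layouts, function names and the `/bin/ls` allow-list are assumptions of the model.

```c
#include <errno.h>
#include <stddef.h>
#include <string.h>

/* Constructed userland model of the kernel's binfmt list; not kernel code. */
struct bprm { const char *filename; const unsigned char *buf; size_t len; };
struct binfmt { int (*load_binary)(struct bprm *); struct binfmt *next; };
static struct binfmt *formats;   /* registered handlers, scanned in list order */
static int hook_calls;           /* how many times the hook handler ran */
static const unsigned char ELF_MAGIC[4] = { 0x7f, 'E', 'L', 'F' };

/* register_binfmt() appends to the list, insert_binfmt() prepends. */
static void register_binfmt_model(struct binfmt *fmt, int insert)
{
    struct binfmt **pp = &formats;
    if (insert) { fmt->next = formats; formats = fmt; return; }
    while (*pp) pp = &(*pp)->next;
    fmt->next = NULL; *pp = fmt;
}

static int is_elf(const struct bprm *b) { return b->len >= 4 && !memcmp(b->buf, ELF_MAGIC, 4); }
/* Stand-in for the real ELF loader: claims ELF images (0), refuses others. */
static int elf_load_binary(struct bprm *b) { return is_elf(b) ? 0 : -ENOEXEC; }

/* Allow-list hook. -ENOEXEC means "not mine, keep scanning", which is how it
 * hands an approved ELF on to the real loader; any other error aborts the exec. */
static int hook_load_binary(struct bprm *b)
{
    hook_calls++;
    if (!is_elf(b)) return -ENOEXEC;                          /* only ELF is policed */
    if (strcmp(b->filename, "/bin/ls") == 0) return -ENOEXEC; /* approved: pass through */
    return -EPERM;                                            /* not approved: deny */
}

/* Model of search_binary_handler(): the first handler not returning -ENOEXEC wins. */
static int search_binary_handler_model(struct bprm *b)
{
    for (struct binfmt *f = formats; f; f = f->next) {
        int ret = f->load_binary(b);
        if (ret != -ENOEXEC) return ret;   /* success, or a hard error such as -EPERM */
    }
    return -ENOEXEC;
}

/* Exec a constructed ELF header as `path`, with the hook appended (0) or prepended (1). */
static int run_exec(const char *path, int insert)
{
    static struct binfmt elf = { elf_load_binary, NULL }, hook = { hook_load_binary, NULL };
    struct bprm b = { path, ELF_MAGIC, sizeof ELF_MAGIC };
    formats = NULL; hook_calls = 0;
    register_binfmt_model(&elf, 0);      /* the real loader was registered at boot */
    register_binfmt_model(&hook, insert);
    return search_binary_handler_model(&b);
}
```

With the hook appended, `hook_calls` stays 0 for every ELF exec, which is the "load_binary is not being called" symptom from the thread; prepended, it runs first and its -EPERM stops the exec before the loader is reached.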