On 09/26/2011 12:57 PM, rohan puri wrote:


On Mon, Sep 26, 2011 at 12:29 PM, Abhijit Pawar <apawar.li...@gmail.com> wrote:

    On 09/26/2011 12:26 PM, rohan puri wrote:


    On Mon, Sep 26, 2011 at 12:02 PM, Abhijit Pawar
    <apawar.li...@gmail.com> wrote:

        On 09/23/2011 03:11 PM, rohan puri wrote:


        On Fri, Sep 23, 2011 at 2:43 PM, Abhijit Pawar
        <apawar.li...@gmail.com> wrote:

            On 09/23/2011 02:04 PM, rohan puri wrote:


            On Fri, Sep 23, 2011 at 2:00 PM, Abhijit Pawar
            <apawar.li...@gmail.com> wrote:

                On 09/23/2011 01:01 PM, Rajat Sharma wrote:

                        Untidy way : -
                        Yes, you can do that by registering a new
                        binary format handler. Whenever
                        exec is called, a list of registered binary
                        format handlers is scanned; in
                        the same way you can hook the load_binary &
                        load_library function pointers
                        of the already registered binary format
                        handlers.

                    The challenge with this untidy way is to identify
                    the correct format. For
                    example, if you are interested in only hooking the
                    ELF format, there is no
                    special signature within the registered format
                    handler to identify
                    that; however, if one format handler recognizes
                    the file header, its
                    load_binary will return 0. This can give you
                    the hint that you are
                    sitting on top of the correct file format. A long
                    time back I had written
                    a similar module in Linux to do the same, but
                    can't share the code
                    :)

                    -Rajat

                    On Thu, Sep 22, 2011 at 3:14 PM, rohan
                    puri <rohan.pur...@gmail.com> wrote:


                        On Thu, Sep 22, 2011 at 1:53 PM, Abhijit
                        Pawar <apawar.li...@gmail.com>
                        wrote:

                            Hi list,
                            Is there any way to hook the exec
                            system call on a Linux box apart from
                            replacing the call in the system call table?

                            Regards,
                            Abhijit Pawar

                            _______________________________________________
                            Kernelnewbies mailing list
                            Kernelnewbies@kernelnewbies.org
                            http://lists.kernelnewbies.org/mailman/listinfo/kernelnewbies

                        Tidy way : -

                        You can do that from LSM (Linux security
                        module).

                        Untidy way : -
                        Yes, you can do that by registering a new
                        binary format handler. Whenever
                        exec is called, a list of registered binary
                        format handlers is scanned; in
                        the same way you can hook the load_binary &
                        load_library function pointers
                        of the already registered binary format
                        handlers.

                        Regards,
                        Rohan Puri



                So if I use the binary format handler, then I can
                hook the exec call. However, I need to register
                this. Does that mean that I need to return a
                negative value so as to have the actual ELF handler
                be loaded?

                Regards,
                Abhijit Pawar

            Read this:
            http://www.linux.it/~rubini/docs/binfmt/binfmt.html
            This might help.

            Regards,
            Rohan Puri

            Thanks Rohan. I tried creating a hooking module along
            similar lines. I am able to load the module, but whenever
            I am launching any application, its load_binary is not
            being called.
            Here is the source for the module, attached.

            Regards,
            Abhijit Pawar



        Hi Abhijit,

        I have made the change; try to compile and execute this
        code, it works.

        Also, I am just curious to know where you
        need to do this hooking.

        Regards,
        Rohan Puri

        Hi Rohan,
        I have been looking at the Windows world's ability to support DLL
        injection and API hooking. I was just wondering if this could
        be something to be done in Linux as well. I am not sure if
        there is any special use of this module apart from learning
        the binary handler. Maybe it could be used as a security
        module for your own binary handler.

        Regards,
        Abhijit Pawar


    Hi Abhijit,

    I am not familiar with Windows. A special use-case of this hacking
    is security companies' whitelisting software solutions, where
    they want to control execution so that only authorized binaries run on the
    system and deny the execution of others.

    Although this approach is untidy, since there are LSM
    hooks available in the Linux kernel which should be made use of for doing this.

    Regards,
    Rohan Puri

    Hi Rohan,
    Yes, this is a backdoor approach and I agree with you. I am
    learning more on LSM and their APIs so as to get insight into what
    goes on internally. Maybe you can refer me to some details as well.

    Thanks for all of your help on this.

    Regards,
    Abhijit Pawar


Hi Abhijit,

There is one whitepaper on LSM available on the internet by Greg Kroah-Hartman and others; it's good to start with.

Also, I am keen to know whether all these things you are studying are part of any project or just for knowledge.

Regards,
Rohan Puri

Thanks Rohan. I will take a look at this paper. I am learning LSM and hooking for Windows and its counterpart in Linux. This is purely for gaining knowledge, but it would be good if I can do something with this, maybe in the future. :)

Regards,
Abhijit Pawar