On Fri, Sep 23, 2011 at 2:43 PM, Abhijit Pawar <[email protected]>wrote:
> On 09/23/2011 02:04 PM, rohan puri wrote:
>
>
>
> On Fri, Sep 23, 2011 at 2:00 PM, Abhijit Pawar <[email protected]>wrote:
>
>> On 09/23/2011 01:01 PM, Rajat Sharma wrote:
>>
>>> Untidy way : -
>>>> Yes, you can do that by registering a new binary format handler.
>>>> Whenever
>>>> exec is called, a list of registered binary format handlers is scanned,
>>>> in
>>>> the same way you can hook the load_binary & load_library function
>>>> pointers
>>>> of the already registered binary format handlers.
>>>>
>>> The challenge with this untidy way is to identify the correct format, for
>>> example if you are interested in only hooking ELF format, there is no
>>> special signature within the registered format handler to identify
>>> that, however if one format handler recognizes the file header, its
>>> load_binary will return 0. This can give you the hint that you are
>>> sitting on top of the correct file format. A long time back I had written
>>> a similar module in Linux to do the same, but can't share the code
>>> :)
>>>
>>> -Rajat
>>>
>>> On Thu, Sep 22, 2011 at 3:14 PM, rohan puri<[email protected]>
>>> wrote:
>>>
>>>>
>>>> On Thu, Sep 22, 2011 at 1:53 PM, Abhijit Pawar<[email protected]>
>>>> wrote:
>>>>
>>>>> hi list,
>>>>> Is there any way to hook the exec system call on a Linux box apart from
>>>>> replacing the call in the system call table?
>>>>>
>>>>> Regards,
>>>>> Abhijit Pawar
>>>>>
>>>>> _______________________________________________
>>>>> Kernelnewbies mailing list
>>>>> [email protected]
>>>>> http://lists.kernelnewbies.org/mailman/listinfo/kernelnewbies
>>>>>
>>>> Tidy way : -
>>>>
>>>> You can do that from LSM (Linux security module).
>>>>
>>>> Untidy way : -
>>>> Yes, you can do that by registering a new binary format handler.
>>>> Whenever
>>>> exec is called, a list of registered binary format handlers is scanned,
>>>> in
>>>> the same way you can hook the load_binary & load_library function
>>>> pointers
>>>> of the already registered binary format handlers.
>>>>
>>>> Regards,
>>>> Rohan Puri
>>>>
>>
>> So if I use the binary format handler, then I can hook the exec call.
>> However, I need to register this. Does that mean that I need to return a
>> negative value so as to have the actual ELF handler loaded?
>>
>> Regards,
>> Abhijit Pawar
>>
> Read this: http://www.linux.it/~rubini/docs/binfmt/binfmt.html
> This might help.
>
> Regards,
> Rohan Puri
>
> Thanks Rohan. I tried creating a hooking module along similar lines. I am
> able to load the module, but whenever I launch any application, its
> load_binary is not being called.
> Here is the source for the module, attached.
>
> Regards,
> Abhijit Pawar
>
>
>
Hi Abhijit,
I have made the change; try to compile and execute this code, it works.
Also, I am just curious to know where you need to do this hooking.
Regards,
Rohan Puri
#include <linux/module.h>
#include <linux/kernel.h>
#include <linux/init.h>
#include <linux/sched.h>
#include <linux/binfmts.h>
#include <linux/fs.h>
#include <linux/errno.h>

/*
 * The hook.  It runs for every exec because the format is inserted at the
 * head of the binfmt list (see init below).  Returning -ENOEXEC means "not my
 * format": search_binary_handler() moves on to the real ELF/script handlers
 * and the program loads as usual.  Any other error stops the scan and fails
 * the exec with that error, which is how this hook could refuse a file.
 */
static int load_hook(struct linux_binprm *bprm, struct pt_regs *regs)
{
	printk(KERN_INFO "Abhijit::The file execution hooked\n");
	printk(KERN_INFO "Abhijit::The file being launched is : %s\n",
	       bprm->filename);
	/*
	 * Do not call search_binary_handler(bprm, regs) here: that re-enters
	 * the handler scan (binfmt_script does so for interpreters, bounded
	 * by bprm->recursion_depth).  A pass-through hook simply declines.
	 */
	return -ENOEXEC;
}

/*
 * These two are never reached: load_shlib() is only used by uselib(), and
 * core_dump() only for a process whose mm->binfmt is this format, which
 * cannot happen because load_hook() never claims a file.  The prototypes
 * follow struct linux_binfmt of 2.6.33+/3.x kernels (assumed target).
 */
static int hook_shlib(struct file *file)
{
	printk(KERN_INFO "Abhijit::hooking shared lib\n");
	return -ENOEXEC;
}

static int hook_core_dump(struct coredump_params *cprm)
{
	printk(KERN_INFO "Abhijit::hooking core dump\n");
	return 0;		/* nothing dumped */
}

/* The format that is put in front of the already registered handlers. */
static struct linux_binfmt hook_format = {
	.module		= THIS_MODULE,
	.load_binary	= load_hook,
	.load_shlib	= hook_shlib,
	.core_dump	= hook_core_dump,
};

static int __init init_hooking_module(void)
{
	int err;

	printk(KERN_INFO "Abhijit::Registering the hooking module\n");
	/*
	 * insert_binfmt() adds the format at the head of the list.
	 * register_binfmt() would append it, and then the ELF handler
	 * recognizes the file first and load_hook() is never called.
	 */
	err = insert_binfmt(&hook_format);
	printk(KERN_INFO "Abhijit::The format register returned %d\n", err);
	return err;
}

static void __exit exit_hooking_module(void)
{
	printk(KERN_INFO "Abhijit::unregistering the hooking module\n");
	unregister_binfmt(&hook_format);
}

module_init(init_hooking_module);
module_exit(exit_hooking_module);

MODULE_AUTHOR("Abhijit Pawar <[email protected]>");
MODULE_DESCRIPTION("A module to hook the application execution");
MODULE_LICENSE("GPL");
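The dispatch the thread turns on, as an added userspace model that is not part of the thread and not kernel code: a handler list where register_binfmt() appends and insert_binfmt() prepends, and a search_binary_handler() that stops at the first handler not answering -ENOEXEC. It reproduces the symptom Abhijit reported (hook appended, ELF claims the file first, hook never runs), the fix (hook inserted first, declines, ELF still loads), and what happens when the first handler returns an error other than -ENOEXEC. The model_* names, the ELF stand-in, the sample header bytes and the "/tmp/blocked" veto policy are all constructed for this example; it builds with an ordinary C compiler.

```c
/* Userspace model of the binfmt dispatch discussed above.  Added for
 * illustration only; the model_* functions mirror the shape of fs/exec.c
 * search_binary_handler(), register_binfmt() and insert_binfmt().  Every
 * input (file bytes, filenames, the veto policy) is constructed. */
#include <errno.h>
#include <stdio.h>
#include <string.h>

struct binprm {                      /* the bprm fields the model needs */
    const char *filename;
    const unsigned char *buf;        /* first bytes of the file */
    size_t len;
};

struct binfmt {
    const char *name;
    int (*load_binary)(struct binprm *);
    struct binfmt *next;
};

static struct binfmt *formats;       /* head of the handler list */
int hook_calls;                      /* how often the hook ran (for checks) */

/* register_binfmt(): append, so handlers already present run first. */
static void model_register_binfmt(struct binfmt *f)
{
    struct binfmt **pp = &formats;
    while (*pp)
        pp = &(*pp)->next;
    f->next = NULL;
    *pp = f;
}

/* insert_binfmt(): prepend, so this handler runs before the ELF one. */
static void model_insert_binfmt(struct binfmt *f)
{
    f->next = formats;
    formats = f;
}

/* Stand-in for binfmt_elf: claims the file (0) only on the ELF magic. */
static const unsigned char ELFMAG[4] = { 0x7f, 'E', 'L', 'F' };

static int elf_load(struct binprm *b)
{
    return (b->len >= 4 && memcmp(b->buf, ELFMAG, 4) == 0) ? 0 : -ENOEXEC;
}

/* The thread's hook plus a veto: -ENOEXEC hands the exec to the next
 * handler; any other error ends the scan and the exec fails with it. */
static int hook_load(struct binprm *b)
{
    hook_calls++;
    if (strcmp(b->filename, "/tmp/blocked") == 0)   /* constructed policy */
        return -EPERM;
    return -ENOEXEC;
}

/* search_binary_handler(): the first handler not saying -ENOEXEC wins. */
static int model_search_binary_handler(struct binprm *b)
{
    struct binfmt *f;
    for (f = formats; f; f = f->next) {
        int r = f->load_binary(b);
        if (r != -ENOEXEC)
            return r;
    }
    return -ENOEXEC;
}

static struct binfmt elf_fmt  = { "elf",  elf_load,  NULL };
static struct binfmt hook_fmt = { "hook", hook_load, NULL };

/* Run one exec: start from what a booted kernel has (the ELF handler),
 * add the hook by register_binfmt() (insert_first == 0) or insert_binfmt()
 * (insert_first != 0), then dispatch.  Returns what exec would return. */
int model_exec(int insert_first, const char *filename,
               const unsigned char *buf, size_t len)
{
    struct binprm b = { filename, buf, len };

    formats = NULL;
    hook_calls = 0;
    model_register_binfmt(&elf_fmt);
    if (insert_first)
        model_insert_binfmt(&hook_fmt);
    else
        model_register_binfmt(&hook_fmt);
    return model_search_binary_handler(&b);
}

/* Constructed header: ELF magic, 64-bit, little-endian, version 1. */
static const unsigned char ELF_BYTES[] = { 0x7f, 'E', 'L', 'F', 2, 1, 1, 0 };

int main(void)
{
    int r;
    r = model_exec(0, "/bin/ls", ELF_BYTES, sizeof ELF_BYTES);
    printf("appended: exec=%d hook_calls=%d\n", r, hook_calls); /* 0, 0 */
    r = model_exec(1, "/bin/ls", ELF_BYTES, sizeof ELF_BYTES);
    printf("inserted: exec=%d hook_calls=%d\n", r, hook_calls); /* 0, 1 */
    r = model_exec(1, "/tmp/blocked", ELF_BYTES, sizeof ELF_BYTES);
    printf("vetoed:   exec=%d hook_calls=%d\n", r, hook_calls); /* -EPERM, 1 */
    return 0;
}
```

The caveat the model makes visible: once the hook sits at the head of the list it runs for every exec on the system, and anything it returns other than -ENOEXEC fails that exec, so a mistake in load_binary breaks the machine rather than one program. The real kernel's search_binary_handler() also calls security_bprm_check() before any format handler is tried, which is why the LSM bprm_check_security hook mentioned earlier in the thread is the supported place for this kind of check.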