Hooking sys_execve() on Linux 3.x

I am trying to hook the sys_execve() function in the Linux 3.x kernel by modifying the system call table. The problem is that sys_execve() should only return an error code if execution fails. With the wrapper function I use (see below), when sys_execve() is called on a valid executable it runs fine and everything works. However, when it is called with a nonexistent file or anything else that causes an error condition, the calling program crashes with:

 segfault at 3b ip 000000000000003b... 

Using strace to check the return value of the hooked sys_execve() shows -1 or ENOSYS instead of the correct error code, which puzzles me since I checked the assembly of my wrapper function as well as the Linux source code for sys_execve(). Any suggestions on why my wrapper doesn't pass the error code through?

    /* Wrapper installed in the execve entry of sys_call_table;
       orig_func holds the original table entry. */
    asmlinkage long new_execve(const char *name,
                               const char *const *argv,
                               const char *const *envp,
                               struct pt_regs *regs)
    {
        return orig_func(name, argv, envp, regs);
    }
+4
2 answers

You cannot hook execve by changing the system call table in that manner, since stub_execve is called instead of sys_execve on x86_64. So the call chain is sys_call_table[NR_execve] -> stub_execve -> sys_execve -> do_execve ... Have a look at stub_execve on LXR.

+3
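A user-space regression check for the behaviour discussed above, added here as an example and not code from the question, the answers or the execmon project. It exercises the success path and the failure path of execve() and reports what the parent process observes, so it can be run before and after loading a hook to confirm that the failing path still yields the real errno (ENOENT, or EACCES for a non-regular file) rather than ENOSYS or a crashed child. It goes slightly beyond the question by also covering the EACCES case; it assumes a Linux host with /bin/sh.

```c
/* Added example (not from the question or its answers). */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Fork, execve() in the child, and report what the parent observes:
 *   >= 0  exit status of the exec'd program (exec succeeded), or the errno
 *         a failed execve() left in the child, passed back via _exit()
 *   <  0  minus the signal number if the child died of a signal, which is
 *         what the "segfault at 3b" crash in the question would look like;
 *         -256 if fork()/waitpid() themselves failed */
static int try_exec(const char *path, char *const argv[]) {
    char *const envp[] = { NULL };
    pid_t pid = fork();
    if (pid < 0) return -256;
    if (pid == 0) {
        execve(path, argv, envp);
        _exit(errno);               /* only reached when execve() failed */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -256;
    if (WIFSIGNALED(status)) return -WTERMSIG(status);
    return WEXITSTATUS(status);
}

/* Runs the three cases and returns the number of unexpected results. */
static int check_exec_paths(void) {
    int failures = 0;
    char *const ok_argv[]  = { "sh", "-c", "exit 42", NULL };  /* constructed */
    char *const bad_argv[] = { "no-such-binary", NULL };
    char *const dir_argv[] = { "/", NULL };
    struct { const char *what; int got, want; } cases[] = {
        { "valid executable",      try_exec("/bin/sh", ok_argv),              42 },
        { "nonexistent file",      try_exec("/nonexistent/binary", bad_argv), ENOENT },
        { "directory, not a file", try_exec("/", dir_argv),                   EACCES },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        if (cases[i].got != cases[i].want) {
            failures++;
            printf("FAIL %s: got %d (%s), want %d\n", cases[i].what, cases[i].got,
                   cases[i].got > 0 ? strerror(cases[i].got) : "signal/other",
                   cases[i].want);
        }
    }
    return failures;
}

int main(void) { return check_exec_paths() ? 1 : 0; }
```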

Hooking system calls in the Linux kernel used to be a simpler task, but newer kernels added assembly stubs in front of some system calls. To solve this problem, I patch kernel memory on the fly.

You can see my complete sys_execve hooking solution here: https://github.com/kfiros/execmon

0

Source: https://habr.com/ru/post/1384532/
