Date: Thu, 17 Oct 2002 15:48:04 -0700
From: Terry Lambert <tlambert2@mindspring.com>
To: Ramkumar Chinchani <rc27@cse.Buffalo.EDU>
Cc: hackers@freebsd.org
Subject: Re: tracing exec system call
Message-ID: <3DAF3E24.C94F9DCE@mindspring.com>
References: <200210172213.g9HMDO423357@pollux.cse.buffalo.edu>
Ramkumar Chinchani wrote:
> What would be the best way to *capture* the execv system call at its entry point
> from user space? ptrace()?
>
> What would be a good way to inspect the command line args to execv *after* the
> path, etc., has been resolved?

Duplicate the path resolution process, and examine the results, before
making the call.

> This is useful if one wants to monitor a process and all the system calls it
> makes and then disallow a few of them if suspicious.

This is also useful for weenies who want to write "rootkits", or to hide
the fact that there are suspicious calls being made from any monitoring
software loaded before the exploit was loaded, by capturing the suspicious
events and calling the code directly, to avoid the monitoring.

The answer is that you can replace any system call entry point with your
own. If you want another approach, replace the standard execution class
entry points with your own, using a loadable module, since they are
pointers, and call through to the original pointers in order to do the
real work.

-- Terry
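As an added illustration of the user-space half of Terry's answer ("duplicate the path resolution process, and examine the results, before making the call"), here is an exec wrapper that re-implements the PATH search execvp() performs, applies a policy to the resolved path rather than to the name the caller typed, logs the decision, and only then issues execve(). This is example code written for this page, not code from the thread or from FreeBSD; the allow-listed directories and the "not group/world writable" rule are constructed policy choices, and the kernel-module approach (replacing sysent entry points) is not shown.

```c
/* Added example: user-space exec monitor that resolves the path the way
 * execvp() would, inspects the result, and only then calls execve(). */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

extern char **environ;

/* Mimic execvp(): a name containing '/' is used as-is; otherwise walk the
 * colon-separated 'path' and take the first executable regular file.
 * Returns 0 and fills 'out' on success, -1 if nothing matched. */
int resolve_exec_path(const char *file, const char *path, char *out, size_t outlen)
{
    struct stat st;
    if (strchr(file, '/') != NULL) {
        if (stat(file, &st) == 0 && S_ISREG(st.st_mode) && access(file, X_OK) == 0) {
            snprintf(out, outlen, "%s", file);
            return 0;
        }
        return -1;
    }
    if (path == NULL)
        path = "/bin:/usr/bin";           /* constructed default search path */
    const char *p = path;
    for (;;) {
        const char *colon = strchr(p, ':');
        size_t dlen = colon ? (size_t)(colon - p) : strlen(p);
        char cand[4096];
        if (dlen == 0)                    /* empty PATH entry means "." */
            snprintf(cand, sizeof cand, "./%s", file);
        else
            snprintf(cand, sizeof cand, "%.*s/%s", (int)dlen, p, file);
        if (stat(cand, &st) == 0 && S_ISREG(st.st_mode) && access(cand, X_OK) == 0) {
            snprintf(out, outlen, "%s", cand);
            return 0;
        }
        if (colon == NULL)
            break;
        p = colon + 1;
    }
    return -1;
}

/* Constructed policy: the binary, after symlink/".." canonicalisation, must
 * live under an allowed directory and must not be group- or world-writable. */
static const char *const allowed_dirs[] = { "/bin/", "/usr/bin/", NULL };

int exec_allowed(const char *resolved)
{
    char canon[4096];
    struct stat st;
    int under_allowed = 0;
    if (realpath(resolved, canon) == NULL)   /* nonexistent or unresolvable */
        return 0;
    for (int i = 0; allowed_dirs[i] != NULL; i++)
        if (strncmp(canon, allowed_dirs[i], strlen(allowed_dirs[i])) == 0)
            under_allowed = 1;
    if (!under_allowed)
        return 0;
    if (stat(canon, &st) != 0 || !S_ISREG(st.st_mode))
        return 0;
    if (st.st_mode & (S_IWGRP | S_IWOTH))
        return 0;
    return 1;
}

/* The monitored entry point: resolve, inspect, log, then exec the resolved
 * path directly so the kernel sees exactly what was checked. */
int checked_execvp(const char *file, char *const argv[])
{
    char resolved[4096];
    if (resolve_exec_path(file, getenv("PATH"), resolved, sizeof resolved) != 0) {
        fprintf(stderr, "exec-monitor: cannot resolve %s\n", file);
        return -1;
    }
    fprintf(stderr, "exec-monitor: %s ->", resolved);
    for (int i = 0; argv[i] != NULL; i++)
        fprintf(stderr, " %s", argv[i]);
    fputc('\n', stderr);
    if (!exec_allowed(resolved)) {
        fprintf(stderr, "exec-monitor: denied %s\n", resolved);
        return -1;
    }
    return execve(resolved, argv, environ);
}

int main(void)
{
    char *const argv[] = { "sh", "-c", "echo exec-monitor: child ran", NULL };
    checked_execvp("sh", argv);       /* only returns on resolve/deny failure */
    return 1;
}
```

Because the check and the execve() are two separate steps, a wrapper like this is advisory only: the file can change between the check and the call, and a process that calls execve() itself bypasses it entirely, which is why the thread points at replacing the system call entry points for anything stronger.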