From: Terry Lambert <tlambert2@mindspring.com>
Date: Thu, 17 Oct 2002 15:48:04 -0700
To: Ramkumar Chinchani
Cc: hackers@freebsd.org
Subject: Re: tracing exec system call

Ramkumar Chinchani wrote:

> What would be the best way to *capture* the execv system call at its entry point
> from user space? ptrace()?
>
> What would be a good way to inspect the command line args to execv *after* the
> path, etc., has been resolved?

Duplicate the path resolution process, and examine the results, before making the call.

> This is useful if one wants to monitor a process and all the system calls it
> makes and then disallow a few of them if suspicious.
This is also useful for weenies who want to write "rootkits", or to hide the fact that there are suspicious calls being made from any monitoring software loaded before the exploit was loaded, by capturing the suspicious events and calling the code directly, to avoid the monitoring.

The answer is that you can replace any system call entry point with your own.

If you want another approach, replace the standard execution class entry points with your own, using a loadable module, since they are pointers, and call through to the original pointers in order to do the real work.

-- Terry
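An added example of the "duplicate the path resolution process, then examine the results" advice above (not code from the post or from FreeBSD): it repeats the PATH search that execvp(3) performs and canonicalizes the hit with realpath(3), so a user-space policy check sees the file that will actually run. The predicate is injected so the search can be exercised against a constructed fake tree; the path `/opt/tools/scan` in it is invented for the demonstration.

```c
#define _DEFAULT_SOURCE 1   /* declare realpath(3) on glibc */
/* Added example, not code from the mailing-list post: before calling exec,
 * repeat the PATH search execvp(3) performs and canonicalize the result with
 * realpath(3), so a policy check inspects the file that will actually run.
 * Caveat: execve(2) resolves the path again in the kernel, so this is a
 * pre-check with a time-of-check/time-of-use window, not a guarantee. */
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
/* Predicate deciding whether a candidate is an executable file; injected so
 * the search logic can also be exercised against a constructed fake tree. */
typedef int (*exec_pred_t)(const char *path);
int is_executable(const char *path) { return access(path, X_OK) == 0; }
/* Constructed fake tree for demonstration: exactly one program exists. */
int fake_tree(const char *path) { return strcmp(path, "/opt/tools/scan") == 0; }
/* Mimic execvp(3): a name containing '/' is used as given; otherwise each PATH
 * element is tried in order, an empty element meaning the current directory.
 * Returns 0 with the match in out, or -1 if no element yields an executable. */
int resolve_in_path(const char *name, const char *path, exec_pred_t pred,
                    char *out, size_t outsz)
{
    if (strchr(name, '/')) {                  /* explicit path: no search */
        if (!pred(name) || strlen(name) >= outsz) return -1;
        strcpy(out, name); return 0;
    }
    const char *p = path ? path : "";
    for (;;) {
        const char *end = strchr(p, ':');
        size_t dlen = end ? (size_t)(end - p) : strlen(p);
        int n = dlen ? snprintf(out, outsz, "%.*s/%s", (int)dlen, p, name)
                     : snprintf(out, outsz, "./%s", name);
        if (n > 0 && (size_t)n < outsz && pred(out)) return 0;
        if (!end) return -1;                  /* last element tried */
        p = end + 1;
    }
}

/* Resolve a command as exec would, then follow symlinks and ".." components
 * so the inspected result is the canonical target, not an alias for it. */
int resolve_exec_target(const char *name, const char *path, char *canon, size_t sz)
{
    char found[PATH_MAX], real[PATH_MAX];
    if (resolve_in_path(name, path, is_executable, found, sizeof found)) return -1;
    if (!realpath(found, real) || strlen(real) >= sz) return -1;
    strcpy(canon, real);
    return 0;
}
```

A monitor would run the policy check on `canon` and refuse to call exec when it does not pass; nothing here stops a process that bypasses the wrapper, which is why the post points at the kernel entry points for the real enforcement.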