Thread: How to wrap "execv" system call in Linux using C?

  1. #1
    Registered User
    Join Date
    Jul 2021
    Posts
    9

    How to wrap "execv" system call in Linux using C?

    Hello guys, I'm developing a tool for educational purposes, one of whose features is intercepting every command a user executes in Linux and then logging it somewhere. The problem is that I have been trying to solve this but have been unable to. A fellow from SO made a close approach, still not working. Can somebody help please?

  2. #2
    and the hat of int overfl Salem's Avatar
    Join Date
    Aug 2001
    Location
    The edge of the known universe
    Posts
    39,660
    Are you trying to do anything that say strace can't?

    > A fellow from SO made a close approach still not working. Can somebody help please?
    Pointing at someone else's broken code with the sub-text "I found this, please fix it for me" isn't going to go very far.

    If you want actual help, post your best effort and your observations about what does/doesn't work.
    If you dance barefoot on the broken glass of undefined behaviour, you've got to expect the occasional cut.
    If at first you don't succeed, try writing your phone number on the exam paper.

  3. #3
    Registered User
    Join Date
    Jul 2021
    Posts
    9
    > Are you trying to do anything that say strace can't?
    Yes, I'm trying to learn here not to invent the wheel.

    > Pointing at someone else's broken code with the sub-text "I found this, please fix it for me" isn't going to go very far.
    I just wanted to give credit, not to take it for myself, since I didn't make that code.

    > If you want actual help, post your best effort and your observations about what does/doesn't work.
    I have observed that even though I compile one of them to a binary and the other as a shared lib, and even though I set the preload path, the wrapper for `execv` is not catching it.

  4. #4
    Registered User
    Join Date
    May 2009
    Posts
    4,183
    The fact that you could be a bad actor, because what you are trying to do sounds like an illegal activity, also does not help.

    Tim S.
    "...a computer is a stupid machine with the ability to do incredibly smart things, while computer programmers are smart people with the ability to do incredibly stupid things. They are, in short, a perfect match." Bill Bryson

  5. #5
    Registered User
    Join Date
    Sep 2020
    Posts
    425
    Are you clear about what you want to do?

    A system call is the transfer of control from the userspace program to the OS kernel. That requires use of the OS's debug facility.

    Wrapping library functions using LD_PRELOAD to log what is going on is something else - it is all in userspace, and just uses hooks in the dynamic linking process.

    To me "intercepting every command a user is executing in Linux" seems to be something else. If I delete a file it doesn't use the exec system call, nor would it involve wrapping just a few library functions.

  6. #6
    Registered User
    Join Date
    Jul 2021
    Posts
    9
    Quote Originally Posted by hamster_nz View Post
    Are you clear about what you want to do?

    A system call is the transfer of control from the userspace program to the OS kernel. That requires use of the OS's debug facility.

    Wrapping library functions using LD_PRELOAD to log what is going on is something else - it is all in userspace, and just uses hooks in the dynamic linking process.

    To me "intercepting every command a user is executing in Linux" seems to be something else. If I delete a file it doesn't use the exec system call, nor would it involve wrapping just a few library functions.
    Yeah, I get it: if a user deletes a file using the GUI then it's fine, I'm more into the command line stuff. If a user executes a command with args, the logger would just get it and log it somewhere safe.

  7. #7
    Registered User
    Join Date
    Jul 2021
    Posts
    9
    Quote Originally Posted by stahta01 View Post
    The fact you could be a bad actor because what you are trying to do sounds like an illegal activity also does not help.

    Tim S.
    No, not really. I don't have any personal gain from this except expanding my learning horizons.

  8. #8
    Registered User
    Join Date
    Jul 2021
    Posts
    9
    Okay, I have actually made more progress: I have successfully linked both binaries, but there's something else...

    Code:
    #define _GNU_SOURCE
    #include <dlfcn.h>
    #include <stdio.h>
    #include <unistd.h>
    #include <errno.h>
    #include <string.h>

    /* Pointer to the real libc execve, looked up once when the library is loaded. */
    typedef int (*execve_fn)(const char *, char *const [], char *const []);
    static execve_fn real_exec = 0;

    static void __attribute__((constructor)) init(void) {
        real_exec = (execve_fn)dlsym(RTLD_NEXT, "execve");
        if (real_exec == 0)
            fprintf(stderr, "dlsym(\"execve\") failed: %s\n", dlerror());
    //    printf("something gets executed");
    }

    int execve(const char *arg, char *const argv[], char *const envp[]) {
        printf("In wrapped execve\n");
        fflush(stdout);             /* a successful exec discards unflushed stdio buffers */
        if (real_exec == 0) {       /* lookup failed in init(): fail instead of calling NULL */
            errno = ENOSYS;
            return -1;
        }
        return (*real_exec)(arg, argv, envp);
    }

    Now when I execute the other binary I only get the "printf("something gets executed");" on my screen; how do I show which command was executed and with its args?
    Last edited by thecowmilk; 10-17-2022 at 08:22 AM.

  9. #9
    and the hat of int overfl Salem's Avatar
    Join Date
    Aug 2001
    Location
    The edge of the known universe
    Posts
    39,660
    You mean like
    printf("In wrapped execve:%s\n",arg);
    If you dance barefoot on the broken glass of undefined behaviour, you've got to expect the occasional cut.
    If at first you don't succeed, try writing your phone number on the exam paper.

  10. #10
    Registered User
    Join Date
    Jul 2021
    Posts
    9
    Quote Originally Posted by Salem View Post
    You mean like
    printf("In wrapped execve:%s\n",arg);
    Yess!! But "in wrapped execve" doesn't get executed when the other bin runs

  11. #11
    Registered User
    Join Date
    Sep 2020
    Posts
    425
    Quote Originally Posted by thecowmilk View Post
    Yess!! But "in wrapped execve" doesn't get executed when the other bin runs
    Possibly because exec() is a whole family of functions:

    Code:
           int execl(const char *pathname, const char *arg, ...
                           /* (char  *) NULL */);
           int execlp(const char *file, const char *arg, ...
                           /* (char  *) NULL */);
           int execle(const char *pathname, const char *arg, ...
                           /*, (char *) NULL, char *const envp[] */);
           int execv(const char *pathname, char *const argv[]);
           int execvp(const char *file, char *const argv[]);
           int execvpe(const char *file, char *const argv[],
                           char *const envp[]);
    You don't really know in advance which one a program will use, so just like Pokemon - you got to catch them all!

    Actually you can use the 'nm' utility to find what external symbols a program uses....

    Code:
    $ nm a | grep " U "
                     U __libc_start_main@@GLIBC_2.2.5
                     U free@@GLIBC_2.2.5
                     U malloc@@GLIBC_2.2.5
                     U puts@@GLIBC_2.2.5
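
The following is an added example, not code from anyone in this thread, that puts hamster_nz's two points together: LD_PRELOAD interposes exported library symbols, and exec is a family, so the shim has to export every member. It also explains why the execve-only wrapper posted above never fires for a program that calls execl: inside glibc, execl/execv/execvp and friends reach the kernel through an internal alias of execve, not through the public execve symbol a preload can override, so each exported name must be interposed separately. The example logs with write(2) rather than printf, because a successful exec discards anything still sitting in a stdio buffer, and it escapes quotes and control characters so an argument containing a newline cannot forge a second log line. The file and function names (libexeclog.so, format_exec_log, exec_list, resolve) are this example's own; it assumes glibc, where execvpe is exported.

```c
// Added example, not code from this thread: an LD_PRELOAD shim that interposes
// the whole exec family and logs each call before forwarding it to libc.
// Build: gcc -shared -fPIC -o libexeclog.so execlog.c   (add -ldl on glibc < 2.34)
#define _GNU_SOURCE
#include <dlfcn.h>
#include <stdarg.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

extern char **environ;
typedef int (*exec3_fn)(const char *, char *const [], char *const []);

/* The real libc entry points. glibc's own execl/execv/execvp wrappers call an
   internal alias of execve, so interposing execve alone catches nothing else;
   we export every name ourselves and forward to these two (assumed to resolve). */
static exec3_fn real_execve;
static exec3_fn real_execvpe;

static void resolve(void) {
    if (!real_execve)  real_execve  = (exec3_fn)dlsym(RTLD_NEXT, "execve");
    if (!real_execvpe) real_execvpe = (exec3_fn)dlsym(RTLD_NEXT, "execvpe");
}

/* Append s to out, never writing past cap-1 so the caller can NUL-terminate. */
static void emit(char *out, size_t cap, size_t *pos, const char *s) {
    while (*s && *pos + 1 < cap) out[(*pos)++] = *s++;
}

/* Quote one argument; escape quotes, backslashes and control bytes so an argv
   element containing a newline cannot forge an extra log line. */
static void emit_quoted(char *out, size_t cap, size_t *pos, const char *s) {
    emit(out, cap, pos, "\"");
    for (; *s; s++) {
        unsigned char c = (unsigned char)*s;
        char tmp[5];
        if (c == '"' || c == '\\') snprintf(tmp, sizeof tmp, "\\%c", c);
        else if (c < 0x20 || c == 0x7f) snprintf(tmp, sizeof tmp, "\\x%02x", c);
        else snprintf(tmp, sizeof tmp, "%c", c);
        emit(out, cap, pos, tmp);
    }
    emit(out, cap, pos, "\"");
}

/* Render `kind file ["arg0", "arg1", ...]` into out; returns the length written. */
size_t format_exec_log(char *out, size_t cap, const char *kind,
                       const char *file, char *const argv[]) {
    size_t pos = 0;
    if (cap == 0) return 0;
    emit(out, cap, &pos, kind);
    emit(out, cap, &pos, " ");
    emit(out, cap, &pos, file ? file : "(null)");
    emit(out, cap, &pos, " [");
    for (size_t i = 0; argv && argv[i]; i++) {
        if (i) emit(out, cap, &pos, ", ");
        emit_quoted(out, cap, &pos, argv[i]);
    }
    emit(out, cap, &pos, "]");
    out[pos] = '\0';
    return pos;
}

static void log_exec(const char *kind, const char *file, char *const argv[]) {
    char line[4096];
    size_t n = format_exec_log(line, sizeof line - 1, kind, file, argv);
    line[n++] = '\n';
    /* write(2), not stdio: a successful exec throws away unflushed stdio buffers. */
    if (write(STDERR_FILENO, line, n) < 0) { /* nothing useful to do inside an exec hook */ }
}

/* Collect an execl-style NULL-terminated list into an argv array and forward.
   For execle the envp pointer follows the terminating NULL. */
static int exec_list(const char *kind, const char *file, const char *arg,
                     va_list ap, int search_path, int with_envp) {
    va_list count;
    size_t argc = 1;
    va_copy(count, ap);
    while (va_arg(count, char *) != NULL) argc++;
    va_end(count);

    char *argv[argc + 1];
    argv[0] = (char *)arg;
    for (size_t i = 1; i < argc; i++) argv[i] = va_arg(ap, char *);
    argv[argc] = NULL;
    (void)va_arg(ap, char *);                     /* the terminating NULL */
    char *const *envp = with_envp ? va_arg(ap, char *const *) : environ;

    resolve();
    log_exec(kind, file, argv);
    return search_path ? real_execvpe(file, argv, envp) : real_execve(file, argv, envp);
}

/* One exported wrapper per family member; the "p" variants go through execvpe. */
int execve(const char *path, char *const argv[], char *const envp[]) {
    resolve(); log_exec("execve", path, argv); return real_execve(path, argv, envp); }
int execv(const char *path, char *const argv[]) {
    resolve(); log_exec("execv", path, argv); return real_execve(path, argv, environ); }
int execvpe(const char *file, char *const argv[], char *const envp[]) {
    resolve(); log_exec("execvpe", file, argv); return real_execvpe(file, argv, envp); }
int execvp(const char *file, char *const argv[]) {
    resolve(); log_exec("execvp", file, argv); return real_execvpe(file, argv, environ); }
int execl(const char *path, const char *arg, ...) {
    va_list ap; va_start(ap, arg); int r = exec_list("execl", path, arg, ap, 0, 0); va_end(ap); return r; }
int execlp(const char *file, const char *arg, ...) {
    va_list ap; va_start(ap, arg); int r = exec_list("execlp", file, arg, ap, 1, 0); va_end(ap); return r; }
int execle(const char *path, const char *arg, ...) {
    va_list ap; va_start(ap, arg); int r = exec_list("execle", path, arg, ap, 0, 1); va_end(ap); return r; }
```

Run it as `LD_PRELOAD=./libexeclog.so ./test`; a program calling `execl("/bin/ls", "ls", "-l", NULL)` then prints `execl /bin/ls ["ls", "-l"]` on stderr before ls replaces it. As hamster_nz says, this is userspace only: statically linked programs, setuid binaries (for which the dynamic loader ignores LD_PRELOAD) and anything that issues the syscall directly never pass through the shim, so for an audit trail of every command the kernel side (ptrace-based tracing as strace does, or the Linux audit subsystem's execve records) is what to rely on; the preload shim is the right tool for learning how the dynamic-linking hook works.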

  12. #12
    Registered User
    Join Date
    Jul 2021
    Posts
    9
    Quote Originally Posted by hamster_nz View Post
    Possibly because exec() is a whole family of functions:

    Code:
           int execl(const char *pathname, const char *arg, ...
                           /* (char  *) NULL */);
           int execlp(const char *file, const char *arg, ...
                           /* (char  *) NULL */);
           int execle(const char *pathname, const char *arg, ...
                           /*, (char *) NULL, char *const envp[] */);
           int execv(const char *pathname, char *const argv[]);
           int execvp(const char *file, char *const argv[]);
           int execvpe(const char *file, char *const argv[],
                           char *const envp[]);
    You don't really know in advance which one a program will use, so just like Pokemon - you got to catch them all!

    Actually you can use the 'nm' utility to find what external symbols a program uses....

    Code:
    $ nm a | grep " U "
                     U __libc_start_main@@GLIBC_2.2.5
                     U free@@GLIBC_2.2.5
                     U malloc@@GLIBC_2.2.5
                     U puts@@GLIBC_2.2.5
    Well that's interesting...

    Code:
    nm test | grep 'U'
                     U execl@GLIBC_2.2.5
                     U fork@GLIBC_2.2.5
    0000000000002018 r __GNU_EH_FRAME_HDR
                     U __libc_start_main@GLIBC_2.34
                     U wait@GLIBC_2.2.5

    nm libtmp.so | grep 'U'
                     U dlsym@GLIBC_2.34
    000000000000201c r __GNU_EH_FRAME_HDR
                     U puts@GLIBC_2.2.5
    libtmp.so is the shared library which has the 'execv' function which needs to be wrapped.

  13. #13
    Registered User
    Join Date
    Jul 2021
    Posts
    9
    I DID IT GUYS!! I successfully wrapped execve!!!!

  14. #14
    Banned
    Join Date
    Jul 2022
    Posts
    112
    I DID IT GUYS!! I successfully wrapped execve!!!!
    Share!!
