Hello guys, I'm developing a tool for educational purposes that one of the features is intercepting every command a user is executing in Linux and then log it somewhere. The problem is that I have been trying to solve this but I have been unable. A fellow from SO made a close approach still not working. Can somebody help please?
Are you trying to do anything that say strace can't?
> A fellow from SO made a close approach still not working. Can somebody help please?
Pointing at someone else's broken code with the sub-text "I found this, please fix it for me" isn't going to go very far.
If you want actual help, post your best effort and your observations about what does/doesn't work.
If you dance barefoot on the broken glass of undefined behaviour, you've got to expect the occasional cut.
If at first you don't succeed, try writing your phone number on the exam paper.
> Are you trying to do anything that say strace can't?
Yes, I'm trying to learn here not to invent the wheel.
> Pointing at someone else's broken code with the sub-text "I found this, please fix it for me" isn't going to go very far.
I just wanted to give credit not to take it from myself since I didn't make that code
> If you want actual help, post your best effort and your observations about what does/doesn't work.
I have observed that even though I compile one of them to binary and the other as a shared lib, even though I enter the path of preloading, the wrapper of `execv` is not catching it.
The fact you could be a bad actor because what you are trying to do sounds like an illegal activity also does not help.
Tim S.
"...a computer is a stupid machine with the ability to do incredibly smart things, while computer programmers are smart people with the ability to do incredibly stupid things. They are,in short, a perfect match.." Bill Bryson
Are you clear about what you want to do?
A system call is the transfer of control from the userspace program to the OS kernel. The requires use of the the OS's debug facility.
Wrapping library functions using LD_PRELOAD to log what is going on is something else - it is all in userspace, and just uses hooks in the dynamic linking process.
To me "intercepting every command a user is executing in Linux" seems to be something else. If I delete a file it doesn't use the exec system call, nor would it involve wrapping a just a few library functions.
Originally Posted by hamster_nz
Yeah I get it, if a user deletes a file using GUI then it's fine, I'm more in the command line stuff. If a user executes a command with args, the logger would just get it and log it somewhere safe.To me "intercepting every command a user is executing in Linux" seems to be something else. If I delete a file it doesn't use the exec system call, nor would it involve wrapping a just a few library functions.
No not really, I don't have any personal gains from this except expanding my learning horizont.
Okay, I actually have made more progress, I have successfully linked both binaries but there's smth else...
Code:#define _GNU_SOURCE #include <dlfcn.h> #include <stdio.h> #include <unistd.h> #include <errno.h> #include <string.h> static int( * real_exec)(const char * , char * const [], char * const []) = 0; static void __attribute__((constructor)) init(void) { real_exec = (int( * )(const char * , char * const [], char * const [])) dlsym(RTLD_NEXT, "execve"); // printf("smth get exectuted"); } int execve(const char * arg, char * const argv[], char * const envp[]) { printf("In wrapped execve\n"); return ( * real_exec)(arg, argv, envp); }
Now when I execute the other binary I get the only "printf("smth get exectuted");" in my screen, how do I show which command was executed and with its args?
Last edited by thecowmilk; 10-17-2022 at 08:22 AM.
You mean like
printf("In wrapped execve:%s\n",arg);
If you dance barefoot on the broken glass of undefined behaviour, you've got to expect the occasional cut.
If at first you don't succeed, try writing your phone number on the exam paper.
Yess!! But "in wrapped execve" doesn't get executed when the other bin runs
Possibly because exec() is a whole family of funcitons:
You don't really know in advance which one a program will use, so just like Pokemon - you got to catch them all!Code:int execl(const char *pathname, const char *arg, ... /* (char *) NULL */); int execlp(const char *file, const char *arg, ... /* (char *) NULL */); int execle(const char *pathname, const char *arg, ... /*, (char *) NULL, char *const envp[] */); int execv(const char *pathname, char *const argv[]); int execvp(const char *file, char *const argv[]); int execvpe(const char *file, char *const argv[], char *const envp[]);
Actually you can use the 'nm' utility to find what external symbols a program uses....
Code:$ nm a | grep " U " U __libc_start_main@@GLIBC_2.2.5 U free@@GLIBC_2.2.5 U malloc@@GLIBC_2.2.5 U puts@@GLIBC_2.2.5
Well that's interesting...
libtmp.so is the shared library which has the 'execv' function which needs to be wrapped.Code:nm test | grep 'U' U execl@GLIBC_2.2.5 U fork@GLIBC_2.2.5 0000000000002018 r __GNU_EH_FRAME_HDR U __libc_start_main@GLIBC_2.34 U wait@GLIBC_2.2.5 nm libtmp.so | grep 'U' U dlsym@GLIBC_2.34 000000000000201c r __GNU_EH_FRAME_HDR U puts@GLIBC_2.2.5
I DID IT GUYS!! I successfully wrapped execve!!!!
Share !!I DID IT GUYS!! I successfully wrapped execve!!!!
