
Intercept executed commands in Linux

I need to know if it is possible to intercept a user-executed command in a loadable kernel module. I know that system calls can be intercepted, such as open(). But what I need to do is intercept the user-entered command/process and add some validations. For example, if the user enters the cp command, before executing the command I need to perform some validations against it. If we cannot do this in an LKM, what are the alternative approaches?

You need to look up how many actual system calls there are for execvp() and friends (probably 1, maybe 2 — it could be more, but probably isn't), and then intercept those system calls. You might need to worry about posix_spawn() and friends too. They're the only ways that new processes can be run. There isn't any other way to intercept them.

You could try using an LKM or a systemtap plugin (which compiles to an LKM). The kernel functions that you should hook are execve and execveat. In case you are doing this for programming fun and want to write hooking code by yourself, you might want to look at kprobes and know that you can get kernel function addresses from /proc/kallsyms.

Of course, recompiling the kernel with your own hooking code is another option if that is a possibility.

In both the cases above you probably want to intercept the execve calls made by a specific uid; if so, you should filter calls from that uid.

A userspace approach might be to try writing a seccomp filter. Here is a tutorial on how to go about writing one.
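As an added example (not part of the answers above, and not code from any linked tutorial), here is the seccomp approach in C: a classic-BPF program that denies execve(2) and execveat(2) with EPERM while allowing every other system call. The filter program is real seccomp-BPF; the small `eval_filter` interpreter, `action_for` and `install_exec_deny_filter` are names chosen for this example. It mirrors the kernel's evaluation of the subset of instructions the filter uses, so the policy can be checked without installing it; `main` then installs the filter in a forked child and shows that `execl` fails with EPERM. The architecture check is mandatory in any seccomp filter, because syscall numbers differ per ABI.

```c
/* Added example: seccomp-BPF filter that denies execve/execveat with EPERM. */
#include <errno.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

#if defined(__x86_64__)
#define FILTER_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define FILTER_ARCH AUDIT_ARCH_AARCH64
#else
#error "add the AUDIT_ARCH_* value for this architecture"
#endif

#ifndef SECCOMP_RET_KILL_PROCESS            /* older uapi headers lack it */
#define SECCOMP_RET_KILL_PROCESS 0x80000000U
#endif

/* Deny the two exec entry points with EPERM; allow everything else. */
static struct sock_filter exec_deny_filter[] = {
    /* Kill the process if the filter runs under a different ABI. */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, FILTER_ARCH, 1, 0),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
    /* Load the syscall number and compare it with execve/execveat. */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_execve, 1, 0),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_execveat, 0, 1),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA)),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
};
#define FILTER_LEN (sizeof exec_deny_filter / sizeof exec_deny_filter[0])

/* Toy evaluator for the instruction subset used above (LD_W|ABS, JEQ|K,
   RET|K). It does what the kernel does for these opcodes and lets the
   policy be tested without installing it. Returns the SECCOMP_RET_* value. */
static unsigned int eval_filter(const struct sock_filter *prog, size_t len,
                                const struct seccomp_data *data) {
    unsigned int acc = 0;
    for (size_t pc = 0; pc < len; pc++) {
        const struct sock_filter *ins = &prog[pc];
        switch (ins->code) {
        case BPF_LD | BPF_W | BPF_ABS:          /* acc = data[k] (32 bits) */
            memcpy(&acc, (const char *)data + ins->k, sizeof acc);
            break;
        case BPF_JMP | BPF_JEQ | BPF_K:          /* skip jt or jf instructions */
            pc += (acc == ins->k) ? ins->jt : ins->jf;
            break;
        case BPF_RET | BPF_K:
            return ins->k;
        default:
            abort();                             /* opcode not modelled here */
        }
    }
    abort();   /* the kernel refuses filters that can fall off the end */
}

/* Action the filter takes for syscall `nr` arriving under ABI `arch`. */
static unsigned int action_for(int nr, unsigned int arch) {
    struct seccomp_data d = { .nr = nr, .arch = arch };
    return eval_filter(exec_deny_filter, FILTER_LEN, &d);
}

/* Install the filter in the calling process; it cannot be removed afterwards
   and is inherited by every child, so a shell started under it stays limited. */
static int install_exec_deny_filter(void) {
    struct sock_fprog prog = { .len = FILTER_LEN, .filter = exec_deny_filter };
    /* Unprivileged processes must give up privilege escalation via setuid
       binaries before they may install a filter. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

int main(void) {
    pid_t pid = fork();                  /* restrict only the child */
    if (pid == 0) {
        if (install_exec_deny_filter() != 0) { perror("seccomp"); _exit(2); }
        execl("/bin/true", "true", (char *)NULL);   /* expected to fail */
        printf("execve denied: %s\n", strerror(errno));
        _exit(errno == EPERM ? 0 : 1);
    }
    int status = 0;
    waitpid(pid, &status, 0);
    return WIFEXITED(status) ? WEXITSTATUS(status) : 1;
}
```

Two caveats that matter for the question as asked. First, a seccomp filter sees only `struct seccomp_data` (syscall number, ABI, instruction pointer and the raw argument words); it cannot dereference the `filename` pointer, so it can allow or deny exec as a whole but cannot decide per command such as `cp`. Per-command validation needs a kernel-side hook (kprobe or LSM on the exec path, where the kernel has already copied the path in) or a supervisor process using `SECCOMP_RET_USER_NOTIF`. Second, `seccomp_data` carries no uid, so the per-uid filtering the answer mentions is done by installing the filter in that user's session (it is inherited across fork and exec) rather than by testing the uid inside the filter.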
