How to detect new process creation?

hkhalid · 08-18-2009, 07:11 PM

Hi every body,
I'm developping an application that acts like a firewall with several
modules.
One of these modules should detect new processes, block them and inform the user who will accept or deny the new process. An appropriate signal is then sent to the process (SIGKILL or SIGCONT).
The problem is how to detect these new processes?
I've crated a program that reads the /proc directory when the application is just run, saves the actual processes in a table and then loops forever doing the folowing steps:
read /proc and get a list of actual processes;
compare this list with that caught in the beginning;
if there is more processes, read both lists and catch the new one
inform the user
get answer and act accordingly
update process list

the code for reading actual processes looks like this:

int proc_list[];
struct dirent *ent ;
DIR *proc ;
int i = 0 ;
proc = opendir ("/proc") ;
while (ent = readdir (proc))
if (isdigit (ent->d_name))
{
proc_list[i] = atoi(ent->dname);
i++;
}
close (proc) ;

Detecting processes this way works, but repeating in infinitely is resources consuming.

So, please does any body have another idea of how to do this resources friendly?

thanks in advance.

jiml8 · 08-18-2009, 08:22 PM

I do believe you'll have to hack the kernel. Maybe make a modification to the clone() routine to have it send a signal to a specified kernel module, then write that kernel module. Your firewall probably needs a kernel component anyway, doesn't it?

hkhalid · 09-13-2009, 03:14 AM

Hi everybody,
Yes, my firewall needs a kernel module. But when trying to implement this module, I got some surprises. The idea is the following.
We know that all processes are created by a call to the a function from the exec() family. These functions call, somehow, the execve() system call. So, the solution would be to hack the execve() syscall so that it informs me about the new process creation. The problem is that when I implement this module, compile it and run it, all what I get is a system freeze! The running processes keep running but for new ones I get a “process stopped” message. Note that when I hack another syscall, let’s say sys_chdir, it works fine and I get informed about all directory changes.
I googled for an answer and learned that the execve() is a special syscall since it can’t be delegated.
So I tried another solution. I hacked the sys_mkdir so that I get informed about all directories created in the /proc (because for each new process, the system created a separate directory in /proc with the pid of that process as directory name). The result, I get informed about all directories creation except those created in /proc!
Here is the code I used to hack the sys_mkdir:

<code>

#include <linux/kernel.h>
#include <linux/module.h>
#include <linux/unistd.h>

#define MODULE_NAME "module1"

/*
* I got the sys table address using
* # grep ' sys_call_table' /usr/src/linux/System.map | sed "s/^\(.*\) \(.* sys_call_table\)/0x\1/"
*/

#define SYS_CALL_TABLE_ADDRESS 0xc036b150;

#ifdef SYS_CALL_TABLE_ADDRESS
void **sys_call_table = ( void * )SYS_CALL_TABLE_ADDRESS;
#else
extern void *sys_call_table[];
#endif

MODULE_LICENSE( "GPL");

/* this function will store the original mkdir function */
asmlinkage int ( *original_sys_call )( const char *, int );

/*this is the hackes function */
asmlinkage int custom_sys_call( char *path, int m )
{
printk( KERN_INFO "'%s': directory created in (%s)\n", MODULE_NAME, path );

/* Call the original system call to maintain functionality */
return original_sys_call( path, m );
}

int init_module()
{

/* Store reference to the original system call */
original_sys_call = sys_call_table[ __NR_mkdir ];

/* Manipulate sys_call_table to call custom_sys_call instead of original_sys_call */
sys_call_table[ __NR_mkdir ] = custom_sys_call;

return 0;
}

/* This function is called when the module is unloaded */
void cleanup_module()
{

/* Restore original_sys_call */
sys_call_table[ __NR_mkdir ] = original_sys_call;

}
</code>

So, my questions are:
1. Is there any method to get the execve() system call delegated?
2. Since the mkdir doesn’t inform me about directories created in /proc, I guess the system uses some other system call to create these directories. Can anyone help me please to catch this system call?
Thanks.

wje_lq · 09-13-2009, 04:24 AM

Quote:

Originally Posted by hkhalid

We know that all processes are created by a call to the a function from the exec() family.

Um, I know nothing about hacking the kernel except that you're going to have to do that.

But I would submit that processes are created not as a result of a call from the exec() family, but as a result of a fork() or vfork() call. You might still have to focus on the exec() style calls, but I'm just sayin'.

hkhalid · 09-13-2009, 06:53 AM

Thanks wje_lq,
Yes, I think I didn't express it as it should be. Processes are created by calling the fork() or vfork() function that will create an exact copy of the caller process. This exact copy is replaced by the new process image when calling the exec() function.
I tried to catch the fork() and vfork() but I get nothing intersting. I create as much processes as I want without being informed by the system.

Hko · 09-13-2009, 05:31 PM

Not sure if it could work, but just an idea:

Maybe you can set an inotify-watch on /proc, so you only need to scan /proc/[0-9]* when a new PID is created.

I never tried to use inotify myself, but if I understand it correctly it can even tell you what has changed in /proc. Then you don't need to scan /proc/[0-9]* at all..