https://github.com/nlevitt/exec_spy
My Toy Kernel Module Just For Fun
- Host: GitHub
- URL: https://github.com/nlevitt/exec_spy
- Owner: nlevitt
- License: gpl-2.0
- Created: 2018-02-10T00:06:55.000Z (almost 8 years ago)
- Default Branch: master
- Last Pushed: 2018-02-22T01:03:21.000Z (almost 8 years ago)
- Last Synced: 2025-02-05T03:56:34.803Z (11 months ago)
- Language: C
- Size: 15.6 KB
- Stars: 0
- Watchers: 2
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: readme.md
- License: LICENSE
README
My Toy Kernel Module Just For Fun
---------------------------------
`exec_spy.c` is a Linux kernel module that intercepts and wraps the execve(2)
syscall and logs the command being run (or attempted), its arguments, and a few
other pieces of information (pid, uid, cwd).
It accomplishes this by modifying the syscall table in a way that is probably
architecture (x86_64) and kernel version specific. Developed on Ubuntu 17.10
"artful" with kernel 4.13.0-32-generic. It might have bugs and crash your
computer, so don't run it anywhere that matters. For example, my VM froze when I
tried loading it on 4.4.0-45-generic.
To build, make sure `/lib/modules/$(uname -r)/build` is set up correctly for
building kernel modules. On Ubuntu I think all you have to do is
`apt-get install linux-headers`. Then run `make`. For more information see
https://www.kernel.org/doc/Documentation/kbuild/modules.txt
Load with `insmod exec_spy.ko`, unload with `rmmod exec_spy`.
Note: *The kernel already has this functionality (and much more) built into
it,* via the audit subsystem. Try this on Ubuntu:
```shell
# install the audit daemon and its command-line tools
sudo apt-get -y install auditd
# log every execve() and execveat() on syscall exit, for both the 64-bit and the 32-bit ABI
sudo auditctl -a exit,always -F arch=b64 -S execve
sudo auditctl -a exit,always -F arch=b32 -S execve
sudo auditctl -a exit,always -F arch=b64 -S execveat
sudo auditctl -a exit,always -F arch=b32 -S execveat
# follow the audit log as new records arrive
sudo less +F /var/log/audit/audit.log
```
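The audit rules above write one multi-record event per exec (a `SYSCALL` record, an `EXECVE` record with the argument vector, a `CWD` record, and `PATH` records), which carries the same pid, uid, cwd and argv that `exec_spy` logs. The following parser is an added example and is not part of the exec_spy repository: it groups raw `audit.log` lines by their event id and reduces each exec event to one dictionary. It assumes x86_64 syscall numbers (59 for execve, 322 for execveat) and works on constructed sample records, including an argument that audit hex-encodes because it contains a space, and a failed attempt that has no `EXECVE` record.

```python
import re
from collections import defaultdict

# Every audit record starts with: type=<TYPE> msg=audit(<timestamp>:<serial>): <fields>
_HEADER = re.compile(r'^type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s*(?P<body>.*)$')
# key=value pairs; a value is either a double-quoted string or a bare token
_FIELD = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# x86_64 syscall numbers (assumption: matches the arch=c000003e records below)
EXEC_SYSCALLS = {"59", "322"}  # execve, execveat


def _unquote(raw):
    """Strip the double quotes audit puts around plain string values."""
    if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    return raw


def _decode_arg(raw):
    """EXECVE argv entries containing whitespace or special characters are
    emitted as an unquoted hex string; everything else is quoted."""
    if raw.startswith('"'):
        return _unquote(raw)
    try:
        return bytes.fromhex(raw).decode("utf-8", errors="replace")
    except ValueError:
        return raw


def parse_audit_events(lines):
    """Group records by (timestamp, serial) and return events in first-seen order.
    Each event maps record type -> dict of that record's fields."""
    events, order = {}, []
    for line in lines:
        m = _HEADER.match(line.strip())
        if not m:
            continue  # blank or non-audit line
        key = (m["ts"], m["serial"])
        if key not in events:
            events[key] = {"time": float(m["ts"]), "serial": int(m["serial"]),
                           "records": defaultdict(dict)}
            order.append(key)
        events[key]["records"][m["type"]].update(_FIELD.findall(m["body"]))
    return [events[k] for k in order]


def parse_execve_events(text):
    """Reduce exec events to the fields exec_spy logs: pid, uid, cwd, exe, argv.
    A failed attempt (success=no) is still reported, with argv empty when the
    kernel emitted no EXECVE record for it."""
    out = []
    for ev in parse_audit_events(text.splitlines()):
        recs = ev["records"]
        sc = recs.get("SYSCALL")
        if not sc or sc.get("syscall") not in EXEC_SYSCALLS:
            continue
        ex = recs.get("EXECVE", {})
        argc = int(ex.get("argc", 0))
        argv = [_decode_arg(ex[f"a{i}"]) for i in range(argc) if f"a{i}" in ex]
        out.append({
            "serial": ev["serial"],
            "time": ev["time"],
            "pid": int(sc["pid"]),
            "ppid": int(sc.get("ppid", -1)),
            "uid": int(sc["uid"]),
            "auid": int(sc.get("auid", -1)),
            "exe": _unquote(sc.get("exe", "")),
            "comm": _unquote(sc.get("comm", "")),
            "cwd": _unquote(recs.get("CWD", {}).get("cwd", "")),
            "success": sc.get("success") == "yes",
            "exit": int(sc.get("exit", 0)),
            "argv": argv,
        })
    return out


# Constructed sample records (not captured from a real system). Event 456 is
# `echo "hello world"`; a1 is hex for "hello world" because of the space.
# Event 457 is a denied exec (exit=-13 is -EACCES) that produced no EXECVE record.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1518220000.123:456): arch=c000003e syscall=59 success=yes exit=0 a0=55d1c0 a1=55d2f0 a2=55d400 a3=8 items=2 ppid=1200 pid=1235 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="echo" exe="/bin/echo" key=(null)
type=EXECVE msg=audit(1518220000.123:456): argc=2 a0="echo" a1=68656C6C6F20776F726C64
type=CWD msg=audit(1518220000.123:456): cwd="/home/alice"
type=PATH msg=audit(1518220000.123:456): item=0 name="/bin/echo" inode=1234 dev=08:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1518220001.500:457): arch=c000003e syscall=59 success=no exit=-13 a0=55d1c0 a1=55d2f0 a2=55d400 a3=8 items=1 ppid=1200 pid=1236 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="bash" exe="/bin/bash" key=(null)
type=CWD msg=audit(1518220001.500:457): cwd="/home/alice"
"""

if __name__ == "__main__":
    for e in parse_execve_events(SAMPLE_AUDIT_LOG):
        status = "ran" if e["success"] else f"FAILED exit={e['exit']}"
        print(f"pid={e['pid']} uid={e['uid']} cwd={e['cwd']} exe={e['exe']} argv={e['argv']} {status}")
```

On a live system, feed it `open("/var/log/audit/audit.log").read()` (root is needed to read that file); `ausearch -i` prints the same events already decoded, but parsing the raw records is what you need when shipping them elsewhere. Records for the 32-bit ABI (`arch=40000003`) use different syscall numbers and are not matched by `EXEC_SYSCALLS` as written.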