0

I bullied simple monitor that print the path of the file that been execute so i hooked the execve system call but the problem was that the file name parameter contain only the file name and not the all path. any way i copied the envp parameter and i printed every string in it but the out put was just LS_C so i am wondering where do the execve system call get path from this is my code:

static asmlinkage long our_execl(const char __user * filename, const char __user * const __user * argv, const char __user * const __user * envp) { copy_from_user(mid,envp,sizeof(envp)); printk("okdotk:%d\n",sizeof(envp)); for(i=0;i<sizeof(envp);i++) { strncpy_from_user(env, mid[i], sizeof(mid[i])); env[255]='\0'; printk("%s\n",env); reset_envp(sizeof(env)); }

return original_call(filename,argv,envp) }

Improve this question

1 Answer 1

Reset to default
2

sizeof(envp) is the sizeof a pointer which on your system is 4. It's not the length of the array.

Therefore, your code merely shows the first 4 letters LS_C of a single environment variable LS_COLOR=..

You should instead iterate until envp[i] is NULL, signaling the end of the environment. For each environment variable, you should copy until you see a \0, and again not stop after the first 4 bytes.

Improve this answer
Sign up to request clarification or add additional context in comments.

10 Comments

but i can't check the envp[i] before copy it to kernel space so how should i get the size of the array?
You can't get the length of the array up front, just like how you can't get the length of a string up front. You have to search it until you find the terminator (the char** envp is terminated by NULL the same way char* is terminated by \0)
and one more question I did what you sad and it worked just fine but i got list of number and variables so maybe you know how to get the PATH variable
Are you saying that when you examine envp[1], it's NULL? What's your current code?
Please post your updated code. It's not clear exactly what you have changed, so we can't guess what your code is actually doing now.
|

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.