Hooking execve for an LD_PRELOAD library

Andreas Fink finkandreas@web.de
Sun Jan 17 07:07:32 GMT 2021


Hello,
I would like to hook a call to execve, and have the code:
############### execve_override.c ######################
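#define _GNU_SOURCE
#include <dlfcn.h>
#include <stdio.h>

/* Pointer to the next execve in symbol lookup order (normally the libc one). */
int (*real_execve)(const char *pathname, char *const argv[], char *const envp[])=NULL;

int execve(const char *pathname, char *const argv[], char *const envp[]) {
    /* Resolve the real implementation once, on first use. */
    if (real_execve==NULL) {
        real_execve = dlsym(RTLD_NEXT, "execve");
    }
    /* Log the intercepted call; skip logging if the file cannot be opened. */
    FILE* logfile = fopen("/tmp/execve_override.log", "a");
    if (logfile != NULL) {
        fprintf(logfile, "intercepted execve for %s\n", pathname);
        fclose(logfile);
    }
    /* Forward to the real execve with the original arguments. */
    return real_execve(pathname, argv, envp);
}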
############################################################
I compiled it:
gcc -o libexecve_override.so -shared -fPIC execve_override.c -ldl

and start an executable that calls execve:
LD_PRELOAD=/path/to/libexecve_override.so my_binary_calling_execve

Up to this point everything works as expected. The call to execve is
hooked, logged in the file /tmp/execve_override.log and forwarded to
the next execve implementation.
I compiled my executable without any specific flags, i.e. a vanilla:
gcc test_exec.c

Now I would like the same to happen for execvp. The man page of execvp
mentions that the exec-family functions are just frontends to execve,
so I replaced the explicit call to execve in my executable's source
code with a call to execvp. I expected that this
would just work, as execvp would in turn call execve and this would be
caught by the hook, then logged and forwarded to the real
implementation. But to my surprise no such thing happened. execvp would
run successfully, but my hook would never be called.
Why is the hook not called? What did I miss?

Thanks for any help
Andreas

