tags:

views:

461

answers:

2
+1  Q: 

Method to intercept child process filesystem activity

I have a small command-line application written in C that acts as a wrapper/launcher for other programs (think: xargs). The application is written to compile on FreeBSD/Linux (via fork()/exec()) and Windows (CreateProcess()). In addition to being able to intercept, inject, or otherwise manipulate the command-line arguments for the child application, I was wondering if there is an easy way to intercept the child program's filesystem activity (or it's children, and so forth). I'm mainly interested in just the filenames accessed for either read or write, but not the contents of said files, and would like the interception to be as lightweight as possible.

In googling some relevant keywords from above, it seems there are many ways to do this in Win32. From file system filter drivers to tampering with PE import table headers. None of these seem trivial or something I could self-contain within my wrapper program's executable (e.g. most would require extra DLLs or driver files alongside the main executable.) Also, I'd like this to work on Windows XP through 7, if possible, without having to hack around UAC or other platform deltas. It's my child process, so I figure I should be able to securely monitor its activity :)

On Linux, there is inotify(), but it monitors general filesystem access without regard to ONLY my child process/es. Same thing goes for FreeBSD's kqueue(). These also break down in SMP cases where multiple instances of the wrapper might be running different programs, and each needs to disambiguate their own child's filesystem activity from one another.

I'd certainly appreciate any suggestions that the SO community might have to offer.

+2  A: 

The only suggestion I would make is to use strace (trace system calls and signals), though this is more of a debugging tool, and does affect the performance of the process being traced

strace -f -e trace=file -o <output-file> <cmd-line>

-f - follow forks
-e trace=file - will output system calls related to the file-system
-o <output-file>

IMHO - if you get familiar with strace, it is always a useful tool to have in the armory.

Beano  2009-06-23 06:28:35
Thank you, Beano. I've used strace, but was unaware of the -e trace=file shortcut ... very handy. Unfortunately, the performance penalty is a bit high, as it uses ptrace(2) under the hood.
Optigrab  2009-06-23 23:50:19
A: 

Write a "interposer" library that hooks your fopen and set LD_PRELOAD environment variable for all child processes. This works with dynamically linked libraries thou.

Example of how to do this can be found here: http://developers.sun.com/solaris/articles/lib_interposers.html and http://lists.debian.org/debian-powerpc/2004/11/msg00039.html shows a partial implementation for fopen() interposer..

rasjani  2009-06-23 19:27:31
If you want to go this route, you'd probably be better off intercepting the system calls that access the file system. open(), creat(), chmod(), exec*(). There may be others.
Keith Smith  2009-06-23 19:38:06
^ true, allthou writing such wrapper with implementations for open(), fopen(), fdopen(), freopen() should cover quite a lot of cases.
rasjani  2009-06-23 19:50:56
This approach seems to be the simplest, with the only downside being that I need to have a separate 'interceptor' shared library file in addition to just my executable. Is there a mechanism equivalent to LD_PRELOAD on Win32 platforms?
Optigrab  2009-06-23 23:57:11
Optigrab: Im not familar with windows development but found this wikipedia article which describes 4 ways to archive the same: http://en.wikipedia.org/wiki/DLL_injection
rasjani  2009-06-24 09:00:53
Thank you all for the pointers. On *nix, I'm successfully using LD_PRELOAD, and on Win32, I found a great article on DLL injection here: http://www.codeproject.com/KB/threads/completeinject.aspxThe only downside of this approach is needing the extra .so/.dll file living alongside my executable. I suppose I could auto-extract it, use it , and delete it from inside my executable, but I'll leave that for another day.
Optigrab  2009-06-28 03:25:51
I just want to add one thing. This approach is not entirely secure against tampering. Meaning that if child process actively tries to avoid your attention/limits it can do so.
Stan  2009-06-30 17:29:22

related questions

grep a file, but show several surrounding lines?
VMWare Server Under Linux Secondary NIC connection
Should I move from C++ to Python? ... Or another language?
Globus Toolkit virtual machine
How to avoid redefining VERSION, PACKAGE, etc.
How do I setup Public-Key Authentication?
showing a message box from a bash script in linux
Best Linux Distro for Computer Repair
Mapping my custom keys in Debian
Any IcedTea war stories?
How do you find the age of a long-running Linux process?
Personal Linux web server
Programmatically talking to a Serial Port in OS X or Linux
what's in your .bashrc ?
Linux - files and scripts that execute on boot
Text Editor For Linux (Besides Vi)?
Lightweight IDE for Linux
Shell scripting input redirection oddities
XML Editing/Viewing Software
What should a longtime Windows user know when starting to use Linux?
Gtk SSH client for Linux?
Getting root permissions on a file inside of vi?
Is it possible to drag windows between workspaces when using Compiz?
GTK implementation of MessageBox
Is gettimeofday() guaranteed to be of microsecond resolution?