Intercept ELF loader in linux kernel: fs/binfmt_elf.c file via loadable kernel module

Question

I am new to kernel coding and at present I am working with ELF files which have been modified a little bit for the security purposes for which I need to look at some of it\'

Answer 1

Yes, it's possible, but definitely not easy. There is even a supported kernel facility "kprobes" that allows you to insert calls to your own code from specified locations (see Documentation/kprobes.txt). If inserting calls to your own code is insufficient, I think you would need to use the same sort of mechanisms as kprobe: patching the desired location by overwriting instructions with jmps or calls into your own code.

I once worked at a company whose security product installed its hooks by runtime-patching the Windows kernel. This is pretty much the same thing, though at least with Windows at the time there were a finite number of versions that had to be supported.

So, it's definitely possible, but I wouldn't want to try it. It will be very brittle; you'll be in effect trying to hit a moving target. Every kernel security patch or version upgrade is likely to break your code.