Detecting the start of applications

[Otterz]

Hi,

I am trying to detect the launch of applications. This may be more pertinent to Kernel Programming, but I am not sure it needs to be implemented in the kernel!

What I want to do is detect the launch of an application, and then IF the application is one I care about, then I may trigger some events (debugging, instrumentation, special logging .... ).

I am not entirely sure of what happens when you 'execute' and application.

I am guessing here, but I assume when you use the command line to "./myapp", the shell makes a system call to fork() the execution, creating a new process "myapp", and then the parent returns to the command line (if you "&"), or waits for the child to finish. I would have to hook into fork(), does the linux kernel offer any other methods to detect the creation of a new process?

[Cabhan]

You could hook into fork() to see what executes next, but you're going to end up in a lot of incorrect fork()s. The better approach would be to hook into the exec family of system calls, which actually execute programs.

I don't know the exact approach that you are going to take. One way that I know is to create a .so that overrides the exec family using dlopen and dlsym, and then using LD_PRELOAD to run the library before any program that is executed. But this may or may not be what you want.

Keep us updated. I'd be interested.

[wje_lf]

Keep us updated. I'd be interested.

So would I.

What will make things a little simpler is that there isn't a whole family of exec system calls; there's just execve. The family of exec library calls are front-ends to this one guy.