1. Introduction
What is appcap? Appcap is a tricky application for x86 Linux which allows a user with enough privileges (usually the superuser) on a Linux machine to attach to any application and redirect its standard input and output to his own tty.
In this way the superuser obtains an instrument for looking into ordinary users' sessions. This may be very useful if the superuser suspects that some of his users are doing nasty things from his machine.
2. Details
Appcap uses the ptrace() debugging call in order to modify the application's address space and change the flow of execution of the traced application. So the first prerequisite for running appcap is a working ptrace() call: if you can debug applications on your machine using gdb, you can also use appcap.
Appcap will attach to the selected application and inject some assembler code into it, which in turn will redirect standard input and output to a file descriptor passed to it over a Unix domain socket (usually located in /tmp/auth-fd). This file descriptor is the tty of appcap. The '-f' command line argument gives the first of the two descriptor numbers (n and n+1) of the hijacked application that have to be dup'ed onto the passed descriptor. Usually you don't need to specify this; it defaults to '0', resulting in stdin and stdout (0 and 1 respectively) being redirected. However, I've seen ssh versions using descriptor numbers 4 and 5 for stdin/out, so in that case you need to give -f 4 (note that you then also must pass the pid of the application using -p pid). If unsure, look in /proc/pid/fd for the file descriptors (ls -l /proc/pid/fd shows what each descriptor points at).
Appcap will inject relocatable assembler code into the first executable & writeable VMA segment of that application. This may fail if none of the application's VMAs (virtual memory areas) are marked +wx; /proc/pid/maps lists the permissions of every mapping, so check there for a region with both w and x before attaching. If there is none, you may need to hack the source somewhat...
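The check described above, as an added example that is not part of appcap itself: a small parser for the /proc/<pid>/maps format that reports the first mapping whose permissions carry both w and x, which is the kind of VMA the injection needs. The two maps listings are constructed for the demo (one with an executable heap and stack, one where no mapping is both writable and executable); the function names, the struct, and the 64 KB read buffer are assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* One mapping from /proc/<pid>/maps: "start-end perms offset dev inode [path]". */
struct vma {
    uintptr_t start, end;
    char perms[5];      /* e.g. "rwxp" */
    char path[128];     /* "" for anonymous mappings */
};

/* Parse one maps line into *v.  Returns 1 on success, 0 if it is malformed. */
static int parse_maps_line(const char *line, struct vma *v)
{
    unsigned long s, e;
    int used = 0;

    if (sscanf(line, "%lx-%lx %4s %*x %*x:%*x %*u%n", &s, &e, v->perms, &used) < 3
        || used == 0)
        return 0;
    v->start = s;
    v->end = e;
    line += used;
    while (*line == ' ' || *line == '\t')
        line++;
    snprintf(v->path, sizeof v->path, "%.*s", (int)strcspn(line, "\n"), line);
    return 1;
}

/* Scan the text of a maps file for the first mapping that is both writable and
 * executable, i.e. a VMA appcap could drop its code into.  Returns 1 and fills
 * *out when found, 0 when no mapping is +wx (the injection would fail). */
static int find_wx_mapping(const char *maps, struct vma *out)
{
    const char *p = maps;
    struct vma v;

    while (*p) {
        if (parse_maps_line(p, &v) && v.perms[1] == 'w' && v.perms[2] == 'x') {
            *out = v;
            return 1;
        }
        if (!(p = strchr(p, '\n')))
            break;
        p++;
    }
    return 0;
}

/* The same check against a live process; -1 if its maps cannot be read (no such
 * pid or no permission).  64 KB covers a small process; a big one is truncated. */
static int find_wx_in_pid(pid_t pid, struct vma *out)
{
    static char buf[1 << 16];
    char path[64];
    FILE *f;
    size_t n;

    snprintf(path, sizeof path, "/proc/%ld/maps", (long)pid);
    if (!(f = fopen(path, "r")))
        return -1;
    n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return find_wx_mapping(buf, out);
}

/* Constructed samples: an old x86 layout with executable heap and stack, and the
 * same process where no mapping is both writable and executable. */
static const char sample_maps_rwx[] =
    "08048000-0804c000 r-xp 00000000 03:01 12345      /usr/bin/target\n"
    "0804c000-0804d000 rw-p 00003000 03:01 12345      /usr/bin/target\n"
    "0804d000-08050000 rwxp 00000000 00:00 0          [heap]\n"
    "bffe8000-c0000000 rwxp 00000000 00:00 0          [stack]\n";

static const char sample_maps_wx_free[] =
    "08048000-0804c000 r-xp 00000000 03:01 12345      /usr/bin/target\n"
    "0804c000-0804d000 rw-p 00003000 03:01 12345      /usr/bin/target\n"
    "0804d000-08050000 rw-p 00000000 00:00 0          [heap]\n"
    "bffe8000-c0000000 rw-p 00000000 00:00 0          [stack]\n";

/* Usage: ./wxcheck [pid]   (defaults to the checker's own pid) */
int main(int argc, char **argv)
{
    struct vma v;
    int rc = find_wx_in_pid(argc > 1 ? (pid_t)atol(argv[1]) : getpid(), &v);

    if (rc == 1)
        printf("first +wx VMA: %lx-%lx %s %s\n", (unsigned long)v.start,
               (unsigned long)v.end, v.perms, v.path);
    else
        puts(rc == 0 ? "no +wx VMA: appcap's injection would fail here"
                     : "cannot read /proc/<pid>/maps");
    return rc != 1;
}
```

Run it with the pid you intend to attach to; reading another user's maps needs the same privilege ptrace does, so a "cannot read" result is itself a hint that the attach will fail as well.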
This assembler code will bind a UNIX domain socket (at the path defined in the source) and wait for a file descriptor to be passed over it. Note that the code doesn't check for errors, so it may sometimes also fail ;-). Drop me a note if you are encountering errors (including system/application and other important system information, if you have some).
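The descriptor hand-off described in this and the previous paragraph, as an added example that is not code from appcap: the "stub" side binds a Unix domain socket, accepts one client, receives a descriptor with SCM_RIGHTS and dup2()s it over base and base+1 (the -f argument, default 0); the "appcap" side connects and sends the descriptor the target should use from now on. Here both sides are ordinary processes, so no ptrace or root is needed to run it. The socket path, the demo-only readiness pipe, and the use of a pipe in place of appcap's tty are assumptions of this example; unlike the injected stub, it checks every call.

```c
#define _GNU_SOURCE
#include <signal.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <sys/wait.h>

#define DEMO_SOCK "/tmp/appcap-demo-sock"   /* appcap's own default is /tmp/auth-fd */

/* SCM_RIGHTS both ways: fd >= 0 sends it and returns 0/-1; fd < 0 receives one
 * and returns the new local descriptor, or -1 if none arrived. */
static int pass_fd(int sock, int fd)
{
    char byte = 'x';
    struct iovec iov = { &byte, 1 };
    union { struct cmsghdr hdr; char buf[CMSG_SPACE(sizeof(int))]; } u;
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = u.buf, .msg_controllen = sizeof u.buf };
    struct cmsghdr *cm = CMSG_FIRSTHDR(&msg);
    memset(&u, 0, sizeof u);
    if (fd >= 0) {
        cm->cmsg_level = SOL_SOCKET;
        cm->cmsg_type = SCM_RIGHTS;
        cm->cmsg_len = CMSG_LEN(sizeof(int));
        memcpy(CMSG_DATA(cm), &fd, sizeof(int));
        return sendmsg(sock, &msg, 0) == 1 ? 0 : -1;
    }
    if (recvmsg(sock, &msg, 0) != 1) return -1;
    for (cm = CMSG_FIRSTHDR(&msg); cm; cm = CMSG_NXTHDR(&msg, cm))
        if (cm->cmsg_level == SOL_SOCKET && cm->cmsg_type == SCM_RIGHTS)
            memcpy(&fd, CMSG_DATA(cm), sizeof(int));
    return fd;
}

/* Fill *sa for `path` and return a fresh stream socket (or -1). */
static int unix_socket(struct sockaddr_un *sa, const char *path)
{
    memset(sa, 0, sizeof *sa);
    sa->sun_family = AF_UNIX;
    strncpy(sa->sun_path, path, sizeof sa->sun_path - 1);
    return socket(AF_UNIX, SOCK_STREAM, 0);
}

/* The injected stub's job: bind `path`, accept one client and dup2() the passed
 * descriptor over base and base+1.  `ready_fd` is demo-only: one byte on it
 * tells appcap that we are listening. */
static int stub_redirect(const char *path, int base, int ready_fd)
{
    struct sockaddr_un sa;
    int ls, cs = -1, fd = -1, rc = -1;
    unlink(path);
    if ((ls = unix_socket(&sa, path)) < 0) return -1;
    if (bind(ls, (struct sockaddr *)&sa, sizeof sa) == 0 && listen(ls, 1) == 0 &&
        write(ready_fd, "r", 1) == 1 && (cs = accept(ls, NULL, NULL)) >= 0) {
        fd = pass_fd(cs, -1);
        close(cs);
    }
    if (fd >= 0 && dup2(fd, base) == base && dup2(fd, base + 1) == base + 1)
        rc = 0;
    if (fd >= 0 && fd != base && fd != base + 1) close(fd);  /* keep base/base+1 only */
    close(ls);
    unlink(path);
    return rc;
}

/* Appcap's side: connect to the stub and hand it the tty it should use. */
static int appcap_send_tty(const char *path, int tty_fd)
{
    struct sockaddr_un sa;
    int s, rc = -1;
    if ((s = unix_socket(&sa, path)) < 0) return -1;
    if (connect(s, (struct sockaddr *)&sa, sizeof sa) == 0)
        rc = pass_fd(s, tty_fd);
    close(s);
    return rc;
}

/* Child = hijacked application running the stub, parent = appcap; a pipe
 * (constructed for the demo) stands in for appcap's tty.  Copies what the child
 * wrote to its stdout after the redirect into `out`; returns its length or -1. */
static ssize_t run_demo(char *out, size_t outlen)
{
    char ack; int tty[2], ready[2], status;
    size_t n = 0; ssize_t r; pid_t pid;
    if (pipe(tty) < 0 || pipe(ready) < 0 || (pid = fork()) < 0) return -1;
    if (pid == 0) {                       /* the target never had appcap's tty */
        close(tty[0]); close(tty[1]); close(ready[0]);
        if (stub_redirect(DEMO_SOCK, 0, ready[1]) != 0) _exit(1);
        _exit(write(1, "output captured by appcap\n", 26) == 26 ? 0 : 1);
    }
    close(ready[1]);
    if (read(ready[0], &ack, 1) != 1 || appcap_send_tty(DEMO_SOCK, tty[1]) != 0)
        kill(pid, SIGKILL);               /* never leave a stub stuck in accept() */
    close(tty[1]);                        /* from here on only the target writes */
    while (n + 1 < outlen && (r = read(tty[0], out + n, outlen - 1 - n)) > 0)
        n += (size_t)r;
    out[n] = '\0';
    close(tty[0]); close(ready[0]);
    waitpid(pid, &status, 0);
    return WIFEXITED(status) && WEXITSTATUS(status) == 0 ? (ssize_t)n : -1;
}
```

The point to take from it: the target process never opens appcap's tty itself; the kernel installs the passed descriptor into its table on recvmsg(), and after the two dup2() calls anything the application writes to stdout lands where appcap can read it. The same trick works for any descriptor pair, which is what -f 4 exploits for ssh.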
After all this goes fine, appcap will restore the original state of the application (erasing the assembler code and restoring the CPU registers too), so the application will proceed to run at the place where it had been interrupted by ptrace(attach).
If you don't need control of the application's tty any more, press CTRL-C to detach from it. Appcap will then inject another piece of assembler code, which will try to reverse the descriptor changes done by the first injection. Remember that if you issued some commands while attached to a session, it is impossible (ok, it can be done somehow...) to really restore the state of the application, because it has been running in the meantime! It is left to you to take care of this!
After pressing CTRL-C the original state of the application (with the above restriction) will be restored and the application will continue to run on its first tty.
Sounds unbelievable? No, it is only a bit tricky :-)
3. License & legal stuff
This software is licensed under the GPL as found in the LICENSE file. The author is not responsible for any damage resulting from using this software. You use it at your own risk. This software is being released to the community as an administration tool. Any illegal or unethical usage is strongly prohibited. The author of this software is not responsible for any damage/information disclosure/privacy violation or any other kind of infringement resulting from using appcap by any person.
4. Changelog
- 0.11 initial release
5. Contact
Please report bugs to paul@ihaquer.com
