Filesystem sandbox interception


Patrick Bernardina

Sep 28, 2023, 8:50:12 AM
to jep-p...@googlegroups.com
I need to extend some class/interface that would intercept any filesystem call from a Python script to, via Java code, redirect I/O or filesystem metadata operations, including access made by URI like sqlite3 does.

Is it currently possible?

Ben Steffensmeier

Oct 5, 2023, 1:38:51 PM
to Jep Project
Jep does not do anything to enable or disable the interception of filesystem calls. Any Python code can call back into Java, so if you can find any solution to intercept operations in Python, you can redirect back to Java. As an example of something that redirects I/O back to Java, here is the Python code Jep uses to redirect stdio back into Java streams. I don't think there is a single comprehensive way to intercept all filesystem operations in Python, but I found discussions here and here that might get you started on some ideas.

Ben

Mike Johnson

Oct 5, 2023, 2:20:18 PM
to Ben Steffensmeier, Jep Project
Yeah, that seems like a lot, and there would inevitably be holes. What are you trying to do?

Since they run in the same process, securing the whole runtime in a container is probably where I'd start if you're trying to prevent access.

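An added example, not code from this thread, from Jep or from IPED, showing the two layers the replies above touch on in pure Python: a monkeypatch of `builtins.open` that re-roots absolute paths under an evidence directory (the Python-side interception Ben describes, minus the hand-off to Java), and a `sys.addaudithook` backstop that makes Mike's "holes" visible: `os.open` never passes through `builtins.open`, but the interpreter still raises an `open` audit event for it, so a hook can record or veto it. The class names `EvidenceRedirector` and `OpenAuditor`, the `/case/notes.txt` path and the file contents are all constructed for the demo.

```python
import builtins
import os
import sys
import tempfile
from contextlib import contextmanager
from pathlib import Path


class EvidenceRedirector:
    """Monkeypatch builtins.open so absolute paths are re-rooted under `root`.

    Stand-in for the Python-side interception discussed in the thread: in a
    Jep deployment the re-rooted request would be handed to Java; here the
    re-rooted path is simply opened locally and the mapping is recorded.
    """

    def __init__(self, root):
        self.root = Path(root)
        self.calls = []                      # (requested path, re-rooted path)
        self._real_open = builtins.open

    def reroot(self, file):
        if isinstance(file, int):            # already a file descriptor: nothing to map
            return file
        raw = os.fsdecode(file)              # str, bytes or PathLike -> str
        norm = os.path.normpath(raw)         # collapse "a/../b" before mapping
        if not os.path.isabs(norm):
            return file                      # relative paths are left alone
        target = self.root.joinpath(*Path(norm).parts[1:])
        # A symlink planted inside the root could still point outside it.
        if self.root.resolve() not in target.resolve().parents:
            raise PermissionError(f"{raw} escapes the evidence root")
        return target

    def _open(self, file, *args, **kwargs):
        target = self.reroot(file)
        self.calls.append((file, target))
        return self._real_open(target, *args, **kwargs)

    @contextmanager
    def active(self):
        builtins.open = self._open
        try:
            yield self
        finally:
            builtins.open = self._real_open


class OpenAuditor:
    """sys.addaudithook backstop: sees every `open` audit event the interpreter
    raises (builtins.open, io.open and os.open alike) and vetoes absolute paths
    outside `root` by raising. Audit hooks cannot be removed once installed, so
    this one only acts while `armed()` is active.
    """

    def __init__(self, root):
        self.root = os.path.normpath(os.fspath(root))
        self.seen = []                       # every audited open path, normalised
        self._armed = False
        sys.addaudithook(self._hook)

    def _hook(self, event, args):
        if not self._armed or event != "open":
            return
        path = args[0]
        if isinstance(path, int):            # fd-based open: no path to check
            return
        path = os.path.normpath(os.fsdecode(path))
        self.seen.append(path)
        if os.path.isabs(path) and os.path.commonpath([self.root, path]) != self.root:
            raise PermissionError(f"audit hook vetoed open of {path}")

    @contextmanager
    def armed(self):
        self._armed = True
        try:
            yield self
        finally:
            self._armed = False


def run_demo():
    """Constructed scenario: a file exists only under a temporary evidence root,
    and "/case/notes.txt" is then opened two different ways."""
    with tempfile.TemporaryDirectory() as root:
        evidence = Path(root, "case", "notes.txt")
        evidence.parent.mkdir(parents=True)
        evidence.write_text("acquired content")

        redirector = EvidenceRedirector(root)
        auditor = OpenAuditor(root)
        results = {}
        with redirector.active(), auditor.armed():
            with open("/case/notes.txt") as fh:              # monkeypatched: re-rooted
                results["builtins_open"] = fh.read()
            try:
                os.open("/case/notes.txt", os.O_RDONLY)       # bypasses the monkeypatch ...
                results["os_open"] = "reached host filesystem"
            except PermissionError:
                results["os_open"] = "vetoed by audit hook"   # ... but not the audit hook
            except OSError:
                results["os_open"] = "reached host filesystem"
        results["redirected"] = [str(target) for _, target in redirector.calls]
        results["audited"] = auditor.seen
        return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The audit hook is the detection layer, not the redirection layer: it can only observe or abort, never rewrite the path, which is why the two pieces are separate. It also does not cover everything the first post asks about: sqlite3 opens its database from C without raising an `open` event at all, although Python 3.10 and later raise a separate `sqlite3.connect` audit event carrying the database argument that a hook like this one could check as well.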

Patrick Bernardina

Oct 17, 2023, 10:35:24 PM
to Jep Project
I work on the development of a forensic tool called IPED. It interfaces/integrates with some already implemented Python forensic tools.
Right now, I am developing an integration with ALeapp. I would like to call ALeapp in a way that any attempt to open a file would be intercepted by IPED, so that it would open a file inside the acquired evidence being processed, not on the local file system where IPED is installed.
Also, this interception could be used to override some ALeapp code before compilation/execution, changing its behaviour.

Thanks for the directions Ben. I think they will help me anyhow.