
_dl_open in ld-2.13.so invoked

Developer https://www.devze.com 2023-02-21 07:19 Source: Web

I would like to call _dl_open function from ld-2.13.so. I get the offset of this function from objdump and then I add it to library beginning address in order to get function address. Then I attach to the process by ptrace and inject my own binary code in which:

  • I put into eax the address of the library's path.
  • I put into ebx RTLD_LAZY.
  • I put into ecx NULL (it's the caller, but I don't get what it really is).

Then I call the function (whose address is correctly calculated) and I get... nothing :) The library is not injected and I have no output. I also found the _dl_open_worker function in ld-2.13.so, and when I call it I get:

./process: error while loading shared libraries: dlopen: invalid caller

What am I doing wrong?

Everything I've done was based on: http://nologin.org/Downloads/Papers/remote-library-injection.pdf

Thanks in advance for any help.


Linux uses address space layout randomization (ASLR) to thwart remote buffer overflow attacks that do exactly what you're talking about.

When asking questions like this, I seriously recommend that you describe your legitimate need for the information. SO users aren't going to provide much assistance with apparently illicit activities.


You can do this using "hotpatch" from https://github.com/vikasnkumar/hotpatch

The code does everything you need to do. It handles the relative addressing. Still need to figure out the _dl_open part but should get that done in a couple of days.

Works well for 64-bit.


(I know this is an old question, but I am recording the answer here for future developers)

The problem was trying to put the mode/flags value into ebx when it should have been placed into edx. The following article describes how to invoke _dl_open manually in the context of library injection:

http://www.ars-informatica.com/Root/Code/2010_04_18/LinuxPTrace.aspx

They define _dl_open as:

void * 
internal_function 
_dl_open(const char *file, int mode, const void *caller);

Although the symbol is exported by libc, it is still defined as an internal function, meaning its parameters are passed via registers in the following manner:

EAX = const char *file
ECX = const void *caller
EDX = int mode
