This is the mail archive of the binutils@sourceware.org mailing list for the binutils project.
Re: change .got.plt in user application
- From: Yubin Ruan <ablacktshirt at gmail dot com>
- To: binutils at sourceware dot org
- Date: Wed, 13 Sep 2017 09:48:02 +0800
- Subject: Re: change .got.plt in user application
- Authentication-results: sourceware.org; auth=none
- References: <CAJYFCiNZZD+R_e=6zws2s5wds-8R6vOaQkDZ88dhcJgm_wgCpQ@mail.gmail.com>
Mailing binutils@ to see whether someone can provide some suggestions ;-)
Yubin
2017-09-11 21:43 GMT+08:00 Yubin Ruan <ablacktshirt@gmail.com>:
> Hi,
> I am doing some experiment with code injection (at run time) and I
> want to change the way some specific functions behave, that is, I want
> to replace all calls to "real_func" with calls to "test_func".
>
> I have finished most of the code injection work and I know that I can
> find where "real_func" is located and then place a "jmp" instruction
> there to make it jump to "test_func", i.e., function trampolines,
> as others would call it.
>
> But, instead of doing function trampolines, I prefer to change the
> ".got" and ".got.plt" segments to make it resolve "naturally" to
> "test_func" rather than "real_func". As you know, the dynamic linker
> fills in those entries the first time "real_func" is called (lazy
> binding), and then it is fixed. So, I think there might be some ways
> to do what the dynamic linker does, only if we can find the ".got" and
> ".got.plt".
>
> I am currently not so clear about the right way to do that. Please
> provide some help (references, or, warn me ;-).
>
> P.S., the reason why I prefer changing ".got" and ".plt" over a function
> trampoline is that:
>
> 1) function trampoline is tricky to implement ...
> 2) function trampoline requires us to change other people's DSO,
> which may be shared by many applications (think libc.so), thus ruining
> the Copy-on-Write mechanism provided by the operating system.
>
> Yubin
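As an added example (not part of this thread, and not binutils code), the defensive counterpart of what the message describes: a read-only audit that walks the executable's own DT_JMPREL relocations to find each .got.plt slot and compares what the slot holds with what dlsym() resolves the same symbol to, so a slot that was rewritten to point somewhere else is reported. It assumes a 64-bit glibc/Linux process with RELA PLT relocations; the struct and function names are mine.

```c
#include <dlfcn.h>
#include <elf.h>
#include <link.h>
#include <stdio.h>
#include <sys/auxv.h>
extern ElfW(Dyn) _DYNAMIC[] __attribute__((weak));   /* the executable's own .dynamic; absent in a static link */
/* Counters from one pass over this executable's DT_JMPREL (.got.plt) slots (names are mine, not glibc's). */
struct got_audit { int total, expected, unresolved, redirected; };
/* Is address a inside one of the executable's own PT_LOAD segments (where its PLT stubs live)? */
static int in_exe(const ElfW(Phdr) *ph, int n, ElfW(Addr) bias, ElfW(Addr) a) {
    for (int i = 0; i < n; i++)   /* unsigned wrap-around makes one compare cover both bounds */
        if (ph[i].p_type == PT_LOAD && a - bias - ph[i].p_vaddr < ph[i].p_memsz) return 1;
    return 0;
}
/* Compare every .got.plt slot with what dlsym() resolves the same name to (64-bit RELA targets only). */
struct got_audit audit_got_plt(void) {
    struct got_audit a = {0, 0, 0, 0};
    const ElfW(Phdr) *ph = (const ElfW(Phdr) *)getauxval(AT_PHDR);   /* program headers, from the auxv */
    int phnum = (int)getauxval(AT_PHNUM);
    ElfW(Addr) bias = 0, jmprel = 0, symtab = 0, strtab = 0, relsz = 0, pltrel = 0;
    if (!_DYNAMIC) return a;
    for (int i = 0; i < phnum; i++)   /* load bias = runtime address of .dynamic minus its link-time address */
        if (ph[i].p_type == PT_DYNAMIC) bias = (ElfW(Addr))_DYNAMIC - ph[i].p_vaddr;
    for (const ElfW(Dyn) *d = _DYNAMIC; d->d_tag != DT_NULL; d++) {
        if (d->d_tag == DT_JMPREL)   jmprel = d->d_un.d_ptr;
        if (d->d_tag == DT_PLTRELSZ) relsz  = d->d_un.d_val;
        if (d->d_tag == DT_PLTREL)   pltrel = d->d_un.d_val;
        if (d->d_tag == DT_SYMTAB)   symtab = d->d_un.d_ptr;
        if (d->d_tag == DT_STRTAB)   strtab = d->d_un.d_ptr;
    }
    if (!jmprel || !symtab || !strtab || pltrel != DT_RELA) return a;   /* no RELA PLT: -fno-plt, or a REL arch */
    /* glibc rebases these d_ptr values in place for PIE; other loaders may not, so rebase any still at link-time value. */
    if (jmprel < bias) jmprel += bias;
    if (symtab < bias) symtab += bias;
    if (strtab < bias) strtab += bias;
    void *self = dlopen(NULL, RTLD_LAZY);   /* global lookup scope, the same one the lazy resolver searches */
    const ElfW(Rela) *rel = (const ElfW(Rela) *)jmprel;
    for (ElfW(Addr) i = 0; i < relsz / sizeof *rel; i++) {
        unsigned long si = ELF64_R_SYM(rel[i].r_info);
        if (si == 0) continue;   /* slot without a symbol (e.g. IRELATIVE): nothing to compare against */
        const char *name = (const char *)strtab + ((const ElfW(Sym) *)symtab)[si].st_name;
        ElfW(Addr) slot = *(ElfW(Addr) *)(bias + rel[i].r_offset);   /* what the GOT slot holds right now */
        ElfW(Addr) want = (ElfW(Addr))dlsym(self, name);             /* what normal resolution puts there */
        a.total++;
        if (slot == want) a.expected++;
        else if (in_exe(ph, phnum, bias, slot)) a.unresolved++;      /* still the PLT stub: not bound yet */
        else { a.redirected++; fprintf(stderr, "%s: GOT slot %#lx, dlsym gives %#lx\n", name, (unsigned long)slot, (unsigned long)want); }
    }
    return a;
}
```

On glibc older than 2.34 the dlopen/dlsym calls need `-ldl` at link time; a slot still pointing at its PLT stub is counted as unresolved rather than redirected, which is the normal state under lazy binding before the first call.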