syscall intercept in libc on read at symbol level
Rick Spillane
necro351@gmail.com
Fri Jun 17 02:45:00 GMT 2005
So I managed to figure out what went wrong. I was trying to intercept
calls to 'read' from application programs linking against libc while
they were still symbols and before they were turned into syscall
interrupts.
* I added a file "__read.c" to the /io subdirectory.
* I put __libc_read (<args>) in that file with my overridden definition
of __libc_read.
* I included the:
libc_hidden_def (__libc_read)
weak_alias (__libc_read, __read)
libc_hidden_weak (__read)
weak_alias (__libc_read, read)
crap to weakly alias the name so conflicting symbols from other
libraries would be chosen over the 'read' syscall and so that it would
get the __GI_* alias it needed to link with the PIC code.
* I added __read to the 'routines' target of the Makefile in the /io
subdirectory.
* I changed the weak and strong names of the 'read' system call in
/sysdeps/unix/syscalls.list to have 'r_' before every instance of
'read' on that line (except for the instances in the filename and
syscall name columns so libc would build and link).
Then I deleted the /io subdirectory and sysd-syscalls in the build
directory and remade. However, then it crashed, exclaiming that it had
an invalid ELF header. I looked into elf/dl-load.c and found that it
was actually calling __libc_read in the build process, so instead of
making my __libc_read just return a bogus value, I made it make a call
to __libc_r_read (the real read from my newly named 'read' syscall in
syscalls.list remember). Then it built just fine.
However the optimizer was making it difficult to verify that I
successfully intercepted the syscall, so I then had it open /tmp/flag
when it was called so my sentinel code wouldn't get optimized away. I
rebuilt libc, and afterward found it already opened /tmp/flag which is
good, that meant that I successfully intercepted calls to __libc_read
at least for code within glibc. I then removed /tmp/flag and ran a
test application that I statically linked against libc.a and it too
touched /tmp/flag so I knew it was working.
I am sorry for the long mail, but I was unable to find *any*
assistance either through google or elsehow to solve the problem I
needed to solve, so I tried to be very explicit in case some other
poor sap wanted to do what I did for some reason.
Ciao.
--
Rick
necro351@gmail.com
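As an added stand-alone example (not from Rick's post or from glibc), the same pattern at user level on Linux: a wrapper stands in for the overridden __libc_read, records a sentinel, forwards to a stand-in for the renamed real syscall (__libc_r_read), and exports the public name as a weak alias the way weak_alias (__libc_read, read) does. The names my_libc_read, my_libc_r_read and my_read are assumptions, and syscall(SYS_read) replaces glibc's internal syscall stub; the /tmp/flag sentinel is replaced by a counter so nothing touches the filesystem.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/syscall.h>

/* Stand-in for the renamed real syscall (__libc_r_read in the post): goes
 * straight to the kernel so the wrapper below can forward without recursion. */
static ssize_t my_libc_r_read(int fd, void *buf, size_t n)
{
    return syscall(SYS_read, fd, buf, n);
}

/* Sentinel replacing the post's "open /tmp/flag": a volatile counter gives the
 * wrapper an observable side effect the optimizer cannot drop. */
static volatile long my_read_intercepts;

long my_read_intercept_count(void) { return my_read_intercepts; }

/* Stand-in for the overridden __libc_read: record the call, then forward. */
ssize_t my_libc_read(int fd, void *buf, size_t n)
{
    my_read_intercepts++;
    return my_libc_r_read(fd, buf, n);
}

/* Equivalent of weak_alias (__libc_read, read): my_read is a weak alias, so a
 * strong my_read defined in another object would win at link time. */
ssize_t my_read(int fd, void *buf, size_t n)
    __attribute__((weak, alias("my_libc_read")));

/* Push a constructed message through a pipe and read it back via the alias.
 * Returns the byte count read (NUL included), or -1 on failure. */
ssize_t my_read_roundtrip(char *out, size_t outsz)
{
    static const char msg[] = "hello via weak alias";   /* constructed input */
    int fds[2];
    if (pipe(fds) != 0) return -1;
    if (write(fds[1], msg, sizeof msg) != (ssize_t)sizeof msg) return -1;
    ssize_t got = my_read(fds[0], out, outsz);
    close(fds[0]);
    close(fds[1]);
    return got;
}

int main(void)
{
    char buf[64];
    ssize_t got = my_read_roundtrip(buf, sizeof buf);
    printf("my_read returned %zd bytes: \"%s\" (intercepted %ld time(s))\n",
           got, buf, my_read_intercept_count());
    return 0;
}
```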