technical ramblings from a wanna-be unix dinosaur
Defcon 18: Function hooking for OSX and Linux from Daniel Hückmann on Vimeo.
Function hooking for OSX and Linux
Written by Aman Gupta
August 1st, 2010 at 11:24 am
Posted in debugging,linux,monitoring,osx,systems
Tagged with linux, monitoring, profiling, systems
Firstly thanks for the talk and making it available, lots of good info there.
I have a question which would seem to show a hole in my understanding of hooking, and whilst this question is in relation to a Mac binary I assume the same method would be used for ELF. Inspecting a Mach-O binary and overwriting byte code of absolute displacements with new displacements in the current binary address space requires that the client binary run in the hooking binary's space. How do you allow the linker to do its job of address fixes whilst also having the binary run in the current space?
I have read another presentation entitled "Infecting the Mach-O Object Format" by Neil Archibald and I am wondering if the concatenation method is what is used, as that seems to be the most fitting? Otherwise execv could not do what is wanted as it overwrites the current process IIRC, and mmap-ing the binary into the current address space would (I assume) not run the linker, and how could the binary then be executed? Calling _start?
What am I missing or overlooking? Thanks for any info or links in advance.
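An added example of the in-process patching the comment above is asking about, written for this page and not taken from the talk or from this blog: an inline (detour) hook that overwrites the first bytes of a function in the running process with a jump to a replacement. The point it makes about the question is that the patch lives in the target's address space, so in practice the hooking code is loaded into the target (on Linux via LD_PRELOAD, on OS X via DYLD_INSERT_LIBRARIES, or by injecting into an already running process) rather than the target being run inside the hooking binary; by the time the hook runs the dynamic linker has already done its fix-ups. The function names are hypothetical and the victim is a function in the same executable for convenience. It targets x86-64 and AArch64 Linux; the jump is one-way (no trampoline is built, so the hook cannot call the original), and recent macOS code-signing rules will refuse the RWX mprotect.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Hypothetical "victim" function standing in for something in the target
 * program. noinline keeps a real entry point for us to patch. */
__attribute__((noinline)) int compute_price(int qty) {
    return qty * 10;
}

/* Replacement that the hook diverts calls to. */
__attribute__((noinline)) int hooked_compute_price(int qty) {
    return qty * 10 + 1000;
}

/* State needed to undo a hook: where we patched and what was there. */
typedef struct {
    uint8_t *target;
    uint8_t saved[8];
    size_t len;
} hook_t;

/* Change protection on every page that the patched range touches. */
static int protect_range(void *addr, size_t len, int prot) {
    uintptr_t page = (uintptr_t)sysconf(_SC_PAGESIZE);
    uintptr_t start = (uintptr_t)addr & ~(page - 1);
    uintptr_t end = ((uintptr_t)addr + len + page - 1) & ~(page - 1);
    return mprotect((void *)start, end - start, prot);
}

/* Build the architecture-specific unconditional jump from target to
 * replacement. Returns the patch length, or 0 if the displacement does
 * not fit or the architecture is unsupported. */
static size_t encode_jump(void *target, void *replacement, uint8_t *out) {
#if defined(__x86_64__)
    /* E9 rel32: displacement is relative to the end of the 5-byte jump. */
    intptr_t rel = (intptr_t)replacement - ((intptr_t)target + 5);
    if (rel > INT32_MAX || rel < INT32_MIN) return 0;
    int32_t rel32 = (int32_t)rel;
    out[0] = 0xE9;
    memcpy(out + 1, &rel32, sizeof rel32);
    return 5;
#elif defined(__aarch64__)
    /* B imm26: word-aligned displacement, range +/-128 MiB. */
    intptr_t rel = (intptr_t)replacement - (intptr_t)target;
    if ((rel & 3) || rel >= ((intptr_t)1 << 27) || rel < -((intptr_t)1 << 27)) return 0;
    uint32_t insn = 0x14000000u | ((uint32_t)(rel >> 2) & 0x03FFFFFFu);
    memcpy(out, &insn, sizeof insn);
    return 4;
#else
    (void)target; (void)replacement; (void)out;
    return 0;
#endif
}

/* Write bytes into code: make the pages writable, copy, flush the
 * instruction cache, then drop write permission again. */
static int patch_code(uint8_t *dst, const uint8_t *src, size_t len) {
    if (protect_range(dst, len, PROT_READ | PROT_WRITE | PROT_EXEC) != 0) return -1;
    memcpy(dst, src, len);
    __builtin___clear_cache((char *)dst, (char *)dst + len);
    return protect_range(dst, len, PROT_READ | PROT_EXEC);
}

/* Divert all calls to target into replacement. One-way: the overwritten
 * prologue is saved for removal but no trampoline is built. */
int install_hook(hook_t *h, void *target, void *replacement) {
    uint8_t jump[8];
    size_t len = encode_jump(target, replacement, jump);
    if (len == 0) return -1;
    h->target = (uint8_t *)target;
    h->len = len;
    memcpy(h->saved, h->target, len);
    return patch_code(h->target, jump, len);
}

/* Put the original prologue bytes back. */
int remove_hook(hook_t *h) {
    return patch_code(h->target, h->saved, h->len);
}

/* Exercise the hook. The call goes through a volatile function pointer so
 * the compiler cannot fold the result or call a specialised clone.
 * Returns 1 if the hook diverted the call and was cleanly removed. */
int hook_demo(void) {
    hook_t h;
    int (*volatile fn)(int) = compute_price;
    if (fn(3) != 30) return 0;
    if (install_hook(&h, (void *)compute_price, (void *)hooked_compute_price) != 0) return 0;
    int hooked = fn(3);
    if (remove_hook(&h) != 0) return 0;
    int restored = fn(3);
    return hooked == 1030 && restored == 30;
}

int main(void) {
    int ok = hook_demo();
    printf("hook_demo: %s\n", ok ? "ok" : "failed");
    return ok ? 0 : 1;
}
```

Build with gcc -O2 and run; exit status 0 means the hook diverted the call and the original bytes were restored. To apply the same patch to a function in a different program, put install_hook in a shared object with a constructor function, locate the victim with dlsym, and start the program with LD_PRELOAD pointing at that object, which is exactly the "get your code into the target's address space" step the question is circling.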