If you enjoy this article, subscribe (via RSS or e-mail) and follow me on twitter.
The tricks, techniques, and ugly hacks in this article are PLATFORM SPECIFIC, DANGEROUS, and NOT PORTABLE.
This is the third article in a series of articles describing a set of low level hacks that I used to create memprof a Ruby level memory profiler. You should be able to survive without reading the other articles in this series, but you can check them out here and here.
How is this different from the other hooking articles/techniques?
The previous articles explained how to insert trampolines in the
.text segment of a binary. This article explains a cool technique for hooking functions in the
.text segment of shared libraries, allowing your handler to run, and then resuming execution. Hooking shared libraries turns out to be less work than hooking the binary (in the case of Ruby, that is), but making it all happen was a bit tricky. Read on to learn more.
The “problem” with shared libraries
The problem is that if a trampoline is inserted into the code of the shared library, the trampoline will need to invoke the dynamic linker to resolve the function that is being hooked, call the function, do whatever additional logic is desired, and then resume execution.
In other words you need to (somehow) insert a trampoline for a function that will call the function being trampolined without ending up in an infinite loop.
The additional complexity occurs because when shared libraries are loaded, the kernel decides at runtime where exactly in memory the library should be loaded. Since the exact location of symbols is not known at link time, a procedure linkage table (
.plt) is created so that the program and the dynamic linker can work together to resolve symbol addresses.
- Program calls a function in a shared object, the link editor makes sure that the program jumps to a stub function in the
- The program sets some data up for the dynamic linker and then hands control over to it.
- The dynamic linker looks at the info set up by the program and fills in the absolute address of the function that was called in the
.pltin the global offset table (
- Then the dynamic linker calls the function.
- Subsequent calls to the same function jump to the same stub in the
.plt, but every time after the first call the absolute address is already in the
.got(because when the dynamic linker is invoked the first time, it fills in the absolute address in the
Disassembling a short Ruby VM function that calls
rb_newobj (a memory allocation routine that we’d like to hook), shows the calls to the
: . . . . 1af14: e8 e7 c6 ff ff callq 17600 [rb_newobj@plt] . . . .
Let’s take a look at the corresponding
: 17600: ff 25 6a 9c 2c 00 jmpq *0x2c9c6a(%rip) # 2e1270 [_GLOBAL_OFFSET_TABLE_+0x288] 17606: 68 4e 00 00 00 pushq $0x4e 1760b: e9 00 fb ff ff jmpq 17110 <_init+0x18>
Important fact: The program and each shared library has its own
.got sections (amongst other sections). Keep this in mind as it’ll be handy very shortly.
That is a lot of stub code to reproduce in the trampoline. Reproducing that stuff in the trampoline shouldn’t be hard, but invites a large number of bugs over to play. Is there a better way?
What is a global offset table (
The global offset table (
.got) is a table of absolute addresses that can be filled in at runtime. In the assembly dump above, the
.got entry for
rb_newobj is referenced in the
.plt stub code.
Intercepting a function call
It would be awesome if it were possible to overwrite the
.got entry for
rb_newobj and insert the address of a trampoline. But how would the intercepting function call
rb_newobj itself without ending up in an infinite loop?
The important fact above comes in to save the day.
Since each shared object has its own
.got sections, it is possible to overwrite the
.got entry for
rb_newobj in every shared object except for the object where the trampoline lives. Then, when
rb_newobj is called, the
.plt entry will redirect execution to the trampoline. The trampoline then calls out to its
.plt entry for
rb_newobj which is left untouched allowing
rb_newobj to be resolved and called out to successfully.
Not as easy as it sounds, though
This solution is less work than the other hooking methods, but it has its own particular details as well:
- You’ll need to walk the link map at runtime to determine the base address for the shared library you are hooking (it could be anywhere).
- Next, you’ll need to parse the
.rela.pltsection which contains information on the location of each
.pltstub, relative to the base address of the shared object.
- Once you have the address of the
.pltstub, you’ll need to determine the absolute address of the
.gotentry by parsing the first instruction of the
jmp) as seen in the disassembly above.
- Finally, you can write to the
.gotentry the address of your trampoline, as long as the trampoline lives in a different shared library.
You’ve now successfully managed to poison the
.got entry of a symbol in one shared library to direct execution to your own function which can then call the intercepted function itself without getting stuck in an infinite loop.
- There are lots of sections in each ELF object. Each section is special and important.
- ELF documentation can be difficult to obtain and understand.
- Got pretty lucky this time around. I was getting a little worried that it would get complicated. Made it out alive, though.