kubo / plthook

Hook function calls by replacing PLT(Procedure Linkage Table) entries.

Hooking all loaded libraries #14

Closed chrahunt closed 5 years ago

chrahunt commented 5 years ago

I'm writing a library and want to intercept and take some action on any call to fork. This requires overriding the function in all loaded shared libraries. Users install the interceptor after process start so LD_PRELOAD is out of the question, and instead I'm using plthook.

Currently, my approach is:

  1. Get all mapped ELF headers (i.e. that start with "\x7fELF") in /proc/self/maps
  2. Convert them to a valid address to use with plthook_open_by_address(&hook, (void *) address)
  3. Call plthook_replace(hook, "fork", (void *) my_fork, NULL) to actually do work
  4. Call plthook_replace(hook, "dlopen", (void *) my_dlopen, NULL) to intercept and hook any future loaded libraries

Is this the most straightforward use of plthook to accomplish the stated goal?

kubo commented 5 years ago

How about funchook if the platform is Linux x86 or x86_64? See 'Basic API Hooking' and 'Trampoline' sections in this document to know what funchook does.

  1. Get all mapped ELF headers (i.e. that start with "\x7fELF") in /proc/self/maps

How about dl_iterate_phdr?
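Putting the issue's procedure together with the dl_iterate_phdr suggestion, as an added example (my code, not chrahunt's and not part of plthook): the walk hands plthook_open_by_address() the start of each object's first PT_LOAD segment rather than dlpi_addr, which is 0 for a non-PIE main executable, and under a USE_PLTHOOK build flag (an assumption, as are the visitor and function names) applies steps 2 and 3 for fork to every object that imports it.

```c
#define _GNU_SOURCE
#include <link.h>    /* dl_iterate_phdr, struct dl_phdr_info, ELFMAG */
#include <stdio.h>
#include <string.h>
#ifdef USE_PLTHOOK   /* assumption: build with -DUSE_PLTHOOK and link kubo/plthook */
#include <dlfcn.h>
#include <unistd.h>
#include <plthook.h>
#endif
typedef int (*object_visitor)(const char *name, void *addr_in_object, void *ctx);
struct walk { object_visitor visit; void *ctx; int seen; };
/* dlpi_addr is the load bias (0 for a non-PIE main executable), not an address inside the
 * object; the first PT_LOAD segment's start is, which is what plthook_open_by_address() wants. */
static int on_object(struct dl_phdr_info *info, size_t size, void *data)
{
    struct walk *w = data; (void)size;
    const char *name = info->dlpi_name[0] ? info->dlpi_name : "[main executable]";
    for (int i = 0; i < info->dlpi_phnum; i++)
        if (info->dlpi_phdr[i].p_type == PT_LOAD) {
            w->seen++;
            return w->visit(name, (void *)(info->dlpi_addr + info->dlpi_phdr[i].p_vaddr), w->ctx);
        }
    return 0;  /* no PT_LOAD: nothing to hook here, keep iterating */
}
/* Walk every object mapped right now (main program, vDSO, libc, ...); returns the number visited. */
int for_each_loaded_object(object_visitor visit, void *ctx)
{
    struct walk w = { visit, ctx, 0 };
    dl_iterate_phdr(on_object, &w);
    return w.seen;
}
/* Sanity check matching the "\x7fELF" scan of /proc/self/maps from the issue. */
static int count_elf_magic(const char *n, void *a, void *c) { (void)n; *(int *)c += !memcmp(a, ELFMAG, SELFMAG); return 0; }
int count_loaded_elf_objects(void) { int n = 0; for_each_loaded_object(count_elf_magic, &n); return n; }
#ifdef USE_PLTHOOK
static pid_t my_fork(void)   /* RTLD_NEXT yields the real fork; a lazily bound GOT slot may not */
{
    pid_t (*real)(void) = (pid_t (*)(void))dlsym(RTLD_NEXT, "fork");
    return real();           /* instrumentation goes around this call */
}
/* Steps 2 and 3 of the issue; objects that never import fork report PLTHOOK_FUNCTION_NOT_FOUND. */
static int hook_fork_in(const char *name, void *addr, void *ctx)
{
    plthook_t *h; int rc = -1; (void)ctx;
    if (plthook_open_by_address(&h, addr) == 0) { rc = plthook_replace(h, "fork", (void *)my_fork, NULL); plthook_close(h); }
    if (rc != 0 && rc != PLTHOOK_FUNCTION_NOT_FOUND) fprintf(stderr, "%s: %s\n", name, plthook_error());
    return 0;  /* keep walking even if this object could not be hooked */
}
int hook_fork_everywhere(void) { return for_each_loaded_object(hook_fork_in, NULL); }
#endif
```

Step 4 (intercepting dlopen) is not shown; a dlopen wrapper can hand the returned handle to plthook_open_by_handle() and run the same replacement on the newly loaded object.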

chrahunt commented 5 years ago

Regarding funchook, it looks like this does have a more succinct API. I'll see if that's applicable to my use case.

Thanks for pointing me to dl_iterate_phdr, I needed that.

kubo commented 5 years ago

Regarding funchook, it looks like this does have a more succinct API. I'll see if that's applicable to my use case.

FYI. When SELinux on Linux is enabled, it may prevent funchook because it disallows modifying read-only memory for functions.