vikasnkumar / hotpatch

Hot patching executables on Linux using .so file injection
http://www.selectiveintellect.com/hotpatch.html
BSD 3-Clause "New" or "Revised" License

Override some functions not working, such as read() #10

Closed pfsun closed 8 years ago

pfsun commented 9 years ago

Hi,

Great work. I have tried your code. It works well. However, there is still one problem, and I don't know whether your code supports it. I want to override some functions like read, write, open. So I rewrite these functions and compile them into one shared object. And then I use your code to inject this shared object. I check the maps, and the shared object has been loaded into the runtime process. But there will be a segmentation fault if I continue to run the process, which will use the overridden functions. If I use LD_PRELOAD, the execution will use these overridden functions.

Thank you very much.

vikasnkumar commented 9 years ago

hello @pfsun Yes, the library does not override existing functions since I have not implemented that. You will have to explicitly patch the ELF structure to do the override, and that is not trivial to do during runtime. Even if you patch it, there is no guarantee that if the application has loaded multiple other SO files, all their function calls will also get patched. You will have to find instances of the functions in all the libraries and patch all their ELF structures, and even then I am not sure it will work without crashing the software. So I have not done it.

manvir-singh commented 8 years ago

How would I do this "patch the ELF structure to do the override"? IDA Pro?

vikasnkumar commented 8 years ago

Depends on your situation. If you have control of the application, then just use the LD_PRELOAD environment variable before starting the application. If you do not have control of the application, you need to read up on the ELF format and the linker used by the application before you can move forward.

manvir-singh commented 8 years ago

@vikasnkumar I know about LD_PRELOAD and can use it. But the problem is how can I use LD_PRELOAD to intercept function calls that are within the executable? I know you can use LD_PRELOAD to intercept dynamic library function calls, but I need to intercept static functions in the executable itself.

vikasnkumar commented 8 years ago

Have you tried using LD_PRELOAD and creating a library with a function that has the same name as the static function you're trying to replace? Otherwise you will have to create a new exe and load the target exe as a library and edit the ELF table address.

If the target executable has not been stripped this should work. If it has been stripped you're out of luck.

manvir-singh commented 8 years ago

Yes I tried LD_PRELOAD and it didn't work. Is there a tutorial or example on how to edit the elf table?

vikasnkumar commented 8 years ago

Have you tried using radare to do it ? It should do this for your scenario. You may not need hotpatch.

manvir-singh commented 8 years ago

Thanks for the help. I got "LD_PRELOAD" to work after all.