inline-hook的本质是加跳转指令,在x86下实现比较简单,一般用push $addr; ret即可
这条指定的含义是: 将指定的地址压栈,然后返回到该地址,从而实现hook
然后在指定函数内的hook,需要维持堆栈平衡,因为假设hooked之后想要跳回函数执行,但当前的上下文已经改变,这时候若跳回去,可能会引发crash
这里假设有下面这样的代码:
#include "test.h"
#include <stdio.h>
#include <dlfcn.h>
#define libc_path "/lib/i386-linux-gnu/libc.so.6"
static int do_add(int a, int b) {
printf("in do_addr, a = %d, b = %d\n",a, b);
return a + b;
}
static void *g_handle;
int add(int a, int b) {
puts("-----------------add-----------------");
void *handle = dlopen(libc_path, RTLD_LAZY);
if (handle != NULL) {
g_handle = handle;
}
printf("in add handle = %p\n",(void *)handle);
long addr;
__asm__("movl %%esp,%0"::"g"(addr));
printf("esp = 0x%lx\n",addr);
printf("hello,world\n");
int ret = do_add(a, b);
printf("on ret = %d\n", ret);
return ret;
}
假设我们比较关心handle的值,想将它导出到外面使用。默认在C的语义下,你是没办法获取到该指针的,但是inline-hook可以。
我们的思路是,找到dlopen调用之后的指令: call dlopen@plt
将其强制跳转到指定函数:比如test。 然后从eax中拿出返回值,然后将上下文保存下来,再跳回到原先中断的指令,具体test方法的代码如下:
.text
.global test
test:
pushl %eax
pushl %ebx
movl %eax,%ebx
movl %ebx,handle
pusha
pushf
call copy
popf
popa
popl %ebx
popl %eax
jmp *next_call_dlopen_addr
那么如何找到call dlopen@这个地址呢?
我们需要解析ELF文件结构了,很显然,dlopen是属于libc.so下的,那么我们遍历plt结构即可:
static Elf32_Addr get_func_plt_addr(const char *lib_path, const char *func_name) {
Elf32_Ehdr *ehdr;
Elf32_Shdr *shdr;
Elf32_Phdr *phdr;
uint8_t *mem;
int fd;
struct stat st;
int i, j;
if ( (fd = open(lib_path, O_RDONLY)) < 0) {
perror("open");
exit(1);
}
if (fstat(fd, &st) < 0) {
perror("fstat");
exit(1);
}
mem = mmap(NULL, st.st_size, PROT_READ, MAP_PRIVATE, fd, 0);
if (mem == MAP_FAILED) {
perror("mmap");
exit(1);
}
if (mem[0] != 0x7f && strcmp(&mem[1], "ELF")) {
fprintf(stderr,"It's not an ELF\n");
exit(1);
}
ehdr = (Elf32_Ehdr *)mem;
shdr = (Elf32_Shdr *)(mem + ehdr->e_shoff);
phdr = (Elf32_Phdr *)(mem + ehdr->e_phoff);
const char *shstrtab = (const char *)&mem[shdr[ehdr->e_shstrndx].sh_offset];
Elf32_Sym *symtab;
const char *strtab;
Elf32_Addr plt_addr;
Elf32_Off dlopen_off;
Elf32_Rel *rel;
int k;
const char *sh_name;
int rel_index;
for (i = 0; i < ehdr->e_shnum; i++) {
sh_name = &shstrtab[shdr[i].sh_name];
if (strcmp(sh_name,".plt") == 0) {
plt_addr = shdr[i].sh_addr;
}
if (strcmp(sh_name,".rel.plt") == 0) {
rel = (Elf32_Rel *)&mem[shdr[i].sh_offset];
Elf32_Rel *relp = rel;
for (k = 0; k < shdr[i].sh_size / sizeof(Elf32_Rel); k++) {
if (ELF32_R_SYM(relp->r_info) == j) {
rel_index = relp - rel;
}
relp++;
}
}
if (shdr[i].sh_type == SHT_SYMTAB || shdr[i].sh_type == SHT_DYNSYM) {
symtab = (Elf32_Sym *)&mem[shdr[i].sh_offset];
strtab = (const char *)&mem[shdr[shdr[i].sh_link].sh_offset];
for (j = 0; j < shdr[i].sh_size / sizeof(Elf32_Sym); j++) {
if (strcmp(&strtab[symtab->st_name],func_name) == 0) {
dlopen_off = symtab->st_value;
break;
}
symtab++;
}
}
}
Elf32_Addr result = (rel_index + 1) * 16 + plt_addr; // 注意: 每个plt 16字节且加上plt0
return result + lib_base_addr;
}
注意:在plt下,每项都占16个字节。而rel_index不包括plt0的占位,故相对地址偏移为: (rel_index + 1) * 16 + plt_base_address
我们知道call指令占5个字节,而call的实际编码为e8 (当前指令的地址 + 5)- dlopen@plt的地址,这样,就可以写出下列搜索代码:
long search(long start_addr,long call_path) {
// 0x460 e8 offset
int i = 0;
const char *func = (const char *)start_addr;
long dst_path;
long offset;
long mem_off;
call_path = call_path - lib_base_addr;
while (1) {
if ((func[i] & 0xff) == 0xe8) { // call
// call_path = 0x460
// dst_path = start_addr + i + 5;
// offset = call_path - dst_path
dst_path = i + 5 + start_addr;
dst_path = dst_path - lib_base_addr;
offset = call_path - dst_path;
mem_off = *(long *)&func[i + 1];
if (mem_off == offset) {
printf("-----------find mem_off = 0x%lx---------------\n", (unsigned long)mem_off);
break;
}
}
++i;
}
return start_addr + i;
}
最后完整的代码见: https://github.com/liuyx/inline-hook