This is the mail archive of the libc-alpha@sources.redhat.com mailing list for the glibc project.



syscall intercept in libc on read at symbol level


So I managed to figure out what went wrong. I was trying to intercept
calls to 'read' from application programs linking against libc while
they were still symbols and before they were turned into syscall
interrupts.

*I added a file "__read.c" to the /io subdirectory.
*I put __libc_read (<args>) in that file with my overridden definition
of __libc_read.
*I included the:

libc_hidden_def (__libc_read)
weak_alias (__libc_read, __read)
libc_hidden_weak (__read)
weak_alias (__libc_read, read)

crap to weakly alias the name so conflicting symbols from other
libraries would be chosen over the 'read' syscall and so that it would
get the __GI_* alias it needed to link with the PIC code.
*I added __read to the 'routines' target of the Makefile in the /io
subdirectory.
*I changed the weak and strong names of the 'read' system call in
/sysdeps/unix/syscalls.list to have 'r_' before every instance of
'read' on that line (except for the instances in the filename and
syscall name columns so libc would build and link).

Then I deleted the /io subdirectory and sysd-syscalls in the build
directory and remade. However then it crashed, exclaiming that it had
an invalid ELF header. I looked into elf/dl-load.c and found that it
was actually calling __libc_read in the build process, so instead of
making my __libc_read just return a bogus value, I made it make a call
to __libc_r_read (the real read from my newly named 'read' syscall in
syscalls.list remember). Then it built just fine.

However the optimizer was making it difficult to verify that I
successfully intercepted the syscall, so I then had it open /tmp/flag
when it was called so my sentinel code wouldn't get optimized away. I
rebuilt libc, and afterward found it already opened /tmp/flag which is
good, that meant that I successfully intercepted calls to __libc_read
at least for code within glibc. I then removed /tmp/flag and ran a
test application that I statically linked against libc.a and it too
touched /tmp/flag so I knew it was working.

I am sorry for the long mail, but I was unable to find *any*
assistance either through google or elsehow to solve the problem I
needed to solve, so I tried to be very explicit in case some other
poor sap wanted to do what I did for some reason.

Ciao.
-- 

Rick
necro351@gmail.com
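The shape of the override described in the message, as an added stand-alone example (not the poster's glibc patch and not glibc code): a `read` defined in the executable that forwards to the kernel entry point and keeps a sentinel the optimizer cannot discard. The names `read_intercepts`, `selftest` and the use of `syscall(SYS_read, ...)` in place of the poster's renamed `__libc_r_read` are this example's own choices; the pipe and the "hello" payload are constructed test input.

```c
/* Added example, not from the mailing-list post or from glibc: a
 * userspace read() interposer with the same structure as the poster's
 * __libc_read override. Defining `read` in the executable binds the
 * program's own calls to it; on glibc, internal callers such as stdio
 * go through the hidden __GI_read alias and are not caught, which is
 * the reason the poster had to rebuild glibc instead. */
#define _GNU_SOURCE
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/syscall.h>

/* Sentinel: volatile so every update is materialised even under
 * optimisation, the same job the poster's touch of /tmp/flag did. */
volatile long read_intercepts = 0;

ssize_t read(int fd, void *buf, size_t count)
{
    read_intercepts++;
    /* Bypass libc and enter the kernel directly; this stands in for the
     * poster's forward to the renamed real syscall, __libc_r_read. */
    return syscall(SYS_read, fd, buf, count);
}

/* Returns 1 when a direct read() call is intercepted and still delivers
 * the right bytes, 0 otherwise. Uses a constructed pipe as input. */
int selftest(void)
{
    int pipefd[2];
    char buf[16] = {0};
    long before = read_intercepts;

    if (pipe(pipefd) != 0)
        return 0;
    if (write(pipefd[1], "hello", 5) != 5)
        return 0;
    ssize_t n = read(pipefd[0], buf, sizeof buf);
    close(pipefd[0]);
    close(pipefd[1]);
    return n == 5 && memcmp(buf, "hello", 5) == 0
        && read_intercepts == before + 1;
}

int main(void)
{
    printf("selftest: %s (intercepts=%ld)\n",
           selftest() ? "ok" : "FAIL", read_intercepts);
    return 0;
}
```

The counter, rather than a file in /tmp, is enough to see the hook fire; making it `volatile` is what stops the compiler from folding the increment away. To observe the gap the poster describes, call `fread` on the same pipe after `selftest` and note that on glibc the counter does not move, because the hidden `__GI_read` alias never goes through this definition.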

