This is the mail archive of the libc-help@sourceware.org mailing list for the glibc project.

Re: Library injection


Adam wrote:
> Hello!
> my name is Adam Sznajder and I study computer science at Warsaw
> University of Technology. Currently I'm writing my graduate work
> which I have to do in order to finish my studies. The main aim of my
> project is to inject a library into some running process and create a
> new thread which will e.g. protect stack. As you can see it is quite an
> interesting task, but I have a problem with library injection. I found
> some awesome article on which I based my work:
> http://nologin.org/Downloads/Papers/remote-library-injection.pdf .
Any special reason to do that on a running process? Injecting your
protecting code on an unmodified binary using LD_PRELOAD when launching
would be much easier.

There are two ways of doing it. Calling the library dlopen(), or using
the lower level syscalls that it uses.

> Unfortunately my project doesn't work properly. It crashes in the
> middle of _dl_open function with the offset 0x163. Could you please
> have a look at my project and tell me what's wrong with it? You can
> download the sources here: www.purecode.pl/dllInjection.zip. I
> understand that you are busy and have much more important things to
> do, but can someone explain to me what I should put into each register
> before _dl_open call?

Your int3 made me think you were trying to enter into the kernel, but in
that case it would have been int 0x80, and you would get the syscall
number to place into EAX from #include <syscall.h>.
I realise now that they are probably there just for debugging. That's
fine, since in Linux there's not a single syscall for loading a library
into the current process.

> Currently I store in eax register address of library's path, in ebx
> 0x80000002 and in ecx NULL. Being honest I'm quite stressed because
> the time is running and I don't really know what's wrong. I work on
> Arch Linux with the ld-2.13.so library.

Loading of EAX is unintuitive but seems right (given that you're working
on a 32 bit platform).
The EBX is 0x80000003: you seem to be specifying RTLD_LAZY and RTLD_NOW,
which doesn't make sense (RTLD_NOW seems to win, which is what I think
you would want).
The NULL ECX may be a problem. The caller argument seems to be the return
address. So you would need mov ecx, [esp].
Finally, dlmopen_doit appears to be using a fourth parameter (a
namespace id) which you seem to be setting to 0x11d50. Have you tried
using 0 (LM_ID_BASE) there?
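The same load done through the public API rather than by hand-loading registers for _dl_open, as an added example that is not part of this thread: it lints the mode word for the problems pointed out above (both RTLD_LAZY and RTLD_NOW set, and a non-public high bit such as the 0x80000000 in 0x80000003), then loads via dlmopen() into LM_ID_BASE and surfaces dlerror(). The PUBLIC_DLOPEN_FLAGS mask and both function names are this example's own, not glibc's.

```c
#define _GNU_SOURCE
#include <dlfcn.h>
#include <stdio.h>

/* Added example (not from the thread): public-API counterpart of the
 * hand-rolled _dl_open call, with the mode word checked first. */

/* Flag bits a caller of dlopen()/dlmopen() may legitimately set
 * (this mask is defined here; it is not a glibc macro). */
#define PUBLIC_DLOPEN_FLAGS \
    (RTLD_LAZY | RTLD_NOW | RTLD_GLOBAL | RTLD_LOCAL | \
     RTLD_NODELETE | RTLD_NOLOAD | RTLD_DEEPBIND)

/* Returns 1 if `mode` is a sensible dlopen mode word, 0 otherwise.
 * Rejects: no binding flag at all (glibc refuses that), both RTLD_LAZY
 * and RTLD_NOW (contradictory, as the reply notes), and any bit outside
 * the public set, e.g. the 0x80000000 bit in 0x80000003, which glibc
 * reserves for its own internal use and adds itself inside dlopen(). */
int dlopen_mode_is_valid(int mode)
{
    int lazy = (mode & RTLD_LAZY) != 0;
    int now  = (mode & RTLD_NOW) != 0;
    if (lazy == now)                   /* neither set, or both set */
        return 0;
    if (mode & ~PUBLIC_DLOPEN_FLAGS)   /* internal / unknown bits */
        return 0;
    return 1;
}

/* Loads `path` into the base namespace (LM_ID_BASE, the 0 suggested
 * above). On failure returns NULL and points *err at a message. */
void *load_into_base_namespace(const char *path, int mode, const char **err)
{
    if (!dlopen_mode_is_valid(mode)) {
        *err = "invalid dlopen mode word";
        return NULL;
    }
    void *handle = dlmopen(LM_ID_BASE, path, mode);
    *err = handle ? NULL : dlerror();
    return handle;
}

int main(void)
{
    const char *err;
    /* A NULL path yields a handle for the main program itself, so this
     * runs without any particular library being installed. */
    void *h = load_into_base_namespace(NULL, RTLD_NOW, &err);
    if (!h) { fprintf(stderr, "load failed: %s\n", err); return 1; }
    printf("0x80000003 valid? %d\n", dlopen_mode_is_valid(0x80000003));
    dlclose(h);
    return 0;
}
```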
