c++ - Hook function call on Linux Mint


Some days ago I wrote a simple hook/detour that patches a single call instruction. It worked on Ubuntu 12.xyz (32-bit); after updating to Linux Mint 17.1 (32-bit) I get a segmentation fault.

I have 2 projects:

  • target project: calls a function named goodguy
  • library project: loaded with dlopen(), overwrites the offset of the call instruction in the target application

Before overwriting the call instruction offset, I modify the protection of the page by:

mprotect(pageof(address), pagesize, PROT_WRITE|PROT_EXEC|PROT_READ)

This works fine (returns 0).

When I debug the program, it crashes while trying to write the address of the call:

memcpy((void*)(address + 1), (void*)&calloffset, 4);

It looks like overwriting instructions is not allowed. Why?

I disabled ASLR and used the -z execstack -fno-stack-protector flags with g++.

Do you know how to allow the application to write instructions?

Thank you, Alex

Edit

Sorry guys, here is the code:

Target application:

#include <dlfcn.h>
#include <stdio.h>
#include <iostream>

void goodguy();

// full lib path!
char libpath[] = "insert_your_path_here/lib.so";

int main() {
    // load the hook library; its constructor patches the call below
    if (!dlopen(libpath, RTLD_NOW)) {
        fprintf(stderr, "dlopen failed: %s\n", dlerror());
        return 1;
    }
    goodguy();
    return 0;
}

void goodguy() {
    printf("good guy :)\n");
}

And the shared lib code:

#include <stdio.h>
#include <cstring>
#include <stdint.h>
#include <sys/mman.h>
#include <unistd.h>

void badguy();

// Page size is passed in rather than read from a global with a dynamic
// initializer, so it cannot still be 0 when the constructor below runs.
static void *pageof(void *p, long pagesize) {
    return (void *)((uintptr_t)p & ~(uintptr_t)(pagesize - 1));
}

extern "C" void __attribute__((constructor)) dllload(void) {
    long pagesize = sysconf(_SC_PAGESIZE);
    uint32_t addressofcall = 0x0804862a; // address where goodguy is called in the target app
    uint32_t addressofnextinstruction = addressofcall + 5;
    uint32_t calloffset = (uint32_t)badguy - addressofnextinstruction;

    // the 4-byte rel32 operand starts at addressofcall + 1
    if (mprotect(pageof((void *)(addressofcall + 1), pagesize), pagesize,
                 PROT_WRITE | PROT_EXEC | PROT_READ) != 0) {
        perror("mprotect");
        return;
    }
    memcpy((void *)(addressofcall + 1), (void *)&calloffset, 4);
}

void badguy() {
    printf("bad guy :(\n");
}

To find out addressofcall, open the target application in gdb (gdb target) and display the main function with disas main; I have it at +29:

gdb$ disas main
Dump of assembler code for function main():
   0x0804860d <+0>:     push   ebp
   0x0804860e <+1>:     mov    ebp,esp
   0x08048610 <+3>:     and    esp,0xfffffff0
   0x08048613 <+6>:     sub    esp,0x10
   0x08048616 <+9>:     mov    DWORD PTR [esp+0x4],0x2
   0x0804861e <+17>:    mov    DWORD PTR [esp],0x804a060
   0x08048625 <+24>:    call   0x80484f0 <dlopen@plt>
   0x0804862a <+29>:    call   0x8048636 <goodguy()>     <-- addressofcall
   0x0804862f <+34>:    mov    eax,0x0
   0x08048634 <+39>:    leave
   0x08048635 <+40>:    ret
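The mprotect() call in the library leaves a page of the target's .text mapped writable and executable, which is the trace a runtime-patching hook like this one leaves in /proc/<pid>/maps. The following is an added example, not code from the question: a small checker that parses maps lines and flags W+X mappings, usable as a self-check inside a process or against a captured maps file (the sample maps lines in the test are constructed; the path /home/alex/target is an assumption).

```cpp
// Added example, not from the question: flag mappings that are both writable and
// executable, which is what the hook's mprotect(PROT_WRITE|PROT_EXEC|PROT_READ) leaves behind.
#include <fstream>
#include <iostream>
#include <sstream>
#include <string>
#include <vector>

struct Mapping {
    unsigned long start, end;
    std::string perms, path;
};

// Parse one /proc/<pid>/maps line, e.g.
// "08048000-08049000 r-xp 00000000 08:01 123456 /home/alex/target"
bool parse_maps_line(const std::string& line, Mapping& m) {
    std::istringstream in(line);
    std::string range, offset, dev, inode;
    if (!(in >> range >> m.perms >> offset >> dev >> inode)) return false;
    std::string::size_type dash = range.find('-');
    if (dash == std::string::npos || m.perms.size() < 4) return false;
    m.start = std::stoul(range.substr(0, dash), nullptr, 16);
    m.end   = std::stoul(range.substr(dash + 1), nullptr, 16);
    std::getline(in >> std::ws, m.path);  // stays empty for anonymous mappings
    return true;
}

// Every mapping whose permission string has both 'w' and 'x' (a W^X violation).
std::vector<Mapping> find_wx_mappings(std::istream& maps) {
    std::vector<Mapping> hits;
    std::string line;
    while (std::getline(maps, line)) {
        Mapping m;
        if (parse_maps_line(line, m) && m.perms[1] == 'w' && m.perms[2] == 'x')
            hits.push_back(m);
    }
    return hits;
}

// Same check against the calling process's own address space.
std::vector<Mapping> find_wx_mappings_self() {
    std::ifstream maps("/proc/self/maps");
    return find_wx_mappings(maps);
}

int main() {
    for (const Mapping& m : find_wx_mappings_self())
        std::cout << std::hex << m.start << "-" << m.end << " " << m.perms << " " << m.path << "\n";
    return 0;
}
```

Run it inside the target after the library has loaded (or point find_wx_mappings at a saved maps file) and the patched .text page shows up as rwxp; a stack made executable by -z execstack shows up the same way.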
