c++ - Hook function call linux mint -

-

some days ago wrote simple hook/detour patching single call instruction. worked on ubuntu 12.xyz (32bit), updated linux mint 17.1(32bit) , segmentation fault.

i have 2 projects

  • target project calls function named goodguy
  • library project loaded dlopen() overwrites offset call instruction in target application

before overwriting call instruction offset, modify protection of page by:

mprotect(pageof(address),pagesize,prot_write|prot_exec|prot_read)

this works fine (returns 0).

when debug programm, crashs while trying write address of call:

memcpy((void*)(address + 1),(void*)&calloffset,4);

looks not allowed overwrite instructions, why ?

i diabled alsr , used -z execstack -fno-stack-protector flags g++.

do know how allow application write instructions ?

thank you, alex

edit

sorry guys, here code:

target application:

#include <dlfcn.h> #include <stdio.h> #include <stdio.h> #include <iostream>  void goodguy(); //full lib path ! char libpath[] = "inser_your_path_here/lib.so";  int main(){   dlopen(libpath,rtld_now);   goodguy();   return 0; }  void goodguy(){     printf("good guy :)\n"); }

and shared lib code:

#include <stdio.h> #include <cstring> #include <stdint.h> #include <sys/mman.h> #include <unistd.h>  void badguy();  int pagesize = sysconf(_sc_pagesize);  void *pageof(void* p){     return (void*)((unsigned int)p & ~(pagesize - 1)); }  extern "c" void __attribute__ ((constructor)) dllload(void){     uint32_t addressofcall = 0x0804862a; //address goodguy called in target app     uint32_t addressofnextinstruction = addressofcall + 5;     uint32_t calloffset = (uint32_t)badguy - addressofnextinstruction;      mprotect(pageof((void*)(addressofcall + 1)),pagesize, prot_write|prot_exec|prot_read);     memcpy((void*)(addressofcall + 1),(void*)&calloffset,4); }  void badguy(){   printf("bad guy :(\n"); }

to find out addressofcall open target application gdb gdb target , display main function disas main , have @ +29

gdb$ disas main dump of assembler code function main()    0x0804860d <+0>: push   ebp    0x0804860e <+1>: mov    ebp,esp    0x08048610 <+3>: ,    esp,0xfffffff0    0x08048613 <+6>: sub    esp,0x10    0x08048616 <+9>: mov    dword ptr [esp+0x4],0x2    0x0804861e <+17>:    mov    dword ptr [esp],0x804a060    0x08048625 <+24>:    call   0x80484f0 <dlopen@plt>     ___________    |0x0804862a| <+29>:  call   0x8048636 <goodguy()>    |__________|    0x0804862f <+34>:    mov    eax,0x0    0x08048634 <+39>:    leave      0x08048635 <+40>:    ret


Comments

Post a Comment

Popular posts from this blog

node.js - Mongoose: Cast to ObjectId failed for value on newly created object after setting the value -

-
this question has answer here: what's mongoose error cast objectid failed value xxx @ path “_id”? 7 answers even though has been asked many times because entity has no valid objectid field. i came across situation objectid set value can casted objectid still error. the schema: var serviceschema = parammongoose.schema({ servicename:{ type: parammongoose.schema.types.objectid , ref: 'servicenames',required:true } }); pseudo code: servicefromdb=new service({servicename:'some name'}); servicefromdb.servicename='000000000000000000000001'; servicefromdb.save(function(paramerror,paramdata){ if(paramerror){ console.log('but but...',servicefromdb,paramerror) } }); the output of code is: but but... { servicename: 000000000000000000000001, _id: 55079a90286f49280364f78b } { [casterror: cast objectid faile...
Read more

Simple Angular 2 project fails 'Unexpected reserved word' -

-
i trying create simple angular2 project based on ng2do project. using quickstart , have following code... <script src="js/quickstart/dist/es6-shim.js"></script> .... import {component, template, bootstrap, foreach} 'js/quickstart/angular2/angular2'; this gives me following error... uncaught syntaxerror: unexpected reserved word what missing? don't know if helps have been having issues day realised because starting code script reference <script src="app.js"> </script> instead of using <script> system.import('app'); </script> hope helps using in tsconfig { "version": "1.5.0-beta", "compileroptions": { "target": "es6", "module": "amd", "declaration": false, "noimplicitany": false, "removecomments": true, "nolib": fal...
Read more

php - Get process resource by PID -

-
Image
i want write web ssh console, , found 2 problems. what want do. first want execute start.php file have following code. $process = proc_open('start', array( 0 => array("pipe", "r"), 1 => array("pipe", "w"), 2 => array("pipe", "a") ), $pipes); second want run command.php file run command on created process in start.php file , results it. $pid = 12345; print_r(process_command('ping google.com', $pid)); i want access process ( cmd ) created in past, send command , result. why problem, if can create new process each command.php execution? because new process new session, if login mysql in past command.php execution, in next executions must login mysql again, because new process not remember logged. example on windows. i create new process ( cmd ) in php, current directory c:\webserv\ . i write cd / command, current directory c:\ . this example, dont want c...
Read more