Can gdb make a function pointer point to another location?
Question

Let me explain: Let's say I'm interested in replacing the rand() function used by a certain application.
So I attach gdb to this process and make it load my custom shared library (which has a customized rand() function):

    # dlopen takes a mode argument; 2 = RTLD_NOW
    call (int) dlopen("path_to_library/asdf.so", 2)
This would place the customized rand() function inside the process's memory. However, at this point the symbol rand will still point to the default rand() function. Is there a way to make gdb point the symbol to the new rand() function, forcing the process to use my version?
I must say I'm also not allowed to use the LD_PRELOAD (Linux) nor the DYLD_INSERT_LIBRARIES (Mac OS X) methods for this, because they allow code injection only at the beginning of the program's execution.
The application in which I would like to replace rand() starts several threads, and some of them start new processes; I'm interested in injecting code into one of these new processes. As I mentioned above, gdb is great for this purpose because it allows code injection into a specific process.
Answer

I followed this post and this presentation and came up with the following set of gdb commands for OSX with an x86-64 executable, which can be loaded with the -x option when attaching to the process:
    # address of the 6-byte "jmp *disp32(%rip)" stub for rand
    set $s = dyld_stub_rand
    # address of the pointer slot the stub jumps through:
    # stub + 6 (next instruction) + 32-bit displacement stored at stub+2
    set $p = ($s+6+*(int*)($s+2))
    # load the replacement library (2 = RTLD_NOW) and resolve my_rand
    call (void*)dlsym((void*)dlopen("myrand.dylib", 2), "my_rand")
    # redirect the slot so every call through the stub reaches my_rand
    set *(void**)$p = my_rand
    c
The magic is in the set $p = ... command. dyld_stub_rand is a 6-byte jump instruction. The jump offset is at dyld_stub_rand+2 (4 bytes). This is a $rip-relative jump, so add the offset to what $rip would be at this point (right after the instruction, dyld_stub_rand+6).
This points to a symbol table entry, which should be either the real rand or the dynamic linker routine that loads it (if it was never called). It is then replaced by my_rand.
Sometimes gdb will pick up dyld_stub_rand from libSystem or another shared library; if that happens, unload them first with remove-symbol-file before running the other commands.