Can gdb make a function pointer point to another location?

Question

Let me explain:

Let's say I'm interested in replacing the rand() function used by a certain application.

So I attach gdb to this process and make it load my custom shared library (which has a customized rand() function):

call (void*) dlopen("path_to_library/asdf.so", 2)    # 2 == RTLD_NOW; gdb does not know the macro

This would place the customized rand() function inside the process' memory. However, at this point the symbol rand will still point to the default rand() function. Is there a way to make gdb point the symbol to the new rand() function, forcing the process to use my version?

I must say I'm also not allowed to use the LD_PRELOAD (Linux) or DYLD_INSERT_LIBRARIES (Mac OS X) methods for this, because they allow code injection only at the beginning of the program's execution.

The application in which I would like to replace rand() starts several threads, and some of them start new processes; I'm interested in injecting code into one of these new processes. As I mentioned above, gdb is great for this purpose because it allows code injection into a specific process.

Answer

I followed this post and this presentation and came up with the following set of gdb commands for OS X with an x86-64 executable, which can be loaded with the -x option when attaching to the process:

set $s = dyld_stub_rand                     # the 6-byte stub: FF 25 <disp32>, i.e. jmp *disp32(%rip)
set $p = ($s+6+*(int*)($s+2))               # slot the stub jumps through: end of instruction + disp32
call (void*)dlsym((void*)dlopen("myrand.dylib", 2), "my_rand")   # 2 == RTLD_NOW; gdb does not know the macro
set *(void**)$p = my_rand                   # rewrite the slot so the stub lands in my_rand
c

The magic is in the set $p = ... command. dyld_stub_rand is a 6-byte jump instruction. The jump offset is at dyld_stub_rand+2 (4 bytes). This is a $rip-relative jump, so add the offset to what $rip would be at this point (right after the instruction, dyld_stub_rand+6).

This points to a symbol table entry, which should be either the real rand or the dynamic linker routine that loads it (if it was never called). It is then replaced by my_rand.

Sometimes gdb will pick up dyld_stub_rand from libSystem or another shared library; if that happens, unload them first with remove-symbol-file before running the other commands.
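As an added example (not part of the answer above, and not the poster's code), here is the arithmetic in set $p = ... and the write to *$p carried out in C against a stub constructed in the program's own memory, plus the opcode check a practitioner would want before writing through $p. The struct layout, the stand-in fake_real_rand, and the return values 4 and 42 are assumptions made for the demonstration; the only real-world fact it relies on is that a RIP-relative indirect jmp is encoded as FF 25 followed by a 32-bit displacement measured from the end of the instruction.

```c
/* Added example, not code from the original answer: the pointer arithmetic
 * behind "set $p = ($s+6+*(int*)($s+2))" and the slot overwrite, done in C on
 * a stub we construct ourselves. Nothing here touches a real dyld stub; the
 * layout below is a simulation chosen so the disp32 always reaches the slot. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef int (*rand_fn)(void);

/* Stand-ins (assumed for the demo) for the real rand() and for my_rand. */
static int fake_real_rand(void) { return 4; }
static int my_rand(void)        { return 42; }

/* Simulated lazy-binding layout: a 6-byte "jmp *disp32(%rip)" stub
 * (FF 25 <disp32>) followed by the pointer slot it jumps through, which
 * plays the role of the symbol-table entry on the real system. */
struct stub_and_slot {
    unsigned char stub[6];
    unsigned char pad[2];   /* keep the slot 8-byte aligned */
    rand_fn slot;
};

/* Encode the stub the way a linker would: disp32 is relative to the address
 * of the next instruction, stub+6, which is the "+6" in the gdb expression. */
static void build_stub(struct stub_and_slot *s, rand_fn initial)
{
    int32_t disp = (int32_t)((uintptr_t)&s->slot - ((uintptr_t)s->stub + 6));
    s->stub[0] = 0xFF;
    s->stub[1] = 0x25;
    memcpy(&s->stub[2], &disp, sizeof disp);
    s->slot = initial;
}

/* The decode step from the answer. Returns the address of the pointer slot
 * the stub jumps through, or NULL when the bytes are not a RIP-relative
 * indirect jmp. Do this check before writing through $p: for any other
 * stub form (e.g. an E9 rel32 jmp) "+6+disp" points at unrelated memory
 * and the write would corrupt something else in the process. */
static rand_fn *decode_stub_slot(const unsigned char *stub)
{
    if (stub[0] != 0xFF || stub[1] != 0x25)
        return NULL;
    int32_t disp;
    memcpy(&disp, stub + 2, sizeof disp);
    return (rand_fn *)((uintptr_t)stub + 6 + (intptr_t)disp);
}

/* The patch step ("set *(void**)$p = my_rand"). Returns the previous target
 * so it can be restored later, or NULL if the stub was refused. */
static rand_fn redirect_stub(unsigned char *stub, rand_fn replacement)
{
    rand_fn *slot = decode_stub_slot(stub);
    if (slot == NULL)
        return NULL;
    rand_fn old = *slot;
    *slot = replacement;
    return old;
}

/* Call "rand" the way the stub would: load the slot and jump through it. */
static int call_through_stub(const unsigned char *stub)
{
    rand_fn *slot = decode_stub_slot(stub);
    return slot ? (*slot)() : -1;
}

/* Runs every step; returns 1 only if the behaviour matches the answer. */
static int stub_patch_works(void)
{
    struct stub_and_slot s;
    build_stub(&s, fake_real_rand);
    if (decode_stub_slot(s.stub) != &s.slot)              return 0; /* $p found */
    if (call_through_stub(s.stub) != 4)                   return 0; /* real rand */
    if (redirect_stub(s.stub, my_rand) != fake_real_rand) return 0; /* old target */
    if (call_through_stub(s.stub) != 42)                  return 0; /* my_rand now */

    /* A stub that is not FF 25 must be refused rather than patched. */
    unsigned char rel32_jmp[6] = { 0xE9, 0, 0, 0, 0, 0 };
    if (redirect_stub(rel32_jmp, my_rand) != NULL)        return 0;
    return 1;
}

int main(void)
{
    printf("stub patch %s\n", stub_patch_works() ? "works" : "FAILED");
    return 0;
}
```

The equivalent of the opcode check inside gdb is to dump the stub before computing $p, for example x/6bx dyld_stub_rand, and confirm the first two bytes are ff 25; if they are not, the address gdb resolved is not the stub you want (the remove-symbol-file situation described above) and the $p arithmetic must not be trusted.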
