This is the mail archive of the libc-help@sourceware.org mailing list for the glibc project.
change .got.plt in user application
- From: Yubin Ruan <ablacktshirt at gmail dot com>
- To: libc-help at sourceware dot org
- Date: Mon, 11 Sep 2017 21:43:14 +0800
- Subject: change .got.plt in user application
- Authentication-results: sourceware.org; auth=none
Hi,
I am doing some experiment with code injection (at run time) and I
want to change the way some specific functions behave, that is, I want
to replace all calls to "real_func" with calls to "test_func".
I have finished most of the code injection work and I know that I can
find where "real_func" is located and then place a "jmp" instruction
there to make it jump to "test_func", i.e., function trampolines,
as others would call them.
But, instead of doing function trampolines, I prefer to change the
".got" and ".got.plt" segments to make them resolve "naturally" to
"test_func" rather than "real_func". As you know, the dynamic linker
fills in those entries the first time "real_func" is called (lazy
binding), and then it is fixed. So, I think there might be some ways
to do what the dynamic linker does, if only we can find the ".got" and
".got.plt".
I am currently not so clear about the right way to do that. Please
provide some help (references, or warn me ;-).
P.S. The reason I prefer changing ".got" and ".plt" over function
trampolines is that:
1) function trampolines are tricky to implement ...
2) function trampolines require us to change other people's DSOs,
which may be shared by many applications (think libc.so), thus ruining
the Copy-on-Write mechanism provided by the operating system.
Yubin