/*
 * Entry point of a libc-relative injector front end.
 *
 * Computes the offset of __libc_dlopen_mode inside this process's own
 * libc, adds that offset to the libc base of the target process, and
 * hands the pair to inject_code() (defined elsewhere; its mechanism is
 * not visible in this listing).
 *
 * argv[1]: target pid (parsed with atoi, unchecked).
 * argv[2]: passed through verbatim to inject_code().
 * Returns 1 on a usage error or when no offset could be resolved,
 * 0 otherwise.
 *
 * Host-side observables produced by this function itself: the child
 * shell command "nm /lib64/libc.so.6|grep __libc_dlopen_mode" spawned
 * through popen() on the fallback path. Everything cross-process lives
 * in find_libc_start() / inject_code(), both external to this block.
 */
int main(int argc, char **argv)
{
    pid_t daemon_pid = -1;
    char *my_libc = NULL, *daemon_libc = NULL;
    char *dl_open_address = NULL;
    char *dlopen_mode = NULL;
    FILE *pfd = NULL;
    char buf[128], *space = NULL;
    /* Expected nm output line, used by the fallback below:
     * nm /lib64/libc.so.6|grep __libc_dlopen_mode: 00000000000f2a40 t __libc_dlopen_mode */
    size_t dlopen_offset = 0;

    if (argc < 3) {
        usage(argv[0]);
        return 1;
    }

    /* Unbuffered stdout so progress lines appear immediately. */
    setbuffer(stdout, NULL, 0);

    /* Libc base of this process (find_libc_start is external). */
    my_libc = find_libc_start(getpid());

    printf("Trying to obtain __libc_dlopen_mode() address relative to libc start address.\n");
    printf("[1] Using my own __libc_dlopen_mode ...\n");

    /* Method 1: ask the dynamic linker for the symbol in our own image.
     * A NULL handle is RTLD_DEFAULT on glibc; the offset is then
     * symbol address minus libc base. */
    dlopen_mode = dlsym(NULL, "__libc_dlopen_mode");
    if (dlopen_mode)
        dlopen_offset = dlopen_mode - my_libc;

    /* Method 2: parse the symbol's value out of nm's output. */
    if (dlopen_offset == 0 &&
        (pfd = popen("nm /lib64/libc.so.6|grep __libc_dlopen_mode", "r")) != NULL) {
        printf("[2] Using nm method ... ");
        /* NOTE(review): fgets() return is unchecked — if nm prints
         * nothing, buf is read uninitialized by strchr()/strtoul(). */
        fgets(buf, sizeof(buf), pfd);
        /* Keep only the leading hex value. */
        if ((space = strchr(buf, ' ')) != NULL)
            *space = 0;
        dlopen_offset = strtoul(buf, NULL, 16);
        /* NOTE(review): the stream came from popen(); pclose() is the
         * matching call (fclose() leaves the child unreaped). */
        fclose(pfd);
    }

    if (dlopen_offset == 0) {
        printf("failed!\nNo more methods, bailing out.\n");
        return 1;
    }
    printf("success!\n");

    /* Recomputes the value already held in my_libc. */
    dl_open_address = find_libc_start(getpid()) + dlopen_offset;

    /* NOTE(review): atoi() gives no error indication; a non-numeric
     * argv[1] becomes pid 0. */
    daemon_pid = (pid_t)atoi(argv[1]);
    daemon_libc = find_libc_start(daemon_pid);

    printf("me: {__libc_dlopen_mode:%p, dlopen_offset:%zx}\n=> daemon: {__libc_dlopen_mode:%p, libc:%p}\n",
           dl_open_address, dlopen_offset, daemon_libc + dlopen_offset, daemon_libc);

    /* Target libc base and target symbol address are passed as integers. */
    inject_code(daemon_pid, (size_t)daemon_libc, (size_t)(daemon_libc + dlopen_offset), argv[2]);
    printf("done!\n");
    return 0;
}
/*
 * Entry point of "injectso v0.51".
 *
 * Parses -P <dso>, -p <pid> and -s <auxv source> into the file-scope
 * process_hook object (declared elsewhere), checks that the DSO is
 * readable and executable, then tries three strategies in turn —
 * fill_offsets_maps(), fill_offsets_auxv(), fill_offsets_nm() — until
 * process_hook.dlopen_address is non-zero, and finally calls
 * inject_code(&process_hook). All of those helpers are external to
 * this block.
 *
 * Returns 1 when the DSO is not rx or no dlopen address was found,
 * 0 on completion. The -s path exits the process directly after
 * show_auxv().
 */
int main(int argc, char **argv)
{
    /* NOTE(review): getopt() returns int; on targets where plain char
     * is unsigned, -1 can never be stored here and the loop does not
     * terminate as intended. */
    char c;

    while ((c = getopt(argc, argv, "s:p:P:")) != -1) {
        switch (c) {
        case 'P':
            /* Canonical path; realpath(..., NULL) allocates. */
            process_hook.dso = realpath(optarg, NULL);
            break;
        case 'p':
            /* Unchecked conversion — non-numeric input yields pid 0,
             * which the later !process_hook.pid check treats as unset. */
            process_hook.pid = atoi(optarg);
            break;
        case 's':
            show_auxv(optarg);
            exit(0);
        default:
            /* Presumably usage() does not return — confirm; otherwise
             * parsing simply continues. */
            usage(argv[0]);
        }
    }

    /* Unbuffered stdout so progress lines appear immediately. */
    setbuffer(stdout, NULL, 0);
    printf("injectso v0.51 -- DSO process hotpatching tool\n\n");

    if (!process_hook.dso || !process_hook.pid) {
        usage(argv[0]);
    }

    /* The DSO must be both readable and executable by this user. */
    if (access(process_hook.dso, R_OK|X_OK) < 0) {
        fprintf(stderr, "[-] DSO is not rx\n");
        return 1;
    }

    /* Strategy chain: /proc maps first, then auxv, then nm output.
     * Each step is skipped once an address has been found. */
    fill_offsets_maps(&process_hook);
    if (process_hook.dlopen_address == 0) {
        fill_offsets_auxv(&process_hook);
    }
    if (process_hook.dlopen_address == 0) {
        fill_offsets_nm(&process_hook);
    }
    if (process_hook.dlopen_address == 0) {
        printf("[-] Unable to locate foreign dlopen address.\n");
        return 1;
    }

    /* NOTE(review): %p requires a void * argument; if dlopen_address
     * is an integer type this is a format mismatch — verify the field's
     * declaration. */
    printf("[+] => Foreign dlopen address: %p\n", process_hook.dlopen_address);
    printf("[+] Using normalized DSO path '%s'\n", process_hook.dso);

    inject_code(&process_hook);
    printf("[+] done.\n");
    return 0;
}
/*
 * Entry point of an on-disk ELF section injector.
 *
 * Options:
 *   -v        increase verbosity (file-scope counter, declared elsewhere)
 *   -e FILE   target ELF binary, opened read/write
 *   -i FILE   file whose bytes are loaded into memory as the payload
 *   -n NAME   name of the section to create for the payload
 *   -a ADDR   section address (base 0 strtoul; 0 permitted, see the
 *             commented-out check below)
 *   -s ENTRY  entry value (base 0 strtol; -1 when absent)
 *   -h        usage
 *
 * Reads the whole payload file into a malloc'd buffer, fills an
 * inject_data_t, and calls inject_code(elf_fd, &inject, &err)
 * (external). Also opens ./info/section.info for writing into the
 * file-scope finfo handle, which the helpers presumably use.
 *
 * Returns 0 on success or usage, 1 on any failure. All resources are
 * released through the shared cleanup label.
 */
int main(int argc, char *argv[])
{
    FILE *inject_f;
    int elf_fd, opt, ret;
    size_t len, secaddr;
    long entry;
    char *elf_fname, *inject_fname, *secname, *code, *err;
    char optstr[] = "vhe:i:n:a:s:";
    inject_data_t inject;

    if(argc < 4) {
        print_usage(argv[0]);
        return 0;
    }

    /* Explicit defaults so the cleanup path can test each handle. */
    inject_f = NULL;
    elf_fd = -1;
    secaddr = 0;
    entry = -1;
    code = NULL;
    elf_fname = NULL;
    inject_fname = NULL;
    secname = NULL;
    /* Silence getopt's own diagnostics; unknown options hit default. */
    opterr = 0;

    while((opt = getopt(argc, argv, optstr)) != -1) {
        switch(opt) {
        case 'v':
            verbosity++;
            break;
        case 'e':
            elf_fname = strdup(optarg);
            break;
        case 'i':
            inject_fname = strdup(optarg);
            break;
        case 'n':
            secname = strdup(optarg);
            break;
        case 'a':
            secaddr = strtoul(optarg, NULL, 0);
            break;
        case 's':
            entry = strtol(optarg, NULL, 0);
            break;
        case 'h':
        default:
            /* NOTE(review): strdup'd option strings collected so far
             * are not freed on this path. */
            print_usage(argv[0]);
            return 0;
        }
    }

    /* Mandatory-argument checks; a NULL here means strdup failed or the
     * option was absent. */
    if(!elf_fname || strlen(elf_fname) < 1) {
        print_err("no target binary");
        return 1;
    } else if(!inject_fname || strlen(inject_fname) < 1) {
        print_err("no code to inject");
        return 1;
    } else if(!secname || strlen(secname) < 1) {
        print_err("no section name for injected code");
        return 1;
    }
    /* Address check intentionally disabled by the author:
    else if(secaddr == 0) {
        print_err("no valid section address for injected code");
        return 1;
    }*/

    /* NOTE(review): fopen() result is not checked; if this fails,
     * fclose(finfo) at cleanup is a NULL dereference. */
    finfo = fopen("./info/section.info","w");

    verbose("opening \"%s\"", inject_fname);
    inject_f = fopen(inject_fname, "r");
    if(!inject_f) {
        print_err("failed to open \"%s\"", inject_fname);
        goto fail;
    }

    /* Size the payload by seeking to the end. NOTE(review): ftell()
     * returns -1 on error, which becomes SIZE_MAX in len; fread()'s
     * return is also unchecked, so a short read leaves the tail of
     * code uninitialized. */
    fseek(inject_f, 0, SEEK_END);
    len = ftell(inject_f);
    code = malloc(len);
    if(!code) {
        print_err("failed to alloc code buffer");
        goto fail;
    }
    fseek(inject_f, 0, SEEK_SET);
    fread(code, 1, len, inject_f);

    verbose("opening \"%s\"", elf_fname);
    /* Read/write: the target file is modified in place by inject_code(). */
    elf_fd = open(elf_fname, O_RDWR);
    if(elf_fd < 0) {
        print_err("failed to open \"%s\"", elf_fname);
        goto fail;
    }

    inject.code = code;
    inject.len = len;
    inject.entry = entry;
    inject.secname = secname;
    inject.secaddr = secaddr;

    /* err is only assumed valid when ret < 0 — whether inject_code()
     * always sets it on failure is not visible here; confirm. */
    ret = inject_code(elf_fd, &inject, &err);
    if(ret < 0) {
        print_err("%s", err);
        goto fail;
    }

    ret = 0;
    goto cleanup;

fail:
    ret = 1;

cleanup:
    /* Single exit: release whatever was acquired, in reverse order. */
    if(elf_fd >= 0) {
        close(elf_fd);
    }
    if(inject_f) {
        fclose(inject_f);
    }
    if(code) {
        free(code);
    }
    if(elf_fname) {
        free(elf_fname);
    }
    if(inject_fname) {
        free(inject_fname);
    }
    if(secname) {
        free(secname);
    }
    fclose(finfo);
    return ret;
}