Пример #1
0
//http://blog.csdn.net/L173864930/article/details/40507359
int elfHook(const char *soname, const char *symbol, void *replace_func, void **old_func){
	assert(old_func);
	assert(replace_func);
	assert(symbol);

	//从给定的so中获取基址,获取so句柄ElfHandle
	ElfHandle* handle = openElfBySoname(soname);
	ElfInfo info;
	//从segment视图获取elf信息(即加载到内存的so)
	getElfInfoBySegmentView(info, handle);


	Elf32_Sym *sym = NULL;
	int symidx = 0;

	//根据符号名寻找函数地址Sym
	findSymByName(info, symbol, &sym, &symidx);

	if(!sym){
		LOGE("[-] Could not find symbol %s", symbol);
		goto fails;
	}else{
		LOGI("[+] sym %p, symidx %d.", sym, symidx);
	}

	for (int i = 0; i < info.relpltsz; i++) {
		Elf32_Rel& rel = info.relplt[i];
		if (ELF32_R_SYM(rel.r_info) == symidx && ELF32_R_TYPE(rel.r_info) == R_ARM_JUMP_SLOT) {

			void *addr = (void *) (info.elf_base + rel.r_offset);
			//进行一次替换relplt表函数地址操作,其中需要使用mprotect修改访问内存,然后调用系统指令 清除缓存
			if (replaceFunc(addr, replace_func, old_func))
				goto fails;

			//only once
			break;
		}
	}

	for (int i = 0; i < info.reldynsz; i++) {
		Elf32_Rel& rel = info.reldyn[i];
		if (ELF32_R_SYM(rel.r_info) == symidx &&
				(ELF32_R_TYPE(rel.r_info) == R_ARM_ABS32
						|| ELF32_R_TYPE(rel.r_info) == R_ARM_GLOB_DAT)) {

			void *addr = (void *) (info.elf_base + rel.r_offset);
			//进行一次替换reldyn表函数地址操作,其中需要使用mprotect修改访问内存,然后调用系统指令 清除缓存
			if (replaceFunc(addr, replace_func, old_func))
				goto fails;
		}
	}

	fails:
	closeElfBySoname(handle);//释放资源,关闭elf句柄
	return 0;
}
Пример #2
0
__attribute__((visibility("default"))) void hook_init( char *args )
{
    if( g_isInit == 1 )
    {
        printf("i am already in!");
        return;
    }

    void* soHandle = NULL;

    // the libapp.so is a .so of target process, and it call strcmp
    soHandle  = dlopen( "libapp.so", RTLD_GLOBAL );
    if( soHandle != NULL )
    {
        g_realstrcmp = NULL;
        replaceFunc( soHandle, "strcmp", my_strcmp, (void**)&g_realstrcmp );

        int ret = pthread_create( &g_hThread, NULL, my_thread, NULL );
        if( ret != 0 )
        {
            printf("create thread error:%d", ret );
        }

        g_isInit = 1;
    }

}
Пример #3
0
void CloexecDupCheck::check(const MatchFinder::MatchResult &Result) {
  const std::string &ReplacementText =
      (Twine("fcntl(") + getSpellingArg(Result, 0) + ", F_DUPFD_CLOEXEC)")
          .str();

  replaceFunc(Result,
              "prefer fcntl() to dup() because fcntl() allows F_DUPFD_CLOEXEC",
              ReplacementText);
}
void CloexecAcceptCheck::check(const MatchFinder::MatchResult &Result) {
  const std::string &ReplacementText =
      (Twine("accept4(") + getSpellingArg(Result, 0) + ", " +
       getSpellingArg(Result, 1) + ", " + getSpellingArg(Result, 2) +
       ", SOCK_CLOEXEC)")
          .str();

  replaceFunc(
      Result,
      "prefer accept4() to accept() because accept4() allows SOCK_CLOEXEC",
      ReplacementText);
}
Пример #5
0
int main(void){
  
  char *str;
  char *regex = "\\w+";
  regex_t reg;
  str = (char *)malloc(sizeof(char)*55);
  strcpy(str,"hello, world");

  regcomp(&reg,regex,REG_EXTENDED);
  replaceFunc(str,reg,upcase,0);

  printf("%s\n",str);

  free(str);
  regfree(&reg);
  return 0;
}