Re: [Alsa-devel] OSS driver removal, 2nd round

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



>> 
>> We do not reverse engineer the .text section, but change the .dynstr 
>> section that is specific to the ELF format. I doubt any app out there md5s 
>> itself.
>
>It's possible.  They certainly try very hard to thwart reverse
>engineers.
>
>http://www.secdev.org/conf/skype_BHEU06.handout.pdf
>

Here is your POC for the manipulation of dynstr (and therefore, interception of
library calls without interfering with redefining/overriden libc names like
memory debuggers and AOSS do).

skype-1.2.0.18.tar.bz2

.dynsym table (0x2f80), as printed per "HT"
0130 global   func     00000000 0000007c *undefined  writ
05b9 global   func     00000000 0000007c *undefined  open
074d global   func     00000000 0000007c *undefined  read

.dynsym table (absaddr 0x2f80):
ofs     absaddr stringptr
+0x0130 0x4280  0xe0c0
+0x05b9 0x8b10  0xddbc
+0x074d 0xa450  0xdff0

.dynstr table (absaddr 0xa750):
ofs     absaddr name
+0xe0c0 0x18810 write
+0xddbc 0x1850c open  (note it is part of "fdopen")
+0xdff0 0x18740 read

Change to w2ite, o2en, r2en. Implement w2ite(), o2en(), r2()en and fdo2en() in
an extra library. Load that via LD_PRELOAD.

---extra.c---
#include <sys/stat.h>
#include <sys/types.h>
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>

int o2en(const char *path, int flags, mode_t mode) {
    int ret = open(path, flags, mode);
    printf("open(\"%s\", %x, %04o) = %d\n", path, flags, (int)mode, ret);
    return ret;
}

FILE *fdo2en(int fd, const char *mode) {
    FILE *ret = fdopen(fd, mode);
    printf("fdopen(%d, \"%s\") = %#p\n", fd, mode, ret);
    return ret;
}

ssize_t r2ad(int fd, void *buf, size_t count) {
    ssize_t ret = read(fd, buf, count);
    printf("read(%d, %#p, %zu) = %zd\n", fd, buf, count, ret);
    return ret;
}

ssize_t w2ite(int fd, const void *buf, size_t count) {
    ssize_t ret = write(fd, buf, count);
    printf("write(%d, %#p, %zu) = %zd\n", fd, buf, count, ret);
    return ret;
}

---eof---
11:21 linux01:~ > cc extra.c -Wall -o extra.so -shared
11:21 linux01:~ > export LD_PRELOAD=$PWD/extra.so
write(4, 0xbfffe82b, 1) = 1
write(4, 0x8a211d0, 26) = 26
read(4, 0x8a27620, 2048) = 4
write(4, 0x8a211d0, 7) = 7
read(4, 0x8a31750, 2048) = 260
read(4, 0x8a31f60, 2048) = -1
read(4, 0x8a31f60, 2048) = 82
read(4, 0x8a32770, 2048) = -1
read(4, 0x8a32770, 2048) = 256
read(4, 0x8a31f60, 2048) = -1
open("/home/jengelh/.Skype/shared.lck", 8041, 0777) = 8
open("/home/jengelh/.Skype/shared.xml", 8000, 0777) = 9
read(9, 0x8a3c900, 168) = 168
open("/dev/urandom", 0, 0004) = 8
read(8, 0xbfffe760, 8) = 8
open("/dev/urandom", 0, 0004) = 8
read(8, 0xbfffe760, 8) = 8
open("/dev/urandom", 0, 1051125610) = 8
read(8, 0xbfffe7a0, 8) = 8
open("/dev/urandom", 0, 1051131340) = 8
read(8, 0xbfffe7a0, 8) = 8


W.W.W.W.W.


Jan Engelhardt
-- 
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [email protected]
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

[Index of Archives]     [Kernel Newbies]     [Netfilter]     [Bugtraq]     [Photo]     [Stuff]     [Gimp]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Video 4 Linux]     [Linux for the blind]     [Linux Resources]
  Powered by Linux