Re: [Alsa-devel] OSS driver removal, 2nd round

From: Jan Engelhardt
Date: Mon Jul 03 2006 - 05:26:29 EST

Next message: Alexey Dobriyan: "[PATCH] cris: switch to iminor/imajor"
Previous message: Andrew Morton: "Re: [PATCH] genirq: ARM dyntick cleanup"
In reply to: Lee Revell: "Re: [Alsa-devel] OSS driver removal, 2nd round"
Next in thread: Stefan Smietanowski: "Re: [Alsa-devel] OSS driver removal, 2nd round"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

>>
>> We do not reverse engineer the .text section, but change the .dynstr
>> section that is specific to the ELF format. I doubt any app out there md5s
>> itself.
>
>It's possible. They certainly try very hard to thwart reverse
>engineers.
>
>http://www.secdev.org/conf/skype_BHEU06.handout.pdf
>

Here is your POC for the manipulation of dynstr (and therefore, interception of
library calls without interfering with redefining/overriden libc names like
memory debuggers and AOSS do).

skype-1.2.0.18.tar.bz2

.dynsym table (0x2f80), as printed per "HT"
0130 global func 00000000 0000007c *undefined writ
05b9 global func 00000000 0000007c *undefined open
074d global func 00000000 0000007c *undefined read

.dynsym table (absaddr 0x2f80):
ofs absaddr stringptr
+0x0130 0x4280 0xe0c0
+0x05b9 0x8b10 0xddbc
+0x074d 0xa450 0xdff0

.dynstr table (absaddr 0xa750):
ofs absaddr name
+0xe0c0 0x18810 write
+0xddbc 0x1850c open (note it is part of "fdopen")
+0xdff0 0x18740 read

Change to w2ite, o2en, r2en. Implement w2ite(), o2en(), r2()en and fdo2en() in
an extra library. Load that via LD_PRELOAD.

---extra.c---
#include <sys/stat.h>
#include <sys/types.h>
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>

int o2en(const char *path, int flags, mode_t mode) {
int ret = open(path, flags, mode);
printf("open(\"%s\", %x, %04o) = %d\n", path, flags, (int)mode, ret);
return ret;
}

FILE *fdo2en(int fd, const char *mode) {
FILE *ret = fdopen(fd, mode);
printf("fdopen(%d, \"%s\") = %#p\n", fd, mode, ret);
return ret;
}

ssize_t r2ad(int fd, void *buf, size_t count) {
ssize_t ret = read(fd, buf, count);
printf("read(%d, %#p, %zu) = %zd\n", fd, buf, count, ret);
return ret;
}

ssize_t w2ite(int fd, const void *buf, size_t count) {
ssize_t ret = write(fd, buf, count);
printf("write(%d, %#p, %zu) = %zd\n", fd, buf, count, ret);
return ret;
}

---eof---
11:21 linux01:~ > cc extra.c -Wall -o extra.so -shared
11:21 linux01:~ > export LD_PRELOAD=$PWD/extra.so
write(4, 0xbfffe82b, 1) = 1
write(4, 0x8a211d0, 26) = 26
read(4, 0x8a27620, 2048) = 4
write(4, 0x8a211d0, 7) = 7
read(4, 0x8a31750, 2048) = 260
read(4, 0x8a31f60, 2048) = -1
read(4, 0x8a31f60, 2048) = 82
read(4, 0x8a32770, 2048) = -1
read(4, 0x8a32770, 2048) = 256
read(4, 0x8a31f60, 2048) = -1
open("/home/jengelh/.Skype/shared.lck", 8041, 0777) = 8
open("/home/jengelh/.Skype/shared.xml", 8000, 0777) = 9
read(9, 0x8a3c900, 168) = 168
open("/dev/urandom", 0, 0004) = 8
read(8, 0xbfffe760, 8) = 8
open("/dev/urandom", 0, 0004) = 8
read(8, 0xbfffe760, 8) = 8
open("/dev/urandom", 0, 1051125610) = 8
read(8, 0xbfffe7a0, 8) = 8
open("/dev/urandom", 0, 1051131340) = 8
read(8, 0xbfffe7a0, 8) = 8

W.W.W.W.W.

Jan Engelhardt
--
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Alexey Dobriyan: "[PATCH] cris: switch to iminor/imajor"
Previous message: Andrew Morton: "Re: [PATCH] genirq: ARM dyntick cleanup"
In reply to: Lee Revell: "Re: [Alsa-devel] OSS driver removal, 2nd round"
Next in thread: Stefan Smietanowski: "Re: [Alsa-devel] OSS driver removal, 2nd round"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]