2025-04-02 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/02 Report--
This article introduces how hooking of dynamic link library functions works under Linux. In practice many people run into difficulties with this topic, so the editor walks you through how these situations are handled. Read carefully and you should come away with something useful.
I. The principle of dynamic link library function hijacking
On Unix operating systems, a program searches for the dynamic link libraries it depends on in a fixed order. When the specified .so file is found, the dynamic linker (/lib/ld-linux.so.X) loads and initializes the shared object the program depends on. Why can a .so file be used to hijack a function?
This follows from a property of Linux dynamic linking: a global symbol in an .so loaded earlier shadows a symbol of the same name in an .so loaded later. In other words, if a program loads two .so files one after the other and both define a function with the same name, a call to that function from the program reaches the definition in the .so loaded first, and the one loaded later is shadowed. To hijack a function, therefore, you must get there first.
The environment variable LD_PRELOAD and the configuration file /etc/ld.so.preload let us take advantage of this. Both influence the program's runtime linker: they let you name dynamic link libraries that are loaded before anything else when the program starts. We only need to write a function with the same name as the one we want to hook and put it in the .so loaded through LD_PRELOAD. The strace output in the following figure shows that the .so named by LD_PRELOAD is loaded first.
Of course, hijacking an ordinary function is pointless; what we want to hijack are the system functions. On Unix systems, programs compiled with GCC by default resolve calls to the standard C functions (fopen, printf, the execv family, and so on) by dynamic linking to the libc.so.6 library, so we can hijack these functions as long as our own .so is loaded before libc.so.6.
II. Demo
Let's start with a simple C program (sample.c).
The following code simply calls the fopen function and checks its return value:
#include <stdio.h>

int main(void)
{
    printf("Calling the fopen() function...\n");
    FILE *fd = fopen("test.txt", "r");   /* fails until test.txt exists */
    if (!fd) {
        printf("fopen() returned NULL\n");
        return 1;
    }
    printf("fopen() succeeded\n");
    return 0;
}
Compile and run:
$ gcc -o sample sample.c
$ ./sample
Calling the fopen() function...
fopen() returned NULL
$ touch test.txt
$ ./sample
Calling the fopen() function...
fopen() succeeded
Now write our own .so dynamic library (myfopen.c):
#include <stdio.h>

/* Same name and signature as libc's fopen; deliberately always fails */
FILE *fopen(const char *path, const char *mode)
{
    printf("This is my fopen!\n");
    return NULL;
}
Compile it into a .so:
$ gcc -Wall -fPIC -shared -o myfopen.so myfopen.c
When the sample program is run with the environment variable set, we can see that fopen is hijacked successfully and NULL is returned:
$ LD_PRELOAD=./myfopen.so ./sample
Calling the fopen() function...
This is my fopen!
fopen() returned NULL
Of course, making fopen always return NULL is not sensible. The fake fopen should restore the behaviour of the real one. In the following code dlfcn.h comes into play: we use dlsym to look up the original fopen in the C standard library, save the address of the original function, and finally call it so that control returns to the original code path.
#define _GNU_SOURCE          /* required for RTLD_NEXT */
#include <stdio.h>
#include <dlfcn.h>

FILE *fopen(const char *path, const char *mode)
{
    printf("In our own fopen, opening %s\n", path);
    FILE *(*original_fopen)(const char *, const char *);
    original_fopen = dlsym(RTLD_NEXT, "fopen");   /* next definition after this .so, i.e. libc's */
    return (*original_fopen)(path, mode);
}
Tips: if the first parameter of dlsym or dlvsym is set to RTLD_NEXT, the function returns the runtime address of the symbol (function) with the given name in the next shared object. Which shared object is "next" depends on the order in which the shared libraries were loaded. The order in which dlsym searches shared libraries is as follows: ① all directories, separated by semicolons, listed in the environment variable LD_LIBRARY_PATH; ② the list of libraries in the file /etc/ld.so.cache, refreshed by the ldconfig command; ③ the directory /usr/lib; ④ the directory /lib; ⑤ the current directory.
Compile:
$ gcc -Wall -fPIC -shared -o myfopen.so myfopen.c -ldl
Run it: the original function is called, and the hijack succeeds!
$ LD_PRELOAD=./myfopen.so ./sample
Calling the fopen() function...
In our own fopen, opening test.txt
fopen() succeeded
III. Problems needing attention in the application of LD_PRELOAD hooks
1. The order of .so file loading and function hijacking.
In many cases, by the time you hijack a function, other components in the system have already hijacked it, so pay special attention to the order in which .so files are loaded and make sure your own .so is loaded before those of the other components; otherwise your hook function will be ignored.
2. Maintain the completeness of the original function and business compatibility. The hooked function must be called and its result returned at the end of the hook. The hook's own logic before that return must not introduce excessive delay, since a delay can cause the original business logic to fail. Use the RTLD_NEXT handle to preserve the original chain of shared library calls.
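The dlsym(RTLD_NEXT) hook above and the two rules in section III can be combined into one hook that is safe to leave in a production process. The following is an added example written for this page, not code from the original article: it resolves the real fopen once and caches it, records each call with write(2) on stderr rather than printf on stdout (so the hooked program's own stdout buffering and output order are left untouched), and preserves the errno value set by the real fopen so the caller's error handling still works. The library name auditfopen.so and the helper hooked_fopen_calls() are invented for the example.

```c
/* Added example, not part of the original article.
 * Build as a preload library:
 *   gcc -Wall -fPIC -shared -o auditfopen.so auditfopen.c -ldl
 *   LD_PRELOAD=./auditfopen.so ./sample
 * Hypothetical names: auditfopen.so, hooked_fopen_calls(). */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE              /* RTLD_NEXT lives behind this in <dlfcn.h> */
#endif
#include <dlfcn.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#ifndef RTLD_NEXT
/* glibc's value; only used if <dlfcn.h> was included before _GNU_SOURCE */
#define RTLD_NEXT ((void *) -1l)
#endif

typedef FILE *(*fopen_fn)(const char *, const char *);

static fopen_fn real_fopen;          /* resolved on first call, then cached */
static unsigned long call_count;     /* how many fopen calls the hook has seen */

/* Exposed so a caller (or a test) can check that the hook really ran. */
unsigned long hooked_fopen_calls(void) { return call_count; }

/* Write one audit record to stderr without disturbing stdio state or errno. */
static void audit_log(const char *path, const char *mode, int ok)
{
    char buf[512];
    int saved = errno;               /* write(2) may change errno; restore it */
    int n = snprintf(buf, sizeof buf, "[auditfopen] fopen(\"%s\", \"%s\") -> %s\n",
                     path ? path : "(null)", mode ? mode : "(null)",
                     ok ? "ok" : "fail");
    if (n > 0) {
        if ((size_t)n > sizeof buf) n = (int)sizeof buf;
        ssize_t r = write(STDERR_FILENO, buf, (size_t)n);
        (void)r;
    }
    errno = saved;
}

/* Same name and signature as libc's fopen, so the preload shadows it. */
FILE *fopen(const char *path, const char *mode)
{
    if (!real_fopen) {
        real_fopen = (fopen_fn)dlsym(RTLD_NEXT, "fopen");
        if (!real_fopen) {
            /* The chain cannot be continued; fail closed instead of recursing. */
            static const char msg[] = "[auditfopen] dlsym(RTLD_NEXT) failed\n";
            ssize_t r = write(STDERR_FILENO, msg, sizeof msg - 1);
            (void)r;
            errno = ENOSYS;
            return NULL;
        }
    }
    call_count++;
    FILE *f = real_fopen(path, mode);    /* original behaviour, original errno */
    audit_log(path, mode, f != NULL);    /* does not clobber that errno */
    return f;
}

/* Stand-alone demo: the hook interposes on this program's own fopen calls. */
int main(void)
{
    FILE *f = fopen("/dev/null", "r");
    if (f) fclose(f);
    f = fopen("/nonexistent-dir-for-demo/x.txt", "r");
    printf("second fopen returned %s, errno=%d (%s)\n",
           f ? "a stream" : "NULL", errno, strerror(errno));
    printf("hook saw %lu call(s)\n", hooked_fopen_calls());
    return 0;
}
```

Because the hook does nothing blocking before calling the real fopen and hands back exactly what libc returned, a hooked program cannot tell the difference apart from the extra line on stderr; that is the "completeness and compatibility" rule from section III in practice.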
Application 1: HIDS intrusion detection system
Hijack libc library
Advantages: good performance, relatively stable, simpler than an LKM, highly adaptable, usually deployed against web-level intrusions.
Disadvantages: it can do nothing about statically linked programs, and there is a risk of being bypassed.
Application 2: rootkit malware
This technique has been used by many kinds of malware, such as cub3, vlany, bdvl and so on.
This concludes the introduction to "how to understand Ring3 dynamic link library hooking under Linux". Thank you for reading. If you want to learn more about the industry, follow the website; the editor will keep producing practical articles for you.
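The same mechanism that a HIDS uses to watch libc is what a Ring3 rootkit uses to hide from it, so a defender-side agent should be able to check whether the libc symbols it relies on have been interposed. The following is an added example written for this page, not code from the original article or from any of the tools it names. It combines three signals: whether LD_PRELOAD is set in the environment, whether the preload configuration file (normally /etc/ld.so.preload) is non-empty, and which mapped object actually provides the definition of a symbol such as fopen, found by resolving the symbol with dlsym(RTLD_DEFAULT) and looking its address up in /proc/self/maps. The function names preload_env_set(), preload_file_present(), symbol_origin() and symbol_interposed() are invented for the example.

```c
/* Added example, not part of the original article.
 * Build: gcc -Wall -o preloadcheck preloadcheck.c -ldl
 * Hypothetical names: preload_env_set, preload_file_present,
 * symbol_origin, symbol_interposed. Linux-only (/proc/self/maps). */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <dlfcn.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>

#ifndef RTLD_DEFAULT
#define RTLD_DEFAULT ((void *) 0)   /* glibc's value, normal lookup scope */
#endif

/* 1 if LD_PRELOAD is present and non-empty in this process's environment. */
int preload_env_set(void)
{
    const char *v = getenv("LD_PRELOAD");
    return v != NULL && v[0] != '\0';
}

/* 1 if the preload configuration file at 'path' exists and is non-empty. */
int preload_file_present(const char *path)
{
    struct stat st;
    return stat(path, &st) == 0 && S_ISREG(st.st_mode) && st.st_size > 0;
}

/* Copy into 'out' the pathname of the mapped object that contains the
 * definition of 'symbol' as a normal call would reach it.
 * Returns 0 on success, -1 if the symbol or its mapping cannot be found. */
int symbol_origin(const char *symbol, char *out, size_t outlen)
{
    void *addr = dlsym(RTLD_DEFAULT, symbol);
    if (!addr)
        return -1;
    FILE *maps = fopen("/proc/self/maps", "r");
    if (!maps)
        return -1;
    unsigned long target = (unsigned long)addr;
    char line[4096];
    int found = -1;
    while (fgets(line, sizeof line, maps)) {
        unsigned long lo, hi;
        char path[4096] = "";
        /* format: start-end perms offset dev inode [pathname] */
        if (sscanf(line, "%lx-%lx %*s %*s %*s %*s %4095s", &lo, &hi, path) < 2)
            continue;
        if (target >= lo && target < hi) {
            snprintf(out, outlen, "%s", path);
            found = 0;
            break;
        }
    }
    fclose(maps);
    return found;
}

/* 1 if 'symbol' is defined by something other than the C library itself,
 * 0 if it comes from libc, -1 if it could not be resolved. */
int symbol_interposed(const char *symbol)
{
    char where[4096];
    if (symbol_origin(symbol, where, sizeof where) != 0)
        return -1;
    const char *base = strrchr(where, '/');
    base = base ? base + 1 : where;
    /* glibc ships libc.so.6; musl's libc is the ld-musl-*.so loader itself */
    return !(strncmp(base, "libc", 4) == 0 || strncmp(base, "ld-musl", 7) == 0);
}

/* Stand-alone demo: report the three signals for a few libc entry points. */
int main(void)
{
    const char *syms[] = { "fopen", "execve", "readdir", "getdents64" };
    printf("LD_PRELOAD set:        %d\n", preload_env_set());
    printf("/etc/ld.so.preload:    %d\n", preload_file_present("/etc/ld.so.preload"));
    for (size_t i = 0; i < sizeof syms / sizeof syms[0]; i++) {
        char where[4096] = "?";
        symbol_origin(syms[i], where, sizeof where);
        printf("%-10s -> %s (interposed=%d)\n", syms[i], where, symbol_interposed(syms[i]));
    }
    return 0;
}
```

The environment and file checks are cheap but easy to defeat (a rootkit can unset LD_PRELOAD after loading or hide the file through the very functions it hooks), which is why the third check matters: it asks the loader where the symbol really lives instead of trusting configuration. A statically linked checker avoids the libc hooks altogether, which is the flip side of the "statically compiled programs" limitation noted for the HIDS above.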