lorenz.stechauner/BSc-Thesis
1
0
Fork 0
Code Activity

thesis: Add second subsection

Browse Source
This commit is contained in:
Lorenz Stechauner
2025-07-02 15:22:37 +02:00
parent 6033a59bbf
commit d1d9f601c9
2 changed files with 82 additions and 35 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
doc/README.md
View File

@@ -70,7 +70,7 @@ From the [OPTIONS section in the Linux manual page gcc(1)](https://www.man7.org/
> For example, `-Wl,-Map,output.map` passes `-Map output.map` to the linker. > For example, `-Wl,-Map,output.map` passes `-Map output.map` to the linker.
> When using the GNU linker, you can also get the same effect with `-Wl,-Map=output.map`. > When using the GNU linker, you can also get the same effect with `-Wl,-Map=output.map`.
* Need to re-link(/-comiple) * Need to re-link(/-compile)
* Relatively simple code: * Relatively simple code:
* Function name: `__wrap_<symbol>` * Function name: `__wrap_<symbol>`
* Call to real function inside wrapper: `__real_<symbol>` * Call to real function inside wrapper: `__real_<symbol>`

115
thesis/src/02.intercept.tex
View File

@@ -7,6 +7,84 @@ Lorem Ipsum.
Lorem Ipsum. Lorem Ipsum.
\subsection{Wrapper Functions in gcc}\label{subsec:wrapper-functions}
Another method for overriding functions is to tell the compiler directly, which functions should be overridden.
The compiler, and the linker respectively, then directly link calls to the specified functions to wrapper functions.
The default linker \texttt{ld} includes such a feature.
See the OPTIONS section in the ld(1) Linux manual page~\cite{ld.1}:
\begin{quote}
\begin{description}
\item[\texttt{-{}-wrap=\textit{symbol}}]
Use a wrapper function for \texttt{\textit{symbol}}.
Any undefined reference to \texttt{\textit{symbol}} will be resolved to \texttt{\_\_wrap\_\textit{symbol}}.
Any undefined reference to \texttt{\_\_real\_\textit{symbol}} will be resolved to \texttt{\textit{symbol}}.
This can be used to provide a wrapper for a system function.
The wrapper function should be called \texttt{\_\_wrap\_\textit{symbol}}.
If it wishes to call the system function, it should call \texttt{\_\_real\_\textit{symbol}}.
\lbrack\dots\rbrack
\end{description}
\end{quote}
The gcc compiler also supports this, by allowing to pass options to the linker.
See the OPTIONS section in the gcc(1) Linux manual page~\cite{gcc.1}:
\begin{quote}
\begin{description}
\item[\texttt{-Wl,\textit{option}}]
Pass \texttt{\textit{option}} as an option to the linker.
If \texttt{\textit{option}} contains commas, it is split into multiple options at the commas.
You can use this syntax to pass an argument to the option.
For example, \texttt{-Wl,-Map,output.map} passes \texttt{-Map output.map} to the linker.
When using the GNU linker, you can also get the same effect with \texttt{-Wl,-Map=output.map}.
\lbrack\dots\rbrack
\end{description}
\end{quote}
This means, by specifying \texttt{-Wl,-{}-wrap=\textit{symbol}} when compiling using gcc,
all calls from the currently compiled program to \texttt{\textit{symbol}} are redirected to \texttt{\_\_wrap\_\textit{symbol}}.
To call the real function inside the wrapper, \texttt{\_\_real\_\textit{symbol}} may be used.
The listings \ref{lst:wrap.c} and \ref{lst:wrap} try to illustrate this by overriding the \texttt{malloc} function of the C standard library.
\begin{listing}[htbp]
\begin{minted}[linenos]{c}
#include <stddef.h>
extern void *__real_malloc(size_t size);
void *__wrap_malloc(size_t size) {
// before call to malloc
void *ret = __real_malloc(size);
// after call to malloc
return ret;
}
\end{minted}
\caption{Contents of \texttt{wrap.c}.}
\label{lst:wrap.c}
\end{listing}
\begin{listing}[htbp]
\begin{minted}{shell}
gcc -o main_wrapped main.c wrap.c -Wl,--wrap=malloc
./main_wrapped
\end{minted}
\caption{Compile \texttt{main.c} and \texttt{wrap.c} and run the resulting program.}
\label{lst:wrap}
\end{listing}
This approach allows wrapping any function in a relatively clean way.
But it is not possible to override functions in any given binary program.
It is required to re-compile (or to re-link) a given program to use this feature of ld.
Therefore, the source code (or the corresponding \texttt{*.out} files) needs to be available.
Note, only calls from the targeted source code will be redirected, calls from other libraries won't.
Theoretically, it should be possible to re-link a given binary without having access to its source code.
But due to other more straight-forward methods (see \ref{subsec:preloading}), this has not been further investigated.
\subsection{Preloading using \texttt{LD\_PRELOAD}}\label{subsec:preloading} \subsection{Preloading using \texttt{LD\_PRELOAD}}\label{subsec:preloading}
To execute binary files on Linux systems, a dynamic linker is needed at runtime. To execute binary files on Linux systems, a dynamic linker is needed at runtime.
@@ -33,7 +111,7 @@ See the ENVIRONMENT section in the ld.so(8) Linux manual page~\cite{ld.so.8}:
\end{quote} \end{quote}
This means, by setting the environment variable \texttt{LD\_PRELOAD}, it is possible to override specific functions. This means, by setting the environment variable \texttt{LD\_PRELOAD}, it is possible to override specific functions.
The listings \ref{lst:preload.c} and \ref{lst:preload} try to illustrate this. The listings \ref{lst:preload.c} and \ref{lst:preload} try to illustrate this by overriding the \texttt{malloc} function of the C standard library.
\begin{listing}[htbp] \begin{listing}[htbp]
\begin{minted}[linenos]{c} \begin{minted}[linenos]{c}
@@ -63,7 +141,7 @@ void *malloc(size_t size) {
gcc -shared -fPIC -o preload.so preload.c gcc -shared -fPIC -o preload.so preload.c
LD_PRELOAD="$(pwd)/preload.so" ./main LD_PRELOAD="$(pwd)/preload.so" ./main
\end{minted} \end{minted}
\caption{Compile \texttt{preload.so} and run a program with \texttt{LD\_PRELOAD}.} \caption{Compile \texttt{preload.c} and run a program with \texttt{LD\_PRELOAD}.}
\label{lst:preload} \label{lst:preload}
\end{listing} \end{listing}
@@ -71,40 +149,9 @@ The function \texttt{dlsym} is used to retrieve the original address of the \tex
\texttt{RTLD\_NEXT} indicates to find the next occurrence of \texttt{malloc} in the search order after the current object. \texttt{RTLD\_NEXT} indicates to find the next occurrence of \texttt{malloc} in the search order after the current object.
\cite{dlsym.3} \cite{dlsym.3}
Using this method, it is possible to override, and therefore wrap, any function as long as the targeted binary was not statically linked. By using this method, it is possible to override, and therefore wrap, any function as long as the targeted binary was not statically linked.
Although, one has to be aware that not only function calls inside the targeted binary, but also calls inside other libraries (e.g., to \texttt{malloc}) are redirected to the overriding function. Although, one has to be aware that not only function calls inside the targeted binary, but also calls inside other libraries (e.g., to \texttt{malloc}) are redirected to the overriding function.
\subsection{Wrapper Functions in \texttt{gcc}}\label{subsec:wrapper-functions}
From the OPTIONS section in the ld(1) Linux manual page~\cite{ld.1}:
\begin{quote}
\begin{description}
\item[\texttt{--wrap=\textit{symbol}}]
Use a wrapper function for \texttt{\textit{symbol}}.
Any undefined reference to \texttt{\textit{symbol}} will be resolved to \texttt{\_\_wrap\_\textit{symbol}}.
Any undefined reference to \texttt{\_\_real\_\textit{symbol}} will be resolved to \texttt{\textit{symbol}}.
This can be used to provide a wrapper for a system function.
The wrapper function should be called \texttt{\_\_wrap\_\textit{symbol}}.
If it wishes to call the system function, it should call \texttt{\_\_real\_\textit{symbol}}.
\lbrack\dots\rbrack
\end{description}
\end{quote}
From the OPTIONS section in the gcc(1) Linux manual page~\cite{gcc.1}:
\begin{quote}
\begin{description}
\item[\texttt{-Wl,\textit{option}}]
Pass \texttt{\textit{option}} as an option to the linker.
If \texttt{\textit{option}} contains commas, it is split into multiple options at the commas.
You can use this syntax to pass an argument to the option.
For example, \texttt{-Wl,-Map,output.map} passes \texttt{-Map output.map} to the linker.
When using the GNU linker, you can also get the same effect with \texttt{-Wl,-Map=output.map}.
\lbrack\dots\rbrack
\end{description}
\end{quote}
\subsection{Kernel Module}\label{subsec:kernel-module} \subsection{Kernel Module}\label{subsec:kernel-module}