60 lines
1.1 KiB
Markdown
60 lines
1.1 KiB
Markdown
|
|
Intercepting Function/System Calls in Linux
|
|
===========================================
|
|
|
|
Option 1: `LD_PRELOAD`
|
|
----------------------
|
|
|
|
* No need to re-link
|
|
* Works for *all* functions
|
|
* Works only on dynamically linked executables
|
|
|
|
Example:
|
|
```c
|
|
#include <stdlib.h>
|
|
#include <dlfcn.h>
|
|
#include <errno.h>
|
|
|
|
void *malloc(size_t size) {
|
|
// before call to malloc
|
|
void *(* _malloc)(size_t);
|
|
if ((_malloc = dlsym(RTLD_NEXT, "malloc")) == NULL) {
|
|
errno = ENOSYS;
|
|
return NULL;
|
|
}
|
|
void *ret = _malloc(size);
|
|
// after call to malloc
|
|
return ret;
|
|
}
|
|
```
|
|
|
|
|
|
Option 2: `gcc --wrap`
|
|
----------------------
|
|
|
|
* Need to re-link
|
|
* Relatively simple code:
|
|
* Function name: `__wrap_<symbol>`
|
|
* Call to real function inside wrapper: `__real_<symbol>`
|
|
* Works for *all* functions
|
|
* Works only on dynamically linked executables
|
|
|
|
Example:
|
|
```c
|
|
#include <stdlib.h>
|
|
|
|
void *__wrap_malloc(size_t size) {
|
|
// before call to malloc
|
|
void *ret = __real_malloc(size);
|
|
// after call to malloc
|
|
return ret;
|
|
}
|
|
```
|
|
|
|
|
|
Option 3: Linux kernel
|
|
----------------------
|
|
|
|
* Only works with Linux system calls
|
|
* Also works with statically linked executables
|