function hooking for osx and linux - DEF CON...• resume execution as if nothing happened. this...
Transcript of function hooking for osx and linux - DEF CON...• resume execution as if nothing happened. this...
![Page 1: function hooking for osx and linux - DEF CON...• resume execution as if nothing happened. this instruction updates the freelist and comes from add_freelist: Can’t overwrite it](https://reader033.fdocuments.net/reader033/viewer/2022043004/5f860a26912de663fe3644ea/html5/thumbnails/1.jpg)
function hooking for osx and linux
joe damato@joedamato
timetobleed.com
![Page 2: function hooking for osx and linux - DEF CON...• resume execution as if nothing happened. this instruction updates the freelist and comes from add_freelist: Can’t overwrite it](https://reader033.fdocuments.net/reader033/viewer/2022043004/5f860a26912de663fe3644ea/html5/thumbnails/2.jpg)
slides are ontimetobleed.com
![Page 3: function hooking for osx and linux - DEF CON...• resume execution as if nothing happened. this instruction updates the freelist and comes from add_freelist: Can’t overwrite it](https://reader033.fdocuments.net/reader033/viewer/2022043004/5f860a26912de663fe3644ea/html5/thumbnails/3.jpg)
(free jmpesp)
![Page 4: function hooking for osx and linux - DEF CON...• resume execution as if nothing happened. this instruction updates the freelist and comes from add_freelist: Can’t overwrite it](https://reader033.fdocuments.net/reader033/viewer/2022043004/5f860a26912de663fe3644ea/html5/thumbnails/4.jpg)
i’m not a security researcher.
call me a script kiddie: @joedamato
![Page 5: function hooking for osx and linux - DEF CON...• resume execution as if nothing happened. this instruction updates the freelist and comes from add_freelist: Can’t overwrite it](https://reader033.fdocuments.net/reader033/viewer/2022043004/5f860a26912de663fe3644ea/html5/thumbnails/5.jpg)
![Page 6: function hooking for osx and linux - DEF CON...• resume execution as if nothing happened. this instruction updates the freelist and comes from add_freelist: Can’t overwrite it](https://reader033.fdocuments.net/reader033/viewer/2022043004/5f860a26912de663fe3644ea/html5/thumbnails/6.jpg)
laughinglarry.com
![Page 7: function hooking for osx and linux - DEF CON...• resume execution as if nothing happened. this instruction updates the freelist and comes from add_freelist: Can’t overwrite it](https://reader033.fdocuments.net/reader033/viewer/2022043004/5f860a26912de663fe3644ea/html5/thumbnails/7.jpg)
slayerinc.com
![Page 8: function hooking for osx and linux - DEF CON...• resume execution as if nothing happened. this instruction updates the freelist and comes from add_freelist: Can’t overwrite it](https://reader033.fdocuments.net/reader033/viewer/2022043004/5f860a26912de663fe3644ea/html5/thumbnails/8.jpg)
dbgrady.files.wordpress.com
assembly is in att syntax
![Page 9: function hooking for osx and linux - DEF CON...• resume execution as if nothing happened. this instruction updates the freelist and comes from add_freelist: Can’t overwrite it](https://reader033.fdocuments.net/reader033/viewer/2022043004/5f860a26912de663fe3644ea/html5/thumbnails/9.jpg)
WTF is an ABI ?
![Page 10: function hooking for osx and linux - DEF CON...• resume execution as if nothing happened. this instruction updates the freelist and comes from add_freelist: Can’t overwrite it](https://reader033.fdocuments.net/reader033/viewer/2022043004/5f860a26912de663fe3644ea/html5/thumbnails/10.jpg)
WTF is an Application Binary
Interface ?
![Page 11: function hooking for osx and linux - DEF CON...• resume execution as if nothing happened. this instruction updates the freelist and comes from add_freelist: Can’t overwrite it](https://reader033.fdocuments.net/reader033/viewer/2022043004/5f860a26912de663fe3644ea/html5/thumbnails/11.jpg)
alignment
thomasgroup.com
![Page 12: function hooking for osx and linux - DEF CON...• resume execution as if nothing happened. this instruction updates the freelist and comes from add_freelist: Can’t overwrite it](https://reader033.fdocuments.net/reader033/viewer/2022043004/5f860a26912de663fe3644ea/html5/thumbnails/12.jpg)
calling convention
arianlim.wordpress.com
![Page 13: function hooking for osx and linux - DEF CON...• resume execution as if nothing happened. this instruction updates the freelist and comes from add_freelist: Can’t overwrite it](https://reader033.fdocuments.net/reader033/viewer/2022043004/5f860a26912de663fe3644ea/html5/thumbnails/13.jpg)
object file and library formats
tandemfs.org
![Page 14: function hooking for osx and linux - DEF CON...• resume execution as if nothing happened. this instruction updates the freelist and comes from add_freelist: Can’t overwrite it](https://reader033.fdocuments.net/reader033/viewer/2022043004/5f860a26912de663fe3644ea/html5/thumbnails/14.jpg)
hierarchy of specs
![Page 15: function hooking for osx and linux - DEF CON...• resume execution as if nothing happened. this instruction updates the freelist and comes from add_freelist: Can’t overwrite it](https://reader033.fdocuments.net/reader033/viewer/2022043004/5f860a26912de663fe3644ea/html5/thumbnails/15.jpg)
topatoco.com
![Page 16: function hooking for osx and linux - DEF CON...• resume execution as if nothing happened. this instruction updates the freelist and comes from add_freelist: Can’t overwrite it](https://reader033.fdocuments.net/reader033/viewer/2022043004/5f860a26912de663fe3644ea/html5/thumbnails/16.jpg)
System V ABI (271 pages)
System V ABI AMD64 Architecture Processor Supplement (128 pages)
System V ABI Intel386 Architecture Processor Supplement (377 pages)
MIPS, ARM, PPC, and IA-64 too!
![Page 17: function hooking for osx and linux - DEF CON...• resume execution as if nothing happened. this instruction updates the freelist and comes from add_freelist: Can’t overwrite it](https://reader033.fdocuments.net/reader033/viewer/2022043004/5f860a26912de663fe3644ea/html5/thumbnails/17.jpg)
mac osx x86-64 calling convention
based on
System V ABI AMD64 Architecture ! ! ! Processor Supplement
![Page 18: function hooking for osx and linux - DEF CON...• resume execution as if nothing happened. this instruction updates the freelist and comes from add_freelist: Can’t overwrite it](https://reader033.fdocuments.net/reader033/viewer/2022043004/5f860a26912de663fe3644ea/html5/thumbnails/18.jpg)
gregs-wines.com
![Page 19: function hooking for osx and linux - DEF CON...• resume execution as if nothing happened. this instruction updates the freelist and comes from add_freelist: Can’t overwrite it](https://reader033.fdocuments.net/reader033/viewer/2022043004/5f860a26912de663fe3644ea/html5/thumbnails/19.jpg)
alignment
thomasgroup.com
![Page 20: function hooking for osx and linux - DEF CON...• resume execution as if nothing happened. this instruction updates the freelist and comes from add_freelist: Can’t overwrite it](https://reader033.fdocuments.net/reader033/viewer/2022043004/5f860a26912de663fe3644ea/html5/thumbnails/20.jpg)
end of argument area must be aligned on a 16byte boundary.
and $0xfffffffffffffff0, %rsp
![Page 21: function hooking for osx and linux - DEF CON...• resume execution as if nothing happened. this instruction updates the freelist and comes from add_freelist: Can’t overwrite it](https://reader033.fdocuments.net/reader033/viewer/2022043004/5f860a26912de663fe3644ea/html5/thumbnails/21.jpg)
calling convention
arianlim.wordpress.com
![Page 22: function hooking for osx and linux - DEF CON...• resume execution as if nothing happened. this instruction updates the freelist and comes from add_freelist: Can’t overwrite it](https://reader033.fdocuments.net/reader033/viewer/2022043004/5f860a26912de663fe3644ea/html5/thumbnails/22.jpg)
• function arguments from left to right live in:%rdi, %rsi, %rdx, %rcx, %r8, %r9
• that’s for INTEGER class items.
• Other stuff gets passed on the stack (like on i386).
• registers are either caller or callee saved
![Page 23: function hooking for osx and linux - DEF CON...• resume execution as if nothing happened. this instruction updates the freelist and comes from add_freelist: Can’t overwrite it](https://reader033.fdocuments.net/reader033/viewer/2022043004/5f860a26912de663fe3644ea/html5/thumbnails/23.jpg)
object file and library formats
tandemfs.org
![Page 24: function hooking for osx and linux - DEF CON...• resume execution as if nothing happened. this instruction updates the freelist and comes from add_freelist: Can’t overwrite it](https://reader033.fdocuments.net/reader033/viewer/2022043004/5f860a26912de663fe3644ea/html5/thumbnails/24.jpg)
steverubel.typepad.com
![Page 25: function hooking for osx and linux - DEF CON...• resume execution as if nothing happened. this instruction updates the freelist and comes from add_freelist: Can’t overwrite it](https://reader033.fdocuments.net/reader033/viewer/2022043004/5f860a26912de663fe3644ea/html5/thumbnails/25.jpg)
ELF Objects
en.wikipedia.org
![Page 26: function hooking for osx and linux - DEF CON...• resume execution as if nothing happened. this instruction updates the freelist and comes from add_freelist: Can’t overwrite it](https://reader033.fdocuments.net/reader033/viewer/2022043004/5f860a26912de663fe3644ea/html5/thumbnails/26.jpg)
ELF Objects• ELF objects have headers
• elf header (describes the elf object)
• program headers (describes segments)
• section headers (describes sections)
• libelf is useful for wandering the elf object extracting information.
• the executable and each .so has its own set of data
![Page 27: function hooking for osx and linux - DEF CON...• resume execution as if nothing happened. this instruction updates the freelist and comes from add_freelist: Can’t overwrite it](https://reader033.fdocuments.net/reader033/viewer/2022043004/5f860a26912de663fe3644ea/html5/thumbnails/27.jpg)
ELF Object sections• .text - code lives here
• .plt - stub code that helps to “resolve” absolute function addresses.
• .got.plt - absolute function addresses; used by .plt entries.
• .debug_info - debugging information
• .gnu_debuglink - checksum and filename for debug info
![Page 28: function hooking for osx and linux - DEF CON...• resume execution as if nothing happened. this instruction updates the freelist and comes from add_freelist: Can’t overwrite it](https://reader033.fdocuments.net/reader033/viewer/2022043004/5f860a26912de663fe3644ea/html5/thumbnails/28.jpg)
ELF Object sections
• .dynsym - maps exported symbol names to offsets
• .dynstr - stores exported symbol name strings
• .symtab - maps symbol names to offsets
• .strtab - symbol name strings
• more sections for other stuff.
![Page 29: function hooking for osx and linux - DEF CON...• resume execution as if nothing happened. this instruction updates the freelist and comes from add_freelist: Can’t overwrite it](https://reader033.fdocuments.net/reader033/viewer/2022043004/5f860a26912de663fe3644ea/html5/thumbnails/29.jpg)
vanachteren.net
![Page 30: function hooking for osx and linux - DEF CON...• resume execution as if nothing happened. this instruction updates the freelist and comes from add_freelist: Can’t overwrite it](https://reader033.fdocuments.net/reader033/viewer/2022043004/5f860a26912de663fe3644ea/html5/thumbnails/30.jpg)
Mach-O Objects
developer.apple.com
![Page 31: function hooking for osx and linux - DEF CON...• resume execution as if nothing happened. this instruction updates the freelist and comes from add_freelist: Can’t overwrite it](https://reader033.fdocuments.net/reader033/viewer/2022043004/5f860a26912de663fe3644ea/html5/thumbnails/31.jpg)
Mach-O Objects• Mach-O objects have load commands
• header (describes the mach-o object)
• load commands (describe layout and linkage info)
• segment commands (describes sections)
• dyld(3) describes some apis for touching mach-o objects
• the executable and each dylib/bundle has its own set of data
![Page 32: function hooking for osx and linux - DEF CON...• resume execution as if nothing happened. this instruction updates the freelist and comes from add_freelist: Can’t overwrite it](https://reader033.fdocuments.net/reader033/viewer/2022043004/5f860a26912de663fe3644ea/html5/thumbnails/32.jpg)
Mach-O sections
• __text - code lives here
• __symbol_stub1 - list of jmpq instructions for runtime dynamic linking
• __stub_helper - stub code that helps to “resolve” absolute function addresses.
• __la_symbol_ptr - absolute function addresses; used by symbol stub
![Page 33: function hooking for osx and linux - DEF CON...• resume execution as if nothing happened. this instruction updates the freelist and comes from add_freelist: Can’t overwrite it](https://reader033.fdocuments.net/reader033/viewer/2022043004/5f860a26912de663fe3644ea/html5/thumbnails/33.jpg)
Mach-O sections
• symtabs do not live in a segment, they have their own load commands.
• LC_SYMTAB - holds offsets for symbol table and string table.
• LC_DYSYMTAB - a list of 32bit offsets into LC_SYMTAB for dynamic symbols.
![Page 34: function hooking for osx and linux - DEF CON...• resume execution as if nothing happened. this instruction updates the freelist and comes from add_freelist: Can’t overwrite it](https://reader033.fdocuments.net/reader033/viewer/2022043004/5f860a26912de663fe3644ea/html5/thumbnails/34.jpg)
blog.makezine.com
![Page 35: function hooking for osx and linux - DEF CON...• resume execution as if nothing happened. this instruction updates the freelist and comes from add_freelist: Can’t overwrite it](https://reader033.fdocuments.net/reader033/viewer/2022043004/5f860a26912de663fe3644ea/html5/thumbnails/35.jpg)
nm
000000000048ac90 t Balloc
0000000000491270 T Init_Array
0000000000497520 T Init_Bignum
000000000041dc80 T Init_Binding
000000000049d9b0 T Init_Comparable
000000000049de30 T Init_Dir
00000000004a1080 T Init_Enumerable
00000000004a3720 T Init_Enumerator
00000000004a4f30 T Init_Exception
000000000042c2d0 T Init_File
0000000000434b90 T Init_GC
% nm /usr/bin/ruby
symbol “value”
symbol names
![Page 36: function hooking for osx and linux - DEF CON...• resume execution as if nothing happened. this instruction updates the freelist and comes from add_freelist: Can’t overwrite it](https://reader033.fdocuments.net/reader033/viewer/2022043004/5f860a26912de663fe3644ea/html5/thumbnails/36.jpg)
objdump% objdump -D /usr/bin/ruby
offsets opcodes instructions helpful metadata
![Page 37: function hooking for osx and linux - DEF CON...• resume execution as if nothing happened. this instruction updates the freelist and comes from add_freelist: Can’t overwrite it](https://reader033.fdocuments.net/reader033/viewer/2022043004/5f860a26912de663fe3644ea/html5/thumbnails/37.jpg)
readelf% readelf -a /usr/bin/ruby
This is a *tiny* subset of the data available
![Page 38: function hooking for osx and linux - DEF CON...• resume execution as if nothing happened. this instruction updates the freelist and comes from add_freelist: Can’t overwrite it](https://reader033.fdocuments.net/reader033/viewer/2022043004/5f860a26912de663fe3644ea/html5/thumbnails/38.jpg)
otool% otool -l /usr/bin/ruby
This is a *tiny* subset of the data available
![Page 39: function hooking for osx and linux - DEF CON...• resume execution as if nothing happened. this instruction updates the freelist and comes from add_freelist: Can’t overwrite it](https://reader033.fdocuments.net/reader033/viewer/2022043004/5f860a26912de663fe3644ea/html5/thumbnails/39.jpg)
nerve.com
![Page 40: function hooking for osx and linux - DEF CON...• resume execution as if nothing happened. this instruction updates the freelist and comes from add_freelist: Can’t overwrite it](https://reader033.fdocuments.net/reader033/viewer/2022043004/5f860a26912de663fe3644ea/html5/thumbnails/40.jpg)
strip• You can strip out whatever sections you
want....
• but your binary may not run.
• you need to leave the dynamic symbol/string tables intact or dynamic linking will not work.
![Page 41: function hooking for osx and linux - DEF CON...• resume execution as if nothing happened. this instruction updates the freelist and comes from add_freelist: Can’t overwrite it](https://reader033.fdocuments.net/reader033/viewer/2022043004/5f860a26912de663fe3644ea/html5/thumbnails/41.jpg)
bassfishin.com
![Page 42: function hooking for osx and linux - DEF CON...• resume execution as if nothing happened. this instruction updates the freelist and comes from add_freelist: Can’t overwrite it](https://reader033.fdocuments.net/reader033/viewer/2022043004/5f860a26912de663fe3644ea/html5/thumbnails/42.jpg)
Calling functions
callq *%rbx
callq 0xdeadbeef
other ways, too...
![Page 43: function hooking for osx and linux - DEF CON...• resume execution as if nothing happened. this instruction updates the freelist and comes from add_freelist: Can’t overwrite it](https://reader033.fdocuments.net/reader033/viewer/2022043004/5f860a26912de663fe3644ea/html5/thumbnails/43.jpg)
anatomy of a call412d16: e8 c1 36 02 00 callq 4363dc # <a_function>
412d1b: .....
address of this instruction
call opcode32bit displacement to the target function from the next instruction.
(objdump output)
![Page 44: function hooking for osx and linux - DEF CON...• resume execution as if nothing happened. this instruction updates the freelist and comes from add_freelist: Can’t overwrite it](https://reader033.fdocuments.net/reader033/viewer/2022043004/5f860a26912de663fe3644ea/html5/thumbnails/44.jpg)
anatomy of a call412d16: e8 c1 36 02 00 callq 4363dc # <a_function>
412d1b: .....
412d1b = 4363dc + 000236c1
(x86 is little endian)
(objdump output)
![Page 45: function hooking for osx and linux - DEF CON...• resume execution as if nothing happened. this instruction updates the freelist and comes from add_freelist: Can’t overwrite it](https://reader033.fdocuments.net/reader033/viewer/2022043004/5f860a26912de663fe3644ea/html5/thumbnails/45.jpg)
Hook a_function
Overwrite the displacement so that all calls to a_function actually call a different function instead.
It may look like this:int other_function() { /* do something good/bad */
/* be sure to call a_function! */ return a_function();}
![Page 46: function hooking for osx and linux - DEF CON...• resume execution as if nothing happened. this instruction updates the freelist and comes from add_freelist: Can’t overwrite it](https://reader033.fdocuments.net/reader033/viewer/2022043004/5f860a26912de663fe3644ea/html5/thumbnails/46.jpg)
codez are easy/* CHILL, it’s fucking psuedo code */
while (are_moar_bytes()) { curr_ins = next_ins; next_ins = get_next_ins(); if (curr_ins->type == INSN_CALL) { if ((hook_me - next_ins) == curr_ins->displacement) { /* found a call hook_me!*/ rewrite(curr_ins->displacement, (replacement_fn - next_ins)); return 0; } }}
... right?.....
![Page 47: function hooking for osx and linux - DEF CON...• resume execution as if nothing happened. this instruction updates the freelist and comes from add_freelist: Can’t overwrite it](https://reader033.fdocuments.net/reader033/viewer/2022043004/5f860a26912de663fe3644ea/html5/thumbnails/47.jpg)
lemur.com
![Page 48: function hooking for osx and linux - DEF CON...• resume execution as if nothing happened. this instruction updates the freelist and comes from add_freelist: Can’t overwrite it](https://reader033.fdocuments.net/reader033/viewer/2022043004/5f860a26912de663fe3644ea/html5/thumbnails/48.jpg)
32bit displacement• overwriting an existing call with another call
• stack will be aligned
• args are good to go
• can’t redirect to code that is outside of:
• [rip + 32bit displacement]
• you can scan the address space looking for an available page with mmap, though...
![Page 49: function hooking for osx and linux - DEF CON...• resume execution as if nothing happened. this instruction updates the freelist and comes from add_freelist: Can’t overwrite it](https://reader033.fdocuments.net/reader033/viewer/2022043004/5f860a26912de663fe3644ea/html5/thumbnails/49.jpg)
Doesn’t work for all
calling a function that is exported by a dynamic library works differently.
![Page 50: function hooking for osx and linux - DEF CON...• resume execution as if nothing happened. this instruction updates the freelist and comes from add_freelist: Can’t overwrite it](https://reader033.fdocuments.net/reader033/viewer/2022043004/5f860a26912de663fe3644ea/html5/thumbnails/50.jpg)
How runtime dynamic linking works (elf)
0x7ffff7afd6e6
.got.plt entry
![Page 51: function hooking for osx and linux - DEF CON...• resume execution as if nothing happened. this instruction updates the freelist and comes from add_freelist: Can’t overwrite it](https://reader033.fdocuments.net/reader033/viewer/2022043004/5f860a26912de663fe3644ea/html5/thumbnails/51.jpg)
How runtime dynamic linking works (elf)
0x7ffff7afd6e6
.got.plt entryInitially, the .got.plt entry contains the address of the instruction after
the jmp.
![Page 52: function hooking for osx and linux - DEF CON...• resume execution as if nothing happened. this instruction updates the freelist and comes from add_freelist: Can’t overwrite it](https://reader033.fdocuments.net/reader033/viewer/2022043004/5f860a26912de663fe3644ea/html5/thumbnails/52.jpg)
How runtime dynamic linking works (elf)
0x7ffff7afd6e6
.got.plt entryAn ID is stored and the rtld is
invoked.
![Page 53: function hooking for osx and linux - DEF CON...• resume execution as if nothing happened. this instruction updates the freelist and comes from add_freelist: Can’t overwrite it](https://reader033.fdocuments.net/reader033/viewer/2022043004/5f860a26912de663fe3644ea/html5/thumbnails/53.jpg)
How runtime dynamic linking works (elf)
0x7ffff7b34ac0
.got.plt entryrtld writes the address of
rb_newobj to the .got.plt entry.
![Page 54: function hooking for osx and linux - DEF CON...• resume execution as if nothing happened. this instruction updates the freelist and comes from add_freelist: Can’t overwrite it](https://reader033.fdocuments.net/reader033/viewer/2022043004/5f860a26912de663fe3644ea/html5/thumbnails/54.jpg)
How runtime dynamic linking works (elf)
0x7ffff7b34ac0
.got.plt entryrtld writes the address of
rb_newobj to the .got.plt entry.
calls to the PLT entry jump immediately to rb_newobj now
that .got.plt is filled in.
![Page 55: function hooking for osx and linux - DEF CON...• resume execution as if nothing happened. this instruction updates the freelist and comes from add_freelist: Can’t overwrite it](https://reader033.fdocuments.net/reader033/viewer/2022043004/5f860a26912de663fe3644ea/html5/thumbnails/55.jpg)
rs.tacklewarehouse.com
![Page 56: function hooking for osx and linux - DEF CON...• resume execution as if nothing happened. this instruction updates the freelist and comes from add_freelist: Can’t overwrite it](https://reader033.fdocuments.net/reader033/viewer/2022043004/5f860a26912de663fe3644ea/html5/thumbnails/56.jpg)
Hook the GOT
Redirect execution by overwriting all the .got.plt entries for rb_newobj in each DSO with a handler function instead.
![Page 57: function hooking for osx and linux - DEF CON...• resume execution as if nothing happened. this instruction updates the freelist and comes from add_freelist: Can’t overwrite it](https://reader033.fdocuments.net/reader033/viewer/2022043004/5f860a26912de663fe3644ea/html5/thumbnails/57.jpg)
0xdeadbeef
.got.plt entryVALUE other_function() { new_obj = rb_newobj(); /* do something with new_obj */ return new_obj;}
Hook the GOT
NO, it isn’t. other_function() lives in it’s own DSO, so its calls to rb_newobj() use the .plt/.got.plt in its own DSO.
As long as we leave other_function()‘s DSO unmodified, we’ll avoid an infinite loop.
WAIT... other_function() calls rb_newobj() isn’t that an infinite loop?
![Page 58: function hooking for osx and linux - DEF CON...• resume execution as if nothing happened. this instruction updates the freelist and comes from add_freelist: Can’t overwrite it](https://reader033.fdocuments.net/reader033/viewer/2022043004/5f860a26912de663fe3644ea/html5/thumbnails/58.jpg)
vanachteren.net
![Page 59: function hooking for osx and linux - DEF CON...• resume execution as if nothing happened. this instruction updates the freelist and comes from add_freelist: Can’t overwrite it](https://reader033.fdocuments.net/reader033/viewer/2022043004/5f860a26912de663fe3644ea/html5/thumbnails/59.jpg)
tlaneve.files.wordpress.com
![Page 60: function hooking for osx and linux - DEF CON...• resume execution as if nothing happened. this instruction updates the freelist and comes from add_freelist: Can’t overwrite it](https://reader033.fdocuments.net/reader033/viewer/2022043004/5f860a26912de663fe3644ea/html5/thumbnails/60.jpg)
elf
mach-o
me
![Page 61: function hooking for osx and linux - DEF CON...• resume execution as if nothing happened. this instruction updates the freelist and comes from add_freelist: Can’t overwrite it](https://reader033.fdocuments.net/reader033/viewer/2022043004/5f860a26912de663fe3644ea/html5/thumbnails/61.jpg)
what else is left?
inline functions.
![Page 62: function hooking for osx and linux - DEF CON...• resume execution as if nothing happened. this instruction updates the freelist and comes from add_freelist: Can’t overwrite it](https://reader033.fdocuments.net/reader033/viewer/2022043004/5f860a26912de663fe3644ea/html5/thumbnails/62.jpg)
add_freelist• Can’t hook because add_freelist is inlined:
static inline voidadd_freelist(p) RVALUE *p;{ p->as.free.flags = 0; p->as.free.next = freelist; freelist = p;}
• The compiler has the option of inserting the instructions of this function directly into the callers.
• If this happens, you won’t see any calls.
![Page 63: function hooking for osx and linux - DEF CON...• resume execution as if nothing happened. this instruction updates the freelist and comes from add_freelist: Can’t overwrite it](https://reader033.fdocuments.net/reader033/viewer/2022043004/5f860a26912de663fe3644ea/html5/thumbnails/63.jpg)
So... what now?• Look carefully at the code:
static inline voidadd_freelist(p) RVALUE *p;{ p->as.free.flags = 0; p->as.free.next = freelist; freelist = p;}
• Notice that freelist gets updated.
• freelist has file level scope.
• hmmmm......
![Page 64: function hooking for osx and linux - DEF CON...• resume execution as if nothing happened. this instruction updates the freelist and comes from add_freelist: Can’t overwrite it](https://reader033.fdocuments.net/reader033/viewer/2022043004/5f860a26912de663fe3644ea/html5/thumbnails/64.jpg)
A (stupid) crazy idea• freelist has file level scope and lives at some
static address.
• add_freelist updates freelist, so...
• Why not search the binary for mov instructions that have freelist as the target!
• Overwrite that mov instruction with a call to our code!
• But... we have a problem.
• The system isn’t ready for a call instruction.
![Page 65: function hooking for osx and linux - DEF CON...• resume execution as if nothing happened. this instruction updates the freelist and comes from add_freelist: Can’t overwrite it](https://reader033.fdocuments.net/reader033/viewer/2022043004/5f860a26912de663fe3644ea/html5/thumbnails/65.jpg)
alignment
thomasgroup.com
![Page 66: function hooking for osx and linux - DEF CON...• resume execution as if nothing happened. this instruction updates the freelist and comes from add_freelist: Can’t overwrite it](https://reader033.fdocuments.net/reader033/viewer/2022043004/5f860a26912de663fe3644ea/html5/thumbnails/66.jpg)
calling convention
arianlim.wordpress.com
![Page 67: function hooking for osx and linux - DEF CON...• resume execution as if nothing happened. this instruction updates the freelist and comes from add_freelist: Can’t overwrite it](https://reader033.fdocuments.net/reader033/viewer/2022043004/5f860a26912de663fe3644ea/html5/thumbnails/67.jpg)
Isn’t ready? What?• The 64bit ABI says that the stack must be
aligned to a 16byte boundary after any/all arguments have been arranged.
• Since the overwrite is just some random mov, no way to guarantee that the stack is aligned.
• If we just plop in a call instruction, we won’t be able to arrange for arguments to get put in the right registers.
• So now what?
![Page 68: function hooking for osx and linux - DEF CON...• resume execution as if nothing happened. this instruction updates the freelist and comes from add_freelist: Can’t overwrite it](https://reader033.fdocuments.net/reader033/viewer/2022043004/5f860a26912de663fe3644ea/html5/thumbnails/68.jpg)
jmp
• Can use a jmp instruction.
• Transfer execution to an assembly stub generated at runtime.
• recreate the overwritten instruction
• set the system up to call a function
• do something good/bad
• jmp back when done to resume execution
![Page 69: function hooking for osx and linux - DEF CON...• resume execution as if nothing happened. this instruction updates the freelist and comes from add_freelist: Can’t overwrite it](https://reader033.fdocuments.net/reader033/viewer/2022043004/5f860a26912de663fe3644ea/html5/thumbnails/69.jpg)
picasaweb.google.com/lh/photo/-R3BPlqOq8MfQGFTduIqCA
![Page 70: function hooking for osx and linux - DEF CON...• resume execution as if nothing happened. this instruction updates the freelist and comes from add_freelist: Can’t overwrite it](https://reader033.fdocuments.net/reader033/viewer/2022043004/5f860a26912de663fe3644ea/html5/thumbnails/70.jpg)
checklist• save and restore caller/callee saved
registers.
• align the stack.
• recreate what was overwritten.
• arrange for any arguments your replacement function needs to end up in registers.
• invoke your code.
• resume execution as if nothing happened.
![Page 71: function hooking for osx and linux - DEF CON...• resume execution as if nothing happened. this instruction updates the freelist and comes from add_freelist: Can’t overwrite it](https://reader033.fdocuments.net/reader033/viewer/2022043004/5f860a26912de663fe3644ea/html5/thumbnails/71.jpg)
this instruction updates the freelist and comes from add_freelist:
Can’t overwrite it with a call instruction because the state of the system is not ready for a function call.
The jmp instruction and its offset are 5 bytes wide.Can’t grow or shrink the binary, so insert 2 one byte
NOPs.
address of assembly stub
![Page 72: function hooking for osx and linux - DEF CON...• resume execution as if nothing happened. this instruction updates the freelist and comes from add_freelist: Can’t overwrite it](https://reader033.fdocuments.net/reader033/viewer/2022043004/5f860a26912de663fe3644ea/html5/thumbnails/72.jpg)
this instruction updates the freelist and comes from add_freelist:
Can’t overwrite it with a call instruction because the state of the system is not ready for a function call.
The jmp instruction and its offset are 5 bytes wide.Can’t grow or shrink the binary, so insert 2 one byte
NOPs.
must jump back here
![Page 73: function hooking for osx and linux - DEF CON...• resume execution as if nothing happened. this instruction updates the freelist and comes from add_freelist: Can’t overwrite it](https://reader033.fdocuments.net/reader033/viewer/2022043004/5f860a26912de663fe3644ea/html5/thumbnails/73.jpg)
shortened assembly stub
![Page 74: function hooking for osx and linux - DEF CON...• resume execution as if nothing happened. this instruction updates the freelist and comes from add_freelist: Can’t overwrite it](https://reader033.fdocuments.net/reader033/viewer/2022043004/5f860a26912de663fe3644ea/html5/thumbnails/74.jpg)
shortened assembly stub
void handler(VALUE freed_object) { mark_object_freed(freed_object); return;}
![Page 75: function hooking for osx and linux - DEF CON...• resume execution as if nothing happened. this instruction updates the freelist and comes from add_freelist: Can’t overwrite it](https://reader033.fdocuments.net/reader033/viewer/2022043004/5f860a26912de663fe3644ea/html5/thumbnails/75.jpg)
and it actually works.
gem install memprofhttp://github.com/ice799/memprof
![Page 76: function hooking for osx and linux - DEF CON...• resume execution as if nothing happened. this instruction updates the freelist and comes from add_freelist: Can’t overwrite it](https://reader033.fdocuments.net/reader033/viewer/2022043004/5f860a26912de663fe3644ea/html5/thumbnails/76.jpg)
listverse.files.wordpress.com
![Page 77: function hooking for osx and linux - DEF CON...• resume execution as if nothing happened. this instruction updates the freelist and comes from add_freelist: Can’t overwrite it](https://reader033.fdocuments.net/reader033/viewer/2022043004/5f860a26912de663fe3644ea/html5/thumbnails/77.jpg)
Sample Outputrequire 'memprof'Memprof.startrequire "stringio"StringIO.newMemprof.stats
108 /custom/ree/lib/ruby/1.8/x86_64-linux/stringio.so:0:__node__ 14 test2.rb:3:String 2 /custom/ree/lib/ruby/1.8/x86_64-linux/stringio.so:0:Class 1 test2.rb:4:StringIO 1 test2.rb:4:String 1 test2.rb:3:Array 1 /custom/ree/lib/ruby/1.8/x86_64-linux/stringio.so:0:Enumerable
![Page 78: function hooking for osx and linux - DEF CON...• resume execution as if nothing happened. this instruction updates the freelist and comes from add_freelist: Can’t overwrite it](https://reader033.fdocuments.net/reader033/viewer/2022043004/5f860a26912de663fe3644ea/html5/thumbnails/78.jpg)
a web-based heap visualizer and leak analyzermemprof.com
![Page 79: function hooking for osx and linux - DEF CON...• resume execution as if nothing happened. this instruction updates the freelist and comes from add_freelist: Can’t overwrite it](https://reader033.fdocuments.net/reader033/viewer/2022043004/5f860a26912de663fe3644ea/html5/thumbnails/79.jpg)
memprof.coma web-based heap visualizer and leak analyzer
![Page 80: function hooking for osx and linux - DEF CON...• resume execution as if nothing happened. this instruction updates the freelist and comes from add_freelist: Can’t overwrite it](https://reader033.fdocuments.net/reader033/viewer/2022043004/5f860a26912de663fe3644ea/html5/thumbnails/80.jpg)
a web-based heap visualizer and leak analyzermemprof.com
![Page 81: function hooking for osx and linux - DEF CON...• resume execution as if nothing happened. this instruction updates the freelist and comes from add_freelist: Can’t overwrite it](https://reader033.fdocuments.net/reader033/viewer/2022043004/5f860a26912de663fe3644ea/html5/thumbnails/81.jpg)
memprof.coma web-based heap visualizer and leak analyzer
![Page 82: function hooking for osx and linux - DEF CON...• resume execution as if nothing happened. this instruction updates the freelist and comes from add_freelist: Can’t overwrite it](https://reader033.fdocuments.net/reader033/viewer/2022043004/5f860a26912de663fe3644ea/html5/thumbnails/82.jpg)
memprof.coma web-based heap visualizer and leak analyzer
![Page 83: function hooking for osx and linux - DEF CON...• resume execution as if nothing happened. this instruction updates the freelist and comes from add_freelist: Can’t overwrite it](https://reader033.fdocuments.net/reader033/viewer/2022043004/5f860a26912de663fe3644ea/html5/thumbnails/83.jpg)
memprof.coma web-based heap visualizer and leak analyzer
![Page 84: function hooking for osx and linux - DEF CON...• resume execution as if nothing happened. this instruction updates the freelist and comes from add_freelist: Can’t overwrite it](https://reader033.fdocuments.net/reader033/viewer/2022043004/5f860a26912de663fe3644ea/html5/thumbnails/84.jpg)
community.devexpress.com
![Page 85: function hooking for osx and linux - DEF CON...• resume execution as if nothing happened. this instruction updates the freelist and comes from add_freelist: Can’t overwrite it](https://reader033.fdocuments.net/reader033/viewer/2022043004/5f860a26912de663fe3644ea/html5/thumbnails/85.jpg)
config.middleware.use(Memprof::Tracer)
{ "time": 4.3442,
"rails": { "controller": "test", "action": "index" },
"request": { "REQUEST_PATH": "/test,, "REQUEST_METHOD": "GET" },
total time for request
rails controller/action
request env info
![Page 86: function hooking for osx and linux - DEF CON...• resume execution as if nothing happened. this instruction updates the freelist and comes from add_freelist: Can’t overwrite it](https://reader033.fdocuments.net/reader033/viewer/2022043004/5f860a26912de663fe3644ea/html5/thumbnails/86.jpg)
"mysql": { "queries": 3, "time": 0.00109302 },
"gc": { "calls": 8, "time": 2.04925 },
config.middleware.use(Memprof::Tracer)
8 calls to GC2 secs spent in GC
3 mysql queries
![Page 87: function hooking for osx and linux - DEF CON...• resume execution as if nothing happened. this instruction updates the freelist and comes from add_freelist: Can’t overwrite it](https://reader033.fdocuments.net/reader033/viewer/2022043004/5f860a26912de663fe3644ea/html5/thumbnails/87.jpg)
"objects": { "created": 3911103, "types": { "none": 1168831, "object": 1127, "float": 627, "string": 1334637, "array": 609313, "hash": 3676, "match": 70211 } }}
config.middleware.use(Memprof::Tracer)
3 million objs created
lots of strings
lots of arrays
regexp matches
object instances
1 million method calls
![Page 88: function hooking for osx and linux - DEF CON...• resume execution as if nothing happened. this instruction updates the freelist and comes from add_freelist: Can’t overwrite it](https://reader033.fdocuments.net/reader033/viewer/2022043004/5f860a26912de663fe3644ea/html5/thumbnails/88.jpg)
smiley-faces.org
![Page 89: function hooking for osx and linux - DEF CON...• resume execution as if nothing happened. this instruction updates the freelist and comes from add_freelist: Can’t overwrite it](https://reader033.fdocuments.net/reader033/viewer/2022043004/5f860a26912de663fe3644ea/html5/thumbnails/89.jpg)
mindfulsecurity.com
![Page 90: function hooking for osx and linux - DEF CON...• resume execution as if nothing happened. this instruction updates the freelist and comes from add_freelist: Can’t overwrite it](https://reader033.fdocuments.net/reader033/viewer/2022043004/5f860a26912de663fe3644ea/html5/thumbnails/90.jpg)
evil liveshttp://github.com/ice799/memprof/tree/dnw
• makes ruby faster!11!!1
• hooks read syscall
• looks for magic cookie (JOE)
• turns off GC
• Ruby is fast.
![Page 91: function hooking for osx and linux - DEF CON...• resume execution as if nothing happened. this instruction updates the freelist and comes from add_freelist: Can’t overwrite it](https://reader033.fdocuments.net/reader033/viewer/2022043004/5f860a26912de663fe3644ea/html5/thumbnails/91.jpg)
it makes ruby faster!!1!
look a bullshit benchmark!
![Page 92: function hooking for osx and linux - DEF CON...• resume execution as if nothing happened. this instruction updates the freelist and comes from add_freelist: Can’t overwrite it](https://reader033.fdocuments.net/reader033/viewer/2022043004/5f860a26912de663fe3644ea/html5/thumbnails/92.jpg)
it makes ruby faster!!1!#NORMAL RUBY!!!!11!!
[joe@mawu:/Users/joe/code/defcon/memprof/ext]% ab -c 10 -n 200 http://blah:4567/hi/JOE
Benchmarking blah (be patient)Completed 100 requestsCompleted 200 requestsFinished 200 requests
Concurrency Level: 10Time taken for tests: 7.462 secondsComplete requests: 200Failed requests: 0Write errors: 0Requests per second: 26.80 [#/sec] (mean)Time per request: 373.108 [ms] (mean)Time per request: 37.311 [ms] (mean, across all concurrent requests)
![Page 93: function hooking for osx and linux - DEF CON...• resume execution as if nothing happened. this instruction updates the freelist and comes from add_freelist: Can’t overwrite it](https://reader033.fdocuments.net/reader033/viewer/2022043004/5f860a26912de663fe3644ea/html5/thumbnails/93.jpg)
it makes ruby faster!!1!# fast0r RUBY!!!11!111[joe@mawu:/Users/joe/code/defcon]% ab -c 10 -n 200 http://blah:4567/hi/JOE
Benchmarking blah (be patient)Completed 100 requestsCompleted 200 requestsFinished 200 requests
Concurrency Level: 10Time taken for tests: 6.594 secondsComplete requests: 200Failed requests: 0Write errors: 0Requests per second: 30.33 [#/sec] (mean)Time per request: 329.708 [ms] (mean)Time per request: 32.971 [ms] (mean, across all concurrent requests)
![Page 94: function hooking for osx and linux - DEF CON...• resume execution as if nothing happened. this instruction updates the freelist and comes from add_freelist: Can’t overwrite it](https://reader033.fdocuments.net/reader033/viewer/2022043004/5f860a26912de663fe3644ea/html5/thumbnails/94.jpg)
you can do anything
• this example is stupid, but you can do anything.
• hook read/write and phone home with data.
• fork a backdoor when a specific cookie is seen
• whatever
![Page 95: function hooking for osx and linux - DEF CON...• resume execution as if nothing happened. this instruction updates the freelist and comes from add_freelist: Can’t overwrite it](https://reader033.fdocuments.net/reader033/viewer/2022043004/5f860a26912de663fe3644ea/html5/thumbnails/95.jpg)
break.com
![Page 96: function hooking for osx and linux - DEF CON...• resume execution as if nothing happened. this instruction updates the freelist and comes from add_freelist: Can’t overwrite it](https://reader033.fdocuments.net/reader033/viewer/2022043004/5f860a26912de663fe3644ea/html5/thumbnails/96.jpg)
zanyvideos.com
![Page 97: function hooking for osx and linux - DEF CON...• resume execution as if nothing happened. this instruction updates the freelist and comes from add_freelist: Can’t overwrite it](https://reader033.fdocuments.net/reader033/viewer/2022043004/5f860a26912de663fe3644ea/html5/thumbnails/97.jpg)
injectso
• written by Shaun Clowes
• injects libraries into running processes using ptrace(2).
• super clever hack!
![Page 98: function hooking for osx and linux - DEF CON...• resume execution as if nothing happened. this instruction updates the freelist and comes from add_freelist: Can’t overwrite it](https://reader033.fdocuments.net/reader033/viewer/2022043004/5f860a26912de663fe3644ea/html5/thumbnails/98.jpg)
hockeydrunk.com
![Page 99: function hooking for osx and linux - DEF CON...• resume execution as if nothing happened. this instruction updates the freelist and comes from add_freelist: Can’t overwrite it](https://reader033.fdocuments.net/reader033/viewer/2022043004/5f860a26912de663fe3644ea/html5/thumbnails/99.jpg)
injecting live processes
• ptrace(2)
• allows you to view and modify the register set and address space of another process
• permissions on memory are ignored
![Page 100: function hooking for osx and linux - DEF CON...• resume execution as if nothing happened. this instruction updates the freelist and comes from add_freelist: Can’t overwrite it](https://reader033.fdocuments.net/reader033/viewer/2022043004/5f860a26912de663fe3644ea/html5/thumbnails/100.jpg)
fucking injectso, how does it work?
• attach to target process using ptrace
• save a copy of a small piece of the program stack.
• save a copy of the register set
• create a fake stack frame with a saved return address of 0
![Page 101: function hooking for osx and linux - DEF CON...• resume execution as if nothing happened. this instruction updates the freelist and comes from add_freelist: Can’t overwrite it](https://reader033.fdocuments.net/reader033/viewer/2022043004/5f860a26912de663fe3644ea/html5/thumbnails/101.jpg)
fucking injectso, how does it work?• set register set to point at dlopen
• rip = &dlopen
• rdi = dso name
• rsi = mode
• let er rip, waitpid and it’ll segfault on return to 0.
• restore stack, register set, resume as normal.
![Page 102: function hooking for osx and linux - DEF CON...• resume execution as if nothing happened. this instruction updates the freelist and comes from add_freelist: Can’t overwrite it](https://reader033.fdocuments.net/reader033/viewer/2022043004/5f860a26912de663fe3644ea/html5/thumbnails/102.jpg)
ptrace evil dso• remote allocating
memory is a pain in the ass.
• generating segfaults in running processes might be bad (core dumps, etc).
• binary patching is hard, doing it with ptrace is harder.
• getting the user to use your library might be hard.
• already running processes will need to be killed first.
• need to poison each time app is started.
• binary patching is hard.
![Page 103: function hooking for osx and linux - DEF CON...• resume execution as if nothing happened. this instruction updates the freelist and comes from add_freelist: Can’t overwrite it](https://reader033.fdocuments.net/reader033/viewer/2022043004/5f860a26912de663fe3644ea/html5/thumbnails/103.jpg)
realmofraven.com
![Page 104: function hooking for osx and linux - DEF CON...• resume execution as if nothing happened. this instruction updates the freelist and comes from add_freelist: Can’t overwrite it](https://reader033.fdocuments.net/reader033/viewer/2022043004/5f860a26912de663fe3644ea/html5/thumbnails/104.jpg)
combine ‘em
• use injectso hack to load an evil dso
• evil dso will take it from there
![Page 105: function hooking for osx and linux - DEF CON...• resume execution as if nothing happened. this instruction updates the freelist and comes from add_freelist: Can’t overwrite it](https://reader033.fdocuments.net/reader033/viewer/2022043004/5f860a26912de663fe3644ea/html5/thumbnails/105.jpg)
64bit injectso port• ported by Stealth
• http://c-skills.blogspot.com/2007/05/injectso.html
• i did some trivial cleanup and put the codez on github
• http://github.com/ice799/injectso64
• tested it on 64bit ubuntu VM, works.
![Page 106: function hooking for osx and linux - DEF CON...• resume execution as if nothing happened. this instruction updates the freelist and comes from add_freelist: Can’t overwrite it](https://reader033.fdocuments.net/reader033/viewer/2022043004/5f860a26912de663fe3644ea/html5/thumbnails/106.jpg)
injectso +
evil-binary-patching-dso
customdynamics.com
![Page 107: function hooking for osx and linux - DEF CON...• resume execution as if nothing happened. this instruction updates the freelist and comes from add_freelist: Can’t overwrite it](https://reader033.fdocuments.net/reader033/viewer/2022043004/5f860a26912de663fe3644ea/html5/thumbnails/107.jpg)
customdynamics.com
![Page 108: function hooking for osx and linux - DEF CON...• resume execution as if nothing happened. this instruction updates the freelist and comes from add_freelist: Can’t overwrite it](https://reader033.fdocuments.net/reader033/viewer/2022043004/5f860a26912de663fe3644ea/html5/thumbnails/108.jpg)
buycostumes.com
![Page 109: function hooking for osx and linux - DEF CON...• resume execution as if nothing happened. this instruction updates the freelist and comes from add_freelist: Can’t overwrite it](https://reader033.fdocuments.net/reader033/viewer/2022043004/5f860a26912de663fe3644ea/html5/thumbnails/109.jpg)
emeraldinsight.com
![Page 110: function hooking for osx and linux - DEF CON...• resume execution as if nothing happened. this instruction updates the freelist and comes from add_freelist: Can’t overwrite it](https://reader033.fdocuments.net/reader033/viewer/2022043004/5f860a26912de663fe3644ea/html5/thumbnails/110.jpg)
how to defend against it• NX bit - call mprotect
• strip debug information - mostly prebuilt binaries
• statically link everything - extremely large binaries
• put all .text code in ROM - maybe?
• don’t load DSOs at runtime - no plugins, though
• disable ptrace - no gdb/strace.
• check /proc/<pid>/maps - word.
![Page 111: function hooking for osx and linux - DEF CON...• resume execution as if nothing happened. this instruction updates the freelist and comes from add_freelist: Can’t overwrite it](https://reader033.fdocuments.net/reader033/viewer/2022043004/5f860a26912de663fe3644ea/html5/thumbnails/111.jpg)
slashgear.com
![Page 112: function hooking for osx and linux - DEF CON...• resume execution as if nothing happened. this instruction updates the freelist and comes from add_freelist: Can’t overwrite it](https://reader033.fdocuments.net/reader033/viewer/2022043004/5f860a26912de663fe3644ea/html5/thumbnails/112.jpg)
my future research: exploring alternative
binary formats.
![Page 113: function hooking for osx and linux - DEF CON...• resume execution as if nothing happened. this instruction updates the freelist and comes from add_freelist: Can’t overwrite it](https://reader033.fdocuments.net/reader033/viewer/2022043004/5f860a26912de663fe3644ea/html5/thumbnails/113.jpg)
slayerinc.com
![Page 114: function hooking for osx and linux - DEF CON...• resume execution as if nothing happened. this instruction updates the freelist and comes from add_freelist: Can’t overwrite it](https://reader033.fdocuments.net/reader033/viewer/2022043004/5f860a26912de663fe3644ea/html5/thumbnails/114.jpg)
globalhealthandfitness.com
![Page 115: function hooking for osx and linux - DEF CON...• resume execution as if nothing happened. this instruction updates the freelist and comes from add_freelist: Can’t overwrite it](https://reader033.fdocuments.net/reader033/viewer/2022043004/5f860a26912de663fe3644ea/html5/thumbnails/115.jpg)
alignment
thomasgroup.com
![Page 116: function hooking for osx and linux - DEF CON...• resume execution as if nothing happened. this instruction updates the freelist and comes from add_freelist: Can’t overwrite it](https://reader033.fdocuments.net/reader033/viewer/2022043004/5f860a26912de663fe3644ea/html5/thumbnails/116.jpg)
calling convention
arianlim.wordpress.com
![Page 117: function hooking for osx and linux - DEF CON...• resume execution as if nothing happened. this instruction updates the freelist and comes from add_freelist: Can’t overwrite it](https://reader033.fdocuments.net/reader033/viewer/2022043004/5f860a26912de663fe3644ea/html5/thumbnails/117.jpg)
object file and library formats
tandemfs.org
![Page 118: function hooking for osx and linux - DEF CON...• resume execution as if nothing happened. this instruction updates the freelist and comes from add_freelist: Can’t overwrite it](https://reader033.fdocuments.net/reader033/viewer/2022043004/5f860a26912de663fe3644ea/html5/thumbnails/118.jpg)
questions?joe damato
@joedamatotimetobleed.com
http://timetobleed.com/string-together-global-offset-tables-to-build-a-ruby-memory-profiler/http://timetobleed.com/hot-patching-inlined-functions-with-x86_64-asm-metaprogramming/http://timetobleed.com/rewrite-your-ruby-vm-at-runtime-to-hot-patch-useful-features/http://timetobleed.com/dynamic-linking-elf-vs-mach-o/http://timetobleed.com/dynamic-symbol-table-duel-elf-vs-mach-o-round-2/
![Page 119: function hooking for osx and linux - DEF CON...• resume execution as if nothing happened. this instruction updates the freelist and comes from add_freelist: Can’t overwrite it](https://reader033.fdocuments.net/reader033/viewer/2022043004/5f860a26912de663fe3644ea/html5/thumbnails/119.jpg)
tallteacher.files.wordpress.com
![Page 120: function hooking for osx and linux - DEF CON...• resume execution as if nothing happened. this instruction updates the freelist and comes from add_freelist: Can’t overwrite it](https://reader033.fdocuments.net/reader033/viewer/2022043004/5f860a26912de663fe3644ea/html5/thumbnails/120.jpg)
“Interesting Behavior of OS X”
• Steven Edwards ([email protected])
• november 29 2007
• http://www.winehq.org/pipermail/wine-devel/2007-November/060846.html
![Page 121: function hooking for osx and linux - DEF CON...• resume execution as if nothing happened. this instruction updates the freelist and comes from add_freelist: Can’t overwrite it](https://reader033.fdocuments.net/reader033/viewer/2022043004/5f860a26912de663fe3644ea/html5/thumbnails/121.jpg)
leopard has a pe loader?
handle = dlopen("./procexp.exe", RTLD_NOW | RTLD_FIRST );
steven-edwardss-imac:temp sedwards$ ./a.outdlopen(./procexp.exe, 258): Library not loaded: WS2_32.dll Referenced from: /Users/sedwards/Library/ApplicationSupport/CrossOver/Bottles/winetest/drive_c/windows/temp/procexp.exe Reason: image not found
![Page 122: function hooking for osx and linux - DEF CON...• resume execution as if nothing happened. this instruction updates the freelist and comes from add_freelist: Can’t overwrite it](https://reader033.fdocuments.net/reader033/viewer/2022043004/5f860a26912de663fe3644ea/html5/thumbnails/122.jpg)
cfs2.tistory.com