Sunday, October 23, 2011

Library preloading for reverse engineering

  Many times when reversing a dynamically linked executable, it helps to know when calls to certain library functions are made, and/or to alter their behaviour, in a faster and more elegant way than patching the executable itself.
Library preloading is a great feature that lets us inject functions from our own shared library into a program so that they override the functions of the same name in the libraries it normally uses.

  Let's take Wireshark as an example.

  ldd is a tool that outputs a program's dynamically linked dependencies, known as shared objects (.so) on *nix systems.
[email protected]:~$ ldd /usr/bin/wireshark =>  (0x00007fff3f7ff000) => /usr/lib/wireshark/ (0x00007f4b095b5000) => /usr/lib/wireshark/ (0x00007f4b060d9000)
    ... => /lib/x86_64-linux-gnu/ (0x00007f4b03d57000)
Better yet, instead of replacing a whole library, we can override just one or a few functions.
Let's replace getenv, the stdlib.h function that returns the value of an environment variable. We reuse the original source code of getenv and only add a printf at the beginning that shows us which variable is being looked up.
char *getenv(const char *name)
We then compile it, explicitly telling gcc that we want a shared object (-shared -fPIC).
[email protected]:~/space$ gcc -shared -fPIC mygetenv.c -o 
[email protected]:~/space$ file
space/ ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, not stripped
and finally we use the environment variable LD_PRELOAD to preload our shared object: the dynamic linker loads the objects listed there before every other library, so their symbols are the ones the program resolves to.
[email protected]:~/space$ /usr/bin/wireshark
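The whole procedure above, collected into one file as an added example (this is my own code, not the post's mygetenv.c): a replacement getenv that logs every lookup and then does what the real one does, walking environ for "NAME=value". The file name mygetenv.so and the lookup counter getenv_lookups() are my assumptions; the build and LD_PRELOAD invocation are in the header comment. One caveat worth knowing on both sides of the table: the dynamic linker ignores LD_PRELOAD for setuid/setgid programs (secure-execution mode), so this trick only works on binaries that run with your own privileges.

```c
/* mygetenv.c -- added example, not the post's own file.
 * A drop-in getenv that logs every lookup, then behaves like libc's:
 * scan the process environment for "NAME=value" and return the value part.
 *
 * Build: gcc -shared -fPIC mygetenv.c -o mygetenv.so
 * Use:   LD_PRELOAD=./mygetenv.so /usr/bin/wireshark
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

extern char **environ;          /* the process environment, as libc sees it */

static unsigned long lookups;   /* how many times the program asked for a variable */

/* Assumed helper (not part of the post): lets a caller check the counter. */
unsigned long getenv_lookups(void)
{
    return lookups;
}

/* Same contract as stdlib's getenv: return a pointer to the value part of
 * "NAME=value", or NULL when NAME is not set. The only addition is the log
 * line, written to stderr so it does not mix with the program's own stdout. */
char *getenv(const char *name)
{
    lookups++;
    fprintf(stderr, "[preload] getenv(\"%s\")\n", name ? name : "(null)");

    /* Invalid names never match, just like in libc. */
    if (name == NULL || *name == '\0' || strchr(name, '=') != NULL)
        return NULL;

    size_t len = strlen(name);
    for (char **ep = environ; ep != NULL && *ep != NULL; ep++) {
        if (strncmp(*ep, name, len) == 0 && (*ep)[len] == '=')
            return *ep + len + 1;   /* point just past the '=' */
    }
    return NULL;
}
```

Because the replacement keeps getenv's exact contract, the target program cannot tell the difference; the only visible effect is the log line on stderr for each lookup, which is exactly the information we wanted while reversing.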
That's it! There are many variants and uses of this technique that could prove useful in many situations.
