FergusInLondon · September 24, 2021 16:20 · FergusInLondon · Mar 28, 2017
diff --git a/filesnooper.c b/filesnooper.c
 /* filesnooper.c - Fergus In London <[email protected]>
 *
 * Similar to snoopy.c, wrote to scratch an itch and demonstrate how LD_PRELOAD
 *  can be used for injecting code and/or hooking/wrapping around function calls.
 *
 * This is actually a good example, because if you try and use it with different
 *  ways of writing files, you'll see that to actually do this effectively you'd
 *  need to examine the target binary with strace, and potentially implement
 *  signatures from other libraries. (i.e a binary calling fprintf() may not be
 *  be effected by this.)
 */

 #define _GNU_SOURCE
 #include <dlfcn.h>
 #include <stdio.h>
 #include <string.h>
 #include <unistd.h>

 #define MAX_FILE_PATH 255
 #define FILE_TARGET "secret.txt"

 static ssize_t (*real_write)(int fd, const void *buf, size_t count) = NULL;

 ssize_t write(int fildes, const void *buf, size_t nbytes) {
 // Ignore STDOUT and STDERR
    if (fildes < 3){
        goto passthrough;
    }

 // Determine filepath via the file descriptor
    char linkpath[MAX_FILE_PATH];
    sprintf(linkpath, "/proc/self/fd/%d", fildes);
    char filepath[MAX_FILE_PATH];
    ssize_t pathLength = readlink(linkpath, filepath, MAX_FILE_PATH);

 // Check that the path is valid and readlink worked, additionally check filename
    if ((pathLength < 0) || (strstr(filepath, FILE_TARGET) == NULL)){
        goto passthrough;
    }

 // Filename matches, so log out buffer.
    printf("Looks like we got ourselves a secret here...\n");
    printf("[Message] %s\n", buf);

 passthrough:
    if (real_write == NULL) real_write = dlsym(RTLD_NEXT, "write");
    real_write(fildes, buf, nbytes);
 }
diff --git a/test.c b/test.c
 /* test.c - example target for filesnooper.c */

 #include <unistd.h>
 #include <fcntl.h>

 int main(int argc, char **argv) {
    int sec_desc = open("/tmp/secret.txt", O_WRONLY | O_APPEND);
    int std_desc = open("/tmp/boring.txt", O_WRONLY | O_APPEND);

    write(sec_desc, "This is a secret.\n", 36);
    write(std_desc, "This is a NOT a secret.\n", 36);

    return 0;
 }
	/* filesnooper.c - Fergus In London <[email protected]>
	*
	* Similar to snoopy.c, wrote to scratch an itch and demonstrate how LD_PRELOAD
	* can be used for injecting code and/or hooking/wrapping around function calls.
	*
	* This is actually a good example, because if you try and use it with different
	* ways of writing files, you'll see that to actually do this effectively you'd
	* need to examine the target binary with strace, and potentially implement
	* signatures from other libraries. (i.e a binary calling fprintf() may not be
	* be effected by this.)
	*/

	#define _GNU_SOURCE
	#include <dlfcn.h>
	#include <stdio.h>
	#include <string.h>
	#include <unistd.h>

	#define MAX_FILE_PATH 255
	#define FILE_TARGET "secret.txt"

	static ssize_t (real_write)(int fd, const void buf, size_t count) = NULL;

	ssize_t write(int fildes, const void *buf, size_t nbytes) {
	// Ignore STDOUT and STDERR
	if (fildes < 3){
	goto passthrough;
	}

	// Determine filepath via the file descriptor
	char linkpath[MAX_FILE_PATH];
	sprintf(linkpath, "/proc/self/fd/%d", fildes);
	char filepath[MAX_FILE_PATH];
	ssize_t pathLength = readlink(linkpath, filepath, MAX_FILE_PATH);

	// Check that the path is valid and readlink worked, additionally check filename
	if ((pathLength < 0) \|\| (strstr(filepath, FILE_TARGET) == NULL)){
	goto passthrough;
	}

	// Filename matches, so log out buffer.
	printf("Looks like we got ourselves a secret here...\n");
	printf("[Message] %s\n", buf);

	passthrough:
	if (real_write == NULL) real_write = dlsym(RTLD_NEXT, "write");
	real_write(fildes, buf, nbytes);
	}
	/* test.c - example target for filesnooper.c */

	#include <unistd.h>
	#include <fcntl.h>

	int main(int argc, char **argv) {
	int sec_desc = open("/tmp/secret.txt", O_WRONLY \| O_APPEND);
	int std_desc = open("/tmp/boring.txt", O_WRONLY \| O_APPEND);

	write(sec_desc, "This is a secret.\n", 36);
	write(std_desc, "This is a NOT a secret.\n", 36);

	return 0;
	}