Created
February 15, 2016 12:15
-
-
Save primiano/d14bb1b5693ce5422f7b to your computer and use it in GitHub Desktop.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #define _GNU_SOURCE | |
| #include <stddef.h> | |
| #include <sys/mman.h> | |
| #include <dlfcn.h> | |
| #include <string.h> | |
| #define ALIAS(tc_fn) __attribute__ ((alias (#tc_fn))) | |
| #define EXPORT __attribute__((visibility("default"))) | |
| typedef void* (*mmap_t)(void*, size_t, int, int, int, off_t); | |
| static void print(const char* msg) { | |
| write(2, msg, strlen(msg) + 1); | |
| } | |
| static void* die() { | |
| print("DIE MALLOC DIE\n"); | |
| *(volatile int*)(0) = 42; | |
| return NULL; | |
| } | |
| EXPORT void* malloc(size_t size) { return die(); } | |
| EXPORT void* calloc(size_t a, size_t b) { return die(); } | |
| EXPORT void* realloc(void* addr, size_t size) { return die(); } | |
| static void* glibc_override_malloc(size_t a, const void* b) { return die(); } | |
| static void* glibc_override_calloc(size_t a, size_t b, const void* c) { return die(); } | |
| static void* glibc_override_realloc(void* a, size_t b, const void* c) { return die(); } | |
| EXPORT void* (* __malloc_hook)(size_t a, const void* b) = &glibc_override_malloc; | |
| EXPORT void* (* __calloc_hook)(size_t a, size_t b, const void* c) = &glibc_override_calloc; | |
| EXPORT void* (* __realloc_hook)(void* a, size_t b, const void* c) = &glibc_override_realloc; | |
| EXPORT void* __libc_malloc(size_t) ALIAS(malloc); | |
| EXPORT void* __libc_calloc(size_t, size_t) ALIAS(calloc); | |
| EXPORT void* __libc_realloc(void*, size_t ) ALIAS(realloc); | |
| int main() { | |
| print("1: doing a direct mmap call:\n"); | |
| void* ret = mmap(0, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, 0,0); | |
| print(ret ? " SUCCESS\n" : " FAIL\n"); | |
| print("\n2: doing a dlsym(RTLD_NEXT) mmap call\n"); | |
| mmap_t indirect_mmap = (mmap_t) dlsym(RTLD_NEXT, "mmap"); | |
| ret = indirect_mmap(0, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, 0,0); | |
| print(ret ? " SUCCESS\n" : " FAIL\n"); | |
| print("\n3: doing a dlopen() + dlsym(RTLD_NEXT) mmap call\n"); | |
| //!!!!!!!!!!!!!!!!!!!!!!!!!!!! WILL DIE HERE | |
| void* handle = dlopen("libdl.so", RTLD_NOW); | |
| indirect_mmap = dlsym(handle, "mmap"); | |
| ret = indirect_mmap(0, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, 0,0); | |
| print(ret ? " SUCCESS\n" : " FAIL\n"); | |
| return 0; | |
| } | |
| /* | |
| /tmp primiano 12:14:40 15/02 | |
| $ gcc -o test test.c -ldl && ./test | |
| 1: doing a direct mmap call: | |
| SUCCESS | |
| 2: doing a dlsym(RTLD_NEXT) mmap call | |
| SUCCESS | |
| 3: doing a dlopen() + dlsym(RTLD_NEXT) mmap call | |
| DIE MALLOC DIE | |
| Segmentation fault (core dumped) | |
| */ |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment