Code injection approach to add feature on service
•Transferir como PPTX, PDF•
0 gostou•841 visualizações
Recomendados
Mais conteúdo relacionado
Destaque
Destaque (14)
Último
Último (20)
Code injection approach to add feature on service
- 1. A Code Injection Approach to Add Feature on Service houcheng@gmail.com CCMA, ITRI
- 2. Introduction • Initial idea • we need to extend features onto some running service without suspending it. • we don’t want to upgrade program binary file; when need new feature turn it on and when don’t need turn it off – Benefits • new service can be on demand turn on • when off: the same binary file, so its stability still kept • when on: loss some stability but increase functionality
- 3. Basic Idea s4~5 s1~3 service_wrapper() s1 s2 s3 s1() s2() s3() service’s memory space BEFORE service_wrapper() s1 s2 s3 service_wrapper2() s1() s2() s4 s4() s5 s5() s3() hooked service’s memory space that support s4 and s5 AFTER : hook function
- 4. Steps 1) Use GDB to attach running process 2) Place the hook function that onto service wrapper function; • for original service request, run original code • for new service request, run new code 3) The hook function • • • Has the same parameters as selected function Can call functions and access data of application Return 1 to indicate not execute original selected function
- 5. Flow of Code Injection hooker.S hooker.c build scripts code inject scripts hook hook.o running service gdb s45.c • compile • link • • • • load build symbol table resolve reference hook libraries (GLIBC) Linux OS
- 6. Code Inject Script • Load • call mmap() in GDB to load binary onto process memory space • Build symbol table: • add symbols of service by signature searching on .code segment • add symbols of injected code by reading its debug file • add symbols of GLIBC by calling GDB • Resolve reference • For each un-resolve symbols in hook code, resolve by looking up symbol table • Hook • Copy hooker onto address of service wrapper function
- 7. Signature Search DB to support Multiple Versions of Service Application signature search script running service offset:0x800, “v1.1” offset:0x800, “v1.2” vstring table service_func, “aa cc dd ....” function_2, “aa bb cc ... “ service_func, “aa cc dd ....” function_2, “aa bb cc ... “ 1) check every entry of vstring table to find service version 2) use correct version’s signatures to build symbol table
- 8. Detail of Hooker Implementation • hooker: (in assembly, hooker.S) – placed at selected function to jump to hook-body, the sequence is: • • • hook-body: (in assembly, hooker.S) – – Call hook function in C preserve selected function’s parameters (overwrite by hook function) , RAX (overwrite during far jump) and selected function’s header code (overwrite by hooker code), the sequence is • • • • • • • jump to hook-body pop rax, nop, nop and nop push parameters of selected function call hook function pop parameters of selected function preserve selected function header’s execution binary push RAX jump to hooker’s hook-function (in C, hooker.C) a) reference selected function’s original parameters, b) reference global functions and data of application c) reference functions of GLIBC d) reference global functions and global objects of injected object