[Gammaray-interest] New plugin idea: Event inspector

Milian Wolff milian.wolff at kdab.com
Tue Sep 19 13:07:14 CEST 2017


On Dienstag, 19. September 2017 12:27:08 CEST Christian Gagneraud wrote:
> On 19 September 2017 at 22:05, Milian Wolff <milian.wolff at kdab.com> wrote:
> > On Dienstag, 19. September 2017 11:45:01 CEST Christian Gagneraud wrote:
> >> On 19 September 2017 at 21:17, Milian Wolff <milian.wolff at kdab.com> 
wrote:
> >> > On Dienstag, 19. September 2017 11:11:45 CEST Christian Gagneraud 
wrote:
> >> >> On 19 September 2017 at 20:46, Milian Wolff <milian.wolff at kdab.com>
> > 
> > wrote:
> >> >> > On Dienstag, 19. September 2017 10:39:45 CEST Christian Gagneraud
> > 
> > wrote:
> >> >> >> On 19 September 2017 at 17:11, Christian Gagneraud
> >> >> >> <chgans at gmail.com>
> >> > 
> >> > wrote:
> >> >> >> > On 18 September 2017 at 14:52, Christian Gagneraud
> >> >> >> > <chgans at gmail.com>
> >> >> > 
> >> >> > wrote:
> >> >> >> >> On 18 September 2017 at 08:25, Milian Wolff
> >> >> >> >> <milian.wolff at kdab.com>
> >> >> >> >> wrote:
> >> >> >> >> [...]
> >> >> >> >> 
> >> >> >> >>>> I'm reading this right [1] now, it's called "Cheating the ELF
> >> >> >> >>>> -
> >> >> >> >>>> Subversive Dynamic Linking to Libraries".
> >> >> >> >>>> AFAIU, he's talking about manipulation of the PLT of an ELF
> >> >> >> >>>> image.
> >> >> >> >>>> Which is, I think, what i would like to achieve: replace a
> >> >> >> >>>> symbol
> >> >> >> >>>> with
> >> >> >> >>>> another one of my choice, and still be able to call the
> >> >> >> >>>> original
> >> >> >> >>>> symbol.
> >> >> >> >>>> Now, this does not seem easy....
> >> >> >> >>> 
> >> >> >> >>> You can have a look at the heaptrack injector code, which does
> >> >> >> >>> just
> >> >> >> >>> that.
> >> >> >> >> 
> >> >> >> >> Yes, it is very interesting indeed, thanks for the pointer!
> >> >> >> > 
> >> >> >> > Using this technique i was able to subsitute Qt's dynamic symbols
> >> >> >> > (eg,
> >> >> >> > qt_startup_hook) in a simple Qt application.
> >> >> >> > And i now understand what this QtCore.dyn file is all about! ;)
> >> >> >> > 
> >> >> >> > Using the Loadable program segment, i can as well wrap any Qt
> >> >> >> > function
> >> >> >> > used by the program (QObject::EventFilter, ...).
> >> >> >> 
> >> >> >> Hi Milian,
> >> >> >> 
> >> >> >> This makes me think that heaptrack doesn't track memory related
> >> >> >> symbols directly imported by the program itself. It does track only
> >> >> >> malloc/free made by loaded shared objects.... Am I missing
> >> >> >> something?
> >> >> >> 
> >> >> >> Due to
> >> >> >> https://github.com/KDE/heaptrack/blob/master/src/track/heaptrack_in
> >> >> >> jec
> >> >> >> t.c
> >> >> >> pp
> >> >> >> #L269
> >> >> > 
> >> >> > What is a "malloc/free symbol directly imported by the program
> >> >> > itself"?
> >> >> 
> >> >> I mean "all memory related symbols" that heaptrack needs to track to
> >> >> be able to fulfill its job.
> >> >> 
> >> >> Maybe i misunderstood the goal of heaptrack.
> >> >> 
> >> >> I started with a copy/paste of your code (see [1] below about
> >> >> copy/pasting open source code), and then added another if in the
> >> >> "program header type" check , one that would - I think - capture
> >> >> dynamic symbols in a non dynamic object such as an ELF program file.
> >> >> Basically I have the feeling that one has to check for PT_LOAD as
> >> >> well.
> >> >> My dl_iterate_phdr always start with info->dlpi_name == "", and this
> >> >> unnamed PT_LOAD program header contains dynamic symbols embedded into
> >> >> the ELF program file itself.
> >> >> 
> >> >> So if i understand correctly (and I might be wrong), heaptrack install
> >> >> hooks only on dynamic symbols found in dynamic ELF object (SOlibs),
> >> >> not on dynamic symbols found in "PT_LOAD"'able ELF objects such as
> >> >> program files.
> >> > 
> >> > Can you give an example of when that would apply? This is a serious
> >> > question.
> >> 
> >> Yes, thanks for asking, it was stimulating! ;)
> >> 
> >> But the answer is unfortunately very simple:
> >> I'm running the code in the host program not in an LD_PRELOAD object!
> >> So i think that in my case dl_iterate_phdr gives me access to the
> >> just-loaded ELF file: the executable, which can contains itself
> >> contains dynamic symbols such as malloc or free like in:
> >> 
> >> int main(int argc, charr **argv)
> >> {
> >> 
> >>    stuff = new Stuff()
> >>    return 0;
> >> 
> >> }
> >> 
> >> The ELF program file have it's own dynamic symbol table too, this call
> >> to "new" will point to a non-heaptrack-tracked symbols.
> >> 
> >> Bummer i'm disappointed by my own answer! ;)
> > 
> > I will have to write a unit test to check whether that is really happening
> > or not. A quick look at a binary like the above in elf-dissector shows a
> > .plt entry for _Znam at got which will eventually call malloc internally so
> > I think that should work fine.
> 
> I haven't come across "_Znam at got " yet, so i cannot comment.
> But I will keep an eye, for sure! ;)
> 
> What is this thing suppose to be/do? A across-shared-objects shared
> symbol cache? Lol!

https://reverseengineering.stackexchange.com/questions/1992/what-is-plt-got

HTH

-- 
Milian Wolff | milian.wolff at kdab.com | Senior Software Engineer
KDAB (Deutschland) GmbH&Co KG, a KDAB Group company
Tel: +49-30-521325470
KDAB - The Qt Experts




More information about the Gammaray-interest mailing list