Document the functions that get offsets needed for dl audit callback #8
Conversation
| @@ -366,9 +366,9 @@ assert_offset(dasm_ctx_t, opcode, 0x28); | |||
| assert_offset(dasm_ctx_t, mem_disp, 0x30); | |||
| assert_offset(dasm_ctx_t, operand, 0x38); | |||
| assert_offset(dasm_ctx_t, insn_offset, 0x50); | |||
| static_assert(sizeof(dasm_ctx_t) == 128); | |||
| static_assert(sizeof(dasm_ctx_t) == 0x58); | |||
There was a problem hiding this comment.
this lines up with the the size of the memory zeroing loops
| PADDING(0x10); | ||
| global_context_t *globals; | ||
| global_context_t **globals; |
There was a problem hiding this comment.
took me a while to realise this but after tracing the assignments this is a pointer to a pointer
| Elf64_Ehdr *libc_ehdr; | ||
| typedef struct __attribute__((packed)) main_elf { | ||
| elf_handles_t *elf_handles; | ||
| Elf64_Ehdr *dynamic_linker_ehdr; |
There was a problem hiding this comment.
I was a bit confused about this as this value was used to find the ld.so internal structs but then I realised __libc_stack_end is actually exported by ld.so (and not libc.so). The __tls_get_addr symbol that is used to find the initial ELF header is alsoa ld.so symbol
There was a problem hiding this comment.
Yeah, it seems they are using __tls_get_addr to find roughly where the code section of ld.so is, so they can backtrack and find its ELF header.
Once they have that, they can get r_debug and look for loaded libraries (and at that point, they have full knowledge)
| assert_offset(main_elf_t, __libc_stack_end, 0x10); | ||
|
|
||
| typedef struct backdoor_data backdoor_data_t; |
There was a problem hiding this comment.
I ended up needing this forward declaration, and you can't make a forward typedef struct without giving the struct itself a name.
So I decided to follow the standard C library convention and give every struct a name, and add _t to all typedefs.
| */ | ||
| struct backdoor_data *backdoor_data; | ||
| elf_handles_t * elf_handles_ptr; | ||
| backdoor_data_handle_t data_handle; |
There was a problem hiding this comment.
this struct is passed as a pointer to find_dl_audit_offsets and the code only makes sense if these two fields are actually a nested struct
| PADDING(0x4); | ||
| backdoor_hooks_data_t *hooks; | ||
| imported_funcs_t *imported_funcs; | ||
| } instruction_search_ctx_t; |
There was a problem hiding this comment.
this struct could do with some work by those familiar with x86_dasm. it seems the register fields are used to check the output register for all the instructions is the same
so please fix up the names/types here
| @@ -113,4 +118,5 @@ SECTIONS_BEGIN() | |||
| DEFSYM(cpuid_reloc_consts, .rodata.lzma12_mf_mao.0) | |||
| DEFSYM(tls_get_addr_random_symbol, .rodata.lzma2_decode) | |||
| DEFSYM(tls_get_addr_reloc_consts, .rodata.rc_encode) | |||
| // .rodata.get_literal_prica is used as a branch table for switch statements in elf_parse() | |||
There was a problem hiding this comment.
there are four more unlabelled .rodata sections, two of them are related to x86_dasm might be lookup tables but since I don't understand what they are for I didn't label them
one of them is this branch table
the last one doesn't seem to be referenced anywhere directly, but not sure if its used somewhere via sneaky offsets or something
|
Looks good to me, thank you! |
I worked through the functions that find various required offsets to set up the dl audit symbind callback.