Code injection approach to add feature on service
Uploaded by houcheng-lin. Category: Technology.
Introduction
• Initial idea
  • We need to extend the features of a running service without suspending it.
  • We do not want to upgrade the program binary file: when a new feature is needed, turn it on; when it is not, turn it off.
• Benefits
  • A new service can be turned on on demand.
  • When off: the same binary file runs, so its stability is kept.
  • When on: some stability is lost, but functionality is increased.
Basic Idea
(Figure: BEFORE, the service's memory space contains service_wrapper(), which dispatches to s1(), s2() and s3(). AFTER, in the hooked service's memory space that supports s4 and s5, a hook function is placed on service_wrapper(): requests s1~3 still go to the original s1(), s2(), s3(), while requests s4~5 go to the injected service_wrapper2(), which provides s4() and s5().)
Steps
1) Use GDB to attach to the running process.
2) Place the hook function onto the service wrapper function:
   • for an original service request, run the original code
   • for a new service request, run the new code
3) The hook function
   • has the same parameters as the selected function
   • can call functions and access data of the application
   • returns 1 to indicate that the original selected function should not be executed
Flow of Code Injection
(Figure: the build scripts compile and link hooker.c, hooker.S and s45.c into the hook object (hook.o); the code inject scripts drive gdb, which operates on the running service on top of the libraries (GLIBC) and the Linux OS.)
• build scripts: compile, link
• code inject scripts: load, build symbol table, resolve reference, hook
Code Inject Script
• Load: call mmap() from GDB to load the binary into the process memory space
• Build symbol table:
  • add symbols of the service by signature searching on the .code segment
  • add symbols of the injected code by reading its debug file
  • add symbols of GLIBC by calling GDB
• Resolve reference: for each unresolved symbol in the hook code, resolve it by looking it up in the symbol table
• Hook: copy the hooker onto the address of the service wrapper function
Signature Search DB to support Multiple Versions of Service Application
(Figure: the signature search script runs against the running service.)
1) Check every entry of the vstring table to find the service version.
2) Use the correct version's signatures to build the symbol table.
vstring table:
  offset: 0x800, "v1.1"
  offset: 0x800, "v1.2"
signatures, one set per version:
  v1.1: service_func, "aa cc dd ...."; function_2, "aa bb cc ..."
  v1.2: service_func, "aa cc dd ...."; function_2, "aa bb cc ..."
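As an added example (mine, not the deck's signature search script), the two steps above in C: detect the version from the vstring table, then build the symbol table from that version's signatures. It assumes a pattern syntax of space-separated hex bytes with `??` as a wildcard byte, a constructed 40-byte sample image standing in for the service's code segment, and made-up signatures with the version string at offset 0x20; the deck's 0x800 offsets and "aa cc dd" bytes are placeholders and are not reproduced.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* One signature-DB line: symbol name and byte pattern. Assumed pattern
 * syntax: space-separated hex bytes, "??" for a wildcard byte. */
typedef struct { const char *name; const char *sig; } sig_entry;

/* One vstring-table entry: where the version string sits in the image and
 * which signature set belongs to that version. */
typedef struct {
    const char *version; size_t vstring_offset;
    const sig_entry *sigs; size_t nsigs;
} version_entry;

typedef struct { const char *name; size_t addr; } symbol;

#define MAX_PATTERN 64

/* Compile "55 48 ?? e5" into ints: 0..255 for a byte, -1 for a wildcard.
 * Returns the pattern length, or 0 for an empty or malformed pattern. */
static size_t parse_sig(const char *sig, int *out, size_t max) {
    size_t n = 0;
    char *end;
    for (; *sig && n < max; sig = end) {
        while (*sig == ' ') sig++;
        if (!*sig) break;
        if (sig[0] == '?' && sig[1] == '?') { out[n++] = -1; end = (char *)sig + 2; continue; }
        long v = strtol(sig, &end, 16);
        if (end != sig + 2 || v < 0) return 0;      /* need exactly two hex digits */
        out[n++] = (int)v;
    }
    return n;
}

/* Signature search over a code segment: offset of the first match, or
 * (size_t)-1 if absent. An empty or malformed pattern never matches. */
size_t find_signature(const uint8_t *code, size_t len, const char *sig) {
    int pat[MAX_PATTERN];
    size_t n = parse_sig(sig, pat, MAX_PATTERN);
    if (n == 0 || n > len) return (size_t)-1;
    for (size_t off = 0; off + n <= len; off++) {
        size_t i = 0;
        while (i < n && (pat[i] < 0 || code[off + i] == pat[i])) i++;
        if (i == n) return off;
    }
    return (size_t)-1;
}

/* Step 1: check every vstring-table entry against the image to pick the version. */
const version_entry *detect_version(const uint8_t *img, size_t len,
                                    const version_entry *tab, size_t ntab) {
    for (size_t i = 0; i < ntab; i++) {
        size_t vl = strlen(tab[i].version);
        if (tab[i].vstring_offset + vl <= len &&
            memcmp(img + tab[i].vstring_offset, tab[i].version, vl) == 0)
            return &tab[i];
    }
    return NULL;
}

/* Step 2: build the symbol table from that version's signatures.
 * Returns the number of symbols resolved; names whose pattern is absent are skipped. */
size_t build_symbols(const uint8_t *img, size_t len, const version_entry *v,
                     symbol *out, size_t max) {
    size_t n = 0;
    for (size_t i = 0; i < v->nsigs && n < max; i++) {
        size_t addr = find_signature(img, len, v->sigs[i].sig);
        if (addr == (size_t)-1) continue;
        out[n].name = v->sigs[i].name; out[n].addr = addr; n++;
    }
    return n;
}

/* Constructed sample image (not a real service): two tiny x86-64 functions
 * at 0x00 and 0x10 and a version string at 0x20. */
static const uint8_t sample_image[] = {
    0x55,0x48,0x89,0xe5,0x31,0xc0,0x5d,0xc3,  0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,
    0x55,0x48,0x89,0xe5,0xb8,0x02,0x00,0x00,  0x00,0x5d,0xc3,0x90,0x90,0x90,0x90,0x90,
    'v','1','.','2',0,0,0,0,
};
static const sig_entry sigs_v11[] = {
    { "service_func", "55 48 89 e5 b8 01 ?? ?? ?? 5d c3" },
    { "function_2",   "55 48 89 e5 31 c0 5d c3" },
};
static const sig_entry sigs_v12[] = {
    { "service_func", "55 48 89 e5 b8 02 ?? ?? ?? 5d c3" },
    { "function_2",   "55 48 89 e5 31 c0 5d c3" },
};
/* Both versions keep the vstring at the same offset, as on the slide. */
static const version_entry vstring_table[] = {
    { "v1.1", 0x20, sigs_v11, 2 },
    { "v1.2", 0x20, sigs_v12, 2 },
};

/* Whole pipeline on the sample image: detected version name, or NULL. */
const char *sample_version(void) {
    const version_entry *v = detect_version(sample_image, sizeof sample_image, vstring_table, 2);
    return v ? v->version : NULL;
}

/* Address of a symbol in the table built for the detected version, or (size_t)-1. */
size_t sample_addr(const char *name) {
    symbol syms[8];
    const version_entry *v = detect_version(sample_image, sizeof sample_image, vstring_table, 2);
    if (!v) return (size_t)-1;
    size_t n = build_symbols(sample_image, sizeof sample_image, v, syms, 8);
    for (size_t i = 0; i < n; i++)
        if (strcmp(syms[i].name, name) == 0) return syms[i].addr;
    return (size_t)-1;
}
```

Note the order of checks: the v1.1 entry is tried first and rejected because its vstring does not match, so its `b8 01` signature for service_func is never used against a v1.2 image; a signature DB that skipped the version check and simply searched all patterns would hook the wrong function or nothing at all.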
Detail of Hooker Implementation
• hooker (in assembly, hooker.S)
  – placed at the selected function to jump to the hook-body; the sequence is:
    • jump to hook-body
    • pop rax, nop, nop and nop
• hook-body (in assembly, hooker.S)
  – calls the hook function in C
  – preserves the selected function's parameters (overwritten by the hook function), RAX (overwritten during the far jump) and the selected function's header code (overwritten by the hooker code); the sequence is:
    • push the parameters of the selected function
    • call the hook function
    • pop the parameters of the selected function
    • execute the preserved header code of the selected function
    • push RAX
    • jump to the hooker's pop rax
• hook function (in C, hooker.c)
  a) references the selected function's original parameters
  b) references global functions and data of the application
  c) references functions of GLIBC
  d) references global functions and global objects of the injected object
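To make the Steps and the hooker / hook-body / hook function split concrete, here is an added, self-contained x86-64 Linux example (mine, not the deck's hooker.S or hooker.c). Assumptions: the selected function is a service_wrapper(req, out) written in assembly so that its first 16 bytes are plain NOPs (position-independent, so a saved copy can be re-executed); requests 1..3 are the original services and 4..5 the injected ones; when the hook function returns 1, the hook-body returns 0 to the caller after the hook has written its result into the application's data (*out); the process patches itself with mprotect() instead of being driven from GDB, and the hook-body's unresolved references (hook function address, saved header bytes, jump-back address) are filled in by the installer, standing in for the deck's symbol-table lookup.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

__asm__(
    ".text\n"
    /* Selected function: *out = req * 10, return 0. Its 16-byte header is NOPs. */
    ".p2align 4\n"
    ".globl service_wrapper\n"
    ".type service_wrapper,@function\n"
    "service_wrapper:\n"
    "    .fill 16,1,0x90\n"
    "    imul $10, %edi, %eax\n"
    "    mov %eax, (%rsi)\n"
    "    xor %eax, %eax\n"
    "    ret\n"
    ".size service_wrapper, .-service_wrapper\n"
    /* hook-body: save the argument registers the C hook may clobber, call the
     * hook function through a slot filled at install time, restore them, then
     * either return (hook returned 1) or run the saved header bytes and jump
     * back to the hooker's "pop %rax". */
    ".globl hook_body\n.globl hook_body_fn_slot\n.globl hook_body_saved_hdr\n"
    ".globl hook_body_back_slot\n.globl hook_body_end\n"
    "hook_body:\n"
    "    push %rdi\n    push %rsi\n    push %rdx\n    push %rcx\n    push %r8\n    push %r9\n"
    "    sub $8, %rsp\n"             /* entry rsp is 16n+8: re-align for the call */
    "    .byte 0x48, 0xb8\n"         /* movabs $imm64, %rax; imm64 = &hook_function */
    "hook_body_fn_slot:\n    .quad 0\n"
    "    call *%rax\n"
    "    add $8, %rsp\n"
    "    pop %r9\n    pop %r8\n    pop %rcx\n    pop %rdx\n    pop %rsi\n    pop %rdi\n"
    "    cmp $1, %eax\n"
    "    je 1f\n"
    "hook_body_saved_hdr:\n    .fill 16,1,0x90\n"  /* replaced by the original header */
    "    push %rax\n"
    "    .byte 0x48, 0xb8\n"         /* movabs $imm64, %rax; imm64 = service_wrapper+12 */
    "hook_body_back_slot:\n    .quad 0\n"
    "    jmp *%rax\n"
    "1:  xor %eax, %eax\n"           /* hook handled the request: return 0 to caller */
    "    ret\n"
    "hook_body_end:\n"
);

int service_wrapper(int req, int *out);
extern unsigned char hook_body[], hook_body_fn_slot[], hook_body_saved_hdr[],
                     hook_body_back_slot[], hook_body_end[];
enum { HOOKER_LEN = 16 };

/* hook function: same parameters as the selected function. Returns 1 so the
 * hook-body skips the original, 0 to fall through to it. */
int hook_function(int req, int *out) {
    if (req == 4 || req == 5) { *out = req * 100; return 1; }   /* injected s4, s5 */
    return 0;                                                    /* original s1..s3 */
}

static int make_rwx(const void *addr, size_t len) {
    uintptr_t ps = (uintptr_t)sysconf(_SC_PAGESIZE);
    uintptr_t lo = (uintptr_t)addr & ~(ps - 1);
    uintptr_t hi = ((uintptr_t)addr + len + ps - 1) & ~(ps - 1);
    return mprotect((void *)lo, hi - lo, PROT_READ | PROT_WRITE | PROT_EXEC);
}

/* hooker: movabs $hook_body,%rax ; jmp *%rax ; pop %rax ; nop ; nop ; nop */
static void build_hooker(unsigned char out[HOOKER_LEN], uint64_t hook_body_addr) {
    out[0] = 0x48; out[1] = 0xb8; memcpy(out + 2, &hook_body_addr, 8);
    out[10] = 0xff; out[11] = 0xe0;
    out[12] = 0x58;
    out[13] = out[14] = out[15] = 0x90;
}

int install_hook(void) {
    unsigned char *target = (unsigned char *)service_wrapper;
    uint64_t fn = (uintptr_t)hook_function, back = (uintptr_t)(target + 12);
    unsigned char hooker[HOOKER_LEN];
    if (make_rwx(target, HOOKER_LEN) != 0 ||
        make_rwx(hook_body, (size_t)(hook_body_end - hook_body)) != 0)
        return -1;                      /* W^X policy refused writable text */
    /* "resolve reference": fill the hook-body's slots from symbol addresses */
    memcpy(hook_body_fn_slot, &fn, 8);
    memcpy(hook_body_back_slot, &back, 8);
    memcpy(hook_body_saved_hdr, target, HOOKER_LEN);   /* preserve the header */
    /* "hook": copy the hooker onto the selected function */
    build_hooker(hooker, (uintptr_t)hook_body);
    memcpy(target, hooker, HOOKER_LEN);
    return 0;
}

int run_request(int req) {              /* what a client of the service observes */
    int out = -1;
    service_wrapper(req, &out);
    return out;
}

int main(void) {
    printf("before: s2=%d s4=%d\n", run_request(2), run_request(4));
    if (install_hook() != 0) { perror("install_hook"); return 1; }
    printf("after:  s2=%d s4=%d s5=%d\n", run_request(2), run_request(4), run_request(5));
    return 0;
}
```

Build with `cc hookdemo.c` on x86-64 Linux. The stack bookkeeping is the part worth checking: six pushes plus `sub $8` keep rsp 16-byte aligned at the `call`, and the `push %rax` / `pop %rax` pair straddles the jump back so the far jump's scratch use of RAX is invisible to the original function. Against a real binary the 16 overwritten bytes must contain no rip-relative or branch instructions, which is why the selected function's header here is deliberately NOPs; a kernel or LSM that denies writable+executable text pages makes install_hook() return -1 rather than corrupting the process.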