Code injection approach to add feature on service

A Code Injection Approach to Add Feature on Service [email protected] CCMA, ITRI


Page 1: Code injection approach to add feature on service

A Code Injection Approach to Add Feature on Service

[email protected], ITRI

Page 2

Introduction

• Initial idea
  • We need to extend the features of a service that is already running, without suspending it.
  • We do not want to upgrade the program binary file: when a new feature is needed we turn it on, and when it is no longer needed we turn it off.
– Benefits
  • A new service can be turned on on demand.
  • When off: the same binary file is running, so its stability is kept.
  • When on: some stability is lost, but functionality is increased.

Page 3

Basic Idea (diagram)

BEFORE, the service's memory space: service_wrapper() dispatches requests s1, s2 and s3 to s1(), s2() and s3().

AFTER, the hooked service's memory space that supports s4 and s5: the hook function service_wrapper2() sits over service_wrapper(); requests s1~3 still go to the original s1(), s2() and s3(), and the new requests s4~5 go to the injected s4() and s5().

(legend: service_wrapper2() is the hook function)

Page 4

Steps

1) Use GDB to attach to the running process.
2) Place the hook function onto the service wrapper function:
   • for an original service request, run the original code;
   • for a new service request, run the new code.
3) The hook function
   • has the same parameters as the selected function;
   • can call functions and access data of the application;
   • returns 1 to indicate that the original selected function should not be executed.

Page 5

Flow of Code Injection (diagram)

Build side: the build scripts compile and link hooker.c, hooker.S and s45.c into the hook object hook.o.
Inject side: the code inject scripts drive gdb against the running service to load the hook, build the symbol table, resolve references and hook.
The running service sits on the libraries (GLIBC), which sit on the Linux OS.

Page 6

Code Inject Script

• Load
  • call mmap() in GDB to load the hook binary into the process memory space
• Build symbol table
  • add symbols of the service by signature searching on its code (.text) segment
  • add symbols of the injected code by reading its debug file
  • add symbols of GLIBC by calling GDB
• Resolve references
  • for each unresolved symbol in the hook code, resolve it by looking up the symbol table
• Hook
  • copy the hooker onto the address of the service wrapper function

Page 7

Signature Search DB to support Multiple Versions of the Service Application

The signature search script runs against the running service:
1) check every entry of the vstring table to find the service version;
2) use the correct version's signatures to build the symbol table.

vstring table (offset of the version string in the service, and the string expected there):
  offset 0x800, "v1.1"
  offset 0x800, "v1.2"

signature table, one set per version (symbol name and the byte pattern of its code):
  v1.1: service_func, "aa cc dd ...."; function_2, "aa bb cc ..."
  v1.2: service_func, "aa cc dd ...."; function_2, "aa bb cc ..."
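Added example in C (not the deck's signature search script): the two steps above as working code over a constructed 48-byte image standing in for the service's code segment. The image bytes, the per-version patterns (with "??" as a wildcard byte), the vstring offset 0x20 and the names service_func and function_2 are all made up for the demo. One check the slide does not mention is included: a signature that matches more than once is rejected, because hooking the wrong match would corrupt the process.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SIG_MAX 64

/* Constructed image of the code segment: a frame-setup prologue at 0x08, a tiny
 * function at 0x10 and the version string at 0x20 (the deck's vstring sits at 0x800). */
static const uint8_t TEXT_IMG[48] = {
    0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,
    0x55,0x48,0x89,0xe5,0x48,0x83,0xec,0x20, /* push rbp; mov rbp,rsp; sub rsp,0x20 */
    0xb8,0x05,0x00,0x00,0x00,0xc3,0x90,0x90, /* mov eax,5; ret */
    0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,
    'v','1','.','2',0x00,0x00,0x00,0x00,     /* vstring entry */
    0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
};

struct sig     { const char *name; const char *pattern; };   /* "??" = wildcard byte */
struct version { size_t vstring_off; const char *vstring; const struct sig *sigs; size_t nsigs; };

/* Hypothetical per-version signature DB: v1.1 and v1.2 set up service_func's
 * frame differently, so each version carries its own patterns. */
static const struct sig SIGS_V11[] = {
    { "service_func", "55 48 89 e5 48 81 ec ?? ?? ?? ??" },
    { "function_2",   "b8 ?? ?? ?? ?? c3" },
};
static const struct sig SIGS_V12[] = {
    { "service_func", "55 48 89 e5 48 83 ec ??" },
    { "function_2",   "b8 ?? ?? ?? ?? c3" },
};
static const struct version VERSIONS[] = {
    { 0x20, "v1.1", SIGS_V11, 2 },
    { 0x20, "v1.2", SIGS_V12, 2 },
};

/* Parse "55 48 ?? e5" into byte values; -1 marks a wildcard. Returns count or -1. */
static int parse_pattern(const char *pat, int *out) {
    int n = 0;
    for (;;) {
        while (*pat == ' ') pat++;
        if (!*pat) return n;
        if (n == SIG_MAX) return -1;
        if (pat[0] == '?' && pat[1] == '?') { out[n++] = -1; pat += 2; continue; }
        unsigned v; int used = 0;
        if (sscanf(pat, "%2x%n", &v, &used) != 1 || used != 2) return -1;
        out[n++] = (int)v; pat += 2;
    }
}

/* Offset of the unique match of pattern in img: -1 if none, -2 if ambiguous
 * (an ambiguous signature must never be used to place a hook). */
long sig_search(const uint8_t *img, size_t len, const char *pattern) {
    int sig[SIG_MAX], n = parse_pattern(pattern, sig);
    long found = -1;
    if (n <= 0 || (size_t)n > len) return -1;
    for (size_t off = 0; off + (size_t)n <= len; off++) {
        size_t i = 0;
        while (i < (size_t)n && (sig[i] < 0 || img[off + i] == (uint8_t)sig[i])) i++;
        if (i == (size_t)n) { if (found >= 0) return -2; found = (long)off; }
    }
    return found;
}

/* Step 1: try every vstring-table entry against the image. */
const struct version *detect_version(const uint8_t *img, size_t len) {
    for (size_t i = 0; i < sizeof VERSIONS / sizeof VERSIONS[0]; i++) {
        const struct version *v = &VERSIONS[i];
        size_t n = strlen(v->vstring);
        if (v->vstring_off + n <= len && memcmp(img + v->vstring_off, v->vstring, n) == 0) return v;
    }
    return NULL;
}

/* Step 2: look the symbol up in that version's signature set and search for it. */
long resolve_symbol(const uint8_t *img, size_t len, const char *name) {
    const struct version *v = detect_version(img, len);
    if (!v) return -1;
    for (size_t i = 0; i < v->nsigs; i++)
        if (strcmp(v->sigs[i].name, name) == 0) return sig_search(img, len, v->sigs[i].pattern);
    return -1;
}

int main(void) {
    const struct version *v = detect_version(TEXT_IMG, sizeof TEXT_IMG);
    printf("version: %s\n", v ? v->vstring : "unknown");
    printf("service_func at 0x%lx\n", resolve_symbol(TEXT_IMG, sizeof TEXT_IMG, "service_func"));
    printf("function_2   at 0x%lx\n", resolve_symbol(TEXT_IMG, sizeof TEXT_IMG, "function_2"));
    return 0;
}
```

In the real flow the image would be read out of the attached process through GDB and the returned offsets added to the symbol table relative to the segment's load address; this block only does the matching.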

Page 8

Detail of Hooker Implementation

• hooker (in assembly, hooker.S)
  – placed at the selected function to jump to the hook-body; the sequence is:
    • jump to hook-body
    • pop rax, nop, nop and nop
• hook-body (in assembly, hooker.S)
  – calls the hook function in C
  – preserves the selected function's parameters (overwritten by the hook function), RAX (overwritten during the far jump) and the selected function's header code (overwritten by the hooker code); the sequence is:
    • push the parameters of the selected function
    • call the hook function
    • pop the parameters of the selected function
    • execute the preserved binary of the selected function's header
    • push RAX
    • jump back to the hooker's pop rax
• hook function (in C, hooker.c)
  a) references the selected function's original parameters
  b) references global functions and data of the application
  c) references functions of GLIBC
  d) references global functions and global objects of the injected object