{"id":3549,"date":"2018-04-25T10:07:35","date_gmt":"2018-04-25T17:07:35","guid":{"rendered":"http:\/\/mattfife.com\/?p=3549"},"modified":"2018-04-25T10:09:09","modified_gmt":"2018-04-25T17:09:09","slug":"ld_preload-and-stealing-function-calls","status":"publish","type":"post","link":"https:\/\/mattfife.com\/?p=3549","title":{"rendered":"LD_PRELOAD and stealing function calls"},"content":{"rendered":"

There is a clever little trick that one can use for a variety of purposes on Linux. It involves overriding or hijacking function calls. It’s called LD_PRELOAD.<\/p>\n

Lets say you create a file called unrandom.c that includes an implementation of the rand() function. It matches the function rand() in standard C.<\/p>\n

\n
\n\n\n\n
unrandom.c:<\/caption>\n
\n
1<\/div>\n
2<\/div>\n
3<\/div>\n<\/td>\n
\n
\n
int<\/code> rand<\/code>(){<\/code><\/div>\n
\u00a0\u00a0\u00a0\u00a0<\/code>return<\/code> 42; <\/code>\/\/the most random number in the universe<\/code><\/div>\n
}<\/code><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<\/div>\n

We\u2019ll compile it into a shared library.<\/p>\n

\n
gcc -shared -fPIC unrandom.c -o unrandom.so<\/pre>\n<\/blockquote>\n
Now\u2026 just run a program (my_program) that uses random numbers like this, and you’ll find that the rand function only generates 42.<\/p>\n
\n
LD_PRELOAD=$PWD\/unrandom.so .\/my_program<\/pre>\n<\/blockquote>\n
This trick can be used in a variety of ways. A good write-up can be found here, and is worth a read:<\/p>\n
Dynamic linker tricks: Using LD_PRELOAD to cheat, inject features and investigate programs<\/a><\/p><\/blockquote>\n