
I want to patch an ELF executable to insert a function call (the function s2e_rawmon_loadmodule and its dependencies are to be linked statically, preferably) at the beginning.

This answer seems to have a nice set of pointers. If I have understood correctly, dynamic instrumentation using PIN/Valgrind/DynamoRIO alters the address space. The addresses of the subsequent instructions get changed which I don't want.

For static instrumentation, the ERESI project could have been useful. But it looks like the project has been abandoned for a long time. I have not been able to build the tool on Ubuntu 14.04 due to compilation issues.

Can anybody help me out with some workaround?

sherlock
  • I don't understand if the function you want to call is already in the binary or not, and/or if you want to modify just one binary or to design a generic way to do it. I'd say you could just create a new section manually, drop your code in it (and the first few instructions of OEP), and put a JMP at the OEP. – user2823000 Sep 22 '15 at 09:14
  • Would you post the link to your compilation issues? – w s Sep 22 '15 at 09:26
  • OK, I built it on Ubuntu 14.04. The only issue I encountered was the usage of the word __unbounded in entry.c, which can be freely removed without any problem. – w s Sep 22 '15 at 09:40
  • @ws Yes, it works fine with __unbounded deleted. But, does that affect the functionality anyway? – sherlock Sep 22 '15 at 10:14
  • @Dillinur No, the code does not reside in the binary. – sherlock Sep 22 '15 at 10:14
  • @Holmes.Sherlock As far as I understand what __unbounded means it shouldn't affect the functionality. As far as I understand it is not supported anyway, which means that if you want to keep the source intact, you may try to use older versions of gcc. – w s Sep 22 '15 at 10:36
  • Thanks! I have compiled ERESI. So far, I haven't been able to figure out what is going on here: http://www.eresi-project.org/browser/trunk/testsuite/elf/etrel_inject/etrel_original. Any insight? – sherlock Sep 22 '15 at 11:33
  • Both relinject32 and relinject64 return the following error: [WARNING] : profile_err() is NULL . Reverting to prinf. [E] Unable to copy PLT – sherlock Sep 22 '15 at 11:59
  • You may try DynInst (which is actively developed); the following phrase in its documentation, "... [Dyninst]... permit the insertion of code into a computer application that is either running or on disk (... known as static instrumentation...)", suggests that it can respond to your need. – Ta Thanh Dinh Dec 22 '15 at 22:53

1 Answer

It seems that you're trying to run some code in the context of the binary before anything meaningful happens.

You should read some resources about ELF infection, for example on vxheavens or here.

But since you're trying to inject/execute s2e_rawmon_loadmodule from s2e, maybe you should just use a debugger instead, because I'm quite sure that this is not how it's supposed to be used.

jvoisin
  • How would a debugger help me in injecting a function while the target binary is running on a Debian guest inside the s2e framework? Of course, s2e_rawmon_loadmodule is supposed to be used while source is available. In my case, source is missing; only the binary is assumed to be present. – sherlock Sep 23 '15 at 01:38
  • Because you didn't mention that the software was running on a host inside the s2e framework ;) – jvoisin Sep 23 '15 at 17:34
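The approach sketched in the comments on the question (a new section holding the injected code, a JMP at the original entry point) and the ELF infection resources the answer points to both leave the same trace: e_entry no longer lands in .text. The following is an added example, not code from the question, the ERESI project or s2e; it parses the ELF64 section table with Python's standard library, reports which allocated section contains the entry point, and builds a constructed, non-loadable ELF image as sample input (the section names, addresses and sizes are made up).

```python
import struct

SHDR = struct.Struct("<IIQQQQIIQQ")  # Elf64_Shdr: name,type,flags,addr,offset,size,link,info,align,entsize

def entry_section(data):
    """Return (e_entry, name of the allocated section whose address range holds it)."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("expected a little-endian ELF64 image")
    (e_entry,) = struct.unpack_from("<Q", data, 24)
    (e_shoff,) = struct.unpack_from("<Q", data, 40)
    e_shentsize, e_shnum, e_shstrndx = struct.unpack_from("<HHH", data, 58)
    if e_shnum == 0:  # section table stripped: nothing to map the entry against
        return e_entry, None
    shdrs = [SHDR.unpack_from(data, e_shoff + i * e_shentsize) for i in range(e_shnum)]
    strtab_off = shdrs[e_shstrndx][4]  # sh_offset of .shstrtab
    for sh in shdrs[1:]:  # index 0 is the mandatory null header
        sh_name, sh_flags, sh_addr, sh_size = sh[0], sh[2], sh[3], sh[5]
        if sh_flags & 0x2 and sh_addr <= e_entry < sh_addr + sh_size:  # SHF_ALLOC
            start = strtab_off + sh_name
            return e_entry, data[start:data.index(b"\0", start)].decode()
    return e_entry, None  # entry lies in no allocated section at all

def entry_looks_patched(data):
    """Entry-point redirection (a JMP stub in a new or appended section) leaves
    e_entry outside .text; a normal link puts _start inside .text."""
    return entry_section(data)[1] != ".text"

def build_elf(sections, e_entry):
    """Constructed ELF64 image: header, a .shstrtab and one SHT_PROGBITS header per
    (name, vaddr, size) tuple. Sample input for the checks, not a loadable binary."""
    names = [n for n, _, _ in sections] + [".shstrtab"]
    strtab = b"\0" + b"".join(n.encode() + b"\0" for n in names)
    shoff, shnum = 64 + len(strtab), len(names) + 1
    ehdr = b"\x7fELF\x02\x01\x01" + bytes(9) + struct.pack(
        "<HHIQQQIHHHHHH", 2, 62, 1, e_entry, 0, shoff, 0, 64, 56, 0, 64, shnum, shnum - 1)
    shdrs, off = [bytes(64)], 1
    for n, addr, size in sections:
        shdrs.append(SHDR.pack(off, 1, 0x6, addr, 0, size, 0, 0, 16, 0))  # PROGBITS, flags AX
        off += len(n) + 1
    shdrs.append(SHDR.pack(off, 3, 0, 0, 64, len(strtab), 0, 0, 1, 0))  # STRTAB
    return ehdr + strtab + b"".join(shdrs)

if __name__ == "__main__":
    clean = build_elf([(".text", 0x401000, 0x200)], 0x401040)
    hooked = build_elf([(".text", 0x401000, 0x200), (".inject", 0x403000, 0x80)], 0x403000)
    for tag, img in (("clean", clean), ("hooked", hooked)):
        print(tag, hex(entry_section(img)[0]), entry_section(img)[1], entry_looks_patched(img))
```

On a binary whose section table has been stripped the function returns None and the check fires; in that case the program headers, not the section headers, are the only map left to compare e_entry against.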