binhook is a survey of techniques to hook and/or replace functions in executable binaries or shared libraries. These make it possible to change the behaviour of programs without access to the source code and without recompilation.
Given a pre-built application (app) that uses a function (func) with a known signature (e.g. `char* func(char* A, char* B, uint32_t length)`), the goal of these techniques is to execute an alternative implementation defined in independent C sources (replacement).
supported os (?) platforms (any)
LD_PRELOAD is an environment variable supported by the dynamic linker on GNU/Linux systems.
http://man7.org/linux/man-pages/man8/ld.so.8.html
A list of additional, user-specified, ELF shared objects to be loaded before all others. This feature can be used to selectively override functions in other shared objects.
```
+------------+       +-------------+   +--------------+
|    app     |       | patched_app |   |   app_lib    |
| +--------+ |       | +---------+ |   | +----------+ |
| | func.o | +-----+ | | repl.o  | |   | |libfunc.so| +-----+
| +--------+ |     | | +---------+ |   | +----------+ |     |
+------------+     | +-------------+   +--------------+     |
      |            v        |                 |             v
      |      +----+-----+   |                 |       +----+-----+
LD_PRELOAD:  |librepl.so|   |                 |       |librepl.so|
      |      +----+-----+   |                 |       +----+-----+
      v           v         v                 v            v
output: default  default  replacement      default    replacement
```
In this test suite, the following artifacts are built:
- `[func|replacement][.o|.so]`: both the original and the replacement function are independently built as objects and as shared libraries.
- `app`: `app.c` and `func.o`.
- `app_lib`: `app.c` and `func.so`.
- `patched_app`: `app.c` and `replacement.o`.
And the following tests are executed:
- `app` without `LD_PRELOAD`: regular execution of the app with built-in `func`.
- `app` with `LD_PRELOAD`: when the function is built into the app, `LD_PRELOAD` has no effect at all.
- `patched_app` without `LD_PRELOAD`: execution of the patched app, should the user have access to the app sources to build it.
- `app_lib` without `LD_PRELOAD`: regular execution of the app with `func` loaded from a shared lib.
- `app_lib` with `LD_PRELOAD`: execution of the `replacement` function, since `replacement.so` is loaded before `libfunc.so`.
Notes:
- `LD_PRELOAD` makes it easy to replace functions that the app uses from shared libraries. However, it is not suitable for functions that are built into the app. By the same token, it is not suitable for statically compiled binaries.
- Both the app and/or the shared libraries can be built with `gcc -Os -s`. No additional symbol info is required.
supported os (?) platforms (?)
In this test suite, the library shoumikhin/ELF-Hook is used. ELF-Hook makes it possible to replace a function that is called from another function defined in a shared library.
```
         A/B                             C/D
+------+  +------+            +------+  +------+   +---+
|hook.c|  |test.c|            |hook.c|  |test.c|   |app|
+-----++  ++-----+            +-----++  ++-----+   +-+-+
      |    |                        |    |           |
     >-+-<                         >-+-<             |rename
 build |                       build |               v
       v    +----------+             v    +-----+----+
      test <-+libfunc.so|           test <-+libfunc.so|
             +----------+                  +----------+
```
The following artifacts are built:
- `libfunc.so`: the target (`func`) is wrapped (`wrapfunc`).
- `testA`: `libfunc.so` is loaded with `dlopen`, and `get_module_base_address` and `elf_hook` are used to replace `func` with `hook` (defined in `testA`).
- `testB`: same as `testA`, but `dlsym` is used to get a pointer to the entrypoint.
- `testC`: same as `testB`, but an executable is loaded instead of a shared library.
- `testD`: same as `testC`, but the entrypoint is `main` (from the loaded app).
And the following tests are executed:
- `testA`: `wrapfunc` is executed before and after calling `elf_hook`.
- `testB`: `wrapfunc` is executed before and after calling `elf_hook`.
- `testC`: `func` is executed before calling `elf_hook`. Setting the redirect fails.
- `testD`: `main` is executed before calling `elf_hook`. Setting the redirect fails.
Notes:
- Compared to `LD_PRELOAD`, ELF-Hook makes it possible to apply modifications to a single shared library.
- Replacing a function in a shared library is supported (`testA`, `testB`), but the same approach fails with a PIE executable (`testC`, `testD`).
- ELF-Hook optionally allows the original function to be executed from inside the hook. Hence, `wrapfunc` is the entrypoint, and whenever `func` is used, `hook` can execute instructions before and/or after it.
supported os (GNU/Linux, Windows, macOS, solaris, FreeBSD) platforms (x64, x86, arm, aarch64, powerpc, powerpc64le)
to do...
supported os (GNU/Linux, Windows, macOS) platforms (x64, x86)
to do...
- List of API Hook Libraries
- x86 API Hooking Demystified by Jurriaan Bremer
supported os (GNU/Linux) platforms (armv7, aarch32, aarch64)
work in progress...
supported os (?) platforms (?)
work in progress...
supported os (?) platforms (?)
work in progress... the extensible editor for structured binary data
supported os (?) platforms (?)
supported os (?) platforms (?)
to do... LIEF - Library to Instrument Executable Formats
- https://lief.quarkslab.com/
- https://2018.pass-the-salt.org/files/talks/03-static-instrumentation.pdf
supported os (GNU/Linux, Windows) platforms (x64, arm64, ?)
to do...
- Fixing/Making Holes in Binaries by Shaun Clowes (slides, video)
- Dynamic linker tricks: Using LD_PRELOAD to cheat, inject features and investigate programs by Rafał Cieślak
- Redirecting Functions in Shared ELF Libraries by Anthony Shoumikhin (shoumikhin/ELF-Hook)
- cea-sec/miasm
- s3team/uroboros
- PEBIL: Static Binary Instrumentation for x86/Linux
- asciiflow.com