Pete's Log: ld_preload is cool
Entry #904, (Coding, Hacking, & CS stuff)(posted when I was 22 years old.)
I can definitely see, though, why it's had its share of security problems... also cool is the syscall(2) function. Definitely something to keep in mind for future obfuscated code projects. The best thing is that linux has no manpage for syscall that I can tell, and in the solaris syscall manpage the warnings section is nearly twice as long as the description section. So here's something fun to do:
cat > blah.c << EOF
long int read(int fd, void* buf, int count)
{
printf("read from %d\n", fd);
return syscall(3, fd, buf, count);
}
EOF
cc -c blah.c -o blah.o
ld -shared blah.o -o blah.so
setenv LD_PRELOAD `pwd`/blah.so
now, in theory, running any program that does a read (cat /etc/resolv.conf if you can't think of something offhand) should give you a little note of what fd is being read from. So I don't remember where I first discovered syscall. I think it was last fall, and I dunno why I didn't play with it until now. I've known about LD_PRELOAD for a while, but never bothered until now to figure out how it works. I've known about intercepting system/library calls for a while, but only through statically compiling replacement calls, not dynamically.
So some fun notes: it'd be a wise idea to unsetenv LD_PRELOAD before removing blah.so. And while we're on the topic of things that lead to badness, this is fun: setenv $HOME to a relative path sometime. launch tcsh. see how long you can go before it aborts...
I should get back to work now...