Code injection approach to add feature on service
1. A Code Injection Approach to Add Feature on Service
houcheng@gmail.com
CCMA, ITRI
2. Introduction
• Initial idea
  • We need to extend features onto a running service without suspending it.
  • We don't want to upgrade the program binary file; when a new feature is needed we turn it on, and when it is not needed we turn it off.
– Benefits
  • A new service can be turned on on demand.
  • When off: the same binary file runs, so its stability is kept.
  • When on: some stability is lost, but functionality increases.
4. Steps
1) Use GDB to attach to the running process.
2) Place the hook function onto the service wrapper function:
  • for an original service request, run the original code;
  • for a new service request, run the new code.
3) The hook function
  • has the same parameters as the selected function;
  • can call functions and access data of the application;
  • returns 1 to indicate that the original selected function should not be executed.
5. Flow of Code Injection
[Figure: hooker.S and hooker.c are compiled and linked by the build scripts into hook.o; the code inject scripts drive gdb, attached to the running service (s45.c), through the steps load, build symbol table, resolve reference and hook; the service runs on top of libraries (GLIBC) and the Linux OS.]
6. Code Inject Script
• Load
  • Call mmap() from GDB to load the hook binary into the process memory space.
• Build symbol table
  • Add symbols of the service by signature searching on the .code segment.
  • Add symbols of the injected code by reading its debug file.
  • Add symbols of GLIBC by calling GDB.
• Resolve reference
  • For each unresolved symbol in the hook code, resolve it by looking up the symbol table.
• Hook
  • Copy the hooker onto the address of the service wrapper function.
7. Signature Search DB to support Multiple Versions of Service Application
[Figure: the signature search script reads the running service and a vstring table with one entry per version, e.g. offset:0x800, "v1.1" and offset:0x800, "v1.2"; each version has its own signature set, e.g. service_func, "aa cc dd ...." and function_2, "aa bb cc ...".]
1) Check every entry of the vstring table to find the service version.
2) Use the correct version's signatures to build the symbol table.
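The two steps above, and the "build symbol table" and "resolve reference" steps of the code inject script, as an added example that is not part of the original slides: a vstring table is checked against a constructed stand-in for the service's .code segment, the matching version's signature set (byte patterns with wildcard bytes for build-specific immediates) is searched to build a symbol table, and a lookup function stands in for the reference-resolution step. The byte buffer, the load address `CODE_BASE`, the offsets and the signature bytes are all constructed for this example; the function names `detect_version`, `find_signature`, `build_symbol_table` and `lookup_symbol` are this example's own, not names from the slides' scripts.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CODE_BASE   ((uintptr_t)0x400000)   /* assumed load address of .code (constructed) */
#define MAX_SYMBOLS 16

/* Constructed stand-in for the service's .code segment: a version string at
 * offset 0x20 and two small x86-64 function bodies. Not bytes from any real service. */
static const uint8_t code_segment[64] = {
    0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90, 0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,
    /* 0x10: function_2 body: push rbp; mov rbp,rsp; xor eax,eax; pop rbp; ret */
    0x55,0x48,0x89,0xe5,0x31,0xc0,0x5d,0xc3, 0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,
    /* 0x20: version string */
    'v','1','.','2',0x00,0x90,0x90,0x90, 0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,
    /* 0x30: service_func body: push rbp; mov rbp,rsp; mov eax,0x2a; pop rbp; ret */
    0x55,0x48,0x89,0xe5,0xb8,0x2a,0x00,0x00, 0x00,0x5d,0xc3,0x90,0x90,0x90,0x90,0x90,
};

struct vstring { size_t offset; const char *version; };
static const struct vstring vstring_table[] = { { 0x20, "v1.1" }, { 0x20, "v1.2" } };

/* A signature is a byte pattern plus a mask; mask 0 marks a wildcard byte
 * (here the 32-bit immediate of mov eax, which differs between builds). */
struct signature { const char *name; const uint8_t *bytes; const uint8_t *mask; size_t len; };
static const uint8_t sf_v11[]  = {0x55,0x48,0x89,0xe5,0xb8,0,0,0,0,0xc9,0xc3}; /* ends leave; ret */
static const uint8_t sf_v12[]  = {0x55,0x48,0x89,0xe5,0xb8,0,0,0,0,0x5d,0xc3}; /* ends pop rbp; ret */
static const uint8_t sf_mask[] = {1,1,1,1,1,0,0,0,0,1,1};
static const uint8_t f2_v11[]  = {0x55,0x48,0x89,0xe5,0x31,0xc0,0xc9,0xc3};
static const uint8_t f2_v12[]  = {0x55,0x48,0x89,0xe5,0x31,0xc0,0x5d,0xc3};
static const uint8_t f2_mask[] = {1,1,1,1,1,1,1,1};

struct version_sigs { const char *version; const struct signature *sigs; size_t count; };
static const struct signature sigs_v11[] = {
    { "service_func", sf_v11, sf_mask, sizeof sf_v11 }, { "function_2", f2_v11, f2_mask, sizeof f2_v11 } };
static const struct signature sigs_v12[] = {
    { "service_func", sf_v12, sf_mask, sizeof sf_v12 }, { "function_2", f2_v12, f2_mask, sizeof f2_v12 } };
static const struct version_sigs signature_db[] = { { "v1.1", sigs_v11, 2 }, { "v1.2", sigs_v12, 2 } };

/* Step 1: check every vstring entry against the code; returns the matched version or NULL. */
const char *detect_version(const uint8_t *code, size_t len) {
    for (size_t i = 0; i < sizeof vstring_table / sizeof vstring_table[0]; i++) {
        const struct vstring *v = &vstring_table[i];
        size_t n = strlen(v->version) + 1;                 /* compare the terminator too */
        if (v->offset + n <= len && memcmp(code + v->offset, v->version, n) == 0)
            return v->version;
    }
    return NULL;
}

/* Masked byte search over the segment; returns the match offset or -1. */
long find_signature(const uint8_t *code, size_t len, const struct signature *s) {
    if (s->len == 0 || s->len > len) return -1;
    for (size_t off = 0; off + s->len <= len; off++) {
        size_t k = 0;
        while (k < s->len && (!s->mask[k] || code[off + k] == s->bytes[k])) k++;
        if (k == s->len) return (long)off;
    }
    return -1;
}

struct symbol { const char *name; uintptr_t addr; };
static struct symbol symtab[MAX_SYMBOLS];
static size_t symtab_count;

/* Step 2: pick the detected version's signature set and build the symbol table.
 * Returns the number of symbols found, or -1 when no version string matched. */
int build_symbol_table(const uint8_t *code, size_t len, uintptr_t base) {
    const char *ver = detect_version(code, len);
    if (ver == NULL) return -1;
    symtab_count = 0;
    for (size_t i = 0; i < sizeof signature_db / sizeof signature_db[0]; i++) {
        if (strcmp(signature_db[i].version, ver) != 0) continue;
        for (size_t j = 0; j < signature_db[i].count && symtab_count < MAX_SYMBOLS; j++) {
            long off = find_signature(code, len, &signature_db[i].sigs[j]);
            if (off < 0) continue;                         /* signature absent in this build */
            symtab[symtab_count].name = signature_db[i].sigs[j].name;
            symtab[symtab_count].addr = base + (uintptr_t)off;
            symtab_count++;
        }
    }
    return (int)symtab_count;
}

/* Resolve-reference step: look a name up in the symbol table; 0 when unresolved. */
uintptr_t lookup_symbol(const char *name) {
    for (size_t i = 0; i < symtab_count; i++)
        if (strcmp(symtab[i].name, name) == 0) return symtab[i].addr;
    return 0;
}

int main(void) {
    int n = build_symbol_table(code_segment, sizeof code_segment, CODE_BASE);
    printf("version %s, %d symbols\n", detect_version(code_segment, sizeof code_segment), n);
    for (size_t i = 0; i < symtab_count; i++)
        printf("  %-14s 0x%lx\n", symtab[i].name, (unsigned long)symtab[i].addr);
    return n > 0 ? 0 : 1;
}
```

A version string that is checked together with its terminator, and signatures that mask only the bytes known to vary between builds, keep the search from matching the wrong build; an unresolved symbol (lookup returning 0) should stop the inject script before the hook step rather than be patched over.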
8. Detail of Hooker Implementation
• hooker (in assembly, hooker.S)
  – placed at the selected function to jump to the hook-body; the sequence is:
    • push RAX
    • jump to hook-body
    • pop RAX, nop, nop and nop
• hook-body (in assembly, hooker.S)
  – calls the hook function in C
  – preserves the selected function's parameters (overwritten by the hook function), RAX (overwritten during the far jump) and the selected function's header code (overwritten by the hooker code); the sequence is:
    • push parameters of the selected function
    • call the hook function
    • pop parameters of the selected function
    • preserved execution binary of the selected function's header
    • jump to hooker's
• hook function (in C, hooker.c)
  a) references the selected function's original parameters,
  b) references global functions and data of the application,
  c) references functions of GLIBC,
  d) references global functions and global objects of the injected object.
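The hook-function contract of slides 4 and 8 (same parameters as the selected function, access to application data and GLIBC, return 1 to suppress the original, on/off switch) as an added example that is not code from the original slides. The service, its `service_func`, the `reply_buf` and `requests_served` globals and the request formats are constructed for this example; `service_func_dispatch` is a plain C stand-in for the assembly hook-body, so the contract can be exercised in one process without any binary patching.

```c
#include <stdio.h>
#include <string.h>

/* --- application side: constructed stand-in for the running service --- */
char reply_buf[64];          /* application data that the hook may read and write */
int  requests_served = 0;    /* application data that the hook may update */

/* The selected function: the service only understands "GET <name>" requests. */
int service_func(const char *req, size_t len) {
    if (len >= 4 && memcmp(req, "GET ", 4) == 0) {
        snprintf(reply_buf, sizeof reply_buf, "OK %.*s", (int)(len - 4), req + 4);
        requests_served++;
        return 0;
    }
    snprintf(reply_buf, sizeof reply_buf, "ERR");
    return -1;
}

/* --- injected side: what a hook function in hooker.c would look like --- */
int hook_enabled = 1;        /* the on/off switch for the new feature */

int set_hook_enabled(int on) { hook_enabled = on; return hook_enabled; }

/* Hook function: same parameters as service_func. Returns 1 when it handled
 * the request itself (the original must not run), 0 to fall through. */
int hook_service_func(const char *req, size_t len) {
    if (!hook_enabled) return 0;
    if (len >= 4 && memcmp(req, "NEW ", 4) == 0) {
        /* new service request: reuses application data and a GLIBC call */
        snprintf(reply_buf, sizeof reply_buf, "NEW-OK %.*s", (int)(len - 4), req + 4);
        requests_served++;
        return 1;
    }
    return 0;                /* original service request: let the original code run */
}

/* Stand-in for the hook-body: on the slides this dispatch is done by the
 * assembly placed at the selected function; here it is a plain C call. */
int service_func_dispatch(const char *req, size_t len) {
    if (hook_service_func(req, len) == 1)
        return 0;                          /* hook handled it: skip the original */
    return service_func(req, len);         /* original code path */
}

int main(void) {
    const char *reqs[] = { "GET a", "NEW b", "PUT c" };
    for (int pass = 0; pass < 2; pass++) {
        set_hook_enabled(pass == 0);
        for (size_t i = 0; i < 3; i++) {
            int rc = service_func_dispatch(reqs[i], strlen(reqs[i]));
            printf("hook %s  %-6s -> rc=%2d reply=\"%s\"\n",
                   hook_enabled ? "on " : "off", reqs[i], rc, reply_buf);
        }
    }
    return 0;
}
```

With the hook off, every request takes the original path, so the service behaves exactly as its unmodified binary; with it on, only requests the hook recognises are diverted, which is the stability trade-off described in the introduction.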