Using LD_PRELOAD analyzes HACK Linux user mode memory usage

LD_PRELOAD is an environment variable, which is used to load the dynamic library. The priority of dynamic library loading is the highest. Generally, its loading order is LD_PRELOAD > LD_ LIBRARY_ PATH > /etc/ld. so. cache > /lib>/usr/lib. In the program, we often call some functions of external libraries

Take malloc / free as an example. If we have a custom rand function, compile it into a dynamic library and use LD_PRELOAD loading, when the program calls the malloc/free function, the call is actually our custom function. Here is an example.

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stddef.h>
#include <stdint.h>
#include <fcntl.h>
#include <unistd.h>
#include <math.h>
#include <sys/ioctl.h>
 
#define DBG(fmt, ...)   do { printf("%s line %d, "fmt"\n", __func__, __LINE__, ##__VA_ARGS__); } while (0)

//extern unsigned int abcdef;
int main(void)
{
	void *p = malloc(256);
	//DBG("abcdef = 0x%x", abcdef);
	if(p == NULL)
	{
	    DBG("malloc p is null.");
	}
	else
	{
	    DBG("p = %p.", p);
	}

	free(p);
	//DBG("abcdef = 0x%x", abcdef);
	p = NULL;

	return 0;
}

Run after compilation, and the results are as follows:

As expected, the current call logic can be graphically represented as follows, main C directly calls to the C library.

Using LD_PRELOAD join HOOK:

Create a new wrapper So file, internally implement malloc/free, and ensure that the function prototype is completely consistent with the C library

#define _GNU_SOURCE

#include <stdio.h>
#include <stddef.h>
#include <stdint.h>
#include <dlfcn.h>
 
#define DBG(fmt, ...)   do { printf("%s line %d, "fmt"\n", __func__, __LINE__, ##__VA_ARGS__); } while (0)

unsigned int abcdef = 0;
void *malloc(size_t size)
{
	void *ret;

	static void* (*realmalloc)(size_t size) = NULL;

	if(realmalloc == NULL)
	{
		realmalloc = dlsym(RTLD_NEXT, "malloc");
	}

	if(realmalloc == NULL)
	{
		return NULL;
	}

	//DBG("malloc");
	ret = realmalloc(size);
	abcdef = 0xdeadbeef;

	return ret;
}

void free(void *p)
{
	static void* (*realfree)(void* p) = NULL;

	if(realfree == NULL)
	{
		realfree = dlsym(RTLD_NEXT, "free");
	}

	if(realfree == NULL)
	{
		return;
	}

	realfree(p);
	abcdef = 0xbeefdead;

    return;
}

Modify main c. Add the printing logic of abcdef variable to verify whether the process has reached the HOOK library we expect. After testing, wrapper If you add a print statement in C, a segment error will appear at run time, so this is also a last resort.

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stddef.h>
#include <stdint.h>
#include <fcntl.h>
#include <unistd.h>
#include <math.h>
#include <sys/ioctl.h>
 
#define DBG(fmt, ...)   do { printf("%s line %d, "fmt"\n", __func__, __LINE__, ##__VA_ARGS__); } while (0)

extern unsigned int abcdef;
int main(void)
{
	void *p = malloc(256);
	DBG("abcdef = 0x%x", abcdef);
	if(p == NULL)
	{
	    DBG("malloc p is null.");
	}
	else
	{
	    DBG("p = %p.", p);
	}

	free(p);
	DBG("abcdef = 0x%x", abcdef);
	p = NULL;

	return 0;
}

Compile wrapper So, the - ldl option must be added, otherwise a segment error will occur. The reason will be explained later. You must also add - fPIC because wrapper There are references to global variables in so.

gcc --shared wrapper.c -o wrapper.so -ldl -fPIC

Compile the main function and export environment variables

$ gcc main.c -L./ wrapper.so
$ export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/home/caozilong/Workspace/hook
$ LD_PRELOAD=./wrapper.so ./a.out

According to the program flow and printing, the main program first enters wrapper malloc/free implementation in C, and then call the real malloc/free implementation in C library through the latter. Because there is a layer of transfer in the middle, we can do something here, add some debugging, analyze information and solve specific problems. The graphic representation is as follows: