Does not seem to work
Hi. Thanks for writing this demonstration. I enjoyed your writeup, though I am unable to get it to work. I was hoping to use this in my own research for looking at memory analysis...
Given this is from a while ago, I did try this on a CentOS 7 from 2017. It does seem to run, after updating the library names, but the injection library doesn't seem to get loaded or run. This is with dl 2.17. Each time I run it, it does seem to add an anonymous block of 0x1000 bytes to the map in the target, but nothing else. Target remains running. Is there a good way to debug this?
I had initially tried this on Python 3 using the latest Fedora 38. There are some easy changes, such as filter now returning an iterator and not a list, the "libc-" search needing "libc.", and null-terminated strings seeming to need to be handled differently. However, I can never get it to find __libc_dlopen_mode. I had some success loading libc with dlopen using mode 2 (RTLD_NOW) rather than your mode 0, but I can never locate the __libc_dlopen_mode function. I can, however, still see it using:
readelf -Ws /usr/lib64/libc.so.6 | grep dlopen
I did use the offset from readelf to get past this point, but although I get an address back which looks promising for the injection DL, the target then crashes. Happy to try something to debug that if you can suggest something?
Any help appreciated.
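The anonymous 0x1000-byte mapping described in this report is exactly the kind of artifact a memory-analysis pass can look for. The following is an added example, not code from this thread or from the project being discussed: a parser for the /proc/<pid>/maps format that reports anonymous executable regions, which ordinary processes rarely have outside the kernel's own [vdso]/[vsyscall] mappings. The maps text embedded at the bottom is constructed for the example, and the address of the injected page in it is made up.

```python
"""Flag anonymous executable mappings in /proc/<pid>/maps (added example)."""
from __future__ import annotations

import re
from dataclasses import dataclass

PAGE_SIZE = 0x1000

# Anonymous pseudo-mappings created by the kernel; these are expected to be executable.
KERNEL_PSEUDO = {"[vdso]", "[vsyscall]"}

# One maps line: start-end perms offset dev inode [path]
MAPS_LINE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>[rwxsp-]{4})\s+"
    r"(?P<offset>[0-9a-f]+)\s+(?P<dev>[0-9a-f]+:[0-9a-f]+)\s+(?P<inode>\d+)"
    r"(?:\s+(?P<path>.*))?$"
)


@dataclass(frozen=True)
class Region:
    start: int
    end: int
    perms: str
    inode: int
    path: str

    @property
    def size(self) -> int:
        return self.end - self.start

    @property
    def anonymous(self) -> bool:
        # inode 0 means no file on a filesystem backs this mapping
        return self.inode == 0

    @property
    def executable(self) -> bool:
        return "x" in self.perms


def parse_maps(text: str) -> list[Region]:
    """Parse the text of a /proc/<pid>/maps file into Region records."""
    regions = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = MAPS_LINE.match(line)
        if m is None:
            raise ValueError(f"unrecognised maps line: {line!r}")
        regions.append(Region(
            start=int(m["start"], 16),
            end=int(m["end"], 16),
            perms=m["perms"],
            inode=int(m["inode"]),
            path=(m["path"] or "").strip(),
        ))
    return regions


def suspicious_regions(regions: list[Region]) -> list[Region]:
    """Anonymous, executable mappings that the kernel did not create itself."""
    return [r for r in regions
            if r.anonymous and r.executable and r.path not in KERNEL_PSEUDO]


def describe(r: Region) -> str:
    pages = r.size // PAGE_SIZE
    label = r.path or "<anonymous>"
    return f"{r.start:#x}-{r.end:#x} {r.perms} {r.size:#x} bytes ({pages} page(s)) {label}"


def scan_pid(pid: int) -> list[Region]:
    """Read a live process's maps (Linux only) and return the flagged regions."""
    with open(f"/proc/{pid}/maps") as f:
        return suspicious_regions(parse_maps(f.read()))


# Constructed sample: a small process with one foreign rwx page at 0x7f3a1c400000.
SAMPLE_MAPS = """\
55d0c2a00000-55d0c2a01000 r--p 00000000 fd:01 1234567 /usr/bin/sleep
55d0c2a01000-55d0c2a05000 r-xp 00001000 fd:01 1234567 /usr/bin/sleep
7f3a1c000000-7f3a1c1ea000 r-xp 00000000 fd:01 7654321 /usr/lib64/libc.so.6
7f3a1c400000-7f3a1c401000 rwxp 00000000 00:00 0
7f3a1c600000-7f3a1c800000 rw-p 00000000 00:00 0
7ffd2b9f0000-7ffd2ba11000 rw-p 00000000 00:00 0 [stack]
7ffd2bbfe000-7ffd2bc00000 r-xp 00000000 00:00 0 [vdso]
"""

if __name__ == "__main__":
    for region in suspicious_regions(parse_maps(SAMPLE_MAPS)):
        print(describe(region))
```

Run against a live process with scan_pid(pid) on Linux; on the constructed sample only the single rwxp page is reported, while the [vdso] mapping and the plain rw- anonymous heap-like region are not.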
I have updated the code and fixed the issues in general. You can get it from my fork, or from the pull request here.