使用dlsym()的RTLD_NEXT来实现库函数拦截
需求描述
需要对文件的打开与执行,加日志收集。
需求分析
本文对该需求,使用库函数钩子的方案。
库函数钩子
#define _GNU_SOURCE
#include <dlfcn.h>
#define _FCNTL_H
#include <sys/types.h>
#include <bits/fcntl.h>
#include <stddef.h>
extern int errorno;
int __thread (*_open)(const char * pathname, int flags, ...) = NULL;
int __thread (*_open64)(const char * pathname, int flags, ...) = NULL;
int open(const char * pathname, int flags, mode_t mode)
{
if (NULL == _open) {
_open = (int (*)(const char * pathname, int flags, ...)) dlsym(RTLD_NEXT, "open");
}
printf("intercepted open: %s\n",pathname);
if(flags & O_CREAT)
return _open(pathname, flags | O_NOATIME, mode);
else
return _open(pathname, flags | O_NOATIME, 0);
}
int open64(const char * pathname, int flags, mode_t mode)
{
if (NULL == _open64) {
_open64 = (int (*)(const char * pathname, int flags, ...)) dlsym(RTLD_NEXT, "open64");
}
printf("intercepted open64: %s\n",pathname);
if(flags & O_CREAT)
return _open64(pathname, flags | O_NOATIME, mode);
else
return _open64(pathname, flags | O_NOATIME, 0);
}
static int (*real_execve)(const char *filename, char *const argv[], char *const envp[])=0;
int execve(const char *filename, char *const argv[], char *const envp[])
{
if (!real_execve) {
real_execve = dlsym(RTLD_NEXT, "execve");
}
printf("intercepted execve: %s\n", filename);
return real_execve(filename, argv, envp);
}
为了方便演示,这里对库函数的修改部分只加了打印,执行时可以看到效果。
编译
thesre@HP-Z420-Workstation:~/library_call_intercept$ gcc -fPIC -c -o library_calls_hook.o library_calls_hook.c
library_calls_hook.c: In function ‘open’:
library_calls_hook.c:32:5: warning: implicit declaration of function ‘printf’ [-Wimplicit-function-declaration]
32 | printf("intercepted open: %s\n",pathname);
| ^~~~~~
library_calls_hook.c:32:5: warning: incompatible implicit declaration of built-in function ‘printf’
library_calls_hook.c:21:1: note: include ‘<stdio.h>’ or provide a declaration of ‘printf’
20 |
+++ |+
21 |
library_calls_hook.c: In function ‘open64’:
library_calls_hook.c:44:5: warning: incompatible implicit declaration of built-in function ‘printf’
44 | printf("intercepted open64: %s\n",pathname);
| ^~~~~~
library_calls_hook.c:44:5: note: include ‘<stdio.h>’ or provide a declaration of ‘printf’
library_calls_hook.c: In function ‘execve’:
library_calls_hook.c:57:5: warning: incompatible implicit declaration of built-in function ‘printf’
57 | printf("intercepted execve: %s\n", filename);
| ^~~~~~
library_calls_hook.c:57:5: note: include ‘<stdio.h>’ or provide a declaration of ‘printf’
thesre@HP-Z420-Workstation:~/library_call_intercept$ gcc -shared -o library_calls_hook.so library_calls_hook.o -ldl
通过LD_PRELOAD使用
thesre@HP-Z420-Workstation:~/library_call_intercept$ LD_PRELOAD=./library_calls_hook.so ./test
intercepted execve: /bin/date
intercepted open: /home/thesre/library_call_intercept/hello.txt
openfile succeeded!
thesre@HP-Z420-Workstation:~/library_call_intercept$ LD_PRELOAD=./library_calls_hook.so cat hello.txt
intercepted open: hello.txt
line 1
line 2
line 3
line 4
line 5
参考资料
http://optumsoft.com/dangers-of-using-dlsym-with-rtld_next/
|