11

How do I, at run-time (no LD_PRELOAD), intercept/hook a C function like fopen() on Linux, a la Detours for Windows? I'd like to do this from Python (hence, I'm assuming that the program is already running a CPython VM) and also reroute to Python code. I'm fine with just hooking shared library functions. I'd also like to do this without having to change the way the program is run.

One idea is to roll my own tool based on ptrace(), or on rewriting code found with dlsym() or in the PLT, and targeting ctypes-generated C-callable functions, but I thought I'd ask here first. Thanks.

Improve this question
13
  • How would you do it with LD_PRELOAD? Commented Feb 4, 2011 at 0:10
  • You'll need to write a native module to do the low-level work for you. Even if you manage to access and modify the PLT from Python (which is probably possible), you'll need code to launch the Python VM. Commented Feb 4, 2011 at 0:43
  • 1
    @Matt Joiner: By the way you're asking your question, I take it you don't like something I said, in which case it would be productive/constructive if you could be more specific. But in case you were really just asking, this is how you do function interposition non-dynamically: stackoverflow.com/questions/426230/what-is-the-ld-preload-trick (and, yes, I've applied this many a time before) Commented Feb 4, 2011 at 0:51
  • @Glenn Maynard: Sorry if my question wasn't clear - I mentioned I'd like to do this from Python, so the assumption is that the VM is already running. But anyway I tweaked the question to clarify this. Manipulating the PLT from Python is precisely what I was getting at with my strawman. Commented Feb 4, 2011 at 0:59
  • It's not about creating the VM instance, it's about calling into it; you can't point the PLT at a Python function, after all, you need to point it at native code that calls the Python runtime and runs the function you want. Commented Feb 4, 2011 at 1:29

2 Answers 2

Reset to default
2

You'll find from one of ltrace developer a way to do this. See this post, which includes a full patch in order to catch dynamically loaded library. In order to call it from python, you'll probably need to make a C module.

Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

2

google-perftools has their own implementation of Detour under src/windows/preamble_patcher* . This is windows-only at the moment, but I don't see any reason it wouldn't work on any x86 machine except for the fact that it uses win32 functions to look up symbol addresses.

A quick scan of the code and I see these win32 functions used, all of which have linux versions:

  • GetModuleHandle/GetProcAddress : get the function address. dlsym can do this.
  • VirtualProtect : to allow modification of the assembly. mprotect.
  • GetCurrentProcess: getpid
  • FlushInstructionCache (apparently a nop according to the comments)

It doesn't seem too hard to get this compiled and linked into python, but I'd send a message to the perftools devs and see what they think.

Improve this answer

3 Comments

Care to explain what assembly is modified?
Please link to the mentioned source file.
code.google.com/codesearch#BGeH2W13jNw/trunk/src/windows/…, win32 function calls leave a few instructions at the start of every function call that can be changed into a jump to whatever function you want.

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.