Hullo there,
I’m writing a simple debugger and have found myself way out of my depth. A Google search on my questions only turns up dodgy black hat websites and obsolete tutorials.
I’d like to know:
1) With Address Space Layout Randomisation, obviously the traced executable and any libraries it uses could be loaded anywhere in memory. So how do I interpret DWARF info that says, for example, that “main” lives at 0x4F0? Do I add a constant to it? What library call will get me the true offset of the target program at runtime?
2) I have successfully managed to patch jmp instructions in the tracee to call libc functions indirectly via my own diagnostic functions. However, I’ve hit a big problem. Because I’m patching the Procedure Linkage Table via an injected .so, the functions are only patched locally in the shared object. Calling from the tracee results in the real functions being called. I’d like to access the main program’s PLT. How can I calculate its location programmatically? I’d rather the debuggee doesn’t have to be recompiled or cooperate with this in any way, i.e. it shouldn’t need to know it’s being debugged.
And yes, I’m using Linux. I have FreeBSD installed in a virtual machine and intend to switch to that once the project has matured a bit. So Linuxy answers, or better still a cross-platform solution, would be great.
Thanks in advance.
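An added example (not from the post or any reply) of both lookups done from inside the tracee on Linux, e.g. from the injected .so: the load bias from the auxiliary vector (`getauxval`, assumed available: glibc 2.16+ or musl) and the main program's PLT GOT slots from its PT_DYNAMIC. The `fix` helper and the symbol-index shift are my own assumptions about loader and ELF-class behaviour, flagged in comments.

```c
#include <elf.h>
#include <link.h>      /* ElfW() */
#include <stdint.h>
#include <stdio.h>
#include <sys/auxv.h>
struct main_obj { ElfW(Addr) bias; const ElfW(Phdr) *phdr; size_t phnum; };
/* Assumption: glibc rewrites the dynamic section's d_ptr values to runtime addresses in place, musl leaves them link-time relative; add the bias only if a value still looks unrelocated. */
static ElfW(Addr) fix(ElfW(Addr) v, ElfW(Addr) bias) { return v < bias ? v + bias : v; }
/* The kernel passes the process its own program headers in the auxiliary vector; PT_PHDR's p_vaddr is their link-time address, so the difference is the load bias (0 for a non-PIE executable). */
static struct main_obj get_main(void) {
    struct main_obj m = { 0, (const ElfW(Phdr) *)getauxval(AT_PHDR), getauxval(AT_PHNUM) };
    for (size_t i = 0; i < m.phnum; i++)
        if (m.phdr[i].p_type == PT_PHDR) m.bias = (ElfW(Addr))(uintptr_t)m.phdr - m.phdr[i].p_vaddr;
    return m;
}
/* Q1: a DWARF link-time address (e.g. main at 0x4F0) plus the load bias is the runtime address. */
ElfW(Addr) main_load_bias(void) { return get_main().bias; }
void *runtime_address(ElfW(Addr) link_time_addr) { return (void *)(uintptr_t)(main_load_bias() + link_time_addr); }
/* Self-check: strip the bias and see whether the address lies in an executable PT_LOAD segment. */
int in_main_text(const void *p) {
    struct main_obj m = get_main(); ElfW(Addr) a = (ElfW(Addr))(uintptr_t)p - m.bias;
    for (size_t i = 0; i < m.phnum; i++)
        if (m.phdr[i].p_type == PT_LOAD && (m.phdr[i].p_flags & PF_X) &&
            a >= m.phdr[i].p_vaddr && a - m.phdr[i].p_vaddr < m.phdr[i].p_memsz) return 1;
    return 0;
}
/* Q2: the main program's PLT GOT slots are described by PT_DYNAMIC (DT_JMPREL, DT_PLTRELSZ, DT_PLTREL); print each slot's runtime address and symbol name, and return the number of slots. */
size_t list_main_plt_slots(void) {
    struct main_obj m = get_main(); const ElfW(Dyn) *dyn = NULL;
    for (size_t i = 0; i < m.phnum; i++)
        if (m.phdr[i].p_type == PT_DYNAMIC) dyn = (const ElfW(Dyn) *)(uintptr_t)(m.bias + m.phdr[i].p_vaddr);
    if (!dyn) return 0;                             /* statically linked: no dynamic section, no PLT */
    ElfW(Addr) jmprel = 0, symtab = 0, strtab = 0, relsz = 0, reltype = DT_RELA;
    for (; dyn->d_tag != DT_NULL; dyn++) {
        if (dyn->d_tag == DT_JMPREL) jmprel = dyn->d_un.d_ptr;
        else if (dyn->d_tag == DT_PLTRELSZ) relsz = dyn->d_un.d_val;
        else if (dyn->d_tag == DT_PLTREL) reltype = dyn->d_un.d_val;
        else if (dyn->d_tag == DT_SYMTAB) symtab = dyn->d_un.d_ptr;
        else if (dyn->d_tag == DT_STRTAB) strtab = dyn->d_un.d_ptr;
    }
    if (!jmprel || !relsz || !symtab || !strtab) return 0;
    jmprel = fix(jmprel, m.bias); symtab = fix(symtab, m.bias); strtab = fix(strtab, m.bias);
    size_t entsz = reltype == DT_RELA ? sizeof(ElfW(Rela)) : sizeof(ElfW(Rel)), n = relsz / entsz;
    for (size_t i = 0; i < n; i++) {
        const ElfW(Rel) *r = (const ElfW(Rel) *)(uintptr_t)(jmprel + i * entsz); /* Rel is a prefix of Rela */
        const ElfW(Sym) *s = (const ElfW(Sym) *)(uintptr_t)symtab + ((size_t)(r->r_info >> 8) >> (sizeof(ElfW(Addr)) == 8 ? 24 : 0)); /* ELF64_R_SYM (>>32) or ELF32_R_SYM (>>8) */
        printf("GOT slot %p -> %s\n", (void *)(uintptr_t)(m.bias + r->r_offset), (const char *)(uintptr_t)strtab + s->st_name);
    }
    return n;
}
```

From the debugger process the same AT_PHDR and AT_PHNUM values can be read from /proc/<pid>/auxv, so the bias is computable without any cooperation from the tracee. Every DWARF address in the executable, not only main's, gets that same bias added.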