Hooking on Linux

Introduction

What is hooking?
[image: what_is_hooking.png]

Relies on dynamically linked binaries

most binaries are dynamic.

    $ file /usr/bin/* | grep dynamic | wc -l
    1500

Hooking libc is an obvious choice
- open source
- everything uses libc

Picking a libc function to hook

strcmp: compare two strings

Why? Because:

    if strcmp("user password", saved_password) == 0
        Access granted
    else
        Access denied

Goal: print out saved password

Step 1: Find the source, Luke

Step 2: Find the implementation

Step 3: Code your goals, you can do it!

Caveats
☢ retain the original implementation (or not)
☢ segfaults
☢ low level C can be hard
☢ segfaults

Step 4: isolate and compile as shared object

Step 5: trick the linker

LD_PRELOAD is bae

Questions?
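A defender's counterpart to Step 5, as an added example that is not from the original slides: LD_PRELOAD reaches the dynamic linker through the process environment, so the entries a process was started with can be read back from the NUL-separated block in /proc/<pid>/environ. The function name preload_entries and the MAX_LIBS / MAX_PATH_LEN limits are assumptions chosen for this example.

```c
#include <stdio.h>
#include <string.h>

#define MAX_LIBS 16        /* assumed limit for this example */
#define MAX_PATH_LEN 256   /* assumed limit for this example */

/* Scan a NUL-separated environment block (the layout of /proc/<pid>/environ)
 * for LD_PRELOAD and split its value on ':' or ' ', the separators ld.so
 * accepts. Returns the number of library entries copied into libs. */
int preload_entries(const char *env, size_t len, char libs[][MAX_PATH_LEN])
{
    static const char key[] = "LD_PRELOAD=";
    const size_t klen = sizeof key - 1;
    int n = 0;
    size_t i = 0;

    while (i < len) {
        /* One VAR=value entry; the last one may lack its terminating NUL. */
        const char *nul = memchr(env + i, '\0', len - i);
        size_t vlen = nul ? (size_t)(nul - (env + i)) : len - i;
        if (vlen > klen && memcmp(env + i, key, klen) == 0) {
            const char *p = env + i + klen, *end = env + i + vlen;
            while (p < end && n < MAX_LIBS) {
                size_t tok = 0;
                while (p + tok < end && p[tok] != ':' && p[tok] != ' ')
                    tok++;
                if (tok > 0 && tok < MAX_PATH_LEN) {  /* skip empty/oversized */
                    memcpy(libs[n], p, tok);
                    libs[n][tok] = '\0';
                    n++;
                }
                p += tok;
                if (p < end)
                    p++;                              /* step over separator */
            }
        }
        i += vlen + 1;
    }
    return n;
}

int main(void)
{
    static char buf[65536];
    char libs[MAX_LIBS][MAX_PATH_LEN];
    FILE *f = fopen("/proc/self/environ", "rb");
    if (!f) { perror("/proc/self/environ"); return 1; }
    size_t len = fread(buf, 1, sizeof buf, f);
    fclose(f);
    int n = preload_entries(buf, len, libs);
    for (int i = 0; i < n; i++)
        printf("preloaded: %s\n", libs[i]);
    return 0;
}
```

/proc/<pid>/environ shows the environment the process was started with, which is what the dynamic linker saw; the system-wide /etc/ld.so.preload file is a separate preload source that this check does not cover.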