From: Alfonso A. <alf...@gm...> - 2012-12-12 21:48:14
On Wed, Dec 12, 2012 at 9:03 PM, John Reiser <jr...@bi...> wrote:
>
> Read and understand valgrind's code for re-direction. Apply some low-level debugger
> such as gdb (or perhaps valgrind's internal vgdb) to see what actually happens.

Thanks for the vgdb tip! By using vgdb together with --trace-redir I managed to further diagnose the problem. I think I already know what's happening but I am not sure how to solve it (I still need to dive into valgrind's sources though).

I will illustrate the situation with a simplified example. Let this be a function to hijack, calloc for instance:

calloc:
    instruction1
    instruction2
    instruction3
    ...

In order to hijack it, we patch the first instruction so that it jumps to our own hijacker:

calloc:
    jmp calloc_hijacker
    instruction2
    instruction3
    ...

calloc_hijacker:
    ....

But, since we want to still call the original version of calloc, we allocate a buffer to save the first instruction (orig_calloc):

orig_calloc:
    instruction1
    jmp calloc+1

I believe that the problem is that valgrind has a redirection for calloc, that is:

calloc -> _vgr10070ZU_libcZdsoZa_calloc

But after "moving" the start of calloc to orig_calloc, we want:

orig_calloc -> _vgr10070ZU_libcZdsoZa_calloc

Is there a way to reassign redirections?

>
> Or, use LD_PRELOAD, which is the "blessed" mechanism for hooking.

It works!

> and it takes only a few hours to try.
> See the thread in [valgrind-users] Subject: __malloc_hook by Amir Szekely on 2012-10-19,
> my response on Oct.22, and Amir's confirmation of success on Oct.23 (which includes
> his actual code.)

We initially implemented hijacking using LD_PRELOAD, exactly as described in the thread you are pointing to. Later I resorted to this approach for a few reasons that, as I mentioned, I believe not to be worth discussing.
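As an added illustration of the LD_PRELOAD mechanism John's reply recommends (this is example code written for this page, not code from the thread, from Amir's post, or from Valgrind): a minimal calloc interposer that counts allocations. The part worth seeing is the failure mode that bites first-time hookers of calloc specifically: on some glibc versions dlsym() itself allocates, so the hook is re-entered before the real calloc is known. The example handles that with a small static arena that is only used while dlsym() is running. It assumes Linux/glibc; the helper names (hook_is_bootstrap, hook_calloc_count, hook_selftest, bootstrap_calloc) are my own.

```c
/* Added example: an LD_PRELOAD-style calloc interposer (not code from the
 * thread or from Valgrind). Build as a shared object and load it with
 * LD_PRELOAD, or link it into a test program; either way the calloc() defined
 * here shadows libc's, and RTLD_NEXT resolves the real one behind it.
 * Assumes Linux/glibc. Helper names (hook_*) are hypothetical. */
#define _GNU_SOURCE
#include <dlfcn.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef void *(*calloc_fn)(size_t, size_t);
typedef void (*free_fn)(void *);

static calloc_fn real_calloc;      /* libc's calloc, resolved lazily */
static free_fn   real_free;        /* libc's free, resolved lazily */
static int       resolving;        /* set while dlsym() is running */
static unsigned long call_count;   /* calloc calls forwarded to libc */

/* Bump arena used only while dlsym() is resolving the real calloc: some glibc
 * versions allocate inside dlsym(), which re-enters calloc() below before
 * real_calloc is known. Static storage is already zero-filled and is never
 * reused, so every block handed out satisfies calloc's zeroing contract. */
static char   bootstrap[4096];
static size_t bootstrap_used;

static void *bootstrap_calloc(size_t n, size_t size)
{
    size_t total = n * size;
    if (size != 0 && total / size != n)           /* n*size overflowed */
        return NULL;
    total = (total + 15) & ~(size_t)15;           /* keep 16-byte alignment */
    if (bootstrap_used + total > sizeof bootstrap)
        return NULL;
    void *p = bootstrap + bootstrap_used;
    bootstrap_used += total;
    return p;
}

/* True if p came from the arena; such pointers must never reach libc's free(). */
int hook_is_bootstrap(const void *p)
{
    const char *c = (const char *)p;
    return c >= bootstrap && c < bootstrap + sizeof bootstrap;
}

void *calloc(size_t n, size_t size)
{
    if (real_calloc == NULL) {
        if (resolving)                        /* re-entered from inside dlsym() */
            return bootstrap_calloc(n, size);
        resolving = 1;
        real_calloc = (calloc_fn)dlsym(RTLD_NEXT, "calloc");
        resolving = 0;
        if (real_calloc == NULL)              /* nothing behind us: fail closed */
            return NULL;
    }
    void *p = real_calloc(n, size);
    if (p != NULL)
        call_count++;
    return p;
}

void free(void *p)
{
    if (p == NULL || hook_is_bootstrap(p))    /* arena blocks are never released */
        return;
    if (real_free == NULL)
        real_free = (free_fn)dlsym(RTLD_NEXT, "free");
    if (real_free != NULL)
        real_free(p);
}

unsigned long hook_calloc_count(void) { return call_count; }

/* Self-check: a forwarded allocation is zeroed, counted and not from the arena;
 * an arena block is zeroed and survives free() untouched. Returns 1 on success. */
int hook_selftest(void)
{
    static const unsigned char zeros[64];
    unsigned long before = hook_calloc_count();
    unsigned char *p = calloc(8, 8);
    if (p == NULL || hook_is_bootstrap(p) || memcmp(p, zeros, 64) != 0)
        return 0;
    if (hook_calloc_count() != before + 1)
        return 0;
    free(p);
    unsigned char *q = bootstrap_calloc(3, 5);
    if (q == NULL || !hook_is_bootstrap(q) || memcmp(q, zeros, 15) != 0)
        return 0;
    free(q);                                  /* must be a no-op, not a crash */
    return 1;
}

int main(void)
{
    printf("selftest: %s, forwarded calloc calls: %lu\n",
           hook_selftest() ? "ok" : "FAILED", hook_calloc_count());
    return 0;
}
```

To use it as a preload, compile with gcc -shared -fPIC -o hook.so hook.c (add -ldl on glibc older than 2.34) and run LD_PRELOAD=./hook.so ./program; the main() is only there so the file also runs stand-alone. The resolving flag is a plain global, so the arena fallback is not thread-safe; a production hook would make it _Thread_local or resolve the real functions from a constructor before any threads exist.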