grsecurity forums

[sinlock]

Hello,

I have a little question. What is the official endorsed way for f.e. a plugin to a specific software to hook some functionality in the original software through direct code manipulation.

The problem I have is, that I need to exchange functionality of some functions in a Software, that are not meant to be hooked. Without anything like PAX/Grsecurity I would simply get the address of the function and overwrite the beginning with a stub that jumps to me. (Much like you would see it in a virus or rootkit or so...)

Obviously self modifying code like this should not work with PAX. Is there any "compatible" way to get parts of the code writeable, write to it and later remove the writeable bit?

-s

[PaX Team]

Obviously self modifying code like this should not work with PAX. Is there any "compatible" way to get parts of the code writeable, write to it and later remove the writeable bit?

in the 'best' PaX/grsec setup, there's no such way (modulo kernel bugs but using that in a product is a sure way of its quick getting fixed ;-). if you (or your users) are willing to weaken their setup (even if per app only) then there're a few ways.

1. disable MPROTECT, that will allow runtime code generation, both within the app and through ptrace.

2. if the target binary has textrelocs (not too likely in practice), then you can patch it at the time the text relocs are performed.

3. if you can get your own code run within the app (through file mapping, e.g., LD_PRELOAD), then you can also replace the app's file mapping with your own via mmap(MAP_FIXED), obviously you will have to produce the new file containing the patched code yourself beforehand (and you don't need to replace the whole mapping, only the pages that you want to modify). note that this gets around PaX but can still run against the grsec policy.