Hello me, this is going to be a short post about something that is very interesting to me, and I don't know how I have missed it all this time. I have known how to break binaries directly by debugging them, mostly Windows executables; I have even worked on DLL files, which are the counterpart of .so files on Linux: both are shared libraries that do the same job, the difference being that on the Linux side the loader and most of the libraries are open source. And I have seen many articles using this particular approach in many different ways (of course only after learning about it did I go and search for those articles).

A bit of a personal update: it has been a tough month actually. Progress in terms of self-development is zero; progress on the social level is a work in progress, but still progress. So you understand this, right! Anyway, the memorable thing I did this month was going on an office trip to Kerala. Personally I would prefer to go alone (or with only a few people accompanying me!), but gosh dang it! Anyway, let's not talk about it. :( In terms of development work (tech related), that is a big zero on the professional side as well as the personal side, except for a few Python scripts and spjs (that is a different topic to discuss entirely).
LD_PRELOAD is actually pretty basic if you think about it. It is an environment variable read by the Linux dynamic loader (ld.so): the shared objects it names are loaded before every other library, so any function they export shadows the same-named function in libc or in any other library the program links against. Take a library function such as getaddrinfo (the libc call that resolves a hostname to IP addresses; libcurl and most other network code go through it): write your own getaddrinfo in a small shared object, compile it with -shared -fPIC, and point LD_PRELOAD at it when you run the application you are interested in. You do not have to rebuild the library you are replacing; your copy simply wins the symbol lookup, and dlsym(RTLD_NEXT, ...) hands you the original if you still need to call it.
Actually, this could go south even if a small mistake is made, because your code now runs inside every process that inherits the variable. The development process looks like this. Take some app or program, for example ping: ping google.com gives you the IP address, the round-trip time and so on. Run strace ping google.com and you get all the system calls the ping binary makes (the trace is below). Note that strace shows system calls, and a system call is a trap into the kernel, so it cannot be replaced with LD_PRELOAD. What you can replace are the dynamically linked library functions that sit in front of those calls (socket, connect, sendto, getaddrinfo and so on), which ltrace ping google.com, or nm -D --undefined-only on the binary, will list for you. So you make a list of the library functions the app calls, write a custom implementation of the ones you care about, probably a malicious one, and take over the app.
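Here is what such a hook looks like in practice, as an added example that is not code from the original post or from the repository mentioned later. It interposes getaddrinfo, the libc function almost every network program calls to turn a hostname into addresses, refuses lookups for a constructed blocklist of domains, and forwards everything else to the real libc implementation found with dlsym(RTLD_NEXT, ...). The domain names ads.example and tracker.example, the LDHOOK_DEBUG environment variable and the host_is_blocked helper are all assumptions of this example:

```c
/* block.c - added example: an LD_PRELOAD hook that interposes getaddrinfo(3).
 * The blocklist below is constructed for illustration; nothing here comes from
 * the original post or the repository it links to.
 * Build: gcc -shared -fPIC -o libblock.so block.c -ldl
 * Use:   LD_PRELOAD=./libblock.so curl http://ads.example/ */
#define _GNU_SOURCE
#include <dlfcn.h>
#include <netdb.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>
#include <sys/socket.h>
#include <sys/types.h>

#ifndef RTLD_NEXT
/* glibc's value; normally provided by <dlfcn.h> when _GNU_SOURCE is set. */
#define RTLD_NEXT ((void *) -1l)
#endif

/* Constructed example blocklist (an assumption of this example). */
static const char *const blocked_domains[] = {
    "ads.example",
    "tracker.example",
    NULL,
};

/* Returns 1 if host equals a blocked domain or is a subdomain of one
 * (case-insensitive, trailing dot ignored), otherwise 0. */
int host_is_blocked(const char *host)
{
    if (host == NULL)
        return 0;
    size_t hlen = strlen(host);
    if (hlen > 0 && host[hlen - 1] == '.')   /* "ads.example." is still ads.example */
        hlen--;
    for (const char *const *d = blocked_domains; *d != NULL; d++) {
        size_t dlen = strlen(*d);
        if (hlen == dlen && strncasecmp(host, *d, dlen) == 0)
            return 1;
        /* subdomain: the label boundary before the suffix must be a dot */
        if (hlen > dlen && host[hlen - dlen - 1] == '.' &&
            strncasecmp(host + hlen - dlen, *d, dlen) == 0)
            return 1;
    }
    return 0;
}

typedef int (*getaddrinfo_fn)(const char *, const char *,
                              const struct addrinfo *, struct addrinfo **);

/* Our getaddrinfo is resolved first because a preloaded object precedes libc
 * in the lookup scope; dlsym(RTLD_NEXT, ...) skips us and finds libc's copy. */
int getaddrinfo(const char *node, const char *service,
                const struct addrinfo *hints, struct addrinfo **res)
{
    static getaddrinfo_fn real_getaddrinfo = NULL;

    if (host_is_blocked(node)) {
        if (getenv("LDHOOK_DEBUG") != NULL)    /* assumed debug switch */
            fprintf(stderr, "[ldhook] blocked lookup of %s\n", node);
        if (res != NULL)
            *res = NULL;
        return EAI_NONAME;   /* to the caller this looks like a host that does not exist */
    }

    if (real_getaddrinfo == NULL) {
        real_getaddrinfo = (getaddrinfo_fn) dlsym(RTLD_NEXT, "getaddrinfo");
        if (real_getaddrinfo == NULL) {
            fprintf(stderr, "[ldhook] dlsym(RTLD_NEXT, \"getaddrinfo\") failed: %s\n",
                    dlerror());
            return EAI_FAIL;   /* fail closed rather than recurse into ourselves */
        }
    }
    return real_getaddrinfo(node, service, hints, res);
}
```

Build it with gcc -shared -fPIC -o libblock.so block.c -ldl (the -ldl is only needed on glibc older than 2.34) and run LD_PRELOAD=./libblock.so curl http://ads.example/; curl reports that it could not resolve the host, while LD_PRELOAD=./libblock.so curl http://example.org/ behaves as usual. The hook only affects dynamically linked programs that get the variable: a statically linked binary, a set-user-ID program, or a client that resolves names through some other route (res_query, or its own DNS code) walks straight past it.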
The system calls ping made during ping google.com (strace ping google.com, run as an unprivileged user):
execve("/bin/ping", ["ping", "google.com"], 0x7fffe83a4978 /* 62 vars */) = 0
access("/etc/suid-debug", F_OK) = -1 ENOENT (No such file or directory)
brk(NULL) = 0x559075d1a000
fcntl(0, F_GETFD) = 0
fcntl(1, F_GETFD) = 0
fcntl(2, F_GETFD) = 0
access("/etc/suid-debug", F_OK) = -1 ENOENT (No such file or directory)
access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=113810, ...}) = 0
mmap(NULL, 113810, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7f76c189a000
close(3) = 0
access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libcap.so.2", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\20\30\0\0\0\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0644, st_size=22768, ...}) = 0
mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f76c1898000
mmap(NULL, 2117976, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f76c1489000
mprotect(0x7f76c148d000, 2097152, PROT_NONE) = 0
mmap(0x7f76c168d000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x4000) = 0x7f76c168d000
close(3) = 0
access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libidn.so.11", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\0+\0\0\0\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0644, st_size=206872, ...}) = 0
mmap(NULL, 2302000, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f76c1256000
mprotect(0x7f76c1288000, 2093056, PROT_NONE) = 0
mmap(0x7f76c1487000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x31000) = 0x7f76c1487000
close(3) = 0
access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/lib/x86_64-linux-gnu/libnettle.so.6", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\340\200\0\0\0\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0644, st_size=219304, ...}) = 0
mmap(NULL, 2314384, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f76c1020000
mprotect(0x7f76c1054000, 2093056, PROT_NONE) = 0
mmap(0x7f76c1253000, 12288, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x33000) = 0x7f76c1253000
close(3) = 0
access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libresolv.so.2", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\00008\0\0\0\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0644, st_size=101168, ...}) = 0
mmap(NULL, 2206336, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f76c0e05000
mprotect(0x7f76c0e1c000, 2097152, PROT_NONE) = 0
mmap(0x7f76c101c000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x17000) = 0x7f76c101c000
mmap(0x7f76c101e000, 6784, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7f76c101e000
close(3) = 0
access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\3\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\260\34\2\0\0\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0755, st_size=2030544, ...}) = 0
mmap(NULL, 4131552, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f76c0a14000
mprotect(0x7f76c0bfb000, 2097152, PROT_NONE) = 0
mmap(0x7f76c0dfb000, 24576, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1e7000) = 0x7f76c0dfb000
mmap(0x7f76c0e01000, 15072, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7f76c0e01000
close(3) = 0
mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f76c1896000
arch_prctl(ARCH_SET_FS, 0x7f76c1896f00) = 0
mprotect(0x7f76c0dfb000, 16384, PROT_READ) = 0
mprotect(0x7f76c101c000, 4096, PROT_READ) = 0
mprotect(0x7f76c1253000, 8192, PROT_READ) = 0
mprotect(0x7f76c1487000, 4096, PROT_READ) = 0
mprotect(0x7f76c168d000, 4096, PROT_READ) = 0
mprotect(0x559075bcc000, 4096, PROT_READ) = 0
mprotect(0x7f76c18b6000, 4096, PROT_READ) = 0
munmap(0x7f76c189a000, 113810) = 0
brk(NULL) = 0x559075d1a000
brk(0x559075d3b000) = 0x559075d3b000
capget({version=_LINUX_CAPABILITY_VERSION_3, pid=0}, NULL) = 0
capget({version=_LINUX_CAPABILITY_VERSION_3, pid=0}, {effective=0, permitted=0, inheritable=0}) = 0
capget({version=_LINUX_CAPABILITY_VERSION_3, pid=0}, NULL) = 0
capset({version=_LINUX_CAPABILITY_VERSION_3, pid=0}, {effective=0, permitted=0, inheritable=0}) = 0
prctl(PR_SET_KEEPCAPS, 1) = 0
getuid() = 1000
setuid(1000) = 0
prctl(PR_SET_KEEPCAPS, 0) = 0
getuid() = 1000
geteuid() = 1000
openat(AT_FDCWD, "/usr/lib/locale/locale-archive", O_RDONLY|O_CLOEXEC) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=10756928, ...}) = 0
mmap(NULL, 10756928, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7f76bffd1000
close(3) = 0
capget({version=_LINUX_CAPABILITY_VERSION_3, pid=0}, NULL) = 0
capget({version=_LINUX_CAPABILITY_VERSION_3, pid=0}, {effective=0, permitted=0, inheritable=0}) = 0
socket(AF_INET, SOCK_DGRAM, IPPROTO_ICMP) = -1 EACCES (Permission denied)
socket(AF_INET, SOCK_RAW, IPPROTO_ICMP) = -1 EPERM (Operation not permitted)
socket(AF_INET6, SOCK_DGRAM, IPPROTO_ICMPV6) = -1 EACCES (Permission denied)
socket(AF_INET6, SOCK_RAW, IPPROTO_ICMPV6) = -1 EPERM (Operation not permitted)
openat(AT_FDCWD, "/usr/share/locale/locale.alias", O_RDONLY|O_CLOEXEC) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=2995, ...}) = 0
read(3, "# Locale name alias data base.\n#"..., 4096) = 2995
read(3, "", 4096) = 0
close(3) = 0
openat(AT_FDCWD, "/usr/share/locale/en_IN.UTF-8/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/share/locale/en_IN.utf8/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/share/locale/en_IN/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/share/locale/en.UTF-8/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/share/locale/en.utf8/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/share/locale/en/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/share/locale-langpack/en_IN.UTF-8/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/share/locale-langpack/en_IN.utf8/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/share/locale-langpack/en_IN/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/share/locale-langpack/en.UTF-8/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/share/locale-langpack/en.utf8/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/share/locale-langpack/en/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
write(2, "ping: socket: Operation not perm"..., 38ping: socket: Operation not permitted
) = 38
exit_group(2) = ?
+++ exited with 2 +++

Two things are worth reading out of this trace. First, the access("/etc/ld.so.preload", R_OK) line near the top is the dynamic loader checking the system-wide preload file: anything listed there is loaded into every dynamically linked program on the machine, including programs that ignore the LD_PRELOAD variable, which is why the file is root-only and why it is a favourite hiding place for rootkits (worth checking on any box you are investigating). Second, ping dies with "socket: Operation not permitted". ping needs CAP_NET_RAW for its raw ICMP socket and normally gets it from the set-user-ID bit or from file capabilities, but when an unprivileged user runs it under strace the kernel refuses to grant that privilege to a traced process, so the capget calls show no capabilities at all and socket(AF_INET, SOCK_RAW, ...) returns EPERM (the SOCK_DGRAM attempts just before it are the unprivileged ping sockets, refused with EACCES because net.ipv4.ping_group_range does not include this user). The same privilege boundary matters for LD_PRELOAD: for a set-user-ID or capability-bearing binary the loader runs in secure-execution mode and ignores LD_PRELOAD from the environment (apart from slash-free names of set-user-ID libraries in the standard directories), so ping is a poor first target; pick a program that runs with your own privileges.
I saw a similar implementation recently that looks really awesome, and that made me write about this. I have known about this for some time now, but I cannot just let it go; the repository link is this: ld_preload. I am not saying this particular implementation (an ad blocker) should be used everywhere, I am just curious!
Look at the source, it is very fascinating how things are done in the Linux world; how come I never knew about this until a few months ago? Obviously you can argue that you can build a custom network filter on the Linux machine to achieve the same thing (only allow certain apps to make API calls), and there are several tools that do this. I am not disagreeing with you on that matter, but you cannot deny this approach either. A firewall sees packets after the process has already decided what to do; a preloaded hook sees the library call (the hostname handed to getaddrinfo, say) before any packet exists, though it only works for dynamically linked, non-set-user-ID programs that actually receive the variable.
I want to make something similar with this use case, "LD_PRELOAD to make life better!" If you have any ideas, just throw them in the comment section, or DM me personally! I'd love to do it. Anyway, see you next time, and Merry Christmas and a Happy New Year.