From owner-freebsd-hackers Sun Dec 10 12: 8:53 2000
From owner-freebsd-hackers@FreeBSD.ORG Sun Dec 10 12:08:51 2000
Return-Path:
Delivered-To: freebsd-hackers@freebsd.org
Received: from fledge.watson.org (fledge.watson.org [204.156.12.50]) by hub.freebsd.org (Postfix) with ESMTP id A81B637B6A0 for ; Sun, 10 Dec 2000 12:08:49 -0800 (PST)
Received: from localhost (arr@localhost) by fledge.watson.org (8.11.1/8.11.1) with SMTP id eBAK8Ww28011; Sun, 10 Dec 2000 15:08:32 -0500 (EST) (envelope-from arr@watson.org)
Date: Sun, 10 Dec 2000 15:08:31 -0500 (EST)
From: "Andrew R. Reiter"
To: Alfred Perlstein
Cc: hackers@FreeBSD.ORG, silvio@big.net.au
Subject: Re: Patching live kernels
In-Reply-To: <20001210044232.D16205@fw.wintelcom.net>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-hackers@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

AFAIK, yes. There are two articles that I know of that deal with the
specifics of modifying binaries to inject one's own code.

The first is one that deals mostly with libbfd (binary file descriptor)
and Linux. IIRC, libbfd worked a great deal better under Linux than under
FreeBSD. I recall that libbfd under FreeBSD only supported a.out format.
(yikes!) This article can be viewed at:

http://phrack.infonexus.com/search.phtml?view&article=p56-9

The second article that I know of deals with hijacking functions in the
kernel even if they do not have a function ptr to them. Obviously
functions that have ptrs to them can easily be hijacked via a KLD (check
out the examples.tar.gz in the Daemonnews article on KLDs). However, I am
not sure if the author has yet published this article and I don't feel it
my place to publish it for him. Perhaps, silvio, the author, will want to
publish it here ;)

Anyway, hope this helps.

Andrew

On Sun, 10 Dec 2000, Alfred Perlstein wrote:

> Ok, sometimes we find a bug in a particular release where what's
> needed is a function replaced with fixed code.
>
> I'm wondering if it's possible to:
>
> 1) look at the kernel symbol table for a particular function in a
>    particular object file (static functions would be even better?)
> 2) replace the first instruction in the function with a jmp to
>    our newly loaded code
> 3) have our newly loaded code be "anonymous" meaning no symbols
>    from it enter the kernel symbol namespace (I want to be able to
>    re-patch a patched kernel)
>
> Is it possible?
>
> Are there any takers? :)
>
> --
> -Alfred Perlstein - [bright@wintelcom.net|alfred@freebsd.org]
> "I have the heart of a child; I keep it in a jar on my desk."

*-------------.................................................
| Andrew R. Reiter
| arr@fledge.watson.org
| "It requires a very unusual mind
| to undertake the analysis of the obvious" -- A.N. Whitehead

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-hackers" in the body of the message
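Step 2 of Alfred's question (first instruction of a function replaced with a jmp to newly loaded code) is also the pattern an integrity check looks for. The following C program is an added example, not code from the thread or from FreeBSD: it decodes an i386 "jmp rel32" at a function entry and flags targets that land outside an assumed kernel text range. The text range, the symbol names and addresses, and the sample bytes are all constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
/* Assumed kernel text range (constructed for the example, not real values). */
#define KTEXT_START 0xc0100000u
#define KTEXT_END   0xc0300000u
/* INSIDE: jmp lands in kernel text (maybe a tail jump); OUTSIDE: likely injected. */
enum hook_status { HOOK_NONE = 0, HOOK_JMP_INSIDE_TEXT = 1, HOOK_JMP_OUTSIDE_TEXT = 2 };

/* Decode the first instruction of the function at virtual address va. The
 * hook the thread describes is an i386 "jmp rel32": opcode 0xE9 followed by
 * a displacement relative to the end of the 5-byte instruction. */
enum hook_status check_prologue(const uint8_t *code, size_t len,
                                uint32_t va, uint32_t *target_out)
{
    if (len < 5 || code[0] != 0xE9)
        return HOOK_NONE;
    uint32_t rel = (uint32_t)code[1] | ((uint32_t)code[2] << 8) |
                   ((uint32_t)code[3] << 16) | ((uint32_t)code[4] << 24);
    uint32_t target = va + 5 + rel;   /* unsigned wrap handles negative rel */
    if (target_out) *target_out = target;
    return (target < KTEXT_START || target >= KTEXT_END) ? HOOK_JMP_OUTSIDE_TEXT : HOOK_JMP_INSIDE_TEXT;
}

/* Constructed sample: symbol name, address, first bytes read at that address. */
struct sample { const char *name; uint32_t va; uint8_t bytes[8]; };
static const struct sample samples[] = {
    /* push %ebp; mov %esp,%ebp: an ordinary prologue */
    { "sys_open",  0xc0123450u, { 0x55, 0x89, 0xe5, 0x83, 0xec, 0x08, 0x90, 0x90 } },
    /* jmp to 0xc0210000: inside text, could be a legitimate tail jump */
    { "sys_read",  0xc0200000u, { 0xe9, 0xfb, 0xff, 0x00, 0x00, 0x90, 0x90, 0x90 } },
    /* jmp to 0xc8000000: outside text, the pattern from step 2 of the question */
    { "sys_write", 0xc0123450u, { 0xe9, 0xab, 0xcb, 0xed, 0x07, 0x90, 0x90, 0x90 } },
};

/* Scan all samples, report each jmp entry, return how many leave kernel text. */
int scan_samples(void)
{
    int suspicious = 0;
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        uint32_t target = 0;
        enum hook_status st = check_prologue(samples[i].bytes, 8, samples[i].va, &target);
        if (st != HOOK_NONE)
            printf("%s: entry jmp -> 0x%08x (%s kernel text)\n", samples[i].name,
                   (unsigned)target, st == HOOK_JMP_OUTSIDE_TEXT ? "outside" : "inside");
        suspicious += (st == HOOK_JMP_OUTSIDE_TEXT);
    }
    return suspicious;
}
```

On a real system the bytes would be read from the kernel image at each symbol's address and compared against a known-good copy of the text segment; a jmp that stays inside the text range still needs a manual look, since compilers emit tail jumps.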