These are chat archives for Snaipe/Criterion

28th
Feb 2016
Dominik
@kaidowei
Feb 28 2016 09:53
@Snaipe looks cool. Haven't had to check out the details, so could you maybe elaborate one technique you're using? Seems to me, you're not generating code?
and while we're at it, I'd like to help :)
Franklin Mathieu
@Snaipe
Feb 28 2016 09:56
I first assume that the functions one is mocking are not static nor inlined (if they were, mocking would be useless in this case because they would be tightly coupled to one or more non-static functions)
Since these functions are external, they are registered in the PLT, so I change the PLT to have it jump to the mock function when called
In the case of linux it means finding the GOT offset of a particular symbol, then overwriting it
Windows ought to be a bit trickier, but should follow the same logic (finding the DLL base address, iterate through the relocations and find our symbol reloc, then changing the address)
Dominik
@kaidowei
Feb 28 2016 10:01
okay, I see.
It would be cool to mock static functions too :)
http://novaprova.org/faq.html#mocking maybe this can be an inspiration for you
Franklin Mathieu
@Snaipe
Feb 28 2016 10:02
The thing is when calling a static address, the address used is the direct address of the function, while non static functions are called through the PLT
This means that if I want to mock these, I have to change the assembly of the user code
Which also means disassembling the user code at runtime
I could still use capstone for this, but then the project becomes quite massive
Anyways, you can't mock static functions, but it's usually not a problem, because if you need to mock it, it probably also needs to be exported.
What novaprova does though is interesting
Franklin Mathieu
@Snaipe
Feb 28 2016 10:08
They use the capabilities of valgrind and some symbol hacking to change the call address at runtime
This is only possible because they run all of their code under valgrind
Franklin Mathieu
@Snaipe
Feb 28 2016 11:15
By the way, if you want to help, and aren't scared of tearing through pages of documentation, you could try to see how the process goes wich Mach-O binaries
(Needed for OS X support)
It shouldn't be that much different from ELF/linux, but still requires a fair share of work