Thread: modifying and saving global variables on a executable file using libelf !!!!

And which OS are you trying to accomplish this on?

The first big question is are you even allowed to open your own executable image for writing?

Took about 5 seconds
libelf by Example

The project description says "You can use libelf", not that you MUST. There are far easier ways of doing this than mucking with ELF format. In fact, you can do this in a completely portable way with no knowledge at all of the underlying executable format.

The trick is to embed a large block of data (as a global array) into the program. The beginning of this data is marked by some kind of unique signature. To read or write from this data block, then, all you need to do is open the file, scan until you find the signature, and then you know you are in the correct position to read or write data.

Of course, this is not even possible if the OS doesn't allow you to alter the program file while the program is executing. But most UNIX-like operating systems do allow you to do this.

Originally Posted by brewbuck

Of course, this is not even possible if the OS doesn't allow you to alter the program file while the program is executing. But most UNIX-like operating systems do allow you to do this.

Neat trick. Linux will presumably allow it, since you can recompile an executable while it is running.

Originally Posted by MK27

Neat trick. Linux will presumably allow it, since you can recompile an executable while it is running.

When I was working at a document imaging company, we did something exactly like that to embed customer license information into the executable. We supported 7 different platforms (officially) and had a single tool to read and write this information (we called it a "DIB" which I think stands for "deployment info block" which is a weird name but that's what it was)

The tool didn't need any knowledge of the executable format, it just scanned the file for the signature and then it knew where the data was. The downside is that the size of the DIB is fixed and can't be changed, but we didn't need something like that anyway.

Originally Posted by redone

how do i know the signature of the variable if possible give a source code example
thanksi advance

There may be some problems with this idea, in fact, altho I haven't done any reading about the structure of executables, so I'm kind of acting blindly, but:

Code:

#include <string.h>

int main() {
	char sig[1029]="XOXOX", *start=&sig[5];
	memset(start,'Z',1024);
	strcpy(start,"hello world");
	return 0;
}

Looking at that with hexdump -c ./a.out, it's possible to find XOXOX, or at least XOXO, which is to say that is not always contiguous. It is also possible to find "hello world", altho it is no where near XOXOX. And there is not a single Z in the file.

There are some interesting things in the hexdump that imply to me you could access the data segment without using libelf but probably not in as naive a way as this...

ps. anyone know why gcc's default output file is still called a.out? AFAIK an "a.out" binary is historically not the same as an ELF binary, but of course the a.out from gcc on linux is an ELF binary.

> how do i know the signature of the variable if possible give a source code example
You mean it's not YOUR executable?
And why does it seem like we're the ones doing all the work all of a sudden.

Originally Posted by redone

Normally what i understood is that I should scan my executable file until i find the the location of the global variable is that right ?? if it's right then how can compare a file descriptor with the my global variable

Try hexdump, it's probably installed by default. There's also readelf, which "readelf -h ./a.out" gives you output like this:

Code:

ELF Header:
  Magic:   7f 45 4c 46 02 01 01 00 00 00 00 00 00 00 00 00 
  Class:                             ELF64
  Data:                              2's complement, little endian
  Version:                           1 (current)
  OS/ABI:                            UNIX - System V
  ABI Version:                       0
  Type:                              EXEC (Executable file)
  Machine:                           Advanced Micro Devices X86-64
  Version:                           0x1
  Entry point address:               0x400420
  Start of program headers:          64 (bytes into file)
  Start of section headers:          2992 (bytes into file)
  Flags:                             0x0
  Size of this header:               64 (bytes)
  Size of program headers:           56 (bytes)
  Number of program headers:         8
  Size of section headers:           64 (bytes)
  Number of section headers:         30
  Section header string table index: 27

It looks to me like it may be more complicated than just finding an offset and writing to it. Brewbuck is a smart cookie, but he didn't say he had done this, he said "we", which might imply he has actually not, and therefore may be unaware of some complications.

On the other hand, it must be possible:
http://www.cse.iitm.ac.in/moodle/mod...iew.php?id=459

But you are the one studying this stuff! Since you have to write something to the binary anyway, you might as well start experimenting. It is not as if it will matter if you accidentally wreck your executable.

Originally Posted by Sebastiani

>> if it's right then how can compare a file descriptor with the my global variable

Why would you want to do that? The point is simply to find the target block so that you can read/replace the stored data. Does that make sense?

I think the OP understands that and perhaps by fd meant like, what is in the file.

You won't find the name of the variable (eg, from my previous example, "sig" or "start"), but what you will find is the content ("XOXOX" and "hello world").

Now get busy, try some code and then ask more questions.