ltrace, was Re: RE: Administrivia

[silvio () big net au (silvio () big net au)]

On Thu, Sep 19, 2002 at 03:07:51PM -0700, winterslip () hushmail com wrote:
> Like the rest of the people on this list I am still sub'd to bugtraq and
> it's still pounding out vulnerabilities (including symantec ones..) and
> all your doomsaying has come to naught. Outside of the playschool
> environment here being highly entertaining you've done nothing, status quo for you of course.
 
doomsaying?

I can't talk about doomsaying very well..

so perhaps something on topic.

---->

some interesting ltrace behaviour..

i've never seen anyone mention it before (i did talk about it a little at
cansecwest, heh), so i guess it wont hurt here.

ltrace works by basically looking at the dynamic symbol table and getting
the st_value from the dynamic symbols, and then setting a breakpoint
where that address is.

however, if we look at linux, then st_value is not used for dynamic
linking, and hence can be arbitrarily modified without changing
execution behaviour.

thus you can use this to 

a) have ltrace produce no results
b) have ltrace produce incorrect results
c) have ltrace poke 0xC3 (x86) to where you want in memory, when being traced

how to do all this -->

a) set all st_value to 0
b) try swapping some symbols' st_value and have ltrace show u different calls
c) change st_value to whatever you want

solution -->

there are other ways to determine where a plt entry is, without looking
at a symbol st_value obviously.

> The no moderation call was very obviously a stellar judgment call. Hey,
> you have a server I can store some documents on by any chance????

i'll put them up on www.big.net.au if you want?

if anyone wants stuff up at www.big.net.au, i'll be open to suggestions
or linking, hosting content etc.

--
Silvio