From: Jake Burkholder
Date: Sun, 22 May 2005 14:24:15 -0400
To: Marcin
Cc: freebsd-hackers@freebsd.org
Subject: Re: Determine location of LD_PRELOAD'ed shared libraries/functions.
Message-ID: <4290CE4F.1060902@locore.ca>
In-Reply-To: <20050416232855.GA8698@daedalus.desk.pl>

Marcin wrote:

>Hello Hackers,
>
>I'd like to find locations of functions exported by shared lib loaded into
>the running ptrace'd process via LD_PRELOAD. I want to determine this from the tracing process.
>For shared libraries linked with a program I can just open the program file and
>search for relocation sections, which eventually point to the plt function entries.
>
>My problem is that I cannot figure out how to start searching for symbols which are loaded
>with LD_PRELOAD. I can see where the library is mapped in /proc/*/map
>(isn't there a better, less FreeBSD-specific place to search for this info?)
>but I'm not quite sure how to interpret the mmapped pages.
>
>Searching ELF docs just makes me run in circles; usually the LD_PRELOAD option is just
>mentioned as if it was obvious; it isn't quite. Sections describing program memory image are in
>program file. LD_PRELOAD'ed lib is only in the memory, to which program's sections do not apply.
>Library's sections can't know to what address they will be mmapped to, so where to search?
>Program has relocation entries, but there is no spare space there for something unexpected like
>LD_PRELOADed library (?)
>Please point me to right direction, because I've got only one idea left: grep dynamic loader for LD_PRELOAD ;).
>

I think you will need to use the linkmap created by rtld. I guess you need the address of the dynamic linker to find it; I've only ever done this on core dumps before. It's in r_debug.r_map in rtld's bss, a linked list of link_map structures. This tells you the filename and relocation address of what was actually loaded into memory, regardless of what the binary says (which may be modified with libmap, etc).

Jake
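
The r_debug.r_map walk described in the reply, as an added example that is not part of the original message: it lists every object the run-time linker mapped, and a library loaded through LD_PRELOAD appears on that list like any other entry. Assumptions: Linux/glibc-style `<link.h>` (the `ElfW()` macro), the program inspects its own process rather than a ptrace'd one, and r_debug is located through the `DT_DEBUG` entry of the executable's dynamic section, which rtld fills in at startup; `find_r_debug`, `walk_link_map` and `object_loaded` are hypothetical helper names.

```c
#include <link.h>    /* struct r_debug, struct link_map, ElfW() */
#include <stdio.h>
#include <string.h>

/* Dynamic section of this executable (linker-defined symbol). */
extern ElfW(Dyn) _DYNAMIC[];

/* rtld writes the address of its r_debug structure into DT_DEBUG. */
static struct r_debug *find_r_debug(void)
{
    for (ElfW(Dyn) *d = _DYNAMIC; d->d_tag != DT_NULL; d++)
        if (d->d_tag == DT_DEBUG)
            return (struct r_debug *)d->d_un.d_ptr;
    return NULL;
}

/* Count the objects on the r_map list, printing base and path if verbose. */
int walk_link_map(int verbose)
{
    struct r_debug *dbg = find_r_debug();
    int n = 0;

    if (dbg == NULL)
        return -1;
    for (struct link_map *m = dbg->r_map; m != NULL; m = m->l_next) {
        if (verbose)
            printf("%#18lx  %s\n", (unsigned long)m->l_addr,
                   (m->l_name && m->l_name[0]) ? m->l_name : "(main program)");
        n++;
    }
    return n;
}

/* Return 1 if a mapped object's path contains `needle`, else 0. */
int object_loaded(const char *needle)
{
    struct r_debug *dbg = find_r_debug();

    for (struct link_map *m = dbg ? dbg->r_map : NULL; m; m = m->l_next)
        if (m->l_name && strstr(m->l_name, needle))
            return 1;
    return 0;
}

int main(void)
{
    return walk_link_map(1) > 0 ? 0 : 1;
}
```

A tracing process follows the same pointers, but reads each structure out of the target's address space (for example with ptrace reads) instead of dereferencing them directly.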