Introduction to Hotpatch
=========================
Hotpatch is a library that can be used to dynamically load a shared library
(.so) file on Linux from one process into another already running process,
without affecting the execution of the target process. The API is a C API, but
it can also be used from C++.

The current version is 0.2.

The limitations, directions on how to use, and possible uses of hotpatch will be
explained in this document.

The main idea of hotpatch stems from the fact that in Linux, it is not easy to
load a library into another already running process. In Windows, there is an API
called CreateRemoteThread() that can load a library into another process very
easily with a couple of API calls. Hotpatch makes this functionality available
to Linux users and developers, with a single API call. Unlike other available
injection libraries, hotpatch restores the execution of the process to its
original state.

The user can do the following with hotpatch:
- load his/her own .so file into an already running process
- invoke a custom symbol/function in that .so file
- pass arguments to that function as long as they are serialized into a byte
  buffer and the length of that buffer. This is explained in more detail later.

Hotpatch is available as an API with a header file called "hotpatch.h" and a
.so file called "libhotpatch.so", and also a commandline application called
"hotpatcher" which can inject .so files into processes via the commandline
itself. Hotpatch also comes with a test .so called "libhotpatchtest.so"
which can be used via the commandline "hotpatcher" application to test out
the working of hotpatch on any system. The "libhotpatchtest.so" has a symbol
"mysym" that can be invoked, and it writes to the "/tmp/hotpatchtest.log" file
with the timestamp at which the .so file was injected and anything else.

Limitations
============
NOTE: Currently if hotpatch is compiled in 64-bit mode, it can inject libraries
only in 64-bit processes, and if compiled in 32-bit mode can inject libraries
only in 32-bit processes. It cannot inject from a 64-bit to a 32-bit process or
from a 32-bit to a 64-bit process.

There are some limitations, the main one being that the user can inject a
library .so file only into a process over which the user has privileges. For
example, as the root user, hotpatch can inject libraries into any process, but
as a regular non-root user, hotpatch can inject libraries into only those
processes that hotpatch has access to, i.e. the user's processes and any other
via sudo privileges.

Another limitation is that the user needs to compile the shared library with
the options "-fPIC -nostartfiles" so that hotpatch can reliably load the .so
file.

Another limitation is that a particular .so file can be injected only once into
the target process.


Ubuntu Ptrace()
===============

On Ubuntu, `ptrace()` of non-child processes is blocked as a security feature.
To allow it, set `/proc/sys/kernel/yama/ptrace_scope` to 0 as shown below:


bash> echo 0 | sudo tee /proc/sys/kernel/yama/ptrace_scope
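
The limitations above and the Yama setting can be checked before an injection is attempted. The following C program is an added example, not code from hotpatch: the function names (`elf_class`, `yama_allows_attach`, `maps_has_object`, `preflight`) and the sample maps text are constructed for illustration, and effective UID 0 is used as a stand-in for CAP_SYS_PTRACE.

```c
/* Added example, not hotpatch code; every function name here is hypothetical. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Constructed sample of /proc/<pid>/maps content (not from a real process). */
const char SAMPLE_MAPS[] =
    "55d0c8a00000-55d0c8a01000 r-xp 00000000 08:01 131 /usr/bin/dummy\n"
    "7f06a0000000-7f06a01c0000 r-xp 00000000 08:01 262 /lib/x86_64-linux-gnu/libc-2.23.so\n"
    "7f06a0400000-7f06a0403000 r-xp 00000000 08:01 263 /lib/x86_64-linux-gnu/libdl-2.23.so\n"
    "7ffd1c000000-7ffd1c021000 rw-p 00000000 00:00 0 [stack]\n";

/* ELF class from the start of a file: e_ident[4] is 1 (32-bit) or 2 (64-bit). */
int elf_class(const unsigned char *ident, size_t n)
{
    if (n < 5 || memcmp(ident, "\x7f" "ELF", 4) != 0)
        return -1;
    return ident[4] == 1 ? 32 : ident[4] == 2 ? 64 : -1;
}

/* Yama ptrace_scope for attaching to a process that is not our descendant:
 * 0 = ordinary uid checks only, 1 = descendants only, 2 = CAP_SYS_PTRACE only,
 * 3 = no attach at all. CAP_SYS_PTRACE overrides levels 1 and 2. */
int yama_allows_attach(int scope, int has_cap_sys_ptrace)
{
    if (scope == 0) return 1;
    if (scope == 1 || scope == 2) return has_cap_sys_ptrace ? 1 : 0;
    return scope == 3 ? 0 : -1;
}

/* Is an object whose basename is `name`, or `name` followed by '.', '-' or
 * " (deleted)", mapped? "libc" matches libc-2.23.so but not libcap.so. */
int maps_has_object(const char *maps, const char *name)
{
    size_t nlen = strlen(name);
    for (const char *line = maps; line && *line; ) {
        const char *eol = strchr(line, '\n');
        size_t len = eol ? (size_t)(eol - line) : strlen(line);
        const char *base = memchr(line, '/', len);   /* start of pathname */
        for (const char *p = base; p && p < line + len; p++)
            if (*p == '/') base = p + 1;              /* keep the basename */
        size_t blen = base ? (size_t)(line + len - base) : 0;
        if (base && blen >= nlen && memcmp(base, name, nlen) == 0) {
            char next = blen > nlen ? base[nlen] : '\0';
            if (next == '\0' || next == '.' || next == '-' || next == ' ')
                return 1;
        }
        line = eol ? eol + 1 : NULL;
    }
    return 0;
}

/* Read up to cap-1 bytes of a file into buf and NUL-terminate; -1 on error. */
static long slurp(const char *path, char *buf, size_t cap)
{
    FILE *f = fopen(path, "rb");
    if (!f) return -1;
    size_t n = fread(buf, 1, cap - 1, f);
    fclose(f);
    buf[n] = '\0';
    return (long)n;
}

/* Returns the number of problems found. /proc/self/exe (this checker) stands
 * in for the injector, so build it for the same word size as hotpatch. */
int preflight(long pid, const char *so_basename)
{
    static char maps[1 << 20];
    char path[64], self[8], target[8], scope[16];
    int problems = 0;

    long a = slurp("/proc/self/exe", self, sizeof self);
    snprintf(path, sizeof path, "/proc/%ld/exe", pid);
    long b = slurp(path, target, sizeof target);
    if (a < 5 || b < 5 ||
        elf_class((unsigned char *)self, 5) != elf_class((unsigned char *)target, 5)) {
        puts("target executable unreadable or of a different 32/64-bit class");
        problems++;
    }
    snprintf(path, sizeof path, "/proc/%ld/maps", pid);
    if (slurp(path, maps, sizeof maps) < 0) {
        puts("cannot read maps: no privileges over the target?");
        problems++;
    } else if (maps_has_object(maps, so_basename)) {
        puts("library already mapped: a given .so can be injected only once");
        problems++;
    }
    if (slurp("/proc/sys/kernel/yama/ptrace_scope", scope, sizeof scope) > 0 &&
        yama_allows_attach(atoi(scope), geteuid() == 0) != 1) {
        puts("Yama ptrace_scope blocks attaching to a non-child process");
        problems++;
    }
    return problems;
}

int main(int argc, char **argv)
{
    if (argc < 3) { fprintf(stderr, "usage: %s <pid> <library basename>\n", argv[0]); return 2; }
    return preflight(atol(argv[1]), argv[2]) ? 1 : 0;
}
```

On Ubuntu the default value of `ptrace_scope` is 1; writing that value back after the injection restores the restriction.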



Usage: API
===========

The "hotpatch.h" header file needs to be included by the user. There are 3 main
API calls that matter. They have to be called in the order shown in the sample
program below.

- hotpatch_t *hotpatch_create(pid_t pid, int verbose);

This function takes the PID of the target process and the verbosity level
(from 0 to 6), and returns an opaque object which contains further details
about the process, such as the current library mappings and the locations of the
important functions needed for hotpatch to do its work.

- int hotpatch_inject_library(hotpatch_t *hp,
							  const char *sofile,
							  const char *symbol,
							  const unsigned char *data,
							  size_t datalen,
							  uintptr_t *out_addr,
							  uintptr_t *out_result);

This function takes the newly created hotpatch object, along with a path to the
shared library in the variable "sofile", the optional function "symbol" to invoke,
and the serialized arguments to the function provided in "data" and "datalen",
which are also optional. The address at which the library was loaded is
returned in "out_addr" and the return value of the invocation of "symbol" is
returned in "out_result". On success this returns 0 and on failure it returns
-1.

The verbosity levels can be adjusted accordingly from 0 to 6 to see debugging
information for investigating errors.

The "data" and "datalen" parameters are extremely useful. Suppose the user has a
custom function they want to invoke, and the argument of the function is a big
struct or a class. The user can then write a wrapper function that takes a
serialized buffer of this struct/class along with the length of the buffer, and
invoke that wrapper function. The wrapper function can then deserialize the
buffer into the struct/class as needed and call the actual function that the
user really wanted to invoke. This functionality is only available through the
API and not through the "hotpatcher" executable.
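
The wrapper pattern described above, as an added example that is not part of hotpatch. The names `job_args`, `job_serialize`, `job_deserialize` and `job_entry` and the wire layout are hypothetical, and it is an assumption that the invoked symbol receives the same (data, datalen) pair that was given to hotpatch_inject_library(). A flat buffer is needed because pointers from the injecting process mean nothing in the target's address space, and the wrapper validates every length before it copies.

```c
/* Added example, not hotpatch code. Assumption: the injected symbol is called
 * as symbol(data, datalen). All names and the wire layout are hypothetical. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define JOB_MAGIC    0x314a4f42u  /* arbitrary tag marking our own buffers */
#define JOB_MAX_PATH 64
#define JOB_HDR_LEN  12           /* magic(4) interval_ms(4) port(2) path_len(2) */

struct job_args {
    uint32_t interval_ms;
    uint16_t port;
    char     path[JOB_MAX_PATH];  /* NUL-terminated */
};

static void put_le(unsigned char *p, uint32_t v, int nbytes)
{
    for (int i = 0; i < nbytes; i++)
        p[i] = (unsigned char)(v >> (8 * i));
}

static uint32_t get_le(const unsigned char *p, int nbytes)
{
    uint32_t v = 0;
    for (int i = 0; i < nbytes; i++)
        v |= (uint32_t)p[i] << (8 * i);
    return v;
}

/* Injector side: flatten the struct into buf.
 * Returns the number of bytes written, or 0 if it does not fit. */
size_t job_serialize(const struct job_args *a, unsigned char *buf, size_t cap)
{
    const char *nul = memchr(a->path, 0, JOB_MAX_PATH);
    if (nul == NULL)
        return 0;                              /* path is not terminated */
    size_t plen = (size_t)(nul - a->path);
    if (cap < JOB_HDR_LEN + plen)
        return 0;
    put_le(buf, JOB_MAGIC, 4);
    put_le(buf + 4, a->interval_ms, 4);
    put_le(buf + 8, a->port, 2);
    put_le(buf + 10, (uint32_t)plen, 2);
    memcpy(buf + JOB_HDR_LEN, a->path, plen);
    return JOB_HDR_LEN + plen;
}

/* Target side: rebuild the struct from the buffer. Returns 0, or -1 when the
 * buffer is truncated, oversized, mis-tagged or carries an embedded NUL. */
int job_deserialize(const unsigned char *data, size_t datalen, struct job_args *out)
{
    if (data == NULL || datalen < JOB_HDR_LEN)
        return -1;
    if (get_le(data, 4) != JOB_MAGIC)
        return -1;
    size_t plen = get_le(data + 10, 2);
    if (plen >= JOB_MAX_PATH || datalen != JOB_HDR_LEN + plen)
        return -1;
    if (memchr(data + JOB_HDR_LEN, 0, plen) != NULL)
        return -1;
    out->interval_ms = get_le(data + 4, 4);
    out->port = (uint16_t)get_le(data + 8, 2);
    memcpy(out->path, data + JOB_HDR_LEN, plen);
    out->path[plen] = '\0';
    return 0;
}

/* Stand-in for the function the user really wanted to invoke in the target. */
static int start_job(const struct job_args *a)
{
    return (a->interval_ms > 0 && a->port != 0) ? (int)a->port : -1;
}

/* The wrapper: this is the name that would be passed as "symbol". */
int job_entry(const unsigned char *data, size_t datalen)
{
    struct job_args a;
    if (job_deserialize(data, datalen, &a) != 0)
        return -1;
    return start_job(&a);
}

/* In-process demonstration; in real use job_serialize() runs in the injector
 * and job_entry() lives in the injected .so. */
int main(void)
{
    struct job_args a = { 5000, 8125, "/var/run/agent.sock" }; /* constructed */
    unsigned char buf[JOB_HDR_LEN + JOB_MAX_PATH];
    size_t n = job_serialize(&a, buf, sizeof buf);
    printf("serialized %zu bytes, wrapper returned %d\n", n, job_entry(buf, n));
    printf("truncated buffer, wrapper returned %d\n", job_entry(buf, n - 1));
    return 0;
}
```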

- void hotpatch_destroy(hotpatch_t *hp);

This function cleans up memory and resources used by the hotpatch opaque object.

Sample Program
==============

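#include <stdint.h>     /* uintptr_t */
#include <stdlib.h>     /* atoi */
#include <string.h>     /* strlen */
#include <sys/types.h>  /* pid_t */
#include <hotpatch.h>

int main(int argc, char **argv)
{
	int rc = -1;
	pid_t pid = argc > 1 ? atoi(argv[1]) : 0;
	/* verbosity level 1 */
	hotpatch_t *hp = hotpatch_create(pid, 1);
	if (hp) {
		unsigned char *data = (unsigned char *)"my custom serialized data";
		size_t datalen = strlen((char *)data) + 1;
		/* result1: address the library was loaded at; result2: return value of mysym */
		uintptr_t result1 = 0, result2 = 0;
		rc = hotpatch_inject_library(hp, "libhotpatchtest.so", "mysym",
						data, datalen, &result1, &result2);
		hotpatch_destroy(hp);
	}
	/* hotpatch_inject_library() returns 0 on success and -1 on failure */
	return rc == 0 ? 0 : 1;
}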

Usage: Hotpatcher
==================

The commandline "hotpatcher" can be executed with the "-h" option to see the
various options that are supported.

A sample injection by "hotpatcher" into the currently running shell can be done
as shown below.

We first build a fresh release to make sure that the correct library is picked up.


bash> make release
bash> cd Release
bash> ./src/hotpatcher -vvvv -l $PWD/test/libhotpatchtest.so -s mysym $$


On success, check that the "/tmp/hotpatchtest.log" file contains the timestamp
of the injection.

Uses of Hotpatch
=================
Most uses of hotpatch are related to custom modifications of processes for which
the users do not have source code available.

- System administrators can use hotpatch to inject their own custom libraries in
  already running processes and change behavior as per requirement. One such
  behavior could be adding a library that creates a thread and heartbeats to a
  monitoring system.

- Many software applications that are not mission critical are not built with
  mechanisms to update their software without having to stop and restart the
  application. Hotpatch can help modify applications to restart and do other
  fancy tricks without losing the PID and other state, such as the file handles
  of the application, that might be very useful or too risky to let go.

- Users can inject a library and then set up RPC service calls for the target
  application without changing any code.

- Users can inject a library and, with import table modifications, instrument
  the target application for things like profiling, reverse engineering and
  debugging. This is useful as it does not necessarily need the application to
  be recompiled and performance numbers can be extracted. The code to do import
  table modifications is currently outside the scope of hotpatch.

- Users can create threads in other processes and make them work like a cluster
  of processes that they control.

- Users can modify another application and make it perform better by doing
  tricks in the injected code.

License & Copyright
===================

The license/copyright can be found in the COPYRIGHT document in the source code.

==THE END==

hotpatch's People

Contributors

swick, vikasnkumar

hotpatch's Issues

Segmentation fault after injecting library

Hi, I'm trying the command line version of hotpatcher with your test library and symbol. It was done and the date was written to the log file, but right after injection the target application crashed and a segfault error was shown.

Is this regular or is something wrong?
I'm using Ubuntu 14.04 i386.

Edit:
It has arbitrary functionality! Sometimes it is done correctly, but now it only injects into my self-written app, and for other processes like Firefox (in -vvv mode) it prints:

...
[hotpatch_inject_library:783] mysym not invoked as dlsym() wasn't found.
...

How do I solve it?
Thanks

Usage instructions

I looked at the help instructions

Usage: ./bin/hotpatcher [options]

Options:
-h This help message
-V Version number.
-v[vvvv] Enable verbose logging. Add more 'v's for more
-N Dry run. Do not modify anything in process
-l <.so> Path or name of the .so file to load. Switches off execution pointer reset
-s Symbol to invoke during the dll inject. Optional.
-x Set execution pointer to symbol. Cannot be set with -s option

I still do not understand how to use this however... let's say I have a process with a PID x, and I want to instrument function foo, with an instrumentation in a function bar.

Could you explain the steps I need to take?

Dll was injected at (nil).

Hello,

I can't inject my library. Command used (as root) : hotpatcher -v -l hook.so -s start_here $$. Here is the stdout :

Options Given:
Verbose Level: 1
Process PID: 4324
Symbol name: start_here
Library name: hook.so
Dry run: false
[ld_load_maps:278] Max number of mappings present: 48
[ld_find_library:440] Found entry /lib/x86_64-linux-gnu/ld-2.23.so matching /lib64/ld-linux-x86-64.so.2
[ld_find_library:376] Doing best substring search for libc.
[ld_find_library:440] Found entry /lib/x86_64-linux-gnu/libc-2.23.so matching libc
[ld_find_library:376] Doing best substring search for libdl.
[ld_find_library:440] Found entry /lib/x86_64-linux-gnu/libdl-2.23.so matching libdl
[ld_find_library:376] Doing best substring search for libpthread.
[ld_find_library:447] Library libpthread not found in procmaps
[hotpatch_gather_functions:104] libpthread not mapped.
[hotpatch_gather_functions:106] Found malloc at 0x7f062f3f0550 in libc
[hotpatch_gather_functions:107] Found realloc at 0x7f062f3f0c40 in libc
[hotpatch_gather_functions:108] Found free at 0x7f062f3f0a70 in libc
[hotpatch_gather_functions:122] Found dlopen at 0x7f062f736f70 in libdl
[hotpatch_gather_functions:123] Found dlclose at 0x7f062f736fe0 in libdl
[hotpatch_gather_functions:124] Found dlsym at 0x7f062f737040 in libdl
[hotpatch_inject_library:620] Allocating 1024 bytes in the target.
[hotpatch_inject_library:741] Dll opened at 0x0
Dll was injected at (nil)
Invocation of start_here() returned (nil)

In case it's needed, the source code of hook.cpp (I compiled with g++ -shared -fPIC -nostartfiles -o hook.so hook.cpp) :

#include <stdio.h>

int start_here() {
    printf("Starting to hook...\n");
    return 0xff;
}

I suspect the libpthread not mapped to be the source of the problem.

fail to run test

Hi, I tried to run the commands as written in the README, i.e., bash> ./hotpatcher -l ./libhotpatchtest.so -s mysym -v1 $$; but this invocation of injection didn't create any file or write anything.
The following is standard output from my bash.

Options Given:
Verbose Level: 1
Process PID: 3840
Symbol name: mysym
Library name: ./libhotpatchtest.so
Dry run: false
[ld_load_maps:278] Max number of mappings present: 53
[ld_find_library:440] Found entry /lib/x86_64-linux-gnu/ld-2.27.so matching /lib64/ld-linux-x86-64.so.2
[ld_find_library:376] Doing best substring search for libc.
[ld_find_library:440] Found entry /lib/x86_64-linux-gnu/libc-2.27.so matching libc
[ld_find_library:376] Doing best substring search for libdl.
[ld_find_library:440] Found entry /lib/x86_64-linux-gnu/libdl-2.27.so matching libdl
[ld_find_library:376] Doing best substring search for libpthread.
[ld_find_library:447] Library libpthread not found in procmaps
[hotpatch_gather_functions:104] libpthread not mapped.
[hotpatch_gather_functions:106] Found malloc at 0x7f8d8b5fb070 in libc
[hotpatch_gather_functions:107] Found realloc at 0x7f8d8b5fcc30 in libc
[hotpatch_gather_functions:108] Found free at 0x7f8d8b5fb950 in libc
[hotpatch_gather_functions:122] Found dlopen at 0x7f8d8b955fe0 in libdl
[hotpatch_gather_functions:123] Found dlclose at 0x7f8d8b956080 in libdl
[hotpatch_gather_functions:124] Found dlsym at 0x7f8d8b9560f0 in libdl
[hotpatch_inject_library:620] Allocating 1024 bytes in the target.
[hotpatch_inject_library:741] Dll opened at 0x55b287077a30
[hotpatch_inject_library:755] Symbol mysym found at 0x7f8d89f4f5ad
[hotpatch_inject_library:769] Return value from invoking mysym(): (nil)
Dll was injected at 0x55b287077a30
Invocation of mysym() returned (nil)

Could anyone help me out of this trap?

Trouble attaching to container processes.

Hi Vikas,

I'm trying to attach to a container process. This is what I get

[ld_load_maps:278] Max number of mappings present: 19
[ld_find_library:447] Library /lib64/ld-linux-x86-64.so.2 not found in procmaps
[hotpatch_gather_functions:93] /lib64/ld-linux-x86-64.so.2 not mapped.
[ld_find_library:376] Doing best substring search for ld.
[ld_find_library:440] Found entry /lib/x86_64-linux-gnu/ld-2.19.so matching ld
[ld_find_library:376] Doing best substring search for libc.
[ld_find_library:440] Found entry /lib/x86_64-linux-gnu/libc-2.19.so matching libc
[ld_find_library:376] Doing best substring search for libdl.
[ld_find_library:447] Library libdl not found in procmaps
[hotpatch_gather_functions:102] libdl not mapped.
[ld_find_library:376] Doing best substring search for libpthread.
[ld_find_library:447] Library libpthread not found in procmaps
[hotpatch_gather_functions:104] libpthread not mapped.
[exe_open_filename:99] File(/lib/x86_64-linux-gnu/libc-2.19.so) open error. Error: No such file or directory
[ld_find_address:515] No symbols found in /lib/x86_64-linux-gnu/libc-2.19.so
[hotpatch_gather_functions:106] malloc not found in libc.
[exe_open_filename:99] File(/lib/x86_64-linux-gnu/libc-2.19.so) open error. Error: No such file or directory
[ld_find_address:515] No symbols found in /lib/x86_64-linux-gnu/libc-2.19.so
[hotpatch_gather_functions:107] realloc not found in libc.
[exe_open_filename:99] File(/lib/x86_64-linux-gnu/libc-2.19.so) open error. Error: No such file or directory
[ld_find_address:515] No symbols found in /lib/x86_64-linux-gnu/libc-2.19.so
[hotpatch_gather_functions:108] free not found in libc.
[exe_open_filename:99] File(/lib/x86_64-linux-gnu/ld-2.19.so) open error. Error: No such file or directory
[ld_find_address:515] No symbols found in /lib/x86_64-linux-gnu/ld-2.19.so
[hotpatch_gather_functions:111] malloc not found in ld.
[exe_open_filename:99] File(/lib/x86_64-linux-gnu/ld-2.19.so) open error. Error: No such file or directory
[ld_find_address:515] No symbols found in /lib/x86_64-linux-gnu/ld-2.19.so
[hotpatch_gather_functions:112] realloc not found in ld.
[exe_open_filename:99] File(/lib/x86_64-linux-gnu/ld-2.19.so) open error. Error: No such file or directory
[ld_find_address:515] No symbols found in /lib/x86_64-linux-gnu/ld-2.19.so
[hotpatch_gather_functions:113] free not found in ld.
[hotpatch_gather_functions:118] Some memory allocation routines are unavailable. Cannot proceed.
[hotpatch_create:224] Unable to find all the functions needed. Cannot proceed.
[hotpatch_inject_library:594] No malloc/dlopen found.
lib injection failed wit rc -1

I checked, those files exist within the container's filesystem, but they can't be opened. Any clues why? This is a Docker container.

print not invoked as dlsym() wasn't found.

I am trying to inject my .so file into the "dummy" program in your project and invoke a print function in it.

My .so looks like this:
// dynlib.cpp
#include <stdlib.h>
#include <unistd.h>   // getpid()
#include <iostream>   // cout, endl
#include "dynlib.hpp"

using namespace std;

// C linkage keeps the exported symbol name as "print"
extern "C" void print()
{
    static unsigned int counter = 0;
    ++counter;
    cout << counter << ": PID " << getpid() << ": In print() " << endl;
}

I compile it using the following command:
g++ -ggdb -Wall dynlib.cpp -fPIC -shared -o libdynlib.so

I invoke hotpatch using following command:
hotpatcher -l libdynlib.so 15167 -vvv -s print

I got the following result
BTW: 15167 is the PID of dummy
[root@yongle tests]# hotpatcher -l libdynlib.so 15167 -vvv -s print
Options Given:
Verbose Level: 2
Process PID: 15167
Symbol name: print
Library name: libdynlib.so
Dry run: false
[exe_load_headers:490] Entry point 0x4006e0
[exe_load_program_headers:414] PT_INTERP section found
[exe_load_program_headers:441] Found /lib64/ld-linux-x86-64.so.2 at V-Addr 0x400200
[exe_load_program_headers:450] PT_LOAD section found
[exe_load_program_headers:450] PT_LOAD section found
[exe_load_program_headers:446] PT_DYNAMIC section found
[ld_load_maps:278] Max number of mappings present: 20
[ld_load_maps:288] Allocated memory to load proc maps.
[ld_find_library:440] Found entry /lib64/ld-2.12.so matching /lib64/ld-linux-x86-64.so.2
[ld_find_library:376] Doing best substring search for libc.
[ld_find_library:440] Found entry /lib64/libc-2.12.so matching libc
[ld_find_library:376] Doing best substring search for libdl.
[ld_find_library:447] Library libdl not found in procmaps
[hotpatch_gather_functions:102] libdl not mapped.
[ld_find_library:376] Doing best substring search for libpthread.
[ld_find_library:447] Library libpthread not found in procmaps
[hotpatch_gather_functions:104] libpthread not mapped.
[exe_load_headers:490] Entry point 0x364381ee30
[exe_load_program_headers:414] PT_INTERP section found
[exe_load_program_headers:441] Found /lib64/ld-linux-x86-64.so.2 at V-Addr 0x364395a900
[exe_load_program_headers:450] PT_LOAD section found
[exe_load_program_headers:450] PT_LOAD section found
[exe_load_program_headers:446] PT_DYNAMIC section found
[ld_find_address:489] 9655 symbols found in /lib64/libc-2.12.so
[hotpatch_gather_functions:106] Found malloc at 0x364387a930 in libc
[exe_load_headers:490] Entry point 0x364381ee30
[exe_load_program_headers:414] PT_INTERP section found
[exe_load_program_headers:441] Found /lib64/ld-linux-x86-64.so.2 at V-Addr 0x364395a900
[exe_load_program_headers:450] PT_LOAD section found
[exe_load_program_headers:450] PT_LOAD section found
[exe_load_program_headers:446] PT_DYNAMIC section found
[ld_find_address:489] 9655 symbols found in /lib64/libc-2.12.so
[hotpatch_gather_functions:107] Found realloc at 0x364387bd00 in libc
[exe_load_headers:490] Entry point 0x364381ee30
[exe_load_program_headers:414] PT_INTERP section found
[exe_load_program_headers:441] Found /lib64/ld-linux-x86-64.so.2 at V-Addr 0x364395a900
[exe_load_program_headers:450] PT_LOAD section found
[exe_load_program_headers:450] PT_LOAD section found
[exe_load_program_headers:446] PT_DYNAMIC section found
[ld_find_address:489] 9655 symbols found in /lib64/libc-2.12.so
[hotpatch_gather_functions:108] Found free at 0x364387b810 in libc
[exe_load_headers:490] Entry point 0x364381ee30
[exe_load_program_headers:414] PT_INTERP section found
[exe_load_program_headers:441] Found /lib64/ld-linux-x86-64.so.2 at V-Addr 0x364395a900
[exe_load_program_headers:450] PT_LOAD section found
[exe_load_program_headers:450] PT_LOAD section found
[exe_load_program_headers:446] PT_DYNAMIC section found
[ld_find_address:489] 9655 symbols found in /lib64/libc-2.12.so
[hotpatch_gather_functions:126] Found __libc_dlopen_mode at 0x3643926f10 in libc
[exe_load_headers:490] Entry point 0x364381ee30
[exe_load_program_headers:414] PT_INTERP section found
[exe_load_program_headers:441] Found /lib64/ld-linux-x86-64.so.2 at V-Addr 0x364395a900
[exe_load_program_headers:450] PT_LOAD section found
[exe_load_program_headers:450] PT_LOAD section found
[exe_load_program_headers:446] PT_DYNAMIC section found
[ld_find_address:489] 9655 symbols found in /lib64/libc-2.12.so
[hotpatch_gather_functions:127] Found __libc_dlclose at 0x3643926f90 in libc
[exe_load_headers:490] Entry point 0x364381ee30
[exe_load_program_headers:414] PT_INTERP section found
[exe_load_program_headers:441] Found /lib64/ld-linux-x86-64.so.2 at V-Addr 0x364395a900
[exe_load_program_headers:450] PT_LOAD section found
[exe_load_program_headers:450] PT_LOAD section found
[exe_load_program_headers:446] PT_DYNAMIC section found
[ld_find_address:489] 9655 symbols found in /lib64/libc-2.12.so
[hotpatch_gather_functions:128] Found __libc_dlsym at 0x3643926e70 in libc
[hotpatch_gather_functions:150] Pthread's symbol not found. Will disable pthread usage in injection.
[hotpatch_inject_library:620] Allocating 1024 bytes in the target.
[hotpatch_inject_library:697] Attaching to PID 15167
[hotpatch_inject_library:701] Waiting...
[hotpatch_inject_library:706] Getting original registers.
[hotpatch_inject_library:712] Copying stack out.
[hotpatch_inject_library:721] Copying Null to stack.
[hotpatch_inject_library:723] Setting registers and invoking malloc.
[hotpatch_inject_library:723] Executing...
[hotpatch_inject_library:723] Waiting...
[hotpatch_inject_library:723] Getting registers.
[hotpatch_inject_library:729] Copying 1024 bytes to 0x6050a0.
[hotpatch_inject_library:735] Copying Null to stack.
[hotpatch_inject_library:738] Setting registers and invoking dlopen.
[hotpatch_inject_library:738] Executing...
[hotpatch_inject_library:738] Waiting...
[hotpatch_inject_library:738] Getting registers.
[hotpatch_inject_library:741] Dll opened at 0x0
[hotpatch_inject_library:783] print not invoked as dlsym() wasn't found.
[hotpatch_inject_library:793] Setting original registers.
[hotpatch_inject_library:801] Copying stack back.
[hotpatch_inject_library:810] Executing...
Dll was injected at (nil)
Invocation of print() returned (nil)

How can I use this project with ExternalProject_Add

Hi Vikas,
This is not an issue, but I am having trouble using this project with ExternalProject_Add(). I'm expecting it to build/install and have the include directories available even before my project is considered. But when I include hotpatch.h it cannot find it. I'm new to cmake so please forgive me for being a noob.
This is what I have so far.

cmake_minimum_required(VERSION 3.10)
project(agentloader)
set(CMAKE_C_STANDARD 99)
include(ExternalProject)
ExternalProject_Add(project_hotpatch
        GIT_REPOSITORY https://github.com/vikasnkumar/hotpatch.git
        PREFIX ${CMAKE_CURRENT_BINARY_DIR}/hotpatch)
ExternalProject_Get_Property(project_hotpatch install_dir)
add_library(hotpatch STATIC IMPORTED)
set_property(TARGET hotpatch PROPERTY IMPORTED_LOCATION ${install_dir}/lib/hotpatch_s)
add_dependencies(hotpatch project_hotpatch)
include_directories(${install_dir}/include)
add_executable(agentloader main.c agentloader.h)
target_link_libraries(agentloader hotpatch)

x86-64 redzone

The version of hotpatcher that I looked at appears to overwrite the red zone on x86-64. Not sure if this was ever fixed. I.e. it will overwrite the 128-byte stack area beyond the stack when malloc and dlopen are called, which some programs may use according to the AMD64 ABI:
http://en.wikipedia.org/wiki/Red_zone_(computing)
I don't believe this is an issue on 32-bit systems.

I tried bumping the stack by more than 128 bytes at the start of hotpatch_inject_library() and it seems to remove the intermittent crashes I was getting on 64-bit Linux (32-bit already worked perfectly).

Thanks,
David

client_main not invoked as dlsym() wasn't found.

$ sudo hotpatcher -l /home/sebastian/prog/libglcapture/build/src/libglcapture-client.so -s client_main -vvv 29673 2>&1
Options Given:
Verbose Level: 2
Process PID: 29673
Symbol name: client_main
Library name: /home/sebastian/prog/libglcapture/build/src/libglcapture-client.so
Dry run: false
[exe_load_headers:490] Entry point 0x400750
[exe_load_program_headers:414] PT_INTERP section found
[exe_load_program_headers:441] Found /lib64/ld-linux-x86-64.so.2 at V-Addr 0x400238
[exe_load_program_headers:450] PT_LOAD section found
[exe_load_program_headers:450] PT_LOAD section found
[exe_load_program_headers:446] PT_DYNAMIC section found
[ld_load_maps:278] Max number of mappings present: 23
[ld_load_maps:288] Allocated memory to load proc maps.
[ld_find_library:440] Found entry /lib/x86_64-linux-gnu/ld-2.15.so matching /lib64/ld-linux-x86-64.so.2
[ld_find_library:376] Doing best substring search for libc.
[ld_find_library:440] Found entry /lib/x86_64-linux-gnu/libc-2.15.so matching libc
[ld_find_library:376] Doing best substring search for libdl.
[ld_find_library:447] Library libdl not found in procmaps
[hotpatch_gather_functions:102] libdl not mapped.
[ld_find_library:376] Doing best substring search for libpthread.
[ld_find_library:447] Library libpthread not found in procmaps
[hotpatch_gather_functions:104] libpthread not mapped.
[exe_load_headers:490] Entry point 0x21880
[exe_load_program_headers:414] PT_INTERP section found
[exe_load_program_headers:441] Found /lib64/ld-linux-x86-64.so.2 at V-Addr 0x184410
[exe_load_program_headers:450] PT_LOAD section found
[exe_load_program_headers:450] PT_LOAD section found
[exe_load_program_headers:446] PT_DYNAMIC section found
[ld_find_address:489] 2189 symbols found in /lib/x86_64-linux-gnu/libc-2.15.so
[hotpatch_gather_functions:106] Found malloc at 0x7f952cd2df40 in libc
[exe_load_headers:490] Entry point 0x21880
[exe_load_program_headers:414] PT_INTERP section found
[exe_load_program_headers:441] Found /lib64/ld-linux-x86-64.so.2 at V-Addr 0x184410
[exe_load_program_headers:450] PT_LOAD section found
[exe_load_program_headers:450] PT_LOAD section found
[exe_load_program_headers:446] PT_DYNAMIC section found
[ld_find_address:489] 2189 symbols found in /lib/x86_64-linux-gnu/libc-2.15.so
[hotpatch_gather_functions:107] Found realloc at 0x7f952cd2e680 in libc
[exe_load_headers:490] Entry point 0x21880
[exe_load_program_headers:414] PT_INTERP section found
[exe_load_program_headers:441] Found /lib64/ld-linux-x86-64.so.2 at V-Addr 0x184410
[exe_load_program_headers:450] PT_LOAD section found
[exe_load_program_headers:450] PT_LOAD section found
[exe_load_program_headers:446] PT_DYNAMIC section found
[ld_find_address:489] 2189 symbols found in /lib/x86_64-linux-gnu/libc-2.15.so
[hotpatch_gather_functions:108] Found free at 0x7f952cd2e580 in libc
[exe_load_headers:490] Entry point 0x21880
[exe_load_program_headers:414] PT_INTERP section found
[exe_load_program_headers:441] Found /lib64/ld-linux-x86-64.so.2 at V-Addr 0x184410
[exe_load_program_headers:450] PT_LOAD section found
[exe_load_program_headers:450] PT_LOAD section found
[exe_load_program_headers:446] PT_DYNAMIC section found
[ld_find_address:489] 2189 symbols found in /lib/x86_64-linux-gnu/libc-2.15.so
[hotpatch_gather_functions:126] Found __libc_dlopen_mode at 0x7f952cddb690 in libc
[exe_load_headers:490] Entry point 0x21880
[exe_load_program_headers:414] PT_INTERP section found
[exe_load_program_headers:441] Found /lib64/ld-linux-x86-64.so.2 at V-Addr 0x184410
[exe_load_program_headers:450] PT_LOAD section found
[exe_load_program_headers:450] PT_LOAD section found
[exe_load_program_headers:446] PT_DYNAMIC section found
[ld_find_address:489] 2189 symbols found in /lib/x86_64-linux-gnu/libc-2.15.so
[hotpatch_gather_functions:127] Found __libc_dlclose at 0x7f952cddb7f0 in libc
[exe_load_headers:490] Entry point 0x21880
[exe_load_program_headers:414] PT_INTERP section found
[exe_load_program_headers:441] Found /lib64/ld-linux-x86-64.so.2 at V-Addr 0x184410
[exe_load_program_headers:450] PT_LOAD section found
[exe_load_program_headers:450] PT_LOAD section found
[exe_load_program_headers:446] PT_DYNAMIC section found
[ld_find_address:489] 2189 symbols found in /lib/x86_64-linux-gnu/libc-2.15.so
[hotpatch_gather_functions:128] Found __libc_dlsym at 0x7f952cddb740 in libc
[hotpatch_gather_functions:150] Pthread's symbol not found. Will disable pthread usage in injection.
[hotpatch_inject_library:620] Allocating 1024 bytes in the target.
[hotpatch_inject_library:694] Attaching to PID 29673
[hotpatch_inject_library:698] Waiting...
[hotpatch_inject_library:703] Getting original registers.
[hotpatch_inject_library:708] Copying stack out.
[hotpatch_inject_library:717] Copying Null to stack.
[hotpatch_inject_library:719] Setting registers and invoking malloc.
[hotpatch_inject_library:719] Executing...
[hotpatch_inject_library:719] Waiting...
[hotpatch_inject_library:719] Getting registers.
[hotpatch_inject_library:725] Copying 1024 bytes to 0x1843010.
[hotpatch_inject_library:731] Copying Null to stack.
[hotpatch_inject_library:734] Setting registers and invoking dlopen.
[hotpatch_inject_library:734] Executing...
[hotpatch_inject_library:734] Waiting...
[hotpatch_inject_library:734] Getting registers.
[hotpatch_inject_library:737] Dll opened at 0x0
[hotpatch_inject_library:779] client_main not invoked as dlsym() wasn't found.
[hotpatch_inject_library:789] Setting original registers.
[hotpatch_inject_library:797] Copying stack back.
[hotpatch_inject_library:806] Executing...
Dll was injected at (nil)
Invocation of client_main() returned (nil)

I'm not sure why it doesn't work.

client_main not invoked as dlsym() wasn't found

even so it says

Found __libc_dlsym at 0x7f952cddb740 in libc

I think the real problem here is that dlopen returns 0:

Dll opened at 0x0

Or maybe it's just me being dumb.

Fail to load ELF for exe

I am running benchmark program GemsFDTD_base.gcc in spec06

I tried the following command : hotpatcher -l ./Release/libhotpatchtest.so -s mysym -vvv 15912
(15912 is the pid of GemsFDTD_base.gcc )

I got the following result:
Options Given:
Verbose Level: 2
Process PID: 15912
Symbol name: mysym
Library name: ./Release/libhotpatchtest.so
Dry run: false
[exe_load_headers:490] Entry point 0x3408048db0
[exe_load_headers:510] Error in loading section headers
[exe_load_symbols:539] Unable to load Elf details for /proc/15912/exe
[hotpatch_create:197] Unable to find any symbols in exe.
[hotpatch_inject_library:594] No malloc/dlopen found.

Dll opened at 0x0, symbol not invoked as dlsym() wasn't found.

I compiled and ran this on CentOS 7 and Ubuntu 17.10 VMs and I'm getting the exact results. It does find dlsym() at multiple places. I followed all your suggestions from reading the previous issues but I'm not making progress. I redirected all output with the highest level of verbosity to the attached file.
log.txt

Override some functions not working, such as read()

Hi,

Great work. I have tried your code. It works well. However, there is still one problem, and I don't know whether your code supports it. I want to override some functions like read, write, open. So I rewrote these functions and compiled them into one shared object, and then I used your code to inject this shared object. I checked the maps, and the shared object has been loaded into the running process. But there is a segmentation fault if I continue to run the process, which uses the overridden functions. If I use LD_PRELOAD, the execution uses these overridden functions.

Thank you very much.
