ELF - Getting a SEGFAULT when changing the entry point











up vote
0
down vote

favorite












I'm trying to patch the entry point of an ELF file directly via the e_entry field:



ehdr->e_entry = test_addr;


For a start, I wanted this new address to simply execute an exit(1) syscall:



memmove(test_addr, exit_opcode, opcode_len);



I made sure to adjust the segments and sections that come after this new code, but the problem is that as soon as I patch the entry point the program crashes, why is that?










share|improve this question
























  • Can you post gdb stacktrace?
    – yugr
    Nov 17 at 2:05










  • @yugr #0 0x00007ffff7e7cb09 in __memmove_sse2_unaligned_erms()
    – Trey
    Nov 17 at 4:50










  • So it aborts when you are modifying the entry point or when you execute resulting ELF?
    – yugr
    Nov 17 at 6:20










  • @yugr As I said, it segfaults as soon as ehdr->e_entry = test_addr; is executed.
    – Trey
    Nov 17 at 16:19












  • Please provide a stackoverflow.com/help/mcve. Without it, it's anyone's guess what you did wrong (and the outputs you provided so far appear inconsistent with one another).
    – Employed Russian
    yesterday















up vote
0
down vote

favorite












I'm trying to patch the entry point of an ELF file directly via the e_entry field:



ehdr->e_entry = test_addr;


For a start, I wanted this new address to simply execute an exit(1) syscall:



memmove(test_addr, exit_opcode, opcode_len);



I made sure to adjust the segments and sections that come after this new code, but the problem is that as soon as I patch the entry point the program crashes, why is that?










share|improve this question
























  • Can you post gdb stacktrace?
    – yugr
    Nov 17 at 2:05










  • @yugr #0 0x00007ffff7e7cb09 in __memmove_sse2_unaligned_erms()
    – Trey
    Nov 17 at 4:50










  • So it aborts when you are modifying the entry point or when you execute resulting ELF?
    – yugr
    Nov 17 at 6:20










  • @yugr As I said, it segfaults as soon as ehdr->e_entry = test_addr; is executed.
    – Trey
    Nov 17 at 16:19












  • Please provide a stackoverflow.com/help/mcve. Without it, it's anyone's guess what you did wrong (and the outputs you provided so far appear inconsistent with one another).
    – Employed Russian
    yesterday













up vote
0
down vote

favorite









up vote
0
down vote

favorite











I'm trying to patch the entry point of an ELF file directly via the e_entry field:



ehdr->e_entry = test_addr;


For a start, I wanted this new address to simply execute an exit(1) syscall:



memmove(test_addr, exit_opcode, opcode_len);



I made sure to adjust the segments and sections that come after this new code, but the problem is that as soon as I patch the entry point the program crashes, why is that?










share|improve this question















I'm trying to patch the entry point of an ELF file directly via the e_entry field:



ehdr->e_entry = test_addr;


For a start, I wanted this new address to simply execute an exit(1) syscall:



memmove(test_addr, exit_opcode, opcode_len);



I made sure to adjust the segments and sections that come after this new code, but the problem is that as soon as I patch the entry point the program crashes, why is that?







elf






share|improve this question















share|improve this question













share|improve this question




share|improve this question








edited Nov 17 at 8:52









yugr

6,73221339




6,73221339










asked Nov 17 at 0:09









Trey

179214




179214












  • Can you post gdb stacktrace?
    – yugr
    Nov 17 at 2:05










  • @yugr #0 0x00007ffff7e7cb09 in __memmove_sse2_unaligned_erms()
    – Trey
    Nov 17 at 4:50










  • So it aborts when you are modifying the entry point or when you execute resulting ELF?
    – yugr
    Nov 17 at 6:20










  • @yugr As I said, it segfaults as soon as ehdr->e_entry = test_addr; is executed.
    – Trey
    Nov 17 at 16:19












  • Please provide a stackoverflow.com/help/mcve. Without it, it's anyone's guess what you did wrong (and the outputs you provided so far appear inconsistent with one another).
    – Employed Russian
    yesterday


















  • Can you post gdb stacktrace?
    – yugr
    Nov 17 at 2:05










  • @yugr #0 0x00007ffff7e7cb09 in __memmove_sse2_unaligned_erms()
    – Trey
    Nov 17 at 4:50










  • So it aborts when you are modifying the entry point or when you execute resulting ELF?
    – yugr
    Nov 17 at 6:20










  • @yugr As I said, it segfaults as soon as ehdr->e_entry = test_addr; is executed.
    – Trey
    Nov 17 at 16:19












  • Please provide a stackoverflow.com/help/mcve. Without it, it's anyone's guess what you did wrong (and the outputs you provided so far appear inconsistent with one another).
    – Employed Russian
    yesterday
















Can you post gdb stacktrace?
– yugr
Nov 17 at 2:05




Can you post gdb stacktrace?
– yugr
Nov 17 at 2:05












@yugr #0 0x00007ffff7e7cb09 in __memmove_sse2_unaligned_erms()
– Trey
Nov 17 at 4:50




@yugr #0 0x00007ffff7e7cb09 in __memmove_sse2_unaligned_erms()
– Trey
Nov 17 at 4:50












So it aborts when you are modifying the entry point or when you execute resulting ELF?
– yugr
Nov 17 at 6:20




So it aborts when you are modifying the entry point or when you execute resulting ELF?
– yugr
Nov 17 at 6:20












@yugr As I said, it segfaults as soon as ehdr->e_entry = test_addr; is executed.
– Trey
Nov 17 at 16:19






@yugr As I said, it segfaults as soon as ehdr->e_entry = test_addr; is executed.
– Trey
Nov 17 at 16:19














Please provide a stackoverflow.com/help/mcve. Without it, it's anyone's guess what you did wrong (and the outputs you provided so far appear inconsistent with one another).
– Employed Russian
yesterday




Please provide a stackoverflow.com/help/mcve. Without it, it's anyone's guess what you did wrong (and the outputs you provided so far appear inconsistent with one another).
– Employed Russian
yesterday












1 Answer
1






active

oldest

votes

















up vote
0
down vote













I suspect that you haven't enable write-access to program's header. You can do this via something like



const uintptr_t page_size = 4096;
mprotect((void *)((uintptr_t)&ehdr->e_entry & ~(uintptr_t)4095), 4096, PROT_READ | PROT_WRITE);
ehdr->e_entry = test_addr;





share|improve this answer





















  • I'm afraid that might not be the case, since I mapped the file with the following: mmap(NULL, st.st_size, PROT |READ | PROT_WRITE | MAP_SHARED, fd, 0); which I reckon, has the same effect as mprotect right?
    – Trey
    Nov 17 at 23:56












  • Also, I just tried to use mprotect but it still faults
    – Trey
    Nov 18 at 0:01











Your Answer






StackExchange.ifUsing("editor", function () {
StackExchange.using("externalEditor", function () {
StackExchange.using("snippets", function () {
StackExchange.snippets.init();
});
});
}, "code-snippets");

StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "1"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});

function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});


}
});














 

draft saved


draft discarded


















StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53346965%2felf-getting-a-segfault-when-changing-the-entry-point%23new-answer', 'question_page');
}
);

Post as a guest















Required, but never shown

























1 Answer
1






active

oldest

votes








1 Answer
1






active

oldest

votes









active

oldest

votes






active

oldest

votes








up vote
0
down vote













I suspect that you haven't enable write-access to program's header. You can do this via something like



const uintptr_t page_size = 4096;
mprotect((void *)((uintptr_t)&ehdr->e_entry & ~(uintptr_t)4095), 4096, PROT_READ | PROT_WRITE);
ehdr->e_entry = test_addr;





share|improve this answer





















  • I'm afraid that might not be the case, since I mapped the file with the following: mmap(NULL, st.st_size, PROT |READ | PROT_WRITE | MAP_SHARED, fd, 0); which I reckon, has the same effect as mprotect right?
    – Trey
    Nov 17 at 23:56












  • Also, I just tried to use mprotect but it still faults
    – Trey
    Nov 18 at 0:01















up vote
0
down vote













I suspect that you haven't enable write-access to program's header. You can do this via something like



const uintptr_t page_size = 4096;
mprotect((void *)((uintptr_t)&ehdr->e_entry & ~(uintptr_t)4095), 4096, PROT_READ | PROT_WRITE);
ehdr->e_entry = test_addr;





share|improve this answer





















  • I'm afraid that might not be the case, since I mapped the file with the following: mmap(NULL, st.st_size, PROT |READ | PROT_WRITE | MAP_SHARED, fd, 0); which I reckon, has the same effect as mprotect right?
    – Trey
    Nov 17 at 23:56












  • Also, I just tried to use mprotect but it still faults
    – Trey
    Nov 18 at 0:01













up vote
0
down vote










up vote
0
down vote









I suspect that you haven't enable write-access to program's header. You can do this via something like



const uintptr_t page_size = 4096;
mprotect((void *)((uintptr_t)&ehdr->e_entry & ~(uintptr_t)4095), 4096, PROT_READ | PROT_WRITE);
ehdr->e_entry = test_addr;





share|improve this answer












I suspect that you haven't enable write-access to program's header. You can do this via something like



const uintptr_t page_size = 4096;
mprotect((void *)((uintptr_t)&ehdr->e_entry & ~(uintptr_t)4095), 4096, PROT_READ | PROT_WRITE);
ehdr->e_entry = test_addr;






share|improve this answer












share|improve this answer



share|improve this answer










answered Nov 17 at 17:40









yugr

6,73221339




6,73221339












  • I'm afraid that might not be the case, since I mapped the file with the following: mmap(NULL, st.st_size, PROT |READ | PROT_WRITE | MAP_SHARED, fd, 0); which I reckon, has the same effect as mprotect right?
    – Trey
    Nov 17 at 23:56












  • Also, I just tried to use mprotect but it still faults
    – Trey
    Nov 18 at 0:01


















  • I'm afraid that might not be the case, since I mapped the file with the following: mmap(NULL, st.st_size, PROT |READ | PROT_WRITE | MAP_SHARED, fd, 0); which I reckon, has the same effect as mprotect right?
    – Trey
    Nov 17 at 23:56












  • Also, I just tried to use mprotect but it still faults
    – Trey
    Nov 18 at 0:01
















I'm afraid that might not be the case, since I mapped the file with the following: mmap(NULL, st.st_size, PROT |READ | PROT_WRITE | MAP_SHARED, fd, 0); which I reckon, has the same effect as mprotect right?
– Trey
Nov 17 at 23:56






I'm afraid that might not be the case, since I mapped the file with the following: mmap(NULL, st.st_size, PROT |READ | PROT_WRITE | MAP_SHARED, fd, 0); which I reckon, has the same effect as mprotect right?
– Trey
Nov 17 at 23:56














Also, I just tried to use mprotect but it still faults
– Trey
Nov 18 at 0:01




Also, I just tried to use mprotect but it still faults
– Trey
Nov 18 at 0:01


















 

draft saved


draft discarded



















































 


draft saved


draft discarded














StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53346965%2felf-getting-a-segfault-when-changing-the-entry-point%23new-answer', 'question_page');
}
);

Post as a guest















Required, but never shown





















































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown

































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown







Popular posts from this blog

"Incorrect syntax near the keyword 'ON'. (on update cascade, on delete cascade,)

Alcedinidae

Origin of the phrase “under your belt”?