xzre
Public Member Functions | Data Fields
ldso_ctx Struct Reference

Public Member Functions

 PADDING (0x40)
 
 PADDING (0x4)
 
 PADDING (0x4)
 
 PADDING (0x7)
 
 PADDING (0x30)
 

Data Fields

u32 * libcrypto_auditstate_bindflags_ptr
 the location of libcrypto's auditstate::bindflags field More...
 
u32 libcrypto_auditstate_bindflags_old_value
 backup of the old value of libcrypto's libname_list::next field
 
u32 * sshd_auditstate_bindflags_ptr
 the location of sshd's auditstate::bindflags field More...
 
u32 sshd_auditstate_bindflags_old_value
 backup of the old value of sshd's libname_list::next field
 
void * sshd_link_map_l_audit_any_plt_addr
 location of sshd's link_map::l_audit_any_plt flag More...
 
u8 link_map_l_audit_any_plt_bitmask
 bitmask that sets the link_map::l_audit_any_plt flag More...
 
struct audit_ifaces ** _dl_audit_ptr
 location of ld.so's _rtld_global_ro::_dl_audit_ptr field More...
 
unsigned int * _dl_naudit_ptr
 location of ld.so's _rtld_global_ro::_dl_naudit_ptr field More...
 
struct audit_ifaces hooked_audit_ifaces
 the struct audit_ifaces that points to backdoor_symbind() More...
 
char ** libcrypto_l_name
 location of libcrypto's link_map::l_name field More...
 
void(* _dl_audit_symbind_alt )(struct link_map *l, const ElfW(Sym) *ref, void **value, lookup_t result)
 address of ld.so's _dl_audit_symbind_alt() function More...
 
size_t _dl_audit_symbind_alt__size
 code size of ld.so's _dl_audit_symbind_alt() function
 
pfn_RSA_public_decrypt_t hook_RSA_public_decrypt
 pointer to the function that will replace RSA_public_decrypt()
 
pfn_EVP_PKEY_set1_RSA_t hook_EVP_PKEY_set1_RSA
 
pfn_RSA_get0_key_t hook_RSA_get0_key
 pointer to the function that will replace RSA_get0_key()
 
imported_funcs_timported_funcs
 
u64 hooks_installed
 

Field Documentation

◆ _dl_audit_ptr

struct audit_ifaces** ldso_ctx::_dl_audit_ptr

location of ld.so's _rtld_global_ro::_dl_audit_ptr field

ld.so's _dl_audit_symbind_alt() uses the struct at this location to call the backdor_symbind() callback function

this field is set to hooked_audit_ifaces to activate backdoor_symbind()

◆ _dl_audit_symbind_alt

void(* ldso_ctx::_dl_audit_symbind_alt) (struct link_map *l, const ElfW(Sym) *ref, void **value, lookup_t result)

address of ld.so's _dl_audit_symbind_alt() function

this function is called when ld.so is binding all the dynamic linking symbols between ELFs

◆ _dl_naudit_ptr

unsigned int* ldso_ctx::_dl_naudit_ptr

location of ld.so's _rtld_global_ro::_dl_naudit_ptr field

this field controls whether ld.so's _dl_audit_symbind_alt() will expect any struct audit_ifaces

this field is set to 1 to activate backdoor_symbind()

◆ hook_EVP_PKEY_set1_RSA

pfn_EVP_PKEY_set1_RSA_t ldso_ctx::hook_EVP_PKEY_set1_RSA

this field is set to a value from backdoor_shared_globals_t which is different to the other hook_ fields that are coped from backdoor_hooks_ctx_t

◆ hooked_audit_ifaces

struct audit_ifaces ldso_ctx::hooked_audit_ifaces

the struct audit_ifaces that points to backdoor_symbind()

the audit_ifaces::symbind64 field is set to backdoor_symbind()

_dl_audit_symbind_alt() will use this struct to check for a audit_ifaces::symbind64 callback function

◆ libcrypto_auditstate_bindflags_ptr

u32* ldso_ctx::libcrypto_auditstate_bindflags_ptr

the location of libcrypto's auditstate::bindflags field

_dl_audit_symbind_alt() will check this field to see backdoor_symbind() should be called for this ELF

this field is set to LA_FLG_BINDTO to activate backdoor_symbind()

before _dl_naudit is set to 1 this is actually the location of libname_list::next

◆ libcrypto_l_name

char** ldso_ctx::libcrypto_l_name

location of libcrypto's link_map::l_name field

used by backdoor_setup() to store a pointer to the backdoor_hooks_data_t struct

◆ link_map_l_audit_any_plt_bitmask

u8 ldso_ctx::link_map_l_audit_any_plt_bitmask

bitmask that sets the link_map::l_audit_any_plt flag

used with ldso_ctx_t::sshd_link_map_l_audit_any_plt_addr to set the correct bit

◆ sshd_auditstate_bindflags_ptr

u32* ldso_ctx::sshd_auditstate_bindflags_ptr

the location of sshd's auditstate::bindflags field

_dl_audit_symbind_alt() will check this field to see backdoor_symbind() should be called for this ELF

this field is set to LA_FLG_BINDFROM to activate backdoor_symbind()

before _dl_naudit is set to 1 this is actually the location of libname_list::next

◆ sshd_link_map_l_audit_any_plt_addr

void* ldso_ctx::sshd_link_map_l_audit_any_plt_addr

location of sshd's link_map::l_audit_any_plt flag

this flag controls whether ld.so's _dl_audit_symbind_alt() will even check the struct auditstate for sshd

this flag is set to 1 to activate backdoor_symbind()


The documentation for this struct was generated from the following file: