Home/ Questions/Q 1079867
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-16T21:56:17+00:00

I’ll explain: Let’s say I’m interested in replacing the rand() function used by a

  • 0

I’ll explain:

Let’s say I’m interested in replacing the rand() function used by a certain application.

So I attach gdb to this process and make it load my custom shared library (which has a customized rand() function): 

call (int) dlopen("path_to_library/asdf.so")

This would place the customized rand() function inside the process’ memory. However, at this point the symbol rand will still point to the default rand() function. Is there a way to make gdb point the symbol to the new rand() function, forcing the process to use my version?

I must say I’m also not allowed to use the LD_PRELOAD (linux) nor DYLD_INSERT_LIBRARIES (mac os x) methods for this, because they allow code injection only in the beginning of the program execution.

The application that I would like to replace rand(), starts several threads and some of them start new processes, and I’m interested in injecting code on one of these new processes. As I mentioned above, GDB is great for this purpose because it allows code injection into a specific process.

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    I followed this post and this presentation and came up with the following set of gdb commands for OSX with x86-64 executable, which can be loaded with -x option when attaching to the process:

    set $s = dyld_stub_rand
set $p = ($s+6+*(int*)($s+2))
call (void*)dlsym((void*)dlopen("myrand.dylib"), "my_rand")
set *(void**)$p = my_rand
c

    The magic is in set $p = ... command. dyld_stub_rand is a 6-byte jump instruction. Jump offset is at dyld_stub_rand+2 (4 bytes). This is a $rip-relative jump, so add offset to what $rip would be at this point (right after the instruction, dyld_stub_rand+6).

    This points to a symbol table entry, which should be either real rand or dynamic linker routine to load it (if it was never called). It is then replaced by my_rand.

    Sometimes gdb will pick up dyld_stub_rand from libSystem or another shared library, if that happens, unload them first with remove-symbol-file before running other commands.

    • 0