It is simply compiled with GCC and lives as a binary executable a.out. How can we hook that libc write function in such a way that we can run our own code without the application breaking?
First, let's list the symbols that glibc exports.
Notice how there is a write and a __write symbol? What’s all that about? Let’s look at the source code.
Notice in particular the weak_alias macros near the bottom. It wouldn’t be too much of a stretch to conclude from this that write and __write will both do the same thing; although you’re free to dig further into the code if you’d like.
Let’s put this hypothesis to the test by creating a shared library.
We can compile this as a shared library like so.
Unix-like operating systems include an environment variable called LD_PRELOAD which allows us to specify a shared library which will be loaded ahead of all others, including libc. Using this method we can trick the application into using the write function we wrote instead of the official libc one.
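The interposer described above, written out as an added example (not the original post's code). It assumes glibc, which exports `__write`; the file names `hook.c` and `hook.so` and the two counter helpers are hypothetical and exist only for illustration.

```c
/* hook.c - added illustration, glibc only.
 * Build: gcc -shared -fPIC -o hook.so hook.c
 * Run:   LD_PRELOAD=./hook.so ./a.out
 */
#include <stddef.h>
#include <sys/types.h>
#include <unistd.h>

/* glibc's double-underscore alias for write(). No public header declares
 * it, so we declare it by hand with the same signature. */
extern ssize_t __write(int fd, const void *buf, size_t count);

/* Hypothetical bookkeeping so the effect of the hook can be observed. */
static unsigned long hooked_calls;
static size_t hooked_bytes;

unsigned long hook_call_count(void) { return hooked_calls; }
size_t hook_byte_count(void) { return hooked_bytes; }

/* Same name and signature as libc's write(). Because the preloaded library
 * is searched first, the application's calls to write() resolve here. */
ssize_t write(int fd, const void *buf, size_t count)
{
    static const char tag[] = "[hook] write intercepted\n";
    ssize_t n;

    hooked_calls++;

    /* Our own code runs here. It must call __write, not write, otherwise
     * the hook would call itself and recurse until the stack is gone.
     * Writes already aimed at stderr are not announced a second time. */
    if (fd != 2)
        __write(2, tag, sizeof tag - 1);

    /* Forward to the real implementation so the application keeps working:
     * the return value and errno come from the real call. */
    n = __write(fd, buf, count);
    if (n > 0)
        hooked_bytes += (size_t)n;
    return n;
}
```

In secure-execution mode (for example set-user-ID binaries) the dynamic linker ignores LD_PRELOAD entries that contain slashes, so this only takes effect for ordinary processes.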
This approach may seem flaky since we are relying on some illicit knowledge of glibc’s internal workings; however, the official documentation states that this is actually part of the reason that double underscore functions exist in the library.
Unfortunately, not all libraries offer duplicate symbols in this way. Is there another way to hook library functions? That’s a question we will answer in part 2.