How can I detect IMG load? Im trying to detect when the program is loaded into memory in order to put interrupts before each function. I'm trying to do something like PIN's IMG_AddInstrumentFunction.
I'm lost and I can't found info about it.
Thx
Asked
Active
Viewed 98 times
1 Answers
1
This is exactly what r_brk is for. See include/link.h:
struct r_debug
{
.....
/* This is the address of a function internal to the run-time linker,
that will always be called when the linker begins to map in a
library or unmap it, and again when the mapping change is complete.
The debugger can set a breakpoint at this address if it wants to
notice shared object mapping changes. */
ElfW(Addr) r_brk;
....
};
They even go on and explain how to find this value in the debugee:
/* This symbol refers to the "dynamic structure" in the `.dynamic' section
of whatever module refers to `_DYNAMIC'. So, to find its own
`struct r_debug', a program could do:
for (dyn = _DYNAMIC; dyn->d_tag != DT_NULL; ++dyn)
if (dyn->d_tag == DT_DEBUG)
r_debug = (struct r_debug *) dyn->d_un.d_ptr;
*/
rydberg
- 63
- 6