
I am currently investigating a compiled C program. I know that it makes several network requests due to several calls to socket, gethostbyname and connect throughout the code. Furthermore, I know it is making a GET request because I have run strings on the program and found one.

I would like to run this program so that I can investigate it without it making any network calls; however, to do this I would have to simulate a GET request just with the functions given.

I have the following code, which I have compiled and added to LD_PRELOAD:

#include <arpa/inet.h>
#include <netdb.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>

int socket(int domain, int type, int protocol) {
    fprintf(stderr, "socket(%d, %d, %d)\n", domain, type, protocol);
    // TODO Return actual socket which contains request
    // (1 is stdout, so for now whatever the program writes lands on the terminal)
    return 1;
}

// Static hostent answering 127.0.0.1, so the program gets a usable address list
// instead of a zeroed struct with a NULL h_addr_list
static struct in_addr HOST_ADDR;
static char *HOST_ADDR_LIST[] = { (char *)&HOST_ADDR, NULL };
static char *HOST_ALIASES[] = { NULL };
struct hostent HOST;
struct hostent *gethostbyname(const char *name) {
    fprintf(stderr, "gethostbyname(%s)\n", name);
    HOST_ADDR.s_addr = htonl(INADDR_LOOPBACK);
    HOST.h_name = (char *)name;
    HOST.h_aliases = HOST_ALIASES;
    HOST.h_addrtype = AF_INET;
    HOST.h_length = sizeof HOST_ADDR;
    HOST.h_addr_list = HOST_ADDR_LIST;
    return &HOST;
}

int connect(int sockfd, const struct sockaddr *addr, socklen_t addr_len) {
    // sa_data is not a string: for AF_INET it holds the port and the IPv4
    // address in network byte order, so decode it as a sockaddr_in
    if (addr->sa_family == AF_INET && addr_len >= sizeof(struct sockaddr_in)) {
        const struct sockaddr_in *in = (const struct sockaddr_in *)addr;
        char ip[INET_ADDRSTRLEN];
        inet_ntop(AF_INET, &in->sin_addr, ip, sizeof ip);
        fprintf(stderr, "Connecting to: %s:%u\n", ip, (unsigned)ntohs(in->sin_port));
    } else {
        fprintf(stderr, "Connecting to: address family %d\n", addr->sa_family);
    }
    return 0;
}

This appears to work, but I can make little sense of what it prints to and receives from the socket.

I am also open to other solutions to the problem.

4e554c4c
  • `sa_data` is not a string, it's an IP address in binary. – Barmar Jan 25 '19 at 22:58
  • See https://stackoverflow.com/questions/5328070/how-to-convert-string-to-ip-address-and-vice-versa for how to convert an IP address to a string like `"192.168.10.1"` – Barmar Jan 25 '19 at 23:00
  • Running `strings` on a program file to see its behaviour is not reliable. There could be libraries statically linked with functionality that the program does not use. Better to use something like `strace` or `ltrace`. – cdarke Jan 25 '19 at 23:01
  • You need to provide replacements for `read()`, `write()`, `recv()`, and `send()`. – Barmar Jan 25 '19 at 23:01
  • @cdarke I think the fact that he saw the string `GET` is pretty good evidence that it's doing an HTTP request. – Barmar Jan 25 '19 at 23:02
  • Ah good points! I didn't know it was an IP address. I'll change that up. Do I have to make a replacement for `read` and all though? I would think I could create file descriptors here and manipulate them in another thread or similar – 4e554c4c Jan 25 '19 at 23:02
  • @Barmar: true, and presumably that's critical to the program behaviour anyway, but as a general technique for seeing what a program does, `strings` is inferior to the programs I mentioned. – cdarke Jan 25 '19 at 23:03
  • Also as a note: I have looked at the program binary (it is quite small) and it only contains a few syscalls: mostly these and some reads and writes. I would run with strace, but I wouldn't want to make any HTTP requests :p – 4e554c4c Jan 25 '19 at 23:05
  • Why are you trying to prevent the network connections? How do these harm your analysis of the binary? – Ctx Jan 25 '19 at 23:13
  • The call is to my university (as this is an assignment) so they can know exactly how often I run the binary. I wish to minimize this and I think this is a good way to do it. – 4e554c4c Jan 25 '19 at 23:15
  • For example with Linux you could alternatively install a firewall rule which redirects the connection to localhost; this might be easier than the approach you propose. – Ctx Jan 25 '19 at 23:24
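The approach the asker floats in the comments (create the file descriptors inside the shim and service them from another thread) can be done without wrapping read, write, recv or send at all: if socket() returns one end of a socketpair and a thread answers on the other end, the program's existing I/O calls operate on a real socket and need no interception. The following is an added example written for this page, not code from the question or an accepted answer. The canned HTTP reply, the hostname "example.com" and the helper names (fake_socket, format_sockaddr, fake_get) are constructed for the illustration; connect() decodes the sockaddr_in with inet_ntop rather than printing sa_data as a string.

```c
#include <arpa/inet.h>
#include <netdb.h>
#include <netinet/in.h>
#include <pthread.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Constructed reply the program receives instead of anything from the real server. */
static const char FAKE_RESPONSE[] =
    "HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\nContent-Length: 2\r\n"
    "Connection: close\r\n\r\nok";

/* Peer end of the socketpair: log what the program sends, answer, hang up. */
static void *fake_server(void *arg) {
    int fd = (int)(intptr_t)arg;
    char req[4096];
    ssize_t n = read(fd, req, sizeof req - 1);
    if (n > 0) {
        req[n] = '\0';
        fprintf(stderr, "[shim] request from program:\n%s\n", req);
    }
    /* MSG_NOSIGNAL: if the program already closed its end, get EPIPE rather than SIGPIPE */
    (void)send(fd, FAKE_RESPONSE, sizeof FAKE_RESPONSE - 1, MSG_NOSIGNAL);
    close(fd);                        /* EOF for the program, like Connection: close */
    return NULL;
}

/* Return one end of a connected socketpair; a detached thread serves the other end. */
int fake_socket(void) {
    int sv[2];
    pthread_t tid;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return -1;
    if (pthread_create(&tid, NULL, fake_server, (void *)(intptr_t)sv[1]) != 0) {
        close(sv[0]); close(sv[1]); return -1;
    }
    pthread_detach(tid);
    return sv[0];
}

/* Decode an AF_INET sockaddr as "a.b.c.d:port". sa_data is binary, not a C string. */
int format_sockaddr(const struct sockaddr *addr, socklen_t len, char *out, size_t outlen) {
    if (addr->sa_family == AF_INET && len >= sizeof(struct sockaddr_in)) {
        const struct sockaddr_in *in = (const struct sockaddr_in *)addr;
        char ip[INET_ADDRSTRLEN];
        if (!inet_ntop(AF_INET, &in->sin_addr, ip, sizeof ip)) return -1;
        snprintf(out, outlen, "%s:%u", ip, (unsigned)ntohs(in->sin_port));
        return 0;
    }
    snprintf(out, outlen, "<family %d>", addr->sa_family);
    return -1;
}

/* Interposed libc entry points: with the object in LD_PRELOAD these win over libc's. */
int socket(int domain, int type, int protocol) {
    fprintf(stderr, "[shim] socket(%d, %d, %d)\n", domain, type, protocol);
    return fake_socket();
}

int connect(int sockfd, const struct sockaddr *addr, socklen_t addr_len) {
    char where[64];
    format_sockaddr(addr, addr_len, where, sizeof where);
    fprintf(stderr, "[shim] connect(%d) -> %s, not performed\n", sockfd, where);
    return 0;                         /* the socketpair is already "connected" */
}

static struct in_addr fake_addr;
static char *fake_addr_list[] = { (char *)&fake_addr, NULL };
static char *fake_aliases[] = { NULL };
static struct hostent fake_host;

struct hostent *gethostbyname(const char *name) {
    fprintf(stderr, "[shim] gethostbyname(%s) -> 127.0.0.1\n", name);
    fake_addr.s_addr = htonl(INADDR_LOOPBACK);
    fake_host.h_name = (char *)name;
    fake_host.h_aliases = fake_aliases;
    fake_host.h_addrtype = AF_INET;
    fake_host.h_length = sizeof fake_addr;
    fake_host.h_addr_list = fake_addr_list;
    return &fake_host;
}

/* Drive the shim in-process the way the investigated program would: resolve, connect, GET, read. */
ssize_t fake_get(const char *hostname, const char *path, char *resp, size_t resplen) {
    struct hostent *he = gethostbyname(hostname);
    if (!he || !he->h_addr_list[0]) return -1;
    struct sockaddr_in sin;
    memset(&sin, 0, sizeof sin);
    sin.sin_family = AF_INET;
    sin.sin_port = htons(80);
    memcpy(&sin.sin_addr, he->h_addr_list[0], sizeof sin.sin_addr);
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    if (connect(fd, (struct sockaddr *)&sin, sizeof sin) < 0) { close(fd); return -1; }
    char req[512];
    int len = snprintf(req, sizeof req, "GET %s HTTP/1.1\r\nHost: %s\r\n\r\n", path, hostname);
    if (write(fd, req, len) != len) { close(fd); return -1; }
    size_t got = 0;
    ssize_t r;
    while (got < resplen - 1 && (r = read(fd, resp + got, resplen - 1 - got)) > 0) got += (size_t)r;
    resp[got] = '\0';
    close(fd);
    return (ssize_t)got;
}

int main(void) {
    char buf[1024];
    ssize_t n = fake_get("example.com", "/", buf, sizeof buf);   /* hostname is made up */
    printf("got %zd bytes:\n%s\n", n, buf);
    return n > 0 ? 0 : 1;
}
```

Build it as a shared object with `gcc -shared -fPIC -pthread -o shim.so shim.c` and run the target with `LD_PRELOAD=./shim.so ./target`; the request the program sends and the addresses it tries to reach appear on stderr, and nothing leaves the machine. Two caveats: LD_PRELOAD only intercepts calls that go through the dynamic linker, so a statically linked binary or one that issues the socket syscalls directly bypasses it, and a program that resolves names with getaddrinfo rather than gethostbyname would need that function interposed as well.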

0 Answers