Function Hooking for Mac OSX and Linux

Presented at DEF CON 18 (2010), Aug. 1, 2010, 5 p.m. (50 minutes).

This talk will cover three different methods of function hooking for Mac OSX and Linux. The talk will begin by describing useful bits of Intel64 assembly followed up with 3 different binary rewriting techniques to hook a range of different functions, including some inlined functions, too. We'll finish up with a demo of two nice things that these techniques make possible (a memory profiler and a function call tracer), and one slightly more evil thing.

Presenters:

• Joe Damato
  Joe Damato is a systems programmer who spends his days hacking on the Ruby VM and tools for analyzing the performance characteristics of complex software systems. He maintains a blog (http://timetobleed.com) where he releases code, patches to the Ruby VM, and his thoughts on low level systems programming. He maintains memprof, a Ruby level memory profiler and added support for libdl to trace.

Links:

• https://defcon.org/html/defcon-18/dc-18-speakers.html#Damato
• https://infocon.org/cons/DEF CON/DEF CON 18/DEF CON 18 video and slides/DEF CON 18 - Joe Damato - Function Hooking for Mac OSX and Linux - Video and Slides.mp4 (Video and Slides)
• https://www.youtube.com/watch?v=rXvvex-Cd74

Similar Presentations:

• REcon 2015 / Hooking Nirvana: Stealthy Instrumentation Techniques for Windows 10
• DerbyCon 2.0 Reunion (2012) / Ambush – Catching Intruders At Any Point