Modifying ELF files
roam at ringlet.net
Thu Apr 8 15:33:33 UTC 2010
On Thu, Apr 08, 2010 at 07:17:46AM -0700, Patrick Mahan wrote:
> In my job, we are producing applications and KLM's for our product
> that require them to be signed so that our installer will recognize
> and validate our images.
> The signature is stored in each app as
> unsigned char signature __attribute__((section(".compsign")));
> What I need to do is open the file for writing, locate the ".compsign"
> section and stuff in the signature, write it out and close the file.
> (simple ELF manipulation)
> An 'ls -l' shows the following:
> % ls compklm.ko
> -rw-r--r-- 1 pmahan pmahan 125296 Apr 6 22:50 /home/pmahan/temp/compklm.ko
> When I try to run my program
> ./signfile --signature=A203239897C8EB360D1EB2C84E8E77B16E5B7C9A compklm.ko
> open: Text file busy
> Googling and looking at the kernel sources, it seems that it detects
> this file contains 'shared text', that is, it is an executable file
> and does not allow me to open it for writing.
> I understand (from my google search) this is a means to keep you from
> shooting yourself in the foot. But there has got to be a way and I
> really don't want to grovel through the compiler code to find it. I
> looked at using libelf.so but it also requires that the file be open
> for writing. So I am kinda stuck. If I cannot find a quick solution
> we might need to do all of our signing on our FC11 box which does not
> have this issue.
It's not in the compiler code that you want to find it, but in the install(1)
program that is used to, well, install files into e.g. /bin, /usr/bin,
etc. What it does is create a temporary file in the directory where
it wants to place the final file, write into the temporary file, and
then, when the file is complete and only when it is complete, it
does a rename(2) syscall, moving the temporary file "over" the real
one. If a program (or the kernel) is using the old version of
the real file, its inode and its data blocks are still present on
the disk and they are only deleted when the last consumer closes
the file (or rather, the file descriptor it's holding on that inode).
This also guarantees that anyone who tries to open the file will
only open it "when it's ready", and will not try to execute
a partially-written-out executable or something.
So, what you need to do if you want to modify a file is create
a new one in the same directory (well, it's really "on the same
filesystem", but the most portable way to ensure that is to
use the same directory - unless you require the user to
specify a temporary directory you can use on the same filesystem).
Then, read the original file, write into the new one, and when
you're ready, do a rename(tempfile, realfile).
Hope that helps.
Peter Pentchev roam at space.bg roam at ringlet.net roam at FreeBSD.org
PGP key: http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint FDBA FD79 C26F 3C51 C95E DF9E ED18 B68D 1619 4553
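The install(1)-style replacement described in the reply, applied to the original question (find the ".compsign" section, copy the signature in, never open the busy text image for writing). This is an added example, not code from either poster: it assumes an ELF64 little-endian input read on a little-endian host, a ".compsign" section that has file bytes (SHT_PROGBITS) and is at least as large as the signature, and the <elf.h> header as shipped with glibc (on FreeBSD the same types come from <sys/elf.h>). The fixture written by build_test_elf() under /tmp and the 20-byte value in demo() are constructed for the test; the hex digits are simply the ones from the original mail reused as sample bytes.

```c
/* Added example, not code from the thread: patch the ".compsign" section of an ELF64 file
 * the way install(1) replaces a binary, i.e. write a temp file in the same directory and
 * rename(2) it over the original. Assumes a little-endian host and ELF64 LSB input. */
#include <elf.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>
/* Slurp the whole file into a malloc'd buffer; NULL on error. */
static unsigned char *read_file(const char *path, size_t *len)
{
    struct stat st; unsigned char *buf = NULL; FILE *f = fopen(path, "rb");
    if (!f) return NULL;
    if (fstat(fileno(f), &st) == 0 && (buf = malloc(st.st_size + 1)) != NULL &&
        fread(buf, 1, st.st_size, f) != (size_t)st.st_size) { free(buf); buf = NULL; }
    *len = (size_t)st.st_size; fclose(f);
    return buf;
}
/* Locate a section by name. Every header offset is range-checked against the image so a
 * truncated or hostile file fails cleanly. Returns the file offset or -1; *size = sh_size. */
static long find_section(const unsigned char *img, size_t len, const char *name, size_t *size)
{
    const Elf64_Ehdr *eh = (const Elf64_Ehdr *)img;
    if (len < sizeof *eh || memcmp(eh->e_ident, ELFMAG, SELFMAG) != 0 ||
        eh->e_ident[EI_CLASS] != ELFCLASS64 || eh->e_ident[EI_DATA] != ELFDATA2LSB ||
        eh->e_shentsize != sizeof(Elf64_Shdr) || eh->e_shstrndx >= eh->e_shnum ||
        eh->e_shoff % 8 != 0 || eh->e_shoff > len ||
        (size_t)eh->e_shnum * sizeof(Elf64_Shdr) > len - eh->e_shoff)
        return -1;
    const Elf64_Shdr *sh = (const Elf64_Shdr *)(img + eh->e_shoff), *st = &sh[eh->e_shstrndx];
    if (st->sh_offset > len || st->sh_size > len - st->sh_offset) return -1;
    for (unsigned i = 0; i < eh->e_shnum; i++) {
        if (sh[i].sh_name >= st->sh_size) continue;
        const char *nm = (const char *)img + st->sh_offset + sh[i].sh_name;
        if (!memchr(nm, 0, st->sh_size - sh[i].sh_name) || strcmp(nm, name) != 0) continue;
        if (sh[i].sh_type == SHT_NOBITS || sh[i].sh_offset > len ||
            sh[i].sh_size > len - sh[i].sh_offset) return -1;      /* no file bytes to patch */
        *size = sh[i].sh_size; return (long)sh[i].sh_offset;
    }
    return -1;
}
/* Write buf to a temp file beside path, fsync, then rename(2) it over path. Anyone still
 * holding the old inode keeps it until they close it; nobody ever sees a half-written file. */
static int replace_atomically(const char *path, const unsigned char *buf, size_t len)
{
    char tmp[4096]; struct stat st;
    if (snprintf(tmp, sizeof tmp, "%s.XXXXXX", path) >= (int)sizeof tmp) return -1;
    int fd = mkstemp(tmp); if (fd < 0) return -1;
    int ok = stat(path, &st) != 0 || fchmod(fd, st.st_mode & 07777) == 0;  /* keep the old mode */
    for (size_t off = 0; ok && off < len; ) {
        ssize_t n = write(fd, buf + off, len - off);
        if (n <= 0) ok = 0; else off += (size_t)n;
    }
    ok = ok && fsync(fd) == 0;
    close(fd);
    if (ok && rename(tmp, path) == 0) return 0;
    unlink(tmp); return -1;
}
/* Copy sig into .compsign (it must fit) and install the patched image over path. */
int sign_file(const char *path, const unsigned char *sig, size_t siglen)
{
    size_t len, secsize; int rc = -1;
    unsigned char *img = read_file(path, &len); if (!img) return -1;
    long off = find_section(img, len, ".compsign", &secsize);
    if (off >= 0 && siglen <= secsize) {
        memcpy(img + off, sig, siglen);
        rc = replace_atomically(path, img, len);
    }
    free(img); return rc;
}
/* Constructed fixture, not a real module: a minimal ELF64 with a zeroed 32-byte .compsign. */
static int build_test_elf(const char *path)
{
    static const char names[] = "\0.compsign\0.shstrtab";              /* 21 bytes */
    Elf64_Xword raw[64] = {0}; unsigned char *img = (unsigned char *)raw; /* 8-byte aligned */
    Elf64_Ehdr *eh = (Elf64_Ehdr *)img;
    size_t sig_off = sizeof *eh, str_off = sig_off + 32;
    size_t shoff = (str_off + sizeof names + 7) & ~(size_t)7;            /* = 120 */
    memcpy(eh->e_ident, ELFMAG, SELFMAG);
    eh->e_ident[EI_CLASS] = ELFCLASS64; eh->e_ident[EI_DATA] = ELFDATA2LSB; eh->e_ident[EI_VERSION] = EV_CURRENT;
    eh->e_type = ET_REL; eh->e_machine = EM_X86_64; eh->e_version = EV_CURRENT; eh->e_ehsize = sizeof *eh;
    eh->e_shoff = shoff; eh->e_shentsize = sizeof(Elf64_Shdr); eh->e_shnum = 3; eh->e_shstrndx = 2;
    memcpy(img + str_off, names, sizeof names);
    Elf64_Shdr *sh = (Elf64_Shdr *)(img + shoff);
    sh[1].sh_name = 1;  sh[1].sh_type = SHT_PROGBITS; sh[1].sh_offset = sig_off; sh[1].sh_size = 32;
    sh[2].sh_name = 11; sh[2].sh_type = SHT_STRTAB;   sh[2].sh_offset = str_off; sh[2].sh_size = sizeof names;
    return replace_atomically(path, img, shoff + 3 * sizeof(Elf64_Shdr));   /* 312 bytes */
}
/* End-to-end check: build the fixture, sign it with a constructed 20-byte value, re-read it
 * and confirm .compsign carries the value and the file size is unchanged. 0 on success. */
int demo(void)
{
    static const unsigned char sig[20] = {0xA2,0x03,0x23,0x98,0x97,0xC8,0xEB,0x36,0x0D,0x1E,
                                          0xB2,0xC8,0x4E,0x8E,0x77,0xB1,0x6E,0x5B,0x7C,0x9A};
    const char *path = "/tmp/compsign_example.ko"; size_t len, secsize;
    if (build_test_elf(path) != 0 || sign_file(path, sig, sizeof sig) != 0) return -1;
    unsigned char *img = read_file(path, &len); if (!img) return -1;
    long off = find_section(img, len, ".compsign", &secsize);
    int rc = (off >= 0 && secsize == 32 && len == 312 && memcmp(img + off, sig, 20) == 0) ? 0 : -1;
    free(img); return rc;
}
int main(void) { return demo() == 0 ? 0 : 1; }   /* exit status is the verdict */
```

The original file is only ever opened read-only, so the "Text file busy" check never triggers; the kernel keeps the old inode alive for whoever has it mapped, and the rename(2) makes the new image appear in one step. mkstemp(3) creates the temp file mode 0600, so the old mode is copied with fchmod(2) before the rename, otherwise the module would lose its permissions; the bounds checks in find_section() are there because a signing tool that trusts section headers blindly is an easy place to be handed a crafted object.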