Determine location of LD_PRELOAD'ed shared libraries/functions.

[Jake Burkholder]

Marcin wrote:

>Hello Hackers,
>
>I'd like to find locations of functions exported by shared lib loaded into 
>the running ptrace'd process via LD_PRELOAD. I want do determine this from tracing process.
>For shared libraries linked with a program i can just open the program file and 
>search for relocation sections, which eventually point to the plt function entries.
>
>My problem is that i cannot figure out how to start searching for symbols which are loaded
>with LD_PRELOAD. I can see where the library is mapped in /proc/*/map 
>(isn't there a better, less freebsd-specific place to search for this info?)
>but I'm not quite sure how to interpret the mmapped pages. 
>
>Searching Elf doc's just makes me run in circles; usually the LD_PRELOAD option is just 
>mentioned as it was obvious; I't isn't quite. Sections describing program memory image are in
>program file. LD_PRELOAD'ed lib is only in the memory, to which programs sections do not apply.
>Libraries sections can't know to what address they will be mmapped to, so where to search?
>Program has relocation entries, but there is no spare space there for something unexpected like
>LD_PRELOADed library (?)
>Please point me to right direction, because i've got only one idea left: grep dynamic loader for LD_PRELOAD ;).
>
>  
>
I think you will need to use the linkmap created by rtld.  I guess you 
need the address of the dynamic linker to find it, I've only ever done 
this on core dumps before.  Its in r_debug.r_map in rtld's bss, a linked 
list of link_map structures.  This tells you the filename and relocation 
address of what was actually loaded into memory, regardless of what the 
binary says (which may be modified with libmap, etc).

Jake