QBDIPreload API

Introduction

QBDIPreload is a small utility library that provides code injection capabilities using dynamic library injection. It currently only works under Linux using the LD_PRELOAD mechanism and macOS using the DYLD_INSERT_LIBRARIES mechanism. For other platforms please check out Frida/QBDI API instead.

QBDIPreload exploits these library injection mechanisms to hijack the normal program startup. During the hijacking process QBDIPreload will call your code allowing you to setup and start your instrumentation. The compilation should produce a dynamic library (.so under Linux, .dylib under macOS) which should then be added to the matching environment variable (LD_PRELOAD under Linux and DYLD_INSERT_LIBRARIES under macOS) when running the target binary.

You can look at Generate a template for a working example with build and usage instructions.

Note

QBDIPreload automatically takes care of blacklisting instrumentation of the C standard library and the OS loader as described in Limitations.

Note

Please note that QBDIPreload does not allow instrumenting a binary before the main function (inside the loader and the library constructors / init) as explained in Limitations.

Note

QBDIPreload is supposed to be used with LD_PRELOAD or DYLD_INSERT_LIBRARIES mechanisms to inject some code into the target process. Hence, the limitations of these also affect QBDIPreload (cannot inject suid binary, …).

Initialisation

QBDIPRELOAD_INIT

A C pre-processor macro declaring a constructor.

Warning

QBDIPRELOAD_INIT must be used once in any project using QBDIPreload. It declares a constructor, so it must be placed like a function declaration on a single line.

Return codes

QBDIPRELOAD_NO_ERROR

No error.

QBDIPRELOAD_NOT_HANDLED

Startup step not handled by callback.

QBDIPRELOAD_ERR_STARTUP_FAILED

Error in the startup (preload) process.

User callbacks

int qbdipreload_on_start(void *main)

Function called when preload is on a program entry point (interposed start or an early constructor). It provides the main function address, that can be used to place a hook using the qbdipreload_hook_main API.

Return

int QBDIPreload state

Parameters
  • [in] main: Address of the main function

int qbdipreload_on_premain(void *gprCtx, void *fpuCtx)

Function called when preload hook on main function is triggered. It provides original (and platforms dependent) GPR and FPR contexts. They can be converted to QBDI states, using qbdipreload_threadCtxToGPRState and qbdipreload_floatCtxToFPRState APIs.

Return

int QBDIPreload state

Parameters
  • [in] gprCtx: Original GPR context

  • [in] fpuCtx: Original FPU context

int qbdipreload_on_main(int argc, char **argv)

Function called when preload has successfully hijacked the main thread and we are in place of the original main function (with the same thread state).

Return

int QBDIPreload state

Parameters
  • [in] argc: Original argc

  • [in] argv: Original argv

int qbdipreload_on_run(VMInstanceRef vm, rword start, rword stop)

Function called when preload is done and we have a valid QBDI VM object on which we can call run (after some last initializations).

Return

int QBDIPreload state

Parameters
  • [in] vm: VM instance.

  • [in] start: Start address of the range (included).

  • [in] stop: End address of the range (excluded).

int qbdipreload_on_exit(int status)

Function called when process is exiting (using _exit or exit).

Return

int QBDIPreload state

Parameters
  • [in] status: exit status

Helpers

int qbdipreload_hook_main(void *main)

Enable QBDIPreload hook on the main function (using its address)

Warning

It MUST be used in qbdipreload_on_start if you want to handle this step. The assumed main address is provided as a callback argument.

Parameters
  • [in] main: Pointer to the main function

void qbdipreload_threadCtxToGPRState(const void *gprCtx, GPRState *gprState)

Convert a QBDIPreload GPR context (platform dependent) to a QBDI GPR state.

Parameters
  • [in] gprCtx: Platform GPRState pointer

  • [in] gprState: QBDI GPRState pointer

void qbdipreload_floatCtxToFPRState(const void *fprCtx, FPRState *fprState)

Convert a QBDIPreload FPR context (platform dependent) to a QBDI FPR state.

Parameters
  • [in] fprCtx: Platform FPRState pointer

  • [in] fprState: QBDI FPRState pointer