# TLDR

Calls within libc are generally pre-linked. As a result, they can't be interposed using `LD_PRELOAD`. This makes it tricky to use `LD_PRELOAD` to intercept, e.g., all calls to `write`. 

## An example program

For demo purposes we'll use a program that makes a single call to `fwrite`:

In [10]:
cat ./fwrite.c

#include <stdio.h>
#include <string.h>

int main(int argc, char **argv) {
    const char *msg = "Hello fwrite\n";
    fwrite(msg, 1, strlen(msg), stdout);
    return 0;
}


## Interposing fwrite works

Let's look at what happens when interposition works as expected. We'll interpose on `fwrite` itself, to make each such call twice.

In [2]:
cat interpose_fwrite.c

#define _GNU_SOURCE

#include <stdio.h>
#include <dlfcn.h>

size_t fwrite(const void* ptr, size_t size, size_t nmemb, FILE* stream) {
    size_t (*orig_fwrite)(const void* ptr, size_t size, size_t nmemb,
                          FILE* stream) = dlsym(RTLD_NEXT, "fwrite");
    orig_fwrite(ptr, size, nmemb, stream);
    return orig_fwrite(ptr, size, nmemb, stream);
}


In [4]:
LD_PRELOAD=$PWD/interpose_fwrite.so ./fwrite

Hello fwrite
Hello fwrite


This works because the call to fwrite happens via the PLT:

In [5]:
objdump -D fwrite | grep 'call.*fwrite'

  4005b6:	e8 a5 fe ff ff       	callq  400460 <fwrite@plt>


We can also turn on the dynamic linker's debug output to see this binding happen. Without `LD_PRELOAD`, `fwrite` gets bound to libc's symbol:

In [6]:
LD_DEBUG=bindings ./fwrite 2>&1 | grep 'symbol.*fwrite'

      3618:	binding file ./fwrite [0] to /lib/x86_64-linux-gnu/libc.so.6 [0]: normal symbol `fwrite' [GLIBC_2.2.5]


With `LD_PRELOAD`, it gets bound to our preloaded library instead:

In [7]:
LD_DEBUG=bindings LD_PRELOAD=$PWD/interpose_fwrite.so ./fwrite 2>&1 | grep 'symbol.*fwrite'

      3630:	binding file ./fwrite [0] to /home/jnewsome/projects/dev-journal/interposing-fwrite/interpose_fwrite.so [0]: normal symbol `fwrite' [GLIBC_2.2.5]
      3630:	binding file /home/jnewsome/projects/dev-journal/interposing-fwrite/interpose_fwrite.so [0] to /lib/x86_64-linux-gnu/libc.so.6 [0]: normal symbol `fwrite'


## Interposing write alone doesn't work

So far so good. But if we want to apply our doubling to *all* writes, there are a bunch of other output functions we'll need to intercept. e.g. `printf`, `fprintf`, `puts`, ... Can we do so without writing wrappers for all of these and duplicating our doubling logic in all of them?

Ultimately these all end up making a `write` system call. Maybe we

In [9]:
strace -k -e write ./fwrite 2>&1

write(1, "Hello fwrite\n", 13Hello fwrite
)          = 13
 > /lib/x86_64-linux-gnu/libc-2.27.so(__write+0x14) [0x110154]
 > /lib/x86_64-linux-gnu/libc-2.27.so(_IO_file_write+0x2d) [0x8b1bd]
 > /lib/x86_64-linux-gnu/libc-2.27.so(_IO_do_write+0xb1) [0x8cf51]
 > /lib/x86_64-linux-gnu/libc-2.27.so(_IO_file_overflow+0x103) [0x8d403]
 > /lib/x86_64-linux-gnu/libc-2.27.so(_IO_default_xsputn+0x74) [0x8e494]
 > /lib/x86_64-linux-gnu/libc-2.27.so(_IO_file_xsputn+0x103) [0x8ba33]
 > /lib/x86_64-linux-gnu/libc-2.27.so(fwrite+0xd7) [0x7f977]
 > /home/jnewsome/projects/dev-journal/interposing-fwrite/fwrite(main+0x5b) [0x5bb]
 > /lib/x86_64-linux-gnu/libc-2.27.so(__libc_start_main+0xe7) [0x21b97]
 > /home/jnewsome/projects/dev-journal/interposing-fwrite/fwrite(_start+0x2a) [0x49a]
+++ exited with 0 +++


In [12]:
LD_PRELOAD=$PWD/interpose_write.so ./fwrite

Hello fwrite


## strace

We can use strace with the -k option to get the callstack at each syscall. Here we're interested in the call stack of the `write` syscall, so we grep for just that bit:

In [1]:
pwd

/home/jnewsome/projects/dev-journal/interposing-fwrite
