How to hook a C function?

[fripSide]

I try to hook a C function using hook_address but failed.
What addresses should I pass to hook_address, the offset shown in IDA? Should I add a base address?

def hook_function(ql):
    print("Function hooked!")

base_addr = ql.loader.images[0].base
offset = 0x1234  # From readelf or IDA
real_addr = base_addr + offset
ql.hook_address(hook_function, real_addr)

ql.hook_address(hook_function, offset)

I tried many ways, but they all not work.

Here are my codes. My environment is amd64/arm64 with ubuntu 24.04.

C code:

// gcc main.c -o main.exe

#include <stdio.h>
#include <stdlib.h>

int func1(int argc) {
	if (argc > 5) {
		return 1;
	}
	return 0;
}

int main(int argc, char *argv[]) {
	if (argc < 2) {
		printf("Usage: %s num\n", argv[0]);
		return 0;
	}
	int num = atoi(argv[1]);
	int ret = func1(num);
	printf("ret: %d\n", ret);
	return ret;
}

qiling code:

from qiling import *
from qiling.const import QL_INTERCEPT, QL_VERBOSE
from unicorn.x86_const import UC_X86_INS_CPUID
from unicorn.unicorn_const import UC_HOOK_INSN
from qiling.extensions.r2 import R2
from pprint import pprint

EXE = "/work/test-bin/main.exe"
ROOTFS = "/work/test-bin/rootfs/"

""" 
support for binary compiled in ubuntu 24.04
https://github.com/qilingframework/qiling/issues/1201#issuecomment-2424259376
https://cloud.tencent.com/developer/article/2144036
"""

# CPUID leafs description : https://en.wikipedia.org/wiki/CPUID
# ISA level distribution : https://sources.debian.org/src/glibc/2.36-9%2Bdeb12u7/sysdeps/x86/get-isa-level.h/
def hook_cpuid(uc, ql):
    leaf = ql.arch.regs.eax
    res = None
    if leaf == 0x0: # Amount of leafs
        res = [0x10, 0x68747541, 0x444d4163, 0x69746e65]
    elif leaf == 0x1: # Base features (removed XSAVE and OSXSAVE among others)
        res = [0xa20f12, 0x030c0800, 0x72f8320b, 0x178bfbff]
    elif leaf == 0x7: # Extended features
        param = ql.arch.regs.ecx
        if param == 0x0:
            res = [0x0, 0x219C97A9, 0x40069C, 0x10]
        elif param == 0x1:
            res = [0x0, 0x0, 0x0, 0x0]
    elif leaf == 0xD: # XSAVE features
        res = [0xF, 0x358, 0x1800, 0]
    elif leaf == 0x80000000:
        res = [0x80000023, 0x68747541, 0x444D4163, 0x69746E65]
    elif leaf == 0x80000001:
        res = [0x00A20F12, 0x20000000, 0x75C237FF, 0x2FD3FBFF]
    elif leaf == 0x80000005:
        res = [0xFF40FF40, 0xFF40FF40, 0x20080140, 0x20080140]
    elif leaf == 0x80000007:
        res = [0x00000000, 0x0000003B, 0x00000000, 0x00006799]
    elif leaf == 0x80000008:
        res = [0x00003030, 0x111EF657, 0x0000400B, 0x00010000]
    elif leaf == 0x8000001D:
        param = ql.arch.regs.ecx
        if param == 0:
            res = [0x00004121, 0x01C0003F, 0x0000003F, 0x00000000]
        elif param == 1:
            res = [0x00004122, 0x01C0003F, 0x0000003F, 0x00000000]
        elif param == 2:
            res = [0x00004143, 0x01C0003F, 0x000003FF, 0x00000002]
        elif param == 3:
            res = [0x0002C163, 0x03C0003F, 0x00007FFF, 0x00000001]
    if res is not None:
        ql.arch.regs.eax, ql.arch.regs.ebx, ql.arch.regs.ecx, ql.arch.regs.edx = res
    return res is not None

def null_rseq_impl(ql: Qiling, abi: int, length: int, flags: int, sig: int):
    # do nothing
    pass

def hook_func(ql):
    val = ql.mem.read(ql.arch.regs.eax, 4)
    print(f"triggered hook: {val=}")
    pass

def my_sandbox():
    ql = Qiling([EXE, "6"], ROOTFS)
    ql.verbose = QL_VERBOSE.OFF

    r2 = R2(ql)

    print(f"{ql.uc.ctl_get_cpu_model()=}")
    ql.uc.hook_add(UC_HOOK_INSN, hook_cpuid, ql, 1, 0, UC_X86_INS_CPUID)

    X64BASE = int(ql.profile.get("OS64", "load_address"), 16)
    image_base_addr = ql.loader.load_address
    base_addr = ql.loader.images[0].base

    print(f"{ql.os.entry_point}")
    print(f"{hex(image_base_addr)} {hex(base_addr)} {hex(X64BASE)}")

    # print(hex(r2.functions["sym.func1"].offset))
    ql.hook_address(hook_func, 0x1169)
    ql.hook_address(hook_func, X64BASE  + 0x1169)
    ql.hook_address(hook_func, r2.functions["main"].offset)
    pprint(ql.mem.map_info)

    ql.os.set_syscall('rseq', null_rseq_impl, QL_INTERCEPT.CALL)
    ql.run()

if __name__ == '__main__':
    my_sandbox()

[cq674350529]

Hi, I tried with the minimal example you provided, and it worked.

def qiling_test():
    def my_hook(ql):
        print("Function hooked!")
    
    rootfs_path = "/home/xxx/workspace/git/qiling/examples/rootfs/x8664_linux"
    bin_path = "/home/xxx/main_elf"

    ql = Qiling([bin_path, "123"], rootfs_path, console=False, verbose=QL_VERBOSE.DISABLED)

    # image_base = ql.loader.load_address
    image_base = ql.loader.images[0].base
    ql.hook_address(my_hook, image_base + 0x118C)    # the first instruction address of main()

    ql.run()

The output is as follows.

~$ python3 qiling_demo.py 
Function hooked!
ret: 1

Q: What addresses should I pass to hook_address, the offset shown in IDA? Should I add a base address?

A: You should provide a valid virtual address to ql.hook_address(). If no PIE enabled, then the address from IDA Pro is fine. And if PIE enabled, offset from IDA Pro plus the base_addr from ql is needed. As to your case, I guess the PIE is enabled, so the latter is suitable for you.

[fripSide]

Thank you very much. Very great answer!
The gcc version of Ubuntu 24.04 is 13.2.0, which is compiled with the --enable-default-pie configuration. I have tried compiling my code with the -no-pie flag to disable PIE and it works correctly with the function address from IDA.

Can I ask another question here? Is there any way to see if the hook is in the right place?
Currently, I only got a stupid way to dsiam all the code at the hook callback and compare it with the dissam in IDA.

def hook_func_disam_on(ql):
    ql.verbose = QL_VERBOSE.DISASM
    print("hook_func")

[=] 	0000555555555169 [main.exe             + 0x000169]  f3 0f 1e fa          endbr64              
[=] 	000055555555517a [main.exe             + 0x00017a]  b8 01 00 00 00       mov                  eax, 1
[=] 	000055555555517f [main.exe             + 0x00017f]  eb 05                jmp                  0x555555555186
[=] 	0000555555555186 [main.exe             + 0x000186]  5d                   pop                  rbp
[=] 	0000555555555187 [main.exe             + 0x000187]  c3                   ret                  

[cq674350529]

Hi, there is no need to disable the PIE in purpose, it will work in both cases, as shown in the above example.

What do you mean by "Is there any way to see if the hook is in the right place"? If you provide the correct address, then it should be in the right place. By the way, when you try to get offset/address from IDA Pro, if the image base is 0x0, then the PIE might be enabled, and you need to provide the image_base address in Qiling too. If the image base in IDA Pro is not 0x0, then just provide the address in IDA Pro.

[fripSide]

Thank you very much.
I mean, is there any way to debug in the hook callback?
Sometimes I need to hook inside a function to change the behavior (e.g., if condition or return value) of a specific insn. I fill in the correct address but it still goes wrong.
At this point I suspect every line of my code and need an easy way to show that the hooks are working correctly and the problem is my mem/reg operations.

[fripSide]

Now I am familiar with Qiling debugging. Since Qiling's execution is deterministic, we can print everything at the hook function or in qiling's memory map when IDA's disassembly results differ from Qiling's capstone disassembly.

For example,

def simple_diassembler(ql: Qiling, address: int, size: int, md: Cs) -> None:
    buf = ql.mem.read(address, size)
    print("Disassembling from address: ", hex(address))
    for insn in md.disasm(buf, address):
        print(f':: {insn.address:#x} : {insn.mnemonic:24s} {insn.op_str}')

def hook_func1(ql):
    print(hex(ql.arch.regs.arch_pc))
    simple_diassembler(ql, ql.arch.regs.arch_pc, 0x20, ql.arch.disassembler)

[cq674350529]

Hi, sorry for the late response. As far as I know, there are three common ways to debug and check if the hook function works or not.

1. use the gdb debugger: Qiling provides the gdb debugger capability, which allows you to investigate the mem/regs;
2. use the qdb debugger: qdb is another way provided by the Qiling, and allows you to debug the program and views its mem/regs;
3. python debugger: since Qiling is written in python, then you can choose the python debugger to view the mem/regs in Qiling.

As to the third method, which I use mostly (borrowed some functions from qdb utility), an example is as follows. With ql parameter, you can view/investigate almost everything. By the way, in the python debugger, you can call ql.hook_address(debug_hook, <another_ins_addr>) again to setup a hook function at another ins address.

from qiling.debugger.qdb.utils import setup_context_render, setup_branch_predictor

def show_context(ql):
    predictor = setup_branch_predictor(ql)
    render = setup_context_render(ql, predictor)

    saved_regs = dict(filter(lambda d: isinstance(d[0], str), ql.arch.regs.save().items()))
    render.context_reg(saved_regs)
    render.context_stack()
    render.context_asm()

def debug_hook(ql, *args, **kwargs):
    ql.log.info("[***] reach %#x" % (ql.arch.regs.arch_pc))

    show_context(ql)    
    import ipdb; ipdb.set_trace()

# ...
ql.hook_address(debug_hook, <arbitrary_ins_addr>)
# ...

Hope it helps.