Setting or accessing library load addresses

[novafacing]

Is there a way to either explicitly set or access the address libraries are loaded at? I'm using angr to extract some PLT information and trying to set a callback in maat on the PLT stub address in the loaded library, but the addresses don't match up.

I'm using the Python interface. Thanks!

[Boyan-MILANOV]

There's a manual way to get the library load addresses (provided that they have been loaded with mmap), by simply printing the MaatEngine memory. Taken from your example in #49 (during load time so not all libraries have been loaded yet):

>>> stage1.engine.mem

Mappings:

Start               End                 Name
-----               ---                 ----
0x1000              0x1fff              ld-linux-x86-64.so.2
0x2000              0x24fff             ld-linux-x86-64.so.2
0x25000             0x2cfff             ld-linux-x86-64.so.2
0x2e000             0x30fff             ld-linux-x86-64.so.2
0x31000             0x430fff            Interp. Heap
0x431000            0x806fff            Heap
0x4000000           0x4001fff           map_anon
0x4002000           0x4003fff           /usr/lib/libcgc.so
0x4004000           0x4005fff           /usr/lib/libcgc.so
0x4006000           0x4006fff           /usr/lib/libcgc.so
0x4007000           0x4008fff           /usr/lib/libcgc.so
0x7ffffe00000       0x7ffffffffff       Stack

It is possible to get the mappings programmatically using the C++ API, but unfortunately we haven't yet written the Python bindings for it.

As regards setting the load addresses for libraries, as of today there isn't a simple way. The solution I see would be to overwrite the mmap emulation callback to load the files manually at the desired addresses, but that's easier said than done.

@novafacing If you're interested in having Python bindings for accessing the memory mappings I can convert this discussion into an issue and add it in the TODO list :)

[novafacing]

Oh excellent, this works just fine for my purposes (I just need start address), thank you! Of course Python API would be great eventually, but I'm sure y'all have a long TODO list and this does the job for the moment :)

[novafacing]

For anyone who discovers this after me but before ToB folks get around to adding the python interface:

from maat import MaatEngine
from typing import Dict, List, Tuple
from collections import defaultdict
from bisect import insort
<...snip...>
    def get_mappings(self, engine: MaatEngine) -> Dict[str, List[Tuple[int]]]:
        """
        Get the mappings of the binary.

        :param engine: Maat engine
        """
        mappings = defaultdict(list)
        rawmaps = list(map(lambda l: l.strip(), str(engine.mem).splitlines()))
        maps = map(
            lambda l: l.split(),
            filter(
                lambda l: l and l.startswith("0x"),
                rawmaps[: rawmaps.index("Page permissions:")],
            ),
        )

        for mp in maps:
            insort(mappings[mp[2]], (int(mp[0], 16), int(mp[1], 16)))

        return dict(mappings)

This will grab the current mappings as a dict of map name to list of mapped regions.