
I know that in libaaa.so there is an exported (the symbol is in the text/code section) function obj1() at address 0x12345 from the start of the library.

```java
CLibrary libaaa = (CLibrary)Native.load("aaa", CLibrary.class);
```

I want to invoke a function obj2() which I know to be at address 0x12444 from the start of the library OR the address of (obj1() + 0xff) (0x12444-0x12345=0xff)

The obj2() symbol is NOT in the text/code section, so I can only invoke it by its address (which I know). I understand that I could use `Function.getFunction(new Pointer(funcAddr), 0, "utf8");` if I had the function's address, but I do not know at which address JNA will load the library.

I can easily access the obj1() function (aaa.obj1()); that's trivial. But how could I access the aaa.obj2() function, which is not in the text section and is thereby only referable by its offset in the library (or its offset from another function in the text/code section)?

Thank you.

  • Out of curiosity, what is the scenario that creates this problem? What does this "which is not in the text section" mean? – matt Oct 30 '22 at 23:43
  • @matt I do not have the source code of the library, and there is a function I need to call from Java. Unfortunately I only know the function's offset (from the start of the library), but there is no .text entry for it, so I can't simply invoke it by name. I suppose it would be workable if I knew at which address the libaaa library is loaded. – Jerome Ibanes Oct 31 '22 at 01:28
  • Can you access the function from C? You could check the [Unsafe](https://github.com/AdoptOpenJDK/openjdk-jdk11/blob/master/src/java.base/share/classes/jdk/internal/misc/Unsafe.java) class; it lets you access native features and addresses. – matt Oct 31 '22 at 10:04
  • From C I just use the offset from where the library is loaded. – Jerome Ibanes Oct 31 '22 at 14:43
  • If you can do it in C it seems reasonable that you could write a small wrapper that is the same function, but with a name so you can access it. – matt Nov 01 '22 at 11:44
  • Why don't you get a pointer for obj1 and offset from that? – matt Nov 01 '22 at 12:34

2 Answers


It seems like if you get Function obj1,

```java
Function obj1 = Function.getFunction(libraryName, functionName);
```

The Function object is a Pointer. Then you should be able to get the address of obj1 (see "Accessing JNA Pointer's peer value"), so you would have the address and you can try to create a function based on that.

matt

IIUC, you could compute the address of your second function, if you had the address of the first function. Is that right?

I've never tried it with Functions but I have a use case where I need to get the address of a Callback and what I'm doing to get that is to put it in a dummy Structure then read the structure's raw bytes.

Edit: forget that. It's only Callbacks that don't let you access their address directly. You can easily get another Pointer/Function at an offset from a given Function. No need for workarounds.

user2543253
  • I tried something along those lines; the closest I got was to get the address of the CLibrary object libaaa, but that's not the address where the library is loaded, just the object itself. – Jerome Ibanes Oct 31 '22 at 14:50
  • From your question it sounded like "obj1" was in the symbol table (so you could create a JNA `Function` for it), and "obj2" was at a fixed offset from that. If that is not the case, I have no other ideas. – user2543253 Oct 31 '22 at 15:17
  • You are right, obj1 is in the symbol table, but not obj2; but I know the offset of obj2 relative to obj1, and that's how I can invoke obj2 from C. – Jerome Ibanes Oct 31 '22 at 19:32
  • "You can easily get another Pointer/Function at an offset from a given Function. No need for workarounds." But how do I know which address the library is loaded at? – Jerome Ibanes Nov 01 '22 at 05:28
  • No idea about the library, but I don't understand why you need that when you can use the offset from obj1. – user2543253 Nov 02 '22 at 10:30
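Putting both answers together, here is an added example (not code from the question or either answer) that resolves the exported obj1 through JNA, derives obj2 from it using the 0xff delta given in the question, and checks that the derived address actually lies inside an executable mapping of the library before calling it. The library name "aaa", the assumed `int obj2(int)` prototype and the Linux-only `/proc/self/maps` check are assumptions.

```java
import com.sun.jna.Function;
import com.sun.jna.NativeLibrary;
import com.sun.jna.Pointer;

import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Paths;

public class OffsetCall {
    // Delta taken from the question: 0x12444 - 0x12345 == 0xff.
    static final long OBJ2_DELTA = 0x12444L - 0x12345L;

    public static void main(String[] args) throws IOException {
        // Hypothetical library "aaa" (libaaa.so on Linux), as in the question.
        NativeLibrary lib = NativeLibrary.getInstance("aaa");

        // obj1 is exported, so the dynamic linker resolves it; a JNA Function *is* a Pointer.
        Function obj1 = lib.getFunction("obj1");

        // The load base is never needed: the distance between two locations in the same
        // shared object is preserved by relocation, so offsetting obj1 is enough.
        Pointer obj2Addr = obj1.share(OBJ2_DELTA);

        // Caveat before jumping to an unexported address: refuse to call it unless it sits in
        // an executable mapping backed by libaaa.so (a wrong delta would otherwise crash or
        // execute unrelated code). Linux-only check via /proc/self/maps.
        if (!inExecutableMapping(Pointer.nativeValue(obj2Addr), "libaaa.so")) {
            throw new IllegalStateException("computed address is not inside libaaa.so code");
        }

        Function obj2 = Function.getFunction(obj2Addr, Function.C_CONVENTION);
        // Assumed prototype int obj2(int); pick the invoke* variant matching the real one.
        int result = obj2.invokeInt(new Object[] { 42 });
        System.out.printf("obj1 @ 0x%x, obj2 @ 0x%x, obj2(42) = %d%n",
                Pointer.nativeValue(obj1), Pointer.nativeValue(obj2Addr), result);
    }

    /** True if addr falls in a mapping with the x bit whose backing path contains libName. */
    static boolean inExecutableMapping(long addr, String libName) throws IOException {
        for (String line : Files.readAllLines(Paths.get("/proc/self/maps"))) {
            // Line format: "start-end perms offset dev inode [path]"
            String[] f = line.trim().split("\\s+");
            if (f.length < 6 || !f[1].contains("x") || !f[5].contains(libName)) continue;
            String[] range = f[0].split("-");
            long start = Long.parseUnsignedLong(range[0], 16);
            long end = Long.parseUnsignedLong(range[1], 16);
            if (Long.compareUnsigned(addr, start) >= 0 && Long.compareUnsigned(addr, end) < 0) {
                return true;
            }
        }
        return false;
    }
}
```

The delta approach only holds while the exact same build of libaaa.so is in use; a rebuilt library can move obj2 relative to obj1, which is why the mapping check is worth keeping.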