Is it possible to invoke a private method of a class exported from a DLL?
Will it be hidden from people who would like to use it but are not supposed to?
thanks :)
Yes, it's possible, but you need to use dirty casting tricks or rely on semi-undefined behaviour, but for certainty you can call an exported function, no matter it's private/public status.
The language does not provide security against malicious attackers. It will help everyone play by the rules, but it will not guard against those who try to break the system.
For instance:
use GetProcAddress() to get the function's address, cast it to the right member function type, and call it.
create a modified header file of the class, declaring everything as public (or just add a static function, void crowbar() ), compile against that. (Undefined behaviour, since you're violating the One Defintion Rule, but it will probably work...)
Do not rely on C++ private keyword for security.
If it appears in the DLL's export table, it can be invoked by using GetProcAddress and calling the returned function pointer. There are some technical hurdles to get the right calling convention, but it is possible (most likely some assembly language will be required).
Strictly speaking, any function for which the compiler generates an out-of-line instance can be called by any native code. Being exported by a DLL just makes it far easier to find the address of the code for the function.
Related
My codebase is C++ on NXP ARM M4 with custom C++ RTOS.
There exists a certain function, DWB() aka DangerWillRobinson(), that if called could have unexpected side-effects (which are valid when it's used correctly).
DWB() could be called in a very deeply nested manner as in
A()->B()->C()->D()->...->DWB()
I want author of any functions that, directly or indirectly, call DWB() to be aware that DWB() is called and I want to force them to acknowledge that they know DWB() is called.
I know this could be accomplished by parsing the linker's generated call-trees using Python but I'd much prefer this to be a compile-time error thing.
Here's how I'd like this to work:
void A()
{
B();
}
Author goes to compile:
ERROR: DWB() is called. Please acknowledge.
Author then thinks about side-effects of calling DWB() and finds no issues.
void A()
{
// some macro-thing ... ?
B();
}
If possible, I do not want this to be a runtime check. I think in theory, this is possible. If Base is inherited, I would like all possible classes' call-trees to be considered; it's ok if none of them are even instantiated but not ideal.
QUESTION
Is this compile-time metadata/behavior of a function possible?
Is this compile-time metadata/behavior of a function possible?
No, it isn't. There might be some configurable SCA tools available (consider a commercial high level one), but not with plain c-preprocessing or meta-template-programming magic.
I want author of any functions that, directly or indirectly, call DWB() to be aware that DWB() is called and I want to force them to acknowledge that they know DWB() is called.
The least intrusive way to do that is to mark the DWB() function [[deprecated]].
I just suppose you prefer to factor out such error prone function in a midterm roadmap, and replace it with something more stable.
The most quick way in case you are sure what all the conditions of a correct DWB() call are is to apply a bunch of assert() calls at the start of that function.
There might come up complaints from fellow developers, which are trying to use that function incorrectly. Give them best advice as you can in the assertion messages.
I have a function (actually from ATL, it is ATL::CSoapMSXMLInetClient::SendRequest(LPCTSTR)) whose behaviour should slightly be modified. That is, I just have to add one function call somewhere in the middle of the function.
Taking into consideration that this is not a template method, what is the best practice of changing its behaviour? Do I have to re-write the whole function?
Thanks in advance.
EDIT: Deriving from the class ATL::CSoapMSXMLInetClient and copy-pasting whole function code with a slight modification in subclass function definition does not work because most of the members used in ATL::CSoapMSXMLInetClient::SendRequest are "private" and accessing them in subclass is a compile time error.
Rather than best practice I am looking for a way to do it now, if there is any. :(
Yes you will. If it's in the middle of the function there is no way of getting around it.
There are some refactoring methods you can use. But I cannot think of any pretty ones, and all depend heavily on the code within the class, although for you case it might be tough to find any that works.
Like if you have a line:
do_frobnicate();
dingbat->pling();
And you need to call somefunc() after the dingbat plings. You can, if the dingbat is an interface that you provide, make a new dingbat that also do somefunc() when it plings. Given that the only place this dingbat plings is in this function.
Also, if do_frobnicate() is a free function and you want to add the somefunc() after this, you could create a function within the class, or within its namespace that is called the same. That way you make your own do_frobnicate() that also does somefunc().
I'm in the process of writing a kind of runtime system/interpreter, and one of things that I need to be able to do is call c/c++ functions located in external libraries.
On linux I'm using the dlfcn.h functions to open a library, and call a function located within. The problem is that, when using dlsysm() the function pointer returned need to be cast to an appropriate type before being called so that the function arguments and return type are know, however if I’m calling some arbitrary function in a library then obviously I will not know this prototype at compile time.
So what I’m asking is, is there a way to call a dynamically loaded function and pass it arguments, and retrieve it’s return value without knowing it’s prototype?
So far I’ve come to the conclusion there is not easy way to do this, but some workarounds that I’ve found are:
Ensure all the functions I want to load have the same prototype, and provide some sort mechanism for these functions to retrieve parameters and return values. This is what I am doing currently.
Use inline asm to push the parameters onto the stack, and to read the return value. I really want to steer clear of doing this if possible!
If anyone has any ideas then it would be much appreciated.
Edit:
I have now found exactly what I was looking for:
http://sourceware.org/libffi/
"A Portable Foreign Function Interface Library"
(Although I’ll admit I could have been clearer in the original question!)
What you are asking for is if C/C++ supports reflection for functions (i.e. getting information about their type at runtime). Sadly the answer is no.
You will have to make the functions conform to a standard contract (as you said you were doing), or start implementing mechanics for trying to call functions at runtime without knowing their arguments.
Since having no knowledge of a function makes it impossible to call it, I assume your interpreter/"runtime system" at least has some user input or similar it can use to deduce that it's trying to call a function that will look like something taking those arguments and returning something not entirely unexpected. That lookup is hard to implement in itself, even with reflection and a decent runtime type system to work with. Mix in calling conventions, linkage styles, and platforms, and things get nasty real soon.
Stick to your plan, enforce a well-defined contract for the functions you load dynamically, and hopefully make due with that.
Can you add a dispatch function to the external libraries, e.g. one that takes a function name and N (optional) parameters of some sort of variant type and returns a variant? That way the dispatch function prototype is known. The dispatch function then does a lookup (or a switch) on the function name and calls the corresponding function.
Obviously it becomes a maintenance problem if there are a lot of functions.
I believe the ruby FFI library achieves what you are asking. It can call functions
in external dynamically linked libraries without specifically linking them in.
http://wiki.github.com/ffi/ffi/
You probably can't use it directly in your scripting language but perhapps the ideas are portable.
--
Brad Phelan
http://xtargets.heroku.com
I'm in the process of writing a kind of runtime system/interpreter, and one of things that I need to be able to do is call c/c++ functions located in external libraries.
You can probably check for examples how Tcl and Python do that. If you are familiar with Perl, you can also check the Perl XS.
General approach is to require extra gateway library sitting between your interpreter and the target C library. From my experience with Perl XS main reasons are the memory management/garbage collection and the C data types which are hard/impossible to map directly on to the interpreter's language.
So what I’m asking is, is there a way to call a dynamically loaded function and pass it arguments, and retrieve it’s return value without knowing it’s prototype?
No known to me.
Ensure all the functions I want to load have the same prototype, and provide some sort mechanism for these functions to retrieve parameters and return values. This is what I am doing currently.
This is what in my project other team is doing too. They have standardized API for external plug-ins on something like that:
typedef std::list< std::string > string_list_t;
string_list_t func1(string_list_t stdin, string_list_t &stderr);
Common tasks for the plug-ins is to perform transformation or mapping or expansion of the input, often using RDBMS.
Previous versions of the interface grew over time unmaintainable causing problems to both customers, products developers and 3rd party plug-in developers. Frivolous use of the std::string is allowed by the fact that the plug-ins are called relatively seldom (and still the overhead is peanuts compared to the SQL used all over the place). The argument stdin is populated with input depending on the plug-in type. Plug-in call considered failed if inside output parameter stderr any string starts with 'E:' ('W:' is for warnings, rest is silently ignored thus can be used for plug-in development/debugging).
The dlsym is used only once on function with predefined name to fetch from the shared library array with the function table (function public name, type, pointer, etc).
My solution is that you can define a generic proxy function which will convert the dynamic function to a uniform prototype, something like this:
#include <string>
#include <functional>
using result = std::function<std::string(std::string)>;
template <class F>
result proxy(F func) {
// some type-traits technologies based on func type
}
In user-defined file, you must add define to do the convert:
double foo(double a) { /*...*/ }
auto local_foo = proxy(foo);
In your runtime system/interpreter, you can use dlsym to define a foo-function. It is the user-defined function foo's responsibility to do calculation.
in C++, I can easily create a function pointer by taking the address of a member function. However, is it possible to change the address of that local function?
I.e. say I have funcA() and funcB() in the same class, defined differently. I'm looking to change the address of funcA() to that of funcB(), such that at run time calling funcA() actually results in a call to funcB(). I know this is ugly, but I need to do this, thanks!
EDIT----------
Background on what I'm trying to do:
I'm hoping to implement unit tests for an existing code base, some of the methods in the base class which all of my modules are inheriting from are non-virtual. I'm not allowed to edit any production code. I can fiddle with the build process and substitute in a base class with the relevant methods set to virtual but I thought I'd rather use a hack like this (which I thought was possible).
Also, I'm interested in the topic out of technical curiosity, as through the process of trying to hack around this problem I'm learning quite a bit about how things such as code generation & function look-up work under the hood, which I haven't had a chance to learn in school having just finished 2nd year of university. I'm not sure as to I'll ever be taught such things in school as I'm in a computer engineering program rather than CS.
Back on topic
The the method funcA() and funcB() do indeed have the same signature, so the problem is that I can only get the address of a function using the & operator? Would I be correct in saying that I can't change the address of the function, or swap out the contents at that address without corrupting portions of memory? Would DLL injection be a good approach for a situation like this if the functions are exported to a dll?
No. Functions are compiled into the executable, and their address is fixed throughout the life-time of the program.
The closest thing is virtual functions. Give us an example of what you're trying to accomplish, I promise there's a better way.
It cannot be done the way you describe it. The only way to change the target for a statically bound call is by modifying the actual executable code of your program. C++ language has no features that could accomplish that.
If you want function calls to be resolved at run-time you have to either use explicitly indirect calls (call through function pointers), or use language features that are based on run-time call resolution (like virtual functions), or you can use plain branching with good-old if or switch. Which is more appropriate in your case depends on your specific problem.
Technically it might be possible for virtual functions by modifying the vtable of the type, but you most certainly cannot do it without violating the standard (causing Undefined Behavior) and it would require knowledge of how your specific compiler handles vtables.
For other functions it is not possible because the addresses of the functions are directly written to program code, which is generally on a read-only memory area.
I am fairly sure this is impossible in pure C++. C++ is not a dynamic language.
What you want is a pointer to a function, you can point it to FuncA or FuncB assuming that they have the same signature.
You cannot do what you want to do directly. However, you can achieve a similar result with some slightly different criteria, using something you are already familiar with -- function pointers. Consider:
// This type could be whatever you need, including a member function pointer type.
typedef void (*FunctionPointer)();
struct T {
FunctionPointer Function;
};
Now you can set the Function member on any given T instance, and call it. This is about as close as you can reasonably get, and I presume that since you are already aware of function pointers you're already aware of this solution.
Why don't you edit your question with a more complete description of the problem you're trying to solve? As it stands it really sounds like you're trying to do something horrible.
Its simple!
For
at run time calling funcA() actually results in a call to funcB().
write funcA() similar to following:
int funcA( int a, int b) {
return funcB( a, b );
}
:-)
How would I go about calling an unexported function in Win32 C++?
Calling unexported functions that are defined in the same module (DLL/EXE) as your code is easy: just call them like any other C++ function. Obviously this isn't what you're asking about. If you want to call unexported functions in a different module, you need to find out their addresses somehow.
One way to do this is to have the first module call an exported function in the second module which returns a function pointer. (Or: a struct containing function pointers, a pointer to an instance of a class, etc.) Think factory pattern.
Another way is to export a registration function from the first module and have the second module's initialization code call it, passing it pointers to unexported functions along with some sort of identifying info. (Better also have a corresponding unregistration function which is called before the second module is unloaded.)
Yet another way is to grovel through the debug symbols using dbghelp.dll. This would not be recommended for a real-world application because it would require distributing debug symbols and would be extremely slow, not to mention overly complex.
Additionally to bk1e's answer, there's still another method (not recommended as well).
Obtain the relative Adress of that function in the dll (e.g. via disassembly). This has to be done manually and before compiling.
In the program, you now have to obtain the startadress of the dll in memory (for example using an exported function and some calculation).
Now you can directly call that function using the relative Adress of the function + the startadress of the exported function.
I don't recommend this though. It works only on one defined version of that dll. Any recompile and the adress may change. Or that function may not be needed any more and gets deleted. There must be a reason, why this function is NOT exported. In general - you try to archive something the author of the library intentionally did not want you to do and that's "evil" most of the time.
You mentioned the ida-name. This name includes the startadress.
No two ways about it, you'll have to study the disassembly to figure out what gets pushed on the stack, and how it's used to determine the types.