{"id":15997313,"url":"https://github.com/ohchase/plt-rs","last_synced_at":"2025-12-25T04:56:17.160Z","repository":{"id":162147946,"uuid":"560171014","full_name":"ohchase/plt-rs","owner":"ohchase","description":"Featureful library for iterating and hooking linux and android applications PLT (Procedure Linkage Table) at runtime","archived":false,"fork":false,"pushed_at":"2025-01-25T13:07:47.000Z","size":72,"stargazers_count":33,"open_issues_count":1,"forks_count":6,"subscribers_count":3,"default_branch":"master","last_synced_at":"2025-01-25T14:18:38.717Z","etag":null,"topics":["android","arm","arm64","armv7","bionic","hacking","hook","linux","plt","reverse-engineering","x86","x86-64"],"latest_commit_sha":null,"homepage":"","language":"Rust","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/ohchase.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2022-10-31T22:15:50.000Z","updated_at":"2025-01-25T13:07:50.000Z","dependencies_parsed_at":"2024-04-20T13:44:26.941Z","dependency_job_id":"1b6d32d7-b606-4746-9926-4818bc786f5f","html_url":"https://github.com/ohchase/plt-rs","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ohchase%2Fplt-rs","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ohchase%2Fplt-rs/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ohchase%2Fplt-rs/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ohchase%2Fplt-rs/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/ohchase","download_url":"https://codeload.github.com/ohchase/plt-rs/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":237436572,"owners_count":19309935,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["android","arm","arm64","armv7","bionic","hacking","hook","linux","plt","reverse-engineering","x86","x86-64"],"created_at":"2024-10-08T08:01:37.809Z","updated_at":"2025-10-21T05:30:20.982Z","avatar_url":"https://github.com/ohchase.png","language":"Rust","funding_links":[],"categories":["Rust"],"sub_categories":[],"readme":"# Plt-rs\r\n![Crates.io](https://img.shields.io/crates/v/plt-rs)\r\n![Crates.io License](https://img.shields.io/crates/l/plt-rs)\r\n\r\n## Overview\r\nBy crawling the dynamically loaded objects of an executable we can hook exported functions.\r\nGenerally, PLT hooking is an ideal solution for hooking given you can guarantee a Unix Like environment.\r\nThis library does not do any inline hooking, so there is no architecture (i686, arm, etc.) specific assembly magic going on, \r\nmaking cross compatibility very easy. There IS architecture specific constants, but its very minimal. \r\n\r\n## Why\r\nVideo game modding, reverse engineering, etc\r\n- Can hook networking calls: recv / send\r\n- Rendering calls: eglSwapBuffers / video game mods and overlays\r\n- Application hardening and monitoring\r\n- Defensive and Offensive usages\r\n\r\n## Supports and tests against many targets\r\nhighlighted builds\r\n- ![i686-unknown-linux-gnu](https://github.com/ohchase/plt-rs/actions/workflows/i686-unknown-linux-gnu.yml/badge.svg)\r\n- ![x86_64-unknown-linux-gnu](https://github.com/ohchase/plt-rs/actions/workflows/x86_64-unknown-linux-gnu.yml/badge.svg)\r\n- ![aarch64-unknown-linux-gnu](https://github.com/ohchase/plt-rs/actions/workflows/aarch64-unknown-linux-gnu.yml/badge.svg)\r\n- ![aarch64-linux-android](https://github.com/ohchase/plt-rs/actions/workflows/aarch64-linux-android.yml/badge.svg)\r\n- ![armv7-linux-androideabi](https://github.com/ohchase/plt-rs/actions/workflows/armv7-linux-androideabi.yml/badge.svg)\r\n\r\n## Worked Example hooking `getpid`\r\nHere we are hooking our own executables usages of libc getpid.\r\nRefer to `examples/hook_getpid.rs` for the full example, supporting android and 32 bit.\r\nA good chunk of the code is for the actual pointer replacement to hook the function!\r\n\r\n```rust\r\n\r\n/// our own get pid function\r\nunsafe fn getpid() -\u003e u32 {\r\n    999\r\n}\r\n\r\nfn main() -\u003e Result\u003c()\u003e {\r\n    let my_pid = unsafe { libc::getpid() };\r\n    println!(\"application pid is {my_pid}\");\r\n\r\n    let executable_entry = find_executable().ok_or(anyhow!(\"unable to find target executable\"))?;\r\n    println!(\"successfully identified executable\");\r\n\r\n    let dyn_lib = DynamicLibrary::initialize(executable_entry)?;\r\n    println!(\"successfully initialied dynamic library for instrumentation\");\r\n\r\n    let target_function =\r\n        dyn_lib.try_find_function(\"getpid\").ok_or(anyhow!(\"unable to find getpid symbol\"))?;\r\n    println!(\r\n        \"successfully identified libc getpid offset: {:#X?}\",\r\n        target_function.r_offset\r\n    );\r\n\r\n    let base_addr = dyn_lib.library().addr();\r\n    let plt_fn_ptr = (base_addr + target_function.r_offset as usize) as *mut *mut c_void;\r\n    let page_size = unsafe { libc::sysconf(libc::_SC_PAGE_SIZE) as usize };\r\n    let plt_page = ((plt_fn_ptr as usize / page_size) * page_size) as *mut c_void;\r\n    println!(\"page start for function is {plt_page:#X?}\");\r\n\r\n    let _stored_address = unsafe {\r\n        // Set the memory page to read, write\r\n        let prot_res = libc::mprotect(plt_page, page_size, libc::PROT_WRITE | libc::PROT_READ);\r\n        if prot_res != 0 {\r\n            println!(\"protection res: {prot_res}\");\r\n            return Err(anyhow!(\"mprotect to rw\"));\r\n        }\r\n\r\n        // Replace the function address\r\n        let previous_address = std::ptr::replace(plt_fn_ptr, getpid as *mut _);\r\n\r\n        // Set the memory page protection back to read only\r\n        let prot_res = libc::mprotect(plt_page, page_size, libc::PROT_READ);\r\n        if prot_res != 0 {\r\n            return Err(anyhow!(\"mprotect to r\"));\r\n        }\r\n\r\n        previous_address as *const c_void\r\n    };\r\n\r\n    let get_pid = unsafe { libc::getpid() };\r\n    println!(\"new pid is: {get_pid}\");\r\n\r\n    Ok(())\r\n}\r\n```\r\n\r\n```terminal\r\napplication pid is 127765\r\nsuccessfully identified executable\r\nsuccessfully initialied dynamic library for instrumentation\r\nsuccessfully identified libc getpid offset: 0x7E460\r\npage start for function is 0x000061019c41b000\r\nnew pid is: 999\r\n```\r\n\r\n## References / Inspirations\r\nProjects I referenced and was heavily inspired by while working on this.\r\n- [Plthook by Kubo] https://github.com/kubo/plthook\r\n- [Bhook by bytedance] https://github.com/bytedance/bhook\r\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fohchase%2Fplt-rs","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fohchase%2Fplt-rs","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fohchase%2Fplt-rs/lists"}