5 years ago, I said in one of my articles that I shall return, one day, with a method of hot patching functions inside live processes; So… I guess this is that day.

What we’ll try to achieve here is to replace, from outside, a function inside a running executable, without stopping/freezing the process (or crashing it…).

In my opinion, applying hot patches is quite a daunting task, if implemented from scratch, since:

• it requires access to a different process’ memory (most operating systems are fans of process isolation)
• has software compatibility constraints (Windows binaries vs Linux binaries)
• has architecture compatibility contrains (32bit vs 64bit)
• it implies working with machine code and brings certain issues to the table
• it has only a didactic purpose - probably no one would actually use a ‘from-scratch’ method since there are tools that do this better

Considering these, I guess it is better to use something that was actually written for this task and not coding something manually. Therefore, we’ll be looking at a way to do this with Intel Pin. I stumbled upon this tool while working at a completely different project but it seems to be quite versatile. Basically, it is described as a Dynamic Binary Instrumentation Tool, however we’ll be using it to facilitate the procedure of writing code to another process’ memory.

## Initial Preparations

##### I’m doing this tutorial on Ubuntu x86_64, but I’m expecting the code to be highly similar on Windows or other operating systems.

Now, I imagine this turns out to be useful for endpoints that provide remote services to clients - i.e.: a server receives some sort of input and is expected to also return something. Let’s say that someone discovered that a  service is vulnerable to certain inputs - so it can be comprimised by the first attacker who submits a specially crafted request. We’ll consider that taking the service down, compiling, deploying and launching a new instance is not a desirable solution so hot patching is wanted until a new version is ready.

I’ll use the following dummy C program to illustrate the aforementioned model - to keep it simple, I’m reading inputs from stdin (instead of a tcp stream / network).

Some of you probably noticed that the read_input() function is not very well written since it’s reading inputs using scanf("%s", name); and thus enabling an attacker to hijack the program’s execution using buffer overflow.

We intend to patch this vulnerability by “replacing” the vulnerable reading function (read_input()) with another that we know it’s actually safe. I’m using quotes there to express the fact that it will act more like a re-routing procedure - the code of the original (vulnerable) function will still be in the process’ memory, but all the calls will be forwarded to the new (patched) method.

I hope it makes sense for now.

## Project’s Structure

Intel Pin works by performing actions, indicated in tools, to targeted binaries or processes. As an example, you may have a tool that says ‘increase a counter each time you find a RET instruction’ that you can attach to an executable and get the value of the counter at a certain time.

It offers a directory with examples of tools which can be found at: pin/source/tools/. In order to avoid updating makefile dependencies, we’ll work here so continue by creating a new directory (mine’s named Hotpatch) - this is where the coding happens.

Also, copy a makefile to your new directory, if you don’t feel like writing one:

And use the following as your makefile.rules file:

Finally, create a file named hotpatch.cpp with some dummy code and run the make command. If everything works fine, you should end up with something like this…

## Coding the Hot Patcher

The whole idea revolves around registering a callback which is called everytime the binary loads an image (see IMG_AddInstrumentFunction()). Since the method is defined in the running program, we’re interested when the process loads its own image. In this callback, we look for the method that we want to hot patch (replace) - in my example, it’s read_input().

You can list the functions that are present in a binary using:

The process of replacing a function (RTN_ReplaceSignatureProbed()) is based on probes - as you can tell by the name, which, according to Intel’s claims, ensure less overhead and are less intrusive. Under the hood, Intel Pin will overwrite the original function’s instructions with a JMP that points to the replacement function. It is up to you to call the original function, if needed.

Without further ado, the code I ended up with:

After running make, use a command like the following one to attach Intel Pin to a running instance of the targeted process.

## Results and Conclusions

Aaand it seems to be working:

To conclude, I’m pretty sure Intel Pin is capable of more complex stuff than what I’m presenting here - which I believe is examples-level (actually it’s inspired by an example). To me, it seems rather strange that it is not a more popular tool - and no, I’m not paid by Intel to endorse it.

However, I hope this article manages to provide support and solutions/ideas to those who are looking at hot patching methods and who, like me, never heard of Intel Pin before.