C++ Name Mangling
While building our C++ application, I got interested in the C++ name mangling conventions used in GCC and learned quite a few things. I have always known about name mangling as the mechanism by which C++ function, class and namespace names are encoded into linker symbols, but I had never studied the details. It turns out there is a lot of documentation on it.
One of the first things I found was the document C++ Name Mangling Demystified. It proved to be an excellent starting point: it gives a quick overview, and from it I learned that GCC uses the IA64 (Itanium C++ ABI) name mangling convention.
I also learned that there is a tool, c++filt, that demangles a mangled C++ name and thereby reveals a lot of information about the function (its namespace, class, name and parameter types). For example:
$ c++filt _ZN2NS7myClass10MyFunctionEi
NS::myClass::MyFunction(int)
More useful to me was the discovery that there is an ABI library function, abi::__cxa_demangle() (declared in <cxxabi.h>), that demangles C++ names programmatically. This API can be called from any C/C++ application.
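To show the programmatic route in practice, here is an added example (not from the original post) that wraps abi::__cxa_demangle() in a small helper and runs it over a constructed list of symbol names such as nm would print; the symbol_report() helper and the sample names are my own, and the function expects a GCC or Clang toolchain that provides <cxxabi.h>.

```cpp
#include <cxxabi.h>   // abi::__cxa_demangle (GCC/Clang, Itanium C++ ABI)
#include <cstdlib>    // std::free
#include <iostream>
#include <string>
#include <vector>

// Demangle one Itanium-ABI symbol. __cxa_demangle returns a malloc'ed buffer
// that the caller must free; status 0 means success, -2 means the input is
// not a valid mangled name (e.g. a plain C symbol). On failure the name is
// returned unchanged so that mixed C/C++ symbol lists can be processed.
std::string demangle(const std::string& mangled) {
    int status = 0;
    char* buf = abi::__cxa_demangle(mangled.c_str(), nullptr, nullptr, &status);
    std::string out = (status == 0 && buf) ? std::string(buf) : mangled;
    std::free(buf);  // free(nullptr) is a no-op
    return out;
}

// True when the name parses as a mangled C++ name.
bool is_mangled(const std::string& name) {
    int status = 0;
    char* buf = abi::__cxa_demangle(name.c_str(), nullptr, nullptr, &status);
    std::free(buf);
    return status == 0;
}

// Given symbol names as `nm` would print them, return "mangled -> demangled"
// lines, one per entry. Handy for reviewing what a shared library really
// exports (and therefore what an outsider can read off it) before shipping.
std::vector<std::string> symbol_report(const std::vector<std::string>& syms) {
    std::vector<std::string> lines;
    for (const std::string& s : syms)
        lines.push_back(s + " -> " + demangle(s));
    return lines;
}

int main() {
    // Constructed sample symbols; the first one is the c++filt example above.
    std::vector<std::string> syms = {
        "_ZN2NS7myClass10MyFunctionEi",  // NS::myClass::MyFunction(int)
        "_Z3addii",                      // add(int, int)
        "_Z1fPKc",                       // f(char const*)
        "main",                          // plain C symbol, left as-is
    };
    for (const std::string& line : symbol_report(syms))
        std::cout << line << '\n';
    return 0;
}
```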
But what I learned about the applications of name mangling is what got me thinking. I knew that working with mangled names is how one interfaces C++ and C code directly. What I learned from the documents was a more nefarious use of this mechanism, namely:
- Reverse Engineering: If a vendor ships a binary blob without the API, it is trivial to reverse engineer the entire API by simply demangling all the function names. I should show my guys how to do this for fun.
- Function Replacement: By exploiting the fact that the GNU linker has an --allow-multiple-definition option, we can hijack an existing function with our custom-made one by simply linking against our own C function written with the same name. This is wicked.
- Library Replacement: Taking things one step further, the LD_PRELOAD mechanism does the same thing at run time instead of compile time. This mechanism could actually come in useful for patching applications.