While building our C++ application, I got interested in looking at the C++ name mangling conventions used in GCC and learned quite a few things. I have always known about name mangling as the mechanism by which C++ functions, classes and namespaces are encoded into unique linker symbols, but I had never studied the details of it. It turns out that there is a lot of documentation on it.

One of the first things that I discovered was this document: C++ Name Mangling Demystified. It proved to be an excellent starting point. It provided a quick overview, and I learned that GCC uses the IA64 (Itanium C++ ABI) name mangling convention.

I also learned that there is a tool, c++filt, that demangles a C++ mangled name to reveal a lot of information about that function. An example of using this tool looks like this:

$ c++filt _ZN2NS7myClass10MyFunctionEi

What was more useful to me was the discovery that there is actually an ABI library function, abi::__cxa_demangle(), that provides the capability to demangle C++ names programmatically. This API can be used from any C/C++ application.

But what I learned about the applications of name mangling is what got me thinking. I know that working with mangled names is how one interfaces C++ and C code directly. What I learned from the documents was a more nefarious use of this mechanism to do the following:

  • Reverse Engineering
    If a vendor ships a binary blob without the API, it is trivial to reverse engineer the entire API by simply demangling all the function names. I should show my guys how to do this for fun.
  • Function Replacement
    By exploiting the fact that the GNU linker has a --allow-multiple-definition option, we can hijack the existing function with our custom-made one by simply linking against our custom C function written with the same name. This is wicked.
  • Library Replacement
    Taking things one step further by using the LD_PRELOAD mechanism to do it at run-time instead of compile-time. This mechanism could actually come in useful for the purpose of patching applications.
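The two pieces above that I can show in code are the abi::__cxa_demangle() call and the "demangle every symbol to recover the API" idea from the Reverse Engineering bullet. What follows is an added example of my own, not code from the document or from GCC: a small wrapper around abi::__cxa_demangle() that falls back to the original string when the library reports a non-mangled name (a plain C symbol like main), and a recover_api() helper that feeds nm-style "<address> <type> <name>" lines through it, keeping only defined code symbols. The symbol table in main() is constructed for the example; the addresses and the constructor symbol are made up, only the MyFunction name comes from the c++filt example above.

```cpp
#include <cxxabi.h>
#include <cstdlib>
#include <iostream>
#include <sstream>
#include <string>
#include <vector>

// Demangle one Itanium-ABI (GCC) symbol. Returns the demangled form, or the
// input unchanged when abi::__cxa_demangle reports that it is not a mangled
// name (status -2), so plain C symbols pass through and no null is returned.
std::string demangle(const std::string& mangled) {
    int status = 0;
    // With a null output buffer the library mallocs a result sized to fit.
    char* out = abi::__cxa_demangle(mangled.c_str(), nullptr, nullptr, &status);
    std::string result = (status == 0 && out) ? std::string(out) : mangled;
    std::free(out);  // free(nullptr) is a no-op on the failure path
    return result;
}

// Rebuild the exported interface of a binary shipped without headers from
// symbol-table lines in `nm` format ("<address> <type> <name>"). Undefined
// references are printed by nm without an address ("        U <name>"), so
// the type and name are taken from the last two fields. Only defined code
// symbols (type T or t, i.e. in .text) are kept.
std::vector<std::string> recover_api(const std::string& nm_output) {
    std::vector<std::string> api;
    std::istringstream in(nm_output);
    std::string line;
    while (std::getline(in, line)) {
        std::istringstream fields(line);
        std::vector<std::string> tok;
        std::string t;
        while (fields >> t) tok.push_back(t);
        if (tok.size() < 2) continue;  // blank or malformed line
        const std::string& type = tok[tok.size() - 2];
        const std::string& name = tok.back();
        if (type != "T" && type != "t") continue;
        api.push_back(demangle(name));
    }
    return api;
}

int main() {
    // Constructed sample, not real nm output: two C++ members and one C symbol.
    const std::string sample =
        "0000000000001139 T _ZN2NS7myClass10MyFunctionEi\n"
        "0000000000001160 T _ZN2NS7myClassC1Ev\n"
        "0000000000001180 T main\n"
        "                 U _ZdlPv\n";
    for (const auto& name : recover_api(sample))
        std::cout << name << '\n';
}
```

Running this prints NS::myClass::MyFunction(int), NS::myClass::myClass() and main, which is exactly the kind of API listing the Reverse Engineering bullet describes. In a real run you would pipe `nm` (or `nm -D` for the dynamic symbol table) of the vendor's library into recover_api(); the status check matters because a stripped binary still carries plain C symbols that the demangler rejects.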