Wednesday, October 29, 2025

Runtime hooks

I was looking for a way to improve the hook mechanism in the XZ backdoor and found a method that allows you to achieve the same thing without disassembling functions or performing other expensive operations. To intercept symbol resolution, the backdoor impersonates an audit library and patches the runtime linker. It needs the offsets of the dl_naudit and dl_audit fields in _rtld_global_ro, and l_audit_any_plt in link_map:

Sunday, October 26, 2025

Searching for non-exported symbols

To install hooks, we need to know the address of the required function. If debugging information is available or the function is present in the symbol table, that’s simple — but what if it’s declared as static? If the function we need references string literals, we can search for those instead.