Resolve symbol in elf at runtime and call a function with arguments

[et-ness]

I have an elf linux mipsel uClibc and I'm running on linux x86_64.
How can I find the addresses of functions at runtime? As with dlsym. I can't find an example.

Can I call a function with arguments, without run main?
I tried this example but doesn't work. At 0x00476163 there is the function which I want run. It want 2 arguments, but with stack_push I got always the same situation, as if I didn't pass the arguments on to it.

#!/usr/bin/env python3

from qiling import Qiling
from qiling.const import QL_VERBOSE

if __name__ == "__main__":
    ql = Qiling([r'httpd'], r'./', verbose=QL_VERBOSE.DEFAULT)

    ql.stack_push(1)
    ql.stack_push(2)

    ql.run(begin=0x00476163)

[cq674350529]

Yeah, of course you can run arbitrary functions without running main() in the target binary. I called this partial emulation, and have used it many times. Here is a related issue: #593.

The following is an example of how to run arbitrary functions I did.

def partial_emulation():
    def partial_run(ql):
        # set up context for function calls
        # ...

        ql.arch.regs.arch_pc = 0x4508A0     # hijack control flow to target function

    ql = Qiling([bin_path], rootfs, console=True, verbose=QL_VERBOSE.DEBUG)

    ql.hook_address(partial_run, 0x455240)  # hook at the first instruction in main()

    ql.run()

[cq674350529]

It depends on your need, usually including setup corresponding memory, registers for the function to be called.

[et-ness]

sure, I asked an example just for understand better why my code doesn't work, so I can compare.

[cq674350529]

There is an uboot example in the repo: https://github.com/qilingframework/qiling/blob/master/examples/hello_arm_uboot.py#L42, it shows how to setup context for function calls.

Hope it helps.

[et-ness]

Thanks for this example, I expected qiling to be more independent from the architecture, but instead you have to know the architecture you are going to emulate to be able to do something serious.
With qemu-user and a library injected with LD_PRELOAD I can intercept calls and call other functions without having to worry about configuring a stack, just a simple definition like int (*function)(int); and I can call it with function(1), on arm, mips etc, without having to worry about anything, the compiler and qemu will take care of it.
Reading qiling's README it seemed like who knows what, but it's disappointing.

[cq674350529]

This is the method I used, which provides great flexibility and controllability. Of course, there might be a more elegant way.