Spoofing Solaris version using dtrace

There are applications which check Solaris version when it starts up. I recently installed such an application. I didn't know that the app is only certified on older Solaris. Also, the app's installer was not kind enough to check the OS version!

So...., did I waste my time ? No! 'dtrace' came to rescue. I used the dtrace script which I found on internal mailing list.

  1. Let's call the executable 'fubar'. Let's see how fubar gets Solaris version. We know it. uname() system call.
    $ truss ./fubar 2>&1 | grep uname
    uname(0xFFBFF898)                               = 1

  2. Let's see which Solaris version 'fubar' expects.
    $ strings fubar | grep 'SunOS '
    SunOS 5.5.1
    SunOS 5.6
    SunOS 5.7
    SunOS 5.8
    SunOS 5.7 Generic_106541-05 sun4u
    Had I known this beforehand, I could install it in Solaris8 Migration Assistant environment.

  3. Here's the dtrace to spoof 'fubar'. 'fubar' only cares "SunOS" and "5.5.1". So, it's OK even if the Solaris was running on 8086 in 1986.
    $ cat unameSol8.d
    #!/usr/sbin/dtrace -s

    #pragma D option destructive

    syscall::uname:entry
    /execname == "fubar"/
    {
            self->addr = arg0;
    }

    syscall::uname:return
    /execname == "fubar"/
    {
            copyoutstr("SunOS", self->addr, 257);
            copyoutstr("PowerPC", self->addr+257, 257);
            copyoutstr("5.5.1", self->addr+(257*2), 257);
            copyoutstr("gate:1996-12-01", self->addr+(257*3), 257);
            copyoutstr("PPC", self->addr+(257*4), 257);
    }

Posted on: Mar 08, 2008

Posted by: Katsumi Inoue

Category: Sun

Trackback URL: http://blogs.sun.com/LetTheSunShineIn/entry/spoofing_solaris_version_using_dtrace

Comments:

[Trackback] Katsumi Inoue published a nice trick for DTrace. Sometimes, all between you and a running old programm is the version check. But even here DTrace can help you: How to spoof the Solaris version with DTrace. Neat trick.

Posted by c0t0d0s0.org on March 08, 2008 at 05:23 AM JST #

I had a similar issue with a monitoring agent that supported Solaris 8, 9 or 10, but did not work on OpenSolaris (11) so i used a hexeditor to hack the executable so it was happy with Solaris 11.

Posted by Aaron Theodore on March 25, 2008 at 05:37 PM JST #

Thanks Aaron. In fact, that was the first workaround I came up with. But never tried. I thought I could use 'elfedit' on 'fubar' to modify strings inside it. But 'elfedit' seems only available on Nevada. Do you have 'elfedit' on your OpenSolaris?

Posted by Katsumi INOUE on March 25, 2008 at 05:47 PM JST #

Post a Comment:
  • HTML Syntax: NOT allowed

This blog copyright 2009 by Katsumi Inoue