[Help-bash] Question: Capturing command output (on-screen keyword colori
From: Matthew Giassa
Subject: [Help-bash] Question: Capturing command output (on-screen keyword colorizer/prettifier).
Date: Tue, 04 Oct 2016 18:20:54 -0700
User-agent: Workspace Webmail 6.5.1

Good day,

I'm working on a means of assisting some testers with unit testing some scripts and applications they wrote. I'm using LD_PRELOAD to hook the output functions used by BASh so that each line can be analyzed, and if a specific keyword (ERROR_CUSTOM_DB, NOTE_CUSTOM_DB_APP, etc) is detected, it modifies the output stream by putting in BASh-specific color codes so that the text is obvious on-screen.

Obviously, the task can be automated via `grep`, but the tool operates only in an interactive mode, so a person needs to be present to manually make decisions with respect to program flow (can't be automated in a trivial manner).

Additionally, the tools under test cannot be modified, and we are not allowed to modify .bashrc. Hence, my LD_PRELOAD efforts to make certain error codes more obvious.

I've hooked the following functions so far, and have implemented a linker version script and logging functions to confirm they are being used.

* __printf_chk
* __fprintf_chk
* __vfprintf_chk
* write
* fwrite

While I'm able to get the output of echo commands, the PS1/PS2/etc variables, and so on, I can't seem to get the output of the "ls" command for example. I've checked the symbols used to write data out to the console via the following:

    readelf --dyn-syms /bin/bash | grep -i -e write -e printf

Output:

      6: 0000000000000000 0 FUNC GLOBAL DEFAULT UND address@hidden (5)
     13: 0000000000000000 0 FUNC GLOBAL DEFAULT UND address@hidden (5)
     39: 0000000000000000 0 FUNC GLOBAL DEFAULT UND address@hidden (2)
     98: 0000000000000000 0 FUNC GLOBAL DEFAULT UND address@hidden (8)
    142: 0000000000000000 0 FUNC GLOBAL DEFAULT UND address@hidden (5)
    152: 0000000000000000 0 FUNC GLOBAL DEFAULT UND address@hidden (5)
    191: 0000000000000000 0 FUNC GLOBAL DEFAULT UND address@hidden (2)
    192: 0000000000000000 0 FUNC GLOBAL DEFAULT UND address@hidden (5)
    213: 0000000000000000 0 FUNC GLOBAL DEFAULT UND address@hidden (5)

So as far as I can see, I'm hooking all of the typical commands BASh would use to write to the console, yet there is still output which I'm not capturing.

Is there yet another function BASh uses which I would need to hook in order to capture all command output within the LD_PRELOAD'ed C library?

Thank you.

============================================================
Matthew Giassa, MASc, BASc, EIT
Security and Embedded Systems Specialist
linkedin: https://ca.linkedin.com/in/giassa
e-mail: address@hidden
website: www.giassa.net
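
A minimal sketch of the kind of `write` interposer the message above describes, added here as an illustration; it is not the poster's code. The colour choice, the 8192-byte buffer and forwarding through a raw `syscall(SYS_write, ...)` are assumptions of this example, and the hook only sees callers that reach `write` through the dynamic symbol.

```c
#define _GNU_SOURCE
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Keywords from the message above; the colour (bold red) is an assumption. */
static const char *const KEYWORDS[] = { "ERROR_CUSTOM_DB", "NOTE_CUSTOM_DB_APP" };
static const char ON[] = "\033[1;31m", OFF[] = "\033[0m";

/* Copy in[0..len) to out, wrapping each keyword in colour codes.
 * Returns the bytes produced, or 0 if they would not fit in cap. */
size_t colorize(const char *in, size_t len, char *out, size_t cap)
{
    const size_t on = sizeof ON - 1, off = sizeof OFF - 1;
    size_t i = 0, o = 0;
    while (i < len) {
        size_t klen = 0;
        for (size_t k = 0; k < sizeof KEYWORDS / sizeof *KEYWORDS; k++) {
            size_t n = strlen(KEYWORDS[k]);
            if (n <= len - i && memcmp(in + i, KEYWORDS[k], n) == 0) {
                klen = n;
                break;
            }
        }
        if ((klen ? on + klen + off : 1) > cap - o)
            return 0;
        if (klen) {
            memcpy(out + o, ON, on);        o += on;
            memcpy(out + o, in + i, klen);  o += klen;  i += klen;
            memcpy(out + o, OFF, off);      o += off;
        } else {
            out[o++] = in[i++];
        }
    }
    return o;
}

/* Interposed write(): colour terminal output, pass everything else through.
 * A keyword split across two write() calls is not matched. */
ssize_t write(int fd, const void *buf, size_t count)
{
    char tmp[8192];
    size_t n = 0;
    if ((fd == STDOUT_FILENO || fd == STDERR_FILENO) && isatty(fd))
        n = colorize(buf, count, tmp, sizeof tmp);
    if (n == 0)   /* not a terminal, empty, or too large: forward unchanged */
        return syscall(SYS_write, fd, buf, count);
    return syscall(SYS_write, fd, tmp, n) < 0 ? -1 : (ssize_t)count;
}
```

Built as a shared object (for example `gcc -shared -fPIC -o libcolor.so color.c`, with hypothetical file names) and loaded through `LD_PRELOAD`, the hook reports the caller's original byte count so that callers looping on short writes are not confused by the extra escape bytes.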