>>1
If I understood your question right, I think what you want is code hooking. There's many ways to do this, I know all kinds of ways to do this on Windows, but don't know enough about *nix internals to write some code that does it(I did see some examples out there in the past, so I could probably find out how, if I needed it), the concepts are generic enough that they can be applied to other platforms or operating systems, so I'll describe them here:
The most general case is when you need need to hook a function so you would intercept it's calls, but at the same time, you'd like to be able to call the original function. To solve this you:
a. Locate the function(get a pointer to it), Win32 examples:
i) You already have the pointer - you either do &fun for the code you can access, or you reverse engineered some code and know the address (ex.:0x401000)
ii) The function is located in a dynamically loaded module, in which case you find the base address of that module (GetModuleHandleA/W) and then add a RVA(Relative Value Address) of your function
iii) The function is an exported function/API of some module, you use the OS loader's own import resolver (GetProcAddress), or you use knowledge of the executable format(like PE or ELF) to locate the function in the export table of the module.
b) You hook the function, Methods
i) For imports/APIs, you could try to locate the function in the Import Address Table, and just save that pointer as old_function_address, then replace that pointer with your new one. You can call old_function_address if needed from your new code.
ii) For most other code(or just a very reliable hook that would work even if the user resolved the APIs manually), you need to do an overwriting hook, this is most general, and I have no doubt that it would work on other OSes or platforms:
1)Disassemble about sizeof(long_jump)+==5(on x86)+ bytes from the start of the function
2)Patch/Assemble Jump {your_function} at that address(E9 XX XX XX XX = size 5 bytes), where xx is a relative value (go look it up in the Intel manuals for x86). Smarter hooking systems/libraries may generate a special trampouline buffer which checks against some locked memory areas and only jumps to your code once the lock is free. This avoids some nasty concurrency bugs.
3)Generate a trampouline which contains the disassembled first 5+ bytes and a Long jump to the continuing function code. You can call this trampuline whenever you need to call the original function.
Other notes:
- Uninstalling the hook can be done by restoring the IAT if patched, or restoring the patched jump code when code hooking was done.
- Make sure to set memory protection to the buffers you want to write to and restore to original memory protection after you're done. On Windows, see VirtualProtect.
- There are other hooking methods, usually they involve patching tables, like the IAT or the export table(less reliable, for obvious reasons), or some vtables of some objects, or a system descriptor table and so on. There's literally hundreds of methods. The code hooking one is the most generic and reliable for obvious reasons, but it can also be detected by code scanners, so you should know what you're doing.
- On Windows, there are already a couple of such libraries like APIHooks or MadCodeHook(commercial), which are not very hard to use, and save you most of the trouble of doing this by hand, they're also quite reliable and made to be compatible with older Win32 OSes as well as newer ones.
- On Linux and other *nixes, code overwriting should work just fine, as it doesn't depend much on underlying OS APIs, as long as you can write and read other libraries/modules code, you should be able to do it.
I don't know your problem at all OP, so this is just a guess. Some programming languages/implementations offer ways to do hooks and code ADIVISing(wrapping other functions in your own code) which are hundreds of times more friendly then such low-level hacks.