Automatically Generating Binary Hot Patches for Linux Applications
This article explains a technique to automatically generate hot patches for any function in a Linux ELF application by comparing original and patched object files, extracting changed sections, resolving symbols, and validating the patch with tools like objdump and gdb.
Overview
In the previous article we introduced basic hot‑patch principles and a simple patch, but manual patching is error‑prone and cannot target local functions. This article presents a technique to automatically generate hot patches for any function in an application or shared library.
Automatic Generation of Replacement Code
Automatic generation relies on a tool that processes the original source and a patched version, producing binary replacement code. The core idea is to compare the object files produced by compiling the original and patched programs, extract differences, and assemble them into a patch.
The process assumes a Linux x86/x86_64 environment, C‑compiled ELF executables, and access to the original source.
Generating Replacement Code
We compile the original sources, retain all intermediate object files, then apply the fix, re-compile, and keep the newly generated objects. By comparing the two sets of object files at the ELF section level (each function resides in its own section thanks to -ffunction-sections and -fdata-sections), we can identify changed functions.
Different section size → function changed.
Byte‑wise differences outside relocation entries → function changed.
No size or content change → function unchanged.
Parsing Symbols Used by Replacement Code
Changed functions may reference unchanged symbols; we must resolve these references manually. Symbol addresses are determined at link time: for PIE or shared libraries they are relative offsets, otherwise absolute. When multiple symbols share a name, we locate the correct one using the file‑symbol rule (STT_FILE).
After locating a symbol, we record the relocation type and addend of the reference, then compute the symbol's runtime address (Addr = Base + Offset) to rewrite the reference in the patch.
Proof‑of‑Concept Validation
Using objdump and gdb, we demonstrate extracting the .text.func section from a patched object, recording a relocation (type R_X86_64_PLT32, addend -4, symbol print), and applying the calculated fix (V = S + A - P) when the patch is loaded.
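The section comparison rules and the V = S + A - P fix described above, as an added Python example that is not the article's tool or its output. The byte strings, load base, offsets, and function names are constructed assumptions, and R_X86_64_PLT32 is handled as a direct PC-relative 32-bit call to the symbol.

```python
import struct

RELOC_WIDTH = 4  # R_X86_64_PC32 and R_X86_64_PLT32 both patch a 32-bit field

def mask_relocs(data, reloc_offsets):
    """Zero the fields the relocations will overwrite so the diff ignores them."""
    buf = bytearray(data)
    for off in reloc_offsets:
        buf[off:off + RELOC_WIDTH] = bytes(RELOC_WIDTH)
    return bytes(buf)

def section_changed(old, new, old_relocs, new_relocs):
    """Apply the three comparison rules to one .text.<func> section."""
    if len(old) != len(new):
        return True  # different section size
    # Same size: changed only if bytes outside relocation fields differ.
    return mask_relocs(old, old_relocs) != mask_relocs(new, new_relocs)

def apply_pc_relative(code, load_addr, r_offset, sym_addr, addend):
    """Store V = S + A - P as a signed little-endian 32-bit value at r_offset."""
    p = load_addr + r_offset  # P: runtime address of the field being patched
    v = sym_addr + addend - p
    if not -2**31 <= v < 2**31:
        raise ValueError("symbol is out of rel32 range from the patch")
    out = bytearray(code)
    out[r_offset:r_offset + RELOC_WIDTH] = struct.pack("<i", v)
    return bytes(out)

# Constructed sample sections (not taken from the article's binaries).
# push rbp; mov rbp,rsp; call <rel32>; pop rbp; ret
OLD = bytes.fromhex("554889e5e8000000005dc3")
# Same code, but the relocation field holds different placeholder bytes.
REBUILT = bytes.fromhex("554889e5e8fcffffff5dc3")
# Patched: an added "xor eax,eax" moves the call's relocation from 5 to 7.
NEW = bytes.fromhex("554889e531c0e8000000005dc3")

BASE = 0x7F0000000000        # assumed load base of the running PIE
PRINT_OFFSET = 0xF00         # assumed link-time offset of "print"
PATCH_ADDR = BASE + 0x1000   # assumed address where NEW is loaded

def build_patch():
    """Resolve print (Addr = Base + Offset) and fix the call inside NEW."""
    return apply_pc_relative(NEW, PATCH_ADDR, 7, BASE + PRINT_OFFSET, -4)

if __name__ == "__main__":
    print(section_changed(OLD, REBUILT, [5], [5]))  # only reloc field differs
    print(section_changed(OLD, NEW, [5], [7]))
    print(build_patch().hex())
```

The range check matters in practice: a rel32 call can only reach targets within 2 GiB of the patch, so where the patch is mapped decides whether the reference can be rewritten at all.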
Other Considerations
The method requires source code and identical compiler versions and options; mismatches can produce incorrect patches and cause crashes.
Conclusion
Automatic binary‑diff based hot‑patch generation eliminates manual errors, supports local and global functions, works across C, C++, and assembly, and can remediate security vulnerabilities such as CVE‑2017‑2615.
UCloud Tech
UCloud is a leading neutral cloud provider in China, developing its own IaaS, PaaS, AI service platform, and big data exchange platform, and delivering comprehensive industry solutions for public, private, hybrid, and dedicated clouds.
