diff --git a/includes/woody.h b/includes/woody.h
index bb61913..4b4fb19 100644
--- a/includes/woody.h
+++ b/includes/woody.h
@@ -37,6 +37,8 @@ typedef struct elf_content
 Elf64_Phdr *Phdr;
 Elf64_Shdr *Shdr;
 Elf64_Shdr *symbols_table;
+ int num_symbols;
+ Elf64_Shdr *text_section;
 Elf64_Sym *symbols;
 } t_elf_content;
diff --git a/print.s b/print.s
index 0b5475f..9347f3e 100644
--- a/print.s
+++ b/print.s
@@ -18,7 +18,7 @@ _start:
 cmp r8, r9
 je end_encrypt
 movzx r10, byte[rax + r9]
- inc r10b ;rot + 1
+ ;inc r10b ;rot + 1
 mov byte[rax + r9], r10b
 inc r9
 jmp encrypt
diff --git a/srcs/encrypt.c b/srcs/encrypt.c
index c57c8f1..f5b5f58 100644
--- a/srcs/encrypt.c
+++ b/srcs/encrypt.c
@@ -5,7 +5,7 @@ void encrypt(char *file, unsigned long int offset, unsigned long int size)
 size_t i = 0;
 while (i < size)
 {
- file[offset + i] = file[offset + i] - 1;
+ file[offset + i] = file[offset + i];// - 1;
 ++i;
 }
 printf("\nENCRYPTION : \n");
diff --git a/srcs/woody.c b/srcs/woody.c
index 8c7c21c..bf6321a 100644
--- a/srcs/woody.c
+++ b/srcs/woody.c
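Review bot: `int num_symbols;` is too narrow for a count that get_elf_sections derives from `sh_size / sh_entsize` (both Elf64_Xword): on a large or crafted symbol table the value wraps, the new loop `for (int i = 1; i < woody->num_symbols; i++)` in offset_sections then runs with a truncated or negative bound, and the end-of-table probe in get_elf_sections is computed from the same truncated value. Declare it as `size_t num_symbols;` (or `Elf64_Xword`) and use that type in get_symbols_count and in both loops. A one-line comment on the new `text_section` field would also help, e.g. `/* header of the executable PROGBITS section selected by get_elf_sections */`.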
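Review bot: The new loop body in encrypt.c, `file[offset + i] = file[offset + i];// - 1;`, is a self-assignment, so encrypt() now walks the whole range doing nothing while still printing "ENCRYPTION", and it only stays consistent with the stub because the matching `;inc r10b` in print.s was commented out in the same commit. If the rot is being disabled for an experiment, put both the C side and the stub's inverse under one compile-time switch (e.g. `#ifdef NO_ROT` — placeholder name) instead of commented-out operators, so the two cannot drift apart. Note also that encrypt() receives no buffer length, so the caller alone guarantees that `offset + size` stays inside `file`; that contract deserves a comment on the function.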
@@ -63,27 +63,60 @@ void offset_sections(t_elf_content *woody, unsigned int from, unsigned int offse
 woody->Shdr[i].sh_addr += offset_ammount;
 }
 }
- int num_symbols = get_symbols_count(woody->symbols_table->sh_size, woody->symbols_table->sh_entsize);
- for (int i = 1; i < num_symbols; i++) {
+ for (int i = 1; i < woody->num_symbols; i++)
+ {
 if (woody->symbols[i].st_value >= from)
 {
 woody->symbols[i].st_value += offset_ammount;
 }
- // printf("symbol value = %lx\n", symbols[i].st_value);
 }
+ for (int i = 0; i < woody->Ehdr->e_shnum; i++) {
+ if (woody->Shdr[i].sh_type == SHT_REL)
+ {
+ printf("SHT_RE = %ld %ld\n", sizeof(Elf64_Rel), woody->Shdr[i].sh_entsize);
+ int num_entries = woody->Shdr[i].sh_size / woody->Shdr[i].sh_entsize;
+ for (int j = 0; j < num_entries; j++) {
+ Elf64_Rel *rel = (Elf64_Rel *)fetch(woody->file, woody->file_size, woody->Shdr[i].sh_offset + (j * woody->Shdr[i].sh_entsize), sizeof(Elf64_Rel));
+ rel->r_offset += offset_ammount;
+ // printf(" Offset: 0x%lx, Info: 0x%lx, Type: %u, Symbol: %u\n",
+ // (unsigned long)rel[j].r_offset, (unsigned long)rel[j].r_info,
+ // (unsigned int)ELF64_R_TYPE(rel[j].r_info), (unsigned int)ELF64_R_SYM(rel[j].r_info));
+ }
+ }
+ if (woody->Shdr[i].sh_type == SHT_RELA)
+ {
+ // printf("SHT_RELA = %ld %ld\n", sizeof(Elf64_Rela), woody->Shdr[i].sh_entsize);
+ int num_entries = woody->Shdr[i].sh_size / woody->Shdr[i].sh_entsize;
+ for (int j = 0; j < num_entries; j++) {
+ Elf64_Rela *rela = (Elf64_Rela *)fetch(woody->file, woody->file_size, woody->Shdr[i].sh_offset + (j * woody->Shdr[i].sh_entsize), sizeof(Elf64_Rela));
+ rela->r_offset += offset_ammount;
+ // printf(" Offset: 0x%lx, Info: 0x%lx, Type: %u, Symbol: %u, Addend: %ld\n",
+ // (unsigned long)rela[j].r_offset, (unsigned long)rela[j].r_info,
+ // (unsigned int)ELF64_R_TYPE(rela[j].r_info), (unsigned int)ELF64_R_SYM(rela[j].r_info),
+ // (long)rela[j].r_addend);
+ if (rela->r_addend >= from)
+ {
+ rela->r_addend += offset_ammount;
+ }
+
+ }
+ }
+ }
+ }
-void create_codecave(t_elf_content *woody, t_payload *payload, size_t payload_position)
+void create_codecave(t_elf_content *woody, t_payload *payload, size_t enlarge_position)
 {
 const unsigned int page_size = 4096; // getpagesize(); not authorized
 unsigned int padding_size = ((payload->len / page_size) + 1) * page_size;
- offset_sections(woody, payload_position, padding_size);
+ printf("padding size = %d\n", padding_size);
+ offset_sections(woody, enlarge_position, padding_size);
 char *new_woody = malloc(woody->file_size + padding_size);
+ ft_bzero(new_woody, woody->file_size + padding_size);
 if (!new_woody)
 return ;
- ft_memcpy(new_woody, woody->file, payload_position);
- ft_bzero(new_woody + payload_position, padding_size);
- ft_memcpy(new_woody + payload_position + padding_size, woody->file + payload_position, woody->file_size - payload_position);
+ ft_memcpy(new_woody, woody->file, enlarge_position);
+ ft_memcpy(new_woody + enlarge_position + padding_size, woody->file + enlarge_position, woody->file_size - enlarge_position);
 munmap(woody->file, woody->file_size);
 woody->file = new_woody;
 woody->file_size += padding_size;
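Review bot: `ft_bzero(new_woody, woody->file_size + padding_size);` now runs before `if (!new_woody)`, so a failed malloc writes through NULL instead of returning; move the bzero below the check, or restore the old `ft_bzero(new_woody + enlarge_position, padding_size);`, which clears exactly the gap the two memcpy calls leave (and note that offset_sections has already rewritten the headers by then, so the early `return ;` leaves woody inconsistent either way). In the new relocation loops of offset_sections, `sh_size / sh_entsize` divides by an untrusted `sh_entsize` with no zero check, the `fetch()` result is dereferenced without a NULL check, and `r_offset` is shifted unconditionally while `st_value` just above is only shifted when `>= from`. Whether `r_addend` holds an address depends on the relocation type, so the `rela->r_addend >= from` adjustment is a heuristic that deserves a comment saying which types it is meant for. The `%ld` in `printf("SHT_RE = %ld %ld\n", sizeof(Elf64_Rel), ...)` should be `%zu` and `%lu` for a size_t and an Elf64_Xword. The SHT_REL branch with the missing guards is below; the SHT_RELA branch needs the same treatment.
```c
// … unchanged: section-header and symbol loops …
if (woody->Shdr[i].sh_type == SHT_REL && woody->Shdr[i].sh_entsize != 0)
{
    size_t num_entries = woody->Shdr[i].sh_size / woody->Shdr[i].sh_entsize;
    for (size_t j = 0; j < num_entries; j++) {
        Elf64_Rel *rel = (Elf64_Rel *)fetch(woody->file, woody->file_size, woody->Shdr[i].sh_offset + (j * woody->Shdr[i].sh_entsize), sizeof(Elf64_Rel));
        if (rel == NULL)
            return ; // table runs past the end of the file: stop rather than write out of bounds
        if (rel->r_offset >= from)
            rel->r_offset += offset_ammount;
    }
}
// … SHT_RELA branch: same entsize/NULL/>= from guards, plus the r_addend adjustment …
```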
@@ -152,20 +185,34 @@ void inject(t_elf_content *woody)
 size_t code_cave_size = woody->Phdr[j].p_offset - (woody->Phdr[i].p_offset + woody->Phdr[i].p_filesz);
 size_t payload_position = woody->Phdr[i].p_offset + woody->Phdr[i].p_filesz;
+ // printf("Load segment p_offset = %lx\n", woody->Phdr[i].p_offset);
+ // printf("Load segment p_filesz = %lx\n", woody->Phdr[i].p_filesz);
+ // printf("Load segment p_memsz = %lx\n", woody->Phdr[i].p_memsz);
+
+ // printf("Load segment p_offset = %lx\n", woody->Phdr[i + 1].p_offset);
+ // printf("Load segment p_filesz = %lx\n", woody->Phdr[i + 1].p_filesz);
+ // printf("Load segment p_memsz = %lx\n", woody->Phdr[i + 1].p_memsz);
+
+ // printf("text section sh_offset = %lx\n", woody->text_section->sh_offset);
+ // printf("text section sh_size = %lx\n", woody->text_section->sh_size);
+ // printf("text section sh_addr = %lx\n", woody->text_section->sh_addr);
+
 if (code_cave_size < payload->len) // inverse here to test the other technique
 {
- printf("Create a codecave\n");
- create_codecave(woody, payload, payload_position);
+ printf("create code_Cave %ld\n", code_cave_size);
+ create_codecave(woody, payload, woody->Phdr[j].p_offset);
 }
- encrypt(woody->file, woody->Phdr[i].p_offset, woody->Phdr[i].p_memsz);
- insert_payload(woody, payload, payload_position, i);
-
- woody->Ehdr->e_entry = payload_position;
 woody->Phdr[i].p_filesz += payload->len;
 woody->Phdr[i].p_memsz += payload->len;
- woody->Phdr[i].p_flags = PF_X | PF_W | PF_R;
+ printf("%ld\n", woody->Phdr[i].p_align);
+ (void)payload_position;
+ insert_payload(woody, payload, payload_position, i);
+ //woody->Ehdr->e_entry = payload_position;
 printf("New entry = %ld (%lx)\n", woody->Ehdr->e_entry, woody->Ehdr->e_entry);
+ printf("Load segment p_filesz = %lx\n", woody->Phdr[i].p_filesz);
+ printf("Load segment p_memsz = %lx\n", woody->Phdr[i].p_memsz);
+ woody->Phdr[i].p_flags = PF_X | PF_W | PF_R;
 }
 int get_elf_sections(t_elf_content *woody)
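Review bot: `(void)payload_position;` is dead — `payload_position` is used by `insert_payload(woody, payload, payload_position, i);` on the very next line — and the new diagnostics pass the wrong types: `printf("create code_Cave %ld\n", code_cave_size)` receives a size_t (`%zu`) and `printf("%ld\n", woody->Phdr[i].p_align)` an Elf64_Xword (`%lu`, or `PRIu64` from inttypes.h). The cave is now carved at `woody->Phdr[j].p_offset` while the payload is still written at `payload_position` (end of segment i), and `p_filesz`/`p_memsz` are now grown before `insert_payload` rather than after; if insert_payload bounds-checks against `p_filesz` that ordering change matters, so a comment stating the intended file layout would help. With the `encrypt()` call and the `e_entry` assignment dropped, inject() appends the payload but no longer changes the entry point; if that is deliberate scaffolding, say so in a comment instead of leaving `//woody->Ehdr->e_entry = payload_position;` in place. inject()'s body begins before this hunk.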
@@ -186,12 +233,19 @@ int get_elf_sections(t_elf_content *woody)
 if (woody->Shdr[i].sh_type == SHT_SYMTAB) {
 woody->symbols_table = fetch(woody->file, woody->file_size, woody->Ehdr->e_shoff + (i * sizeof(Elf64_Shdr)), sizeof(Elf64_Shdr));
 }
+ if (woody->Shdr[i].sh_type == SHT_PROGBITS && (woody->Shdr[i].sh_flags & SHF_EXECINSTR) && (woody->Shdr[i].sh_flags & SHF_ALLOC)) {
+ woody->text_section = fetch(woody->file, woody->file_size, woody->Ehdr->e_shoff + (i * sizeof(Elf64_Shdr)), sizeof(Elf64_Shdr));
+ }
 }
- if (woody->symbols_table == NULL)
+ if (woody->symbols_table == NULL || woody->text_section == NULL)
 return EXIT_FAILURE; //Not sure about this
 woody->symbols = (Elf64_Sym *)fetch(woody->file, woody->file_size, woody->symbols_table->sh_offset, sizeof(Elf64_Sym));
 if (woody->symbols == NULL)
 return EXIT_FAILURE;//Not sure about this
+ woody->num_symbols = get_symbols_count(woody->symbols_table->sh_size, woody->symbols_table->sh_entsize);
+ if (!fetch(woody->file, woody->file_size, woody->symbols_table->sh_offset + (sizeof(Elf64_Sym) * (woody->num_symbols)), 0))
+ return EXIT_FAILURE;
+
 return EXIT_SUCCESS;
 }
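Review bot: The new `SHT_PROGBITS && SHF_EXECINSTR && SHF_ALLOC` test matches every executable section, and because each match overwrites `woody->text_section` (no break is visible in this hunk; the loop's start is above it), the last one wins — in a typical gcc layout that is `.fini`, not `.text`. Resolve the name through `e_shstrndx` and `sh_name` and compare it with ".text", or at least document that `text_section` means "the last executable section" if that is what inject relies on. The new end-of-table probe `fetch(..., sh_offset + (sizeof(Elf64_Sym) * num_symbols), 0)` assumes `sh_entsize == sizeof(Elf64_Sym)` while get_symbols_count is handed `sh_entsize`; validate `sh_entsize == sizeof(Elf64_Sym)` (and `!= 0`) up front, or probe with `sh_entsize * num_symbols`, and note `num_symbols` is an `int` so the product can go negative before the probe runs. If fetch() returns a pointer into `woody->file` (it takes the buffer and its size, which suggests a bounds-checked pointer), then `text_section`, `symbols_table` and `symbols` all dangle once create_codecave calls `munmap(woody->file, woody->file_size)` and swaps in `new_woody`; keep offsets instead, or re-fetch after the buffer is replaced.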