refacto: get_code_cave + algo name

gbrochar 2024-09-06 21:26:35 +02:00
parent f163f8f81a
commit 8e6dec0237
4 changed files with 13 additions and 18 deletions


@ -22,6 +22,7 @@ typedef struct s_map {
typedef struct s_payload64 { typedef struct s_payload64 {
int (*encrypt)(t_map, void *, Elf64_Phdr); int (*encrypt)(t_map, void *, Elf64_Phdr);
int (*gen_key)(void **); int (*gen_key)(void **);
char *algo_name;
size_t jump_offset; size_t jump_offset;
size_t woody_offset; size_t woody_offset;
size_t load_ptr_offset; size_t load_ptr_offset;


@ -3,6 +3,7 @@
t_payload64 get_debug_payload64(void) { t_payload64 get_debug_payload64(void) {
t_payload64 payload; t_payload64 payload;
payload.algo_name = ft_strdup("debug");
payload.len = 55; payload.len = 55;
payload.jump_offset = 37; payload.jump_offset = 37;
payload.encrypt = NULL; payload.encrypt = NULL;
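Review bot: The result of `ft_strdup("debug")` is stored in `payload.algo_name` without a check, and nothing in the visible changes frees it; the same applies to `ft_strdup("xor")` in get_xor_payload64. Assuming ft_strdup allocates like strdup (its definition is not shown), a failed allocation leaves NULL, which pack_elf64 then passes to `ft_printf("info: using %s algorithm\n", payload.algo_name)`. Every call would also leak the copy, because the struct is returned by value with no visible owner. Since the names are fixed literals, declaring the field as `const char *algo_name;` and assigning `payload.algo_name = "debug";` removes both the allocation and the failure path. The body of get_debug_payload64 continues outside the hunk.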


@ -49,19 +49,13 @@ int get_load_segment64(
return RET_ERR; return RET_ERR;
} }
// TODO refacto int get_code_cave64(t_map file, Elf64_Phdr load_segment, t_map *code_cave) {
t_map get_code_cave(t_map file, Elf64_Phdr load_segment) {
size_t page_size = load_segment.p_align; size_t page_size = load_segment.p_align;
size_t len = page_size - load_segment.p_filesz % page_size; size_t len = page_size - load_segment.p_filesz % page_size;
size_t offset = load_segment.p_offset + load_segment.p_filesz; size_t offset = load_segment.p_offset + load_segment.p_filesz;
unsigned char *seg = fetch(file, offset, len); unsigned char *seg = fetch(file, offset, len);
if (!seg) { if (!seg) {
printf("fallback to weird code cave finder\n"); return RET_ERR;
seg = fetch(file, offset, file.size - offset);
len = file.size - offset;
if (!seg) {
ft_printf("unreachable !!!\n");
}
} }
size_t longest = 0; size_t longest = 0;
@ -72,23 +66,17 @@ t_map get_code_cave(t_map file, Elf64_Phdr load_segment) {
while (i + j < len && seg[i + j] == 0) { while (i + j < len && seg[i + j] == 0) {
j++; j++;
} }
if (j > longest) { if (j > longest) {
longest_i = i; longest_i = i;
longest = j; longest = j;
} }
i += j; i += j;
} }
} }
t_map code_cave; code_cave->data = fetch(file, longest_i + offset, longest);
code_cave.data = fetch(file, longest_i + offset, longest); code_cave->size = longest;
code_cave.size = longest; return RET_OK;
if (!code_cave.data) {
ft_printf("unreachable !!!\n");
}
return code_cave;
} }
int pack_elf64(t_map file) { int pack_elf64(t_map file) {
@ -121,9 +109,13 @@ int pack_elf64(t_map file) {
to_encrypt.size = load_segment.p_filesz + encryption_block_size - load_segment.p_filesz % encryption_block_size; to_encrypt.size = load_segment.p_filesz + encryption_block_size - load_segment.p_filesz % encryption_block_size;
*/ */
t_map code_cave = get_code_cave(file, *load_segment); t_map code_cave;
if (get_code_cave64(file, *load_segment, &code_cave) == RET_ERR) {
return wdy_error("can't get code cave");
}
t_payload64 payload = get_xor_payload64(); t_payload64 payload = get_xor_payload64();
ft_printf("info: using %s algorithm\n", payload.algo_name);
// This should fallback to compression algorithm, or smaller payload (eg rsa->xor) // This should fallback to compression algorithm, or smaller payload (eg rsa->xor)
if (payload.len > (size_t)code_cave.size) { if (payload.len > (size_t)code_cave.size) {
printf("code cave size: %ld (0x%lx) bytes\n", code_cave.size, code_cave.size); printf("code cave size: %ld (0x%lx) bytes\n", code_cave.size, code_cave.size);
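Review bot: get_code_cave64 uses `load_segment.p_align` as a divisor in `page_size - load_segment.p_filesz % page_size` with no check that it is non-zero. The segment header presumably comes from the file being packed, and ELF permits a p_align of 0 (meaning no alignment), so such an input makes the modulo undefined and typically crashes the packer. Now that the function returns a status, `if (page_size == 0) return RET_ERR;` before computing `len` fits the new contract. In the second hunk the final `fetch` result is stored unchecked since the "unreachable" branch was removed; `if (!code_cave->data) return RET_ERR;` would keep RET_OK meaning the cave is usable. pack_elf64 continues outside the last hunk.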


@ -54,6 +54,7 @@ int encrypt_xor(t_map file, void *key_ptr, Elf64_Phdr load_segment) {
t_payload64 get_xor_payload64(void) { t_payload64 get_xor_payload64(void) {
t_payload64 payload; t_payload64 payload;
payload.algo_name = ft_strdup("xor");
payload.len = 155; payload.len = 155;
payload.jump_offset = 113; payload.jump_offset = 113;
payload.load_ptr_offset = 131; payload.load_ptr_offset = 131;