refacto: get_code_cave + algo name
parent
f163f8f81a
commit
8e6dec0237
|
@ -22,6 +22,7 @@ typedef struct s_map {
|
||||||
typedef struct s_payload64 {
|
typedef struct s_payload64 {
|
||||||
int (*encrypt)(t_map, void *, Elf64_Phdr);
|
int (*encrypt)(t_map, void *, Elf64_Phdr);
|
||||||
int (*gen_key)(void **);
|
int (*gen_key)(void **);
|
||||||
|
char *algo_name;
|
||||||
size_t jump_offset;
|
size_t jump_offset;
|
||||||
size_t woody_offset;
|
size_t woody_offset;
|
||||||
size_t load_ptr_offset;
|
size_t load_ptr_offset;
|
||||||
|
|
|
@ -3,6 +3,7 @@
|
||||||
t_payload64 get_debug_payload64(void) {
|
t_payload64 get_debug_payload64(void) {
|
||||||
t_payload64 payload;
|
t_payload64 payload;
|
||||||
|
|
||||||
|
payload.algo_name = ft_strdup("debug");
|
||||||
payload.len = 55;
|
payload.len = 55;
|
||||||
payload.jump_offset = 37;
|
payload.jump_offset = 37;
|
||||||
payload.encrypt = NULL;
|
payload.encrypt = NULL;
|
||||||
|
|
|
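Review bot: The result of `ft_strdup("debug")` assigned to `payload.algo_name` is never checked, and the struct is returned by value with no visible owner that frees the copy; the same applies to `ft_strdup("xor")` in get_xor_payload64. If ft_strdup returns NULL on allocation failure (presumably, as strdup does), pack_elf64 passes that null pointer to `ft_printf("info: using %s algorithm\n", payload.algo_name)`. Both names are constants, so declaring the field as `const char *algo_name;` and assigning the literal, `payload.algo_name = "debug";`, removes the allocation, the failure path and the ownership question. The rest of get_debug_payload64 lies outside the hunk, so whether the remaining fields of the uninitialised `payload` are all set cannot be confirmed from here.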
@ -49,19 +49,13 @@ int get_load_segment64(
|
||||||
return RET_ERR;
|
return RET_ERR;
|
||||||
}
|
}
|
||||||
|
|
||||||
// TODO refacto
|
int get_code_cave64(t_map file, Elf64_Phdr load_segment, t_map *code_cave) {
|
||||||
t_map get_code_cave(t_map file, Elf64_Phdr load_segment) {
|
|
||||||
size_t page_size = load_segment.p_align;
|
size_t page_size = load_segment.p_align;
|
||||||
size_t len = page_size - load_segment.p_filesz % page_size;
|
size_t len = page_size - load_segment.p_filesz % page_size;
|
||||||
size_t offset = load_segment.p_offset + load_segment.p_filesz;
|
size_t offset = load_segment.p_offset + load_segment.p_filesz;
|
||||||
unsigned char *seg = fetch(file, offset, len);
|
unsigned char *seg = fetch(file, offset, len);
|
||||||
if (!seg) {
|
if (!seg) {
|
||||||
printf("fallback to weird code cave finder\n");
|
return RET_ERR;
|
||||||
seg = fetch(file, offset, file.size - offset);
|
|
||||||
len = file.size - offset;
|
|
||||||
if (!seg) {
|
|
||||||
ft_printf("unreachable !!!\n");
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
size_t longest = 0;
|
size_t longest = 0;
|
||||||
|
@ -72,23 +66,17 @@ t_map get_code_cave(t_map file, Elf64_Phdr load_segment) {
|
||||||
while (i + j < len && seg[i + j] == 0) {
|
while (i + j < len && seg[i + j] == 0) {
|
||||||
j++;
|
j++;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (j > longest) {
|
if (j > longest) {
|
||||||
longest_i = i;
|
longest_i = i;
|
||||||
longest = j;
|
longest = j;
|
||||||
}
|
}
|
||||||
i += j;
|
i += j;
|
||||||
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
t_map code_cave;
|
code_cave->data = fetch(file, longest_i + offset, longest);
|
||||||
code_cave.data = fetch(file, longest_i + offset, longest);
|
code_cave->size = longest;
|
||||||
code_cave.size = longest;
|
return RET_OK;
|
||||||
if (!code_cave.data) {
|
|
||||||
ft_printf("unreachable !!!\n");
|
|
||||||
}
|
|
||||||
return code_cave;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
int pack_elf64(t_map file) {
|
int pack_elf64(t_map file) {
|
||||||
|
@ -121,9 +109,13 @@ int pack_elf64(t_map file) {
|
||||||
to_encrypt.size = load_segment.p_filesz + encryption_block_size - load_segment.p_filesz % encryption_block_size;
|
to_encrypt.size = load_segment.p_filesz + encryption_block_size - load_segment.p_filesz % encryption_block_size;
|
||||||
*/
|
*/
|
||||||
|
|
||||||
t_map code_cave = get_code_cave(file, *load_segment);
|
t_map code_cave;
|
||||||
|
if (get_code_cave64(file, *load_segment, &code_cave) == RET_ERR) {
|
||||||
|
return wdy_error("can't get code cave");
|
||||||
|
}
|
||||||
|
|
||||||
t_payload64 payload = get_xor_payload64();
|
t_payload64 payload = get_xor_payload64();
|
||||||
|
ft_printf("info: using %s algorithm\n", payload.algo_name);
|
||||||
// This should fallback to compression algorithm, or smaller payload (eg rsa->xor)
|
// This should fallback to compression algorithm, or smaller payload (eg rsa->xor)
|
||||||
if (payload.len > (size_t)code_cave.size) {
|
if (payload.len > (size_t)code_cave.size) {
|
||||||
printf("code cave size: %ld (0x%lx) bytes\n", code_cave.size, code_cave.size);
|
printf("code cave size: %ld (0x%lx) bytes\n", code_cave.size, code_cave.size);
|
||||||
|
|
|
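Review bot: In get_code_cave64, `page_size` is copied from `load_segment.p_align` and used as the divisor in `load_segment.p_filesz % page_size`; the program header presumably comes from the file being packed, and a header with p_align of 0 makes this a division by zero. A guard before the modulo, `if (page_size == 0) return RET_ERR;`, fits the error-return convention this commit introduces. The refactor also drops the check after the final `fetch(file, longest_i + offset, longest)`, so the function returns RET_OK even when `code_cave->data` is NULL; adding `if (!code_cave->data) return RET_ERR;` before `code_cave->size = longest;` keeps the caller's `== RET_ERR` test meaningful. The scanning loop between the two hunks is only partly visible, so how `longest_i` is initialised when no zero run is found should be checked as well.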
@ -54,6 +54,7 @@ int encrypt_xor(t_map file, void *key_ptr, Elf64_Phdr load_segment) {
|
||||||
t_payload64 get_xor_payload64(void) {
|
t_payload64 get_xor_payload64(void) {
|
||||||
t_payload64 payload;
|
t_payload64 payload;
|
||||||
|
|
||||||
|
payload.algo_name = ft_strdup("xor");
|
||||||
payload.len = 155;
|
payload.len = 155;
|
||||||
payload.jump_offset = 113;
|
payload.jump_offset = 113;
|
||||||
payload.load_ptr_offset = 131;
|
payload.load_ptr_offset = 131;
|
||||||
|
|