assembly simplified

This commit is contained in:
pbonilla 2024-02-23 14:17:23 +01:00
parent 086bda7642
commit b714716094
6 changed files with 53 additions and 53 deletions

README

@ -1,5 +1,5 @@
Transform payload code in hexa : Transform payload code in hexa :
nasm -f elf64 -o print.o print.s && ld -o print print.o && nasm -f bin -o payload print.s && hexdump -v -e '"\\\x\" 1/1 "%02x"' payload
nasm -f elf64 -o print.o print.s && ld -o print print.o && nasm -f bin -o payload print.s && hexdump -v -e '"\\\x\" 1/1 "%02x"' payload To get it in the clipboad directly append :
| xclip -sel clip to directly
Append : | xclip -sel clip to directly get it in clipboard


@ -1,4 +0,0 @@
2c2
< resources/sample64: file format elf64-x86-64
---
> woody: file format elf64-x86-64


@ -14,8 +14,8 @@
#include <elf.h> #include <elf.h>
#include <stdint.h> #include <stdint.h>
#define PAYLOAD "\x50\x57\x56\x52\x53\x31\xc0\x99\xb2\x0a\xff\xc0\x89\xc7\x48\x8d\x35\x0c\x00\x00\x00\x0f\x05\x5b\x5a\x5e\x5f\x58\xe9\xdf\xff\xff\xff\x2e\x2e\x57\x4f\x4f\x44\x59\x2e\x2e\x0a" #define PAYLOAD "\x50\x57\x56\x52\x53\xbf\x01\x00\x00\x00\x48\x8d\x35\x16\x00\x00\x00\xba\x0a\x00\x00\x00\xb8\x01\x00\x00\x00\x0f\x05\x5b\x5a\x5e\x5f\x58\xe9\xd9\xff\xff\xff\x2e\x2e\x57\x4f\x4f\x44\x59\x2e\x2e\x0a"
#define JUMP "\xe9";//\xdf\xff\xff\xff"; #define JUMP "\xe9"
typedef struct efl_content typedef struct efl_content
{ {
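Review bot: The new PAYLOAD literal contains embedded `\x00` bytes (already in its sixth byte, `\xbf\x01\x00\x00\x00`), so any length taken from `strlen(PAYLOAD)` stops after five bytes; the length must be `sizeof(PAYLOAD) - 1`, and that same value has to be what `find_jmp(char *code, size_t len)` receives, otherwise the `\xe9` it searches for is never reached and the stub's jump stays unpatched. How len_payload is computed is outside this hunk, so confirm it. The byte string is also a hand-transcribed copy of print.s and will drift silently from it whenever the assembly changes; a comment such as `/* machine code of print.s (nasm -f bin); regenerate after any change there */` makes that dependency explicit. Dropping the stray `;` and dead comment from `#define JUMP` is correct, since the old form expanded into a statement terminator at every use site.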

print.s

@ -1,28 +1,52 @@
; bits 64
; default rel
; global _start
; _start:
; push rax
; push rdi
; push rsi
; push rdx
; push rbx
; xor eax, eax
; cdq
; mov dl, 10
; inc eax
; mov edi, eax
; lea rsi, [rel msg]
; syscall
; pop rbx
; pop rdx
; pop rsi
; pop rdi
; pop rax
; jmp 0x00000000
; msg db "..WOODY..",10
bits 64 bits 64
default rel default rel
global _start global _start
_start: _start:
push rax push rax
push rdi push rdi
push rsi push rsi
push rdx push rdx
push rbx push rbx
xor eax, eax mov rdi, 1
cdq lea rsi, [rel msg]
mov dl, 10 mov rdx, 10
inc eax mov rax, 1
mov edi, eax syscall
lea rsi, [rel msg]
syscall pop rbx
pop rbx pop rdx
pop rdx pop rsi
pop rsi pop rdi
pop rdi pop rax
pop rax jmp 0x00000000
jmp 0x00000000
msg db "..WOODY..",10 msg db "..WOODY..",10
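Review bot: `mov rdi, 1`, `mov rdx, 10` and `mov rax, 1` only produce the 5-byte `mov r32, imm32` encodings that the header's PAYLOAD bytes (`\xbf\x01\x00\x00\x00`, `\xba\x0a\x00\x00\x00`, `\xb8\x01\x00\x00\x00`) assume because NASM's default optimizer narrows them; assembled with `-O0` they become 7-byte `REX.W` forms, which changes the stub length and the `lea rsi, [rel msg]` displacement and desynchronises the C header. Writing `mov edi, 1`, `mov edx, 10` and `mov eax, 1` pins that encoding regardless of assembler flags, since a 32-bit move zero-extends into the full register anyway. `push rbx`/`pop rbx` save a register the stub never modifies and can be removed, whereas `rcx` and `r11`, which `syscall` does clobber, are not saved — presumably harmless at a process entry point where the ABI leaves them undefined, but worth a comment if the stub is ever placed anywhere else. The commented-out previous version above `bits 64` duplicates what git history already holds and should be deleted, and the literal 10 could be replaced by `msg_len equ $ - msg` so the length follows the string.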


@ -1,17 +0,0 @@
#include <stdio.h>
#include <stdint.h>
#include <unistd.h>
#include <sys/mman.h>
char code[] = "\x31\xc0\x99\xb2\x0a\xff\xc0\x89\xc7\x48\x8d\x35\x12\x00\x00\x00\x0f\x05\xb2\x2a\x31\xc0\xff\xc0\xf6\xe2\x89\xc7\x31\xc0\xb0\x3c\x0f\x05\x2e\x2e\x57\x4f\x4f\x44\x59\x2e\x2e\x0a";
typedef void (*ShellcodeFunc)();
int main() {
ShellcodeFunc func = (ShellcodeFunc)code;
size_t pagesize = 4096; // 4KB, a common page size
uintptr_t page_start = (uintptr_t)code & ~(pagesize - 1);
mprotect((void *)page_start, pagesize, PROT_READ | PROT_EXEC);
func();
return 0;
}


@ -45,7 +45,6 @@ int get_load_segment(t_efl_content *woody, int start, bool executable)
return -1; return -1;
} }
int32_t find_jmp(char *code, size_t len) int32_t find_jmp(char *code, size_t len)
{ {
char *jump = JUMP; char *jump = JUMP;
@ -70,7 +69,7 @@ void inject(t_efl_content *woody)
size_t payload_off = woody->Phdr[i].p_offset + woody->Phdr[i].p_memsz; size_t payload_off = woody->Phdr[i].p_offset + woody->Phdr[i].p_memsz;
printf("Old entry : %ld\n", woody->Ehdr->e_entry); printf("Old entry : %ld\n", woody->Ehdr->e_entry);
printf("Code_cave_start = %ld\n", woody->Phdr[i].p_offset); printf("Code_cave_start = %ld\n", payload_off);
printf("Code_cave_size = %ld\n", code_cave_size); printf("Code_cave_size = %ld\n", code_cave_size);
printf("Payload size = %ld\n", len_payload); printf("Payload size = %ld\n", len_payload);
@ -80,12 +79,11 @@ void inject(t_efl_content *woody)
ft_memcpy(&payload[jmp_index + 1], &backward_len, sizeof(backward_len)); ft_memcpy(&payload[jmp_index + 1], &backward_len, sizeof(backward_len));
ft_memcpy(woody->file + payload_off, payload, len_payload); ft_memcpy(woody->file + payload_off, payload, len_payload);
printf("Backward offset = %d\n", backward_len); printf("Backward offset = %d (%x)\n", backward_len, backward_len);
woody->Ehdr->e_entry = payload_off; woody->Ehdr->e_entry = payload_off;
woody->Phdr[i].p_filesz += len_payload; woody->Phdr[i].p_filesz += len_payload;
woody->Phdr[i].p_memsz += len_payload; woody->Phdr[i].p_memsz += len_payload;
woody->file_size += len_payload;
printf("New entry = %ld\n", woody->Ehdr->e_entry); printf("New entry = %ld\n", woody->Ehdr->e_entry);
} }
@ -93,7 +91,7 @@ void inject(t_efl_content *woody)
int get_elf_sections(t_efl_content *woody) int get_elf_sections(t_efl_content *woody)
{ {
woody->Ehdr = (Elf64_Ehdr *)fetch(woody->file, woody->file_size, 0, sizeof(Elf64_Ehdr)); woody->Ehdr = (Elf64_Ehdr *)fetch(woody->file, woody->file_size, 0, sizeof(Elf64_Ehdr));
if (!woody->Ehdr || !elf_magic_numbers(woody->file) || woody->Ehdr->e_ident[EI_CLASS] != 2) if (!woody->Ehdr || !elf_magic_numbers(woody->file) || woody->Ehdr->e_ident[EI_CLASS] != ELFCLASS64)
{ {
ft_printf("Error: \'%s\' is not a valid 64-bit ELF file\n", woody->file_path); ft_printf("Error: \'%s\' is not a valid 64-bit ELF file\n", woody->file_path);
return EXIT_FAILURE; return EXIT_FAILURE;
@ -150,7 +148,6 @@ int prepare_injection(t_efl_content *woody)
ft_memcpy(woody_file, woody->file, woody->file_size); ft_memcpy(woody_file, woody->file, woody->file_size);
// encrypt(woody_file, strtab_header->sh_offset , strtab_header->sh_size); // encrypt(woody_file, strtab_header->sh_offset , strtab_header->sh_size);
munmap(woody_file, woody->file_size); munmap(woody_file, woody->file_size);
save_elf("woody", woody_file, woody->file_size); save_elf("woody", woody_file, woody->file_size);
free(woody_file); free(woody_file);