diff --git a/gen_payload.sh b/gen_payload.sh
new file mode 100755
index 0000000..2c99491
--- /dev/null
+++ b/gen_payload.sh
@@ -0,0 +1 @@
+nasm -f elf64 -o print.o print.s && ld -o print print.o && nasm -f bin -o payload print.s && hexdump -v -e '"\\\x\" 1/1 "%02x"' payload
diff --git a/includes/woody.h b/includes/woody.h
index 2807779..4312212 100644
--- a/includes/woody.h
+++ b/includes/woody.h
@@ -48,4 +48,5 @@ int prepare_injection(t_elf_content *woody);
 // encrypt.c
 void encrypt(char *file, unsigned long int offset, unsigned long int size);
-#endif
\ No newline at end of file
+#endif
+
diff --git a/print.s b/print.s
index bfc8337..83badf2 100644
--- a/print.s
+++ b/print.s
@@ -9,7 +9,7 @@ _start:
 mov rdi, 1
 lea rsi, [rel msg]
- mov rdx, 10
+ mov rdx, 14
 mov rax, 1
 syscall
 pop rdx
@@ -17,6 +17,7 @@ _start:
 pop rdi
 pop rax
 jmp 0x00000000
- msg db "..WOODY..",10
+
+ msg db "....WOODY....",10
 text_section dq 0xbabababababababa
- section_sisze dq 0xcacacacacacacaca
\ No newline at end of file
+ section_sisze dq 0xcacacacacacacaca
diff --git a/srcs/main.c b/srcs/main.c
index 8578041..807f492 100644
--- a/srcs/main.c
+++ b/srcs/main.c
@@ -42,4 +42,5 @@ int main(int ac, char **av)
 if (ret == EXIT_FAILURE)
 return ret;
 return prepare_injection(&woody);
-}
\ No newline at end of file
+}
+
diff --git a/srcs/woody.c b/srcs/woody.c
index 21176da..24b03dc 100644
--- a/srcs/woody.c
+++ b/srcs/woody.c
@@ -1,6 +1,5 @@
 #include "../includes/woody.h"
-
 int elf_magic_numbers(char *str)
 {
 return (!ft_strncmp(str, ELFMAG, SELFMAG));
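Review bot: gen_payload.sh is created with mode 100755 but its only line carries no interpreter directive, so running it directly depends on whatever shell the caller happens to use; add `#!/bin/sh` as the first line. The `ld -o print print.o` step links an executable that the final `hexdump` never reads — if that link is only a sanity check that the stub assembles and links, a comment such as `# the elf64/ld pass only validates print.s; the embedded bytes come from the -f bin pass` would tell the next reader which artefact is the payload. As rendered here the hexdump format string emits only `%02x` groups with no trailing newline, so the hex text runs straight into the prompt when the script is run interactively.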
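Review bot: The byte count in `mov rdx, 14` in the first print.s hunk is kept in sync by hand with the `msg` string defined in the second hunk, which is exactly what this commit had to repair (10 → 14); let the assembler derive it instead with `msg_len equ $ - msg` on the line after `msg db "....WOODY....",10` and `mov rdx, msg_len` in place of the literal. `$ - msg` is a compile-time constant in both the elf64 and the bin pass, so nothing else changes. The label `section_sisze` in the second hunk is a long-standing typo for `section_size`; label names do not survive the `-f bin` pass that produces the embedded bytes, so renaming it cannot affect the C side. The body of _start starts before both hunks.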
@@ -111,14 +110,14 @@ int insert_payload(t_elf_content *woody, t_payload *payload, size_t payload_posi
 printf("the jump = %ld\n", payload->len - 16);
 int32_t jmp_index = ptr_jmp - payload->payload;
- int32_t jump_value = (payload_position - woody->Ehdr->e_entry + jmp_index - 1) * -1;
+ int32_t jump_value = ((payload_position + jmp_index + 5) - woody->Ehdr->e_entry) * -1; // 5 = JUMP SIZE (OPCODE + 4 bytes operand)
 ft_memcpy(&payload->payload[jmp_index + 1], &jump_value, sizeof(jump_value));
 int64_t text_index = ptr_text_section - payload->payload;
 int64_t text_value = (payload_position - woody->text_section->sh_offset + text_index - 1) * -1;
 text_value = 0;
 ft_memcpy(&payload->payload[text_index], &text_value, sizeof(text_value));
-
+
 int64_t section_index = ptr_section_size - payload->payload;
 int64_t section_value = (payload_position - woody->text_section->sh_size + section_index - 1) * -1;
 ft_memcpy(&payload->payload[section_index], §ion_value, sizeof(section_value));
@@ -127,7 +126,7 @@ int insert_payload(t_elf_content *woody, t_payload *payload, size_t payload_posi
 printf("Old entry : %ld (%lx)\n", woody->Ehdr->e_entry, woody->Ehdr->e_entry);
 printf("Code cave start = %ld (%lx)\n", payload_position, payload_position);
 printf("Payload size = %ld (%lx)\n", payload->len, payload->len);
- printf("Backwar d offset = %d (%x)(%x)\n", jump_value, jump_value, -jump_value);
+ printf("Backward offset = %d (%x)(%x)\n", jump_value, jump_value, -jump_value);
 return EXIT_SUCCESS;
 }
 return EXIT_FAILURE;
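Review bot: The new `jump_value` line evaluates the rel32 displacement in unsigned 64-bit arithmetic (`payload_position` is a `size_t` per the signature, and `e_entry` is presumably an `Elf64_Addr`) and then narrows the result into `int32_t` with no range check, so any displacement outside what a 5-byte `jmp rel32` can encode is silently truncated and the patched binary jumps to an unrelated address instead of the original entry. Compute the delta in a signed 64-bit type, reject it when it falls outside `INT32_MIN..INT32_MAX` through whatever failure path insert_payload already uses, and only then store the `int32_t`; the `* -1` disappears once the subtraction is written in the right order. The same line also subtracts a virtual address from what appears to be a file offset (`inject` builds its positions from `p_offset`), which only holds when the containing PT_LOAD segment has `p_vaddr == p_offset`; at minimum a comment stating that assumption belongs next to the line, better is adding the segment's `p_vaddr - p_offset` to `payload_position` first. insert_payload starts and ends outside this hunk, and `§ion_value` on the last context line reads like an extraction artefact of `&section_value` rather than code to act on.
```c
int32_t jmp_index = ptr_jmp - payload->payload;
// rel32 is relative to the end of the 5-byte jmp (1 opcode byte + imm32);
// assumes payload_position is a file offset with p_vaddr == p_offset for its segment
int64_t jump_delta = (int64_t)woody->Ehdr->e_entry
                   - (int64_t)(payload_position + jmp_index + 5);
if (jump_delta < INT32_MIN || jump_delta > INT32_MAX) {
    return EXIT_FAILURE; // displacement does not fit a rel32 jmp; refuse to emit a corrupt binary
}
int32_t jump_value = (int32_t)jump_delta;
// … unchanged: ft_memcpy of jump_value into payload->payload[jmp_index + 1] …
```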
@@ -136,9 +135,9 @@ int insert_payload(t_elf_content *woody, t_payload *payload, size_t payload_posi
 void inject(t_elf_content *woody)
 {
 t_payload *payload = get_payload();
- int i = get_load_segment(woody, 0, true);
+ int i = get_load_segment(woody, 0, true);
 int j = get_load_segment(woody, i + 1, false);
-
+
 size_t code_cave_size = woody->Phdr[j].p_offset - (woody->Phdr[i].p_offset + woody->Phdr[i].p_filesz);
 size_t payload_position;
 printf("load position = : %ld (%lx)\n", woody->Phdr[i].p_offset, woody->Phdr[i].p_offset);
@@ -205,6 +204,7 @@ int get_elf_sections(t_elf_content *woody)
 break;
 }
 }
+
 return EXIT_SUCCESS;
 }
@@ -224,3 +224,4 @@ int prepare_injection(t_elf_content *woody)
 free(woody_file);
 return EXIT_SUCCESS;
 }
+