diff --git a/.vscode/settings.json b/.vscode/settings.json
index 2386c0c..258e317 100644
--- a/.vscode/settings.json
+++ b/.vscode/settings.json
@@ -1,6 +1,7 @@
 {
 "files.associations": {
 "stdio.h": "c",
- "mman.h": "c"
+ "mman.h": "c",
+ "stdint.h": "c"
 }
 }
\ No newline at end of file
diff --git a/a.out b/a.out
deleted file mode 100755
index 9c336ff..0000000
Binary files a/a.out and /dev/null differ
diff --git a/ft_printf/libft/Makefile b/ft_printf/libft/Makefile
index 0ff9c4e..9bfb217 100644
--- a/ft_printf/libft/Makefile
+++ b/ft_printf/libft/Makefile
@@ -41,6 +41,7 @@ SRCS = $(SRCS_PATH)ft_atoi.c \
 $(SRCS_PATH)ft_bzero.c \
 $(SRCS_PATH)ft_strdup.c \
 $(SRCS_PATH)ft_strnstr.c \
+ $(SRCS_PATH)ft_strnstr_nullterminated.c \
 $(SRCS_PATH)ft_calloc.c \
 $(SRCS_PATH)ft_substr.c \
 $(SRCS_PATH)ft_strjoin.c \
diff --git a/ft_printf/libft/ft_strnstr_nullterminated.c b/ft_printf/libft/ft_strnstr_nullterminated.c
new file mode 100644
index 0000000..3f13db2
--- /dev/null
+++ b/ft_printf/libft/ft_strnstr_nullterminated.c
@@ -0,0 +1,17 @@
+#include "libft.h"
+
+char *ft_strnstr_nullterminated(const char *big, const char *little, size_t len)
+{
+ size_t len_l;
+
+ if (*little == 0)
+ return ((char *)big);
+ len_l = ft_strlen(little);
+ while (len-- >= len_l)
+ {
+ if (*big == *little && ft_strncmp(big, little, len_l) == 0)
+ return ((char *)big);
+ big++;
+ }
+ return (NULL);
+}
\ No newline at end of file
diff --git a/ft_printf/libft/libft.h b/ft_printf/libft/libft.h
index 93441d3..fd6ed1d 100644
--- a/ft_printf/libft/libft.h
+++ b/ft_printf/libft/libft.h
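Review bot: The name reads as if `big` were NUL-terminated, yet the loop in ft_strnstr_nullterminated walks exactly `len` bytes and never stops at a zero byte in `big` — only `ft_strlen`/`ft_strncmp` stop at one, so a `little` with an embedded zero byte is matched only up to that byte, and `*little == 0` returns `big` unconditionally. A header comment stating that contract would keep callers from handing it a pattern containing zeros: `/* Binary-safe variant of ft_strnstr: scans len bytes of big without stopping at NUL; little must be a NUL-free C string. */`. The `len-- >= len_l` bound is correct (the last compare reads big[len-1] at most), but a one-line why-comment on it would save the next reader the same arithmetic. The file also ends without a trailing newline.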
@@ -37,6 +37,7 @@ int ft_strncmp(const char *s1, const char *s2, size_t n); size_t ft_strlcpy(char *dst, const char *src, size_t size); size_t ft_strlcat(char *dst, const char *src, size_t size); char *ft_strnstr(const char *big, const char *little, size_t len); +char *ft_strnstr_nullterminated(const char *big, const char *little, size_t len); int ft_atoi(const char *nptr); char *ft_substr(char const *s, unsigned int start, size_t len); char *ft_strjoin(char const *s1, char const *s2); @@ -55,6 +56,7 @@ void *ft_calloc(size_t nmemb, size_t size); char *ft_convert_base(char *nbr, char *base_from, char *base_to); char *ft_u_convert(char *nbr, char *base_from, char *base_to); void ft_rev_int_tab(char *tab, int size); + typedef struct s_list { void *content; diff --git a/includes/woody.h b/includes/woody.h index 7fc6f23..c5f23e3 100644 --- a/includes/woody.h +++ b/includes/woody.h @@ -12,6 +12,10 @@ #include #include #include +#include + +#define PAYLOAD "\x50\x57\x56\x52\x53\x31\xc0\x99\xb2\x0a\xff\xc0\x89\xc7\x48\x8d\x35\x0c\x00\x00\x00\x0f\x05\x5b\x5a\x5e\x5f\x58\xe9\xdf\xff\xff\xff\x2e\x2e\x57\x4f\x4f\x44\x59\x2e\x2e\x0a" +#define JUMP "\xe9\xdf\xff\xff\xff"; typedef struct efl_content { diff --git a/payload b/payload index fe0bf4e..37d7f45 100644 Binary files a/payload and b/payload differ diff --git a/print b/print index c4d460b..f16118f 100755 Binary files a/print and b/print differ diff --git a/print.s b/print.s index 1fb08fe..6b75ec4 100644 --- a/print.s +++ b/print.s @@ -8,6 +8,7 @@ _start: push rsi push rdx push rbx + xor eax, eax cdq mov dl, 10 @@ -15,14 +16,12 @@ _start: mov edi, eax lea rsi, [rel msg] syscall - pop rdx - pop rbx pop rdx pop rsi pop rdi pop rax - ret + jmp 0x00000000 msg db "..WOODY..",10 diff --git a/srcs/woody.c b/srcs/woody.c index 17cabd9..8a44c50 100644 --- a/srcs/woody.c +++ b/srcs/woody.c 
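Review bot: `#define JUMP "\xe9\xdf\xff\xff\xff";` in woody.h carries a trailing semicolon, so every expansion ends in `;;` — harmless in `char *jump = JUMP;` but it breaks the macro inside an expression or an initializer list; drop it: `#define JUMP "\xe9\xdf\xff\xff\xff"`. PAYLOAD and JUMP are hand-copied machine code that has to stay byte-identical to what print.s assembles, and nothing in the header says so or says that JUMP is a search pattern rather than code to emit on its own; a comment such as `/* Assembled bytes of print.s. JUMP is the 5-byte jmp rel32 near its end; find_cave locates it inside PAYLOAD and overwrites its displacement. */` would tie the three places together. The `#include` lines in this hunk have lost their header names in this rendering, so the added include itself cannot be reviewed here.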
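Review bot: After this change the epilogue in print.s pops rdx, rsi, rdi and rax, while the first hunk still pushes rsi, rdx and rbx (the pushes before line 8 are outside the hunk), so the new side pops one register fewer than it pushes and rbx is left on the stack when the `jmp` runs. The PAYLOAD bytes added to woody.h in the same commit encode five pops starting with `5b` (pop rbx), so the assembly source no longer matches the bytes actually injected; removing only the first `pop rdx` and keeping `pop rbx` would put the two back in agreement. `jmp 0x00000000` is a placeholder whose displacement find_cave patches at run time, which is not obvious from the source; a comment on that line, `; rel32 placeholder, patched by find_cave`, would stop someone "fixing" it later.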
@@ -1,7 +1,5 @@ #include "../includes/woody.h" -#define CODE_MACRO "\x50\x57\x56\x52\x53\x31\xc0\x99\xb2\x0a\xff\xc0\x89\xc7\x48\x8d\x35\x09\x00\x00\x00\x0f\x05\x5a\x5b\x5a\x5e\x5f\x58\xc3\x2e\x2e\x57\x4f\x4f\x44\x59\x2e\x2e\x0a" -char jmp[] = "\xe9\x00\x00\x00\x00"; int elf_magic_numbers(char *str) { @@ -57,6 +55,18 @@ int get_load_segment(t_efl_content *woody, int start, bool executable) return -1; } + +int32_t find_jmp(char *code, size_t len) +{ + char *jump = JUMP; + char *ptr = ft_strnstr_nullterminated(code, jump, len); + if (ptr) + { + return ptr - code; + } + return 0; +} + void find_cave(t_efl_content *woody) { woody->Phdr = (Elf64_Phdr *)secure_jump(woody->file, woody->file_size, woody->Ehdr->e_phoff, sizeof(Elf64_Phdr)); 
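Review bot: `find_jmp` returns 0 both when the pattern sits at offset 0 and when `ft_strnstr_nullterminated` finds nothing, and find_cave (the next hunk) never distinguishes the two, so a PAYLOAD that no longer contains the JUMP bytes would silently get its bytes 1–4 overwritten with the displacement. Return an impossible value and check it at the caller: `return ptr ? (int32_t)(ptr - code) : -1;` with `if (jmp < 0) return;` before the `ft_memcpy(&payload[jmp + 1], ...)`. `ptr - code` is a ptrdiff_t narrowed to int32_t without a cast, which `-Wconversion` flags, and `char *jump = JUMP;` keeps a string literal behind a non-const pointer — `const char *jump` is the honest type. A one-line header comment, `/* Offset of the JUMP pattern inside code, or -1 if absent. */`, would document the contract.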
@@ -69,21 +79,32 @@ void find_cave(t_efl_content *woody) printf("code_cave_start = %lx, virtual adress = %lx\n", woody->Phdr[i].p_offset, woody->Phdr[i].p_vaddr); printf("code_cave_size = %lx\n", woody->Phdr[j].p_offset - (woody->Phdr[i].p_offset + woody->Phdr[i].p_filesz)); + Elf64_Off payload_off = woody->Phdr[i].p_offset + woody->Phdr[i].p_memsz; - Elf64_Off payload_off = woody->Phdr[i].p_offset + woody->Phdr[i].p_filesz; + size_t len = sizeof(PAYLOAD) - 1; + char payload[] = PAYLOAD; + int32_t jmp = find_jmp(payload, len); + printf("%ld\n", (long int)payload[jmp + 1]); + int32_t test = ((payload_off + len) - woody->Ehdr->e_entry) * -1; - size_t len = sizeof(CODE_MACRO) - 1; - ft_memcpy(woody->file + payload_off, CODE_MACRO, len); + ft_memcpy(&payload[jmp + 1], &test, sizeof(test)); + + ft_memcpy(woody->file + payload_off, payload, len); printf("old entry : %lx\n", woody->Ehdr->e_entry); - woody->Ehdr->e_entry = woody->Phdr[i].p_vaddr + woody->Phdr[i].p_filesz; + printf("backward offset = %ld\n", (payload_off + len) - woody->Ehdr->e_entry); + woody->Ehdr->e_entry = payload_off; woody->Phdr[i].p_filesz += len; woody->Phdr[i].p_memsz += len; + + + printf("new entry = %lx\n", woody->Ehdr->e_entry); - printf("e_entry = %lx\n", woody->Ehdr->e_entry); printf("p_filesz = %lx\n", woody->Phdr[i].p_filesz); printf("p_memsz = %lx\n", woody->Phdr[i].p_memsz); + woody->file_size += len; + } @@ -148,6 +169,6 @@ int inject(t_efl_content *woody) ft_memcpy(woody_file, woody->file, woody->file_size); // encrypt_zone(woody_file, strtab_header->sh_offset , strtab_header->sh_size); - + munmap(woody_file, woody->file_size); return save_elf("woody", woody_file, woody->file_size); } \ No newline at end of file
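Review bot: `payload_off` is now `p_offset + p_memsz`, but the cave size printed a few lines above is still measured from `p_filesz`, and the `ft_memcpy(woody->file + payload_off, payload, len)` is not checked against `woody->file_size`; when `p_memsz` exceeds `p_filesz` (a segment carrying .bss) the write lands beyond the measured cave and can run past the mapped file, which is exactly what `secure_jump` exists to prevent earlier in this function. A guard such as `if (payload_off + len > (Elf64_Off)woody->file_size) return;` before the copy, or routing the destination through `secure_jump`, closes that. `e_entry = payload_off` stores a file offset in a field that holds a virtual address; the old line used `p_vaddr + p_filesz`, and the new value is only right when `p_vaddr == p_offset` for this segment, which nothing here verifies. `test` and the `printf("%ld\n", (long int)payload[jmp + 1])` read as leftover debugging — `jmp_disp` and dropping the print would make the intent clear. find_cave begins before this hunk.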
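Review bot: In inject, `munmap(woody_file, woody->file_size)` runs immediately before `save_elf("woody", woody_file, woody->file_size)` receives the same pointer, so if save_elf reads from that buffer, as its arguments suggest, it reads unmapped memory — a crash at best, a silently corrupted output file at worst. Unmap after the save and keep its result: `int ret = save_elf("woody", woody_file, woody->file_size); munmap(woody_file, woody->file_size); return ret;`. The return value of munmap is also dropped, and the commented-out `encrypt_zone` call should either go or carry a note on why it is disabled. inject's body starts before this hunk.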