diff --git a/includes/woody.h b/includes/woody.h index f136809..7aa98d7 100644 --- a/includes/woody.h +++ b/includes/woody.h @@ -14,9 +14,14 @@ #include #include -#define PAYLOAD "\x50\x57\x56\x52\x53\xbf\x01\x00\x00\x00\x48\x8d\x35\x16\x00\x00\x00\xba\x0a\x00\x00\x00\xb8\x01\x00\x00\x00\x0f\x05\x5b\x5a\x5e\x5f\x58\xe9\xd9\xff\xff\xff\x2e\x2e\x57\x4f\x4f\x44\x59\x2e\x2e\x0a" #define JUMP "\xe9" +typedef struct payload +{ + char *payload; + size_t len; +} t_payload; + typedef struct efl_content { long unsigned int file_size; diff --git a/print.s b/print.s index db11230..3a557c8 100644 --- a/print.s +++ b/print.s @@ -1,52 +1,27 @@ -; bits 64 -; default rel -; global _start - -; _start: -; push rax -; push rdi -; push rsi -; push rdx -; push rbx - -; xor eax, eax -; cdq -; mov dl, 10 -; inc eax -; mov edi, eax -; lea rsi, [rel msg] -; syscall -; pop rbx -; pop rdx -; pop rsi -; pop rdi -; pop rax -; jmp 0x00000000 - -; msg db "..WOODY..",10 - bits 64 -default rel global _start _start: - push rax - push rdi - push rsi - push rdx - push rbx - - mov rdi, 1 + push rax + push rdi + push rsi + push rdx + + mov rdi, 1 + mov rdi, 1 + mov rdi, 1 + mov rdi, 1 + mov rdi, 1 + mov rdi, 1 lea rsi, [rel msg] mov rdx, 10 mov rax, 1 syscall - pop rbx - pop rdx + pop rdx pop rsi pop rdi pop rax jmp 0x00000000 - -msg db "..WOODY..",10 + + msg db "..WOODY..",10 diff --git a/srcs/main.c b/srcs/main.c index d2228a7..143a099 100644 --- a/srcs/main.c +++ b/srcs/main.c @@ -19,7 +19,7 @@ int get_elf_file(t_efl_content *woody) return EXIT_FAILURE; } woody->file_size = off; - woody->file = mmap(NULL, woody->file_size, PROT_READ | PROT_WRITE, MAP_PRIVATE, fd, 0); + woody->file = mmap(NULL, woody->file_size, PROT_READ | PROT_WRITE | PROT_EXEC, MAP_PRIVATE, fd, 0); if (woody->file == MAP_FAILED) { close(fd); diff --git a/srcs/woody.c b/srcs/woody.c index c7d5778..154d178 100644 --- a/srcs/woody.c +++ b/srcs/woody.c @@ -59,10 +59,10 @@ void offset_sections(t_efl_content *woody, unsigned int from, unsigned int offse } } -size_t create_codecave(t_efl_content *woody, Elf64_Phdr *load_segment) +size_t create_codecave(t_efl_content *woody, Elf64_Phdr *load_segment, t_payload *payload) { - const unsigned int page_size = 4096;// getpagesize(); not authorized - unsigned int padding_size = ((sizeof(PAYLOAD) / page_size) + 1) * page_size; + const unsigned int page_size = 4096; // getpagesize(); not authorized + unsigned int padding_size = ((payload->len / page_size) + 1) * page_size; unsigned int codecave_start = load_segment->p_offset + load_segment->p_filesz; offset_sections(woody, codecave_start, padding_size); char *new_woody = malloc(woody->file_size + padding_size); @@ -80,24 +80,34 @@ size_t create_codecave(t_efl_content *woody, Elf64_Phdr *load_segment) return codecave_start; } - -int insert_payload(t_efl_content *woody, size_t payload_position) +t_payload *get_payload() { - char payload[] = PAYLOAD; - size_t len_payload = sizeof(PAYLOAD) - 1; - char *ptr = ft_strnstr_nullterminated(payload, JUMP, len_payload); + t_payload *payload = malloc(sizeof(t_payload)); + if (!payload) + return NULL; + char buffer[1024]; + int fd = open("payload", O_RDONLY); + payload->len = read(fd, buffer, 1024); + payload->payload = malloc(sizeof(char) * payload->len); + ft_memcpy(payload->payload, buffer, payload->len); + return payload; +} +int insert_payload(t_efl_content *woody, t_payload *payload, size_t payload_position) +{ + char *ptr = ft_strnstr_nullterminated(payload->payload, JUMP, payload->len); if (ptr) { - int32_t jmp_index = ptr - payload; - int32_t jump_value = ((payload_position + len_payload) - woody->Ehdr->e_entry) * -1; - ft_memcpy(&payload[jmp_index + 1], &jump_value, sizeof(jump_value)); - ft_memcpy(woody->file + payload_position, payload, len_payload); + int32_t jmp_index = ptr - payload->payload; + int32_t jump_value = ((payload_position + payload->len) - woody->Ehdr->e_entry) * -1; + + ft_memcpy(&payload->payload[jmp_index + 1], &jump_value, sizeof(jump_value)); + ft_memcpy(woody->file + payload_position, payload->payload, payload->len); printf("Old entry : %ld (%lx)\n", woody->Ehdr->e_entry, woody->Ehdr->e_entry); - printf("Code_cave_start = %ld (%lx)\n", payload_position, payload_position); - printf("Payload size = %ld (%lx)\n", len_payload, len_payload); - printf("Backward offset = %d (%x)\n", jump_value, jump_value); + printf("Code cave start = %ld (%lx)\n", payload_position, payload_position); + printf("Payload size = %ld (%lx)\n", payload->len, payload->len); + printf("Backwar d offset = %d (%x)\n", jump_value, jump_value); return EXIT_SUCCESS; } @@ -106,29 +116,30 @@ int insert_payload(t_efl_content *woody, size_t payload_position) void inject(t_efl_content *woody) { - size_t len_payload = sizeof(PAYLOAD) - 1; + t_payload *payload = get_payload(); int i = get_load_segment(woody, 0, true); int j = get_load_segment(woody, i + 1, false); - size_t code_cave_size = woody->Phdr[j].p_offset - (woody->Phdr[i].p_offset + woody->Phdr[i].p_filesz); size_t payload_position; + printf("load position = : %ld (%lx)\n", woody->Phdr[i].p_offset, woody->Phdr[i].p_offset); + printf("load size = : %ld (%lx)\n", woody->Phdr[i].p_filesz, woody->Phdr[i].p_filesz); - if (code_cave_size > len_payload) + if (code_cave_size > payload->len) // inverse here to test the other technique { payload_position = woody->Phdr[i].p_offset + woody->Phdr[i].p_memsz; printf("Code_cave_size = %ld (%lx)\n", code_cave_size, code_cave_size); } else { - payload_position = create_codecave(woody, &woody->Phdr[i]); + payload_position = create_codecave(woody, &woody->Phdr[i], payload); } - insert_payload(woody, payload_position); + insert_payload(woody, payload, payload_position); woody->Ehdr->e_entry = payload_position; - woody->Phdr[i].p_filesz += len_payload; - woody->Phdr[i].p_memsz += len_payload; + woody->Phdr[i].p_filesz += payload->len; + woody->Phdr[i].p_memsz += payload->len; printf("New entry = %ld (%lx)\n", woody->Ehdr->e_entry, woody->Ehdr->e_entry); }