From 88ff8d7aaa5a91143918aa2fd627de80e02bd8ce Mon Sep 17 00:00:00 2001
From: pbonilla
Date: Wed, 17 Apr 2024 15:08:56 +0200
Subject: [PATCH 1/2] Search for jump value instead of E9 Decrypt rot1 ~OK
---
 Makefile | 2 +-
 includes/woody.h | 4 +++-
 print.s | 20 ++++++++++----------
 srcs/woody.c | 15 +++++----------
 4 files changed, 19 insertions(+), 22 deletions(-)
diff --git a/Makefile b/Makefile
index c441a74..6ecb028 100644
--- a/Makefile
+++ b/Makefile
@@ -16,7 +16,7 @@ RM = rm -f
 LIBFT_FLAGS = ft_printf/libftprintf.a
-CFLAGS = -Wall -Wextra -Werror
+CFLAGS = -Wall -Wextra -Werror -g3
 all: ${NAME}
diff --git a/includes/woody.h b/includes/woody.h
index 6183a7b..d2d3b51 100644
--- a/includes/woody.h
+++ b/includes/woody.h
@@ -16,7 +16,9 @@
 #define JUMP "\xe9"
-#define WOODY "..WOODY.."
+#define WOODY "....WOODY...."
+#define JUMP_VALUE "\xda\xda\xda"
+
 #define TEXT_OFFSET "\xba\xba\xba\xba\xba\xba\xba\xba"
 #define SECTION_SIZE "\xca\xca\xca\xca\xca\xca\xca\xca"
diff --git a/print.s b/print.s
index 5c2c123..0b5475f 100644
--- a/print.s
+++ b/print.s
@@ -14,15 +14,15 @@ _start:
 mov r8, qword [rel section_sisze] ;text_section size
 mov r9, 0 ;increment register
 xor r10, r10
- ; encrypt:
- ; cmp r8, r9
- ; je end_encrypt
- ; mov r10b, byte[rax + r9]
- ; inc r10b ;rot + 1
- ; mov byte[rax + r9], r10b
- ; inc r9
- ; jmp encrypt
- ; end_encrypt:
+ encrypt:
+ cmp r8, r9
+ je end_encrypt
+ movzx r10, byte[rax + r9]
+ inc r10b ;rot + 1
+ mov byte[rax + r9], r10b
+ inc r9
+ jmp encrypt
+ end_encrypt:
 mov rdx, 14
 mov rax, 1
 syscall
@@ -31,7 +31,7 @@ _start:
 pop rdi
 pop rax
- jmp 0x00000000 ;for now it needs to be the first jmp
+ jmp 0xdadadada
 msg db "....WOODY....",10
 text_section dq 0xbabababababababa
 section_sisze dq 0xcacacacacacacaca
diff --git a/srcs/woody.c b/srcs/woody.c
index 3344599..e097122 100644
--- a/srcs/woody.c
+++ b/srcs/woody.c
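Review bot: `JUMP_VALUE` is only three bytes although the placeholder it has to locate is the four-byte operand of `jmp 0xdadadada` in print.s, and the header does not say why; as far as I can tell the assembler emits that jump as E9 plus a rel32 computed from the stub's own position, so the low operand byte is not 0xda and only the upper three bytes survive, which the `ptr_jmp_value - sizeof(JUMP)` arithmetic in srcs/woody.c silently depends on. I would comment the macro: `/* upper 3 bytes of the rel32 of the placeholder jmp in print.s; the assembler rewrites the low byte */`. Because `\xda`, `\xba`, `\xca` and `....WOODY....` are located with a plain substring search, a note that these patterns must not occur anywhere else in the stub, plus a check that each one is found exactly once, would also be worth adding.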
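Review bot: The loop now enabled under the `encrypt:` label does the inverse of srcs/encrypt.c (`inc r10b` versus `file[offset + i] - 1`), so what it performs at run time is the decryption, and the label and the `;rot + 1` comment hide that. I would rename the labels to `decrypt:`/`end_decrypt:` (and the `jmp encrypt`/`je end_encrypt` references) and write the comment as `; undo the rot-1 applied by srcs/encrypt.c at infection time`. The `mov byte[rax + r9], r10b` store only works because the C side later sets `PF_W` on the segment; that assumption belongs in a comment at the loop head. `_start` begins and ends outside the hunk, and `rax` is set up outside it as well.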
@@ -99,15 +99,14 @@ t_payload *get_payload()
 int insert_payload(t_elf_content *woody, t_payload *payload, size_t payload_position)
 {
- char *ptr_jmp = ft_strnstr_nullterminated(payload->payload, JUMP, payload->len);
+ char *ptr_jmp_value = ft_strnstr_nullterminated(payload->payload, JUMP_VALUE, payload->len);
 char *ptr_woody = ft_strnstr_nullterminated(payload->payload, WOODY, payload->len);
 char *ptr_text_section = ft_strnstr_nullterminated(payload->payload, TEXT_OFFSET, payload->len);
 char *ptr_section_size = ft_strnstr_nullterminated(payload->payload, SECTION_SIZE, payload->len);
- if (ptr_jmp && ptr_woody && ptr_text_section && ptr_section_size)
+ if (ptr_jmp_value && ptr_woody && ptr_text_section && ptr_section_size)
 {
 int32_t woody_index = ptr_woody - payload->payload;
-
- int32_t jmp_index = ptr_jmp - payload->payload;
+ int32_t jmp_index = ptr_jmp_value - sizeof(JUMP) - payload->payload;
 int32_t jump_value = ((payload_position + jmp_index + 5) - woody->Ehdr->e_entry) * -1; // 5 = JUMP SIZE (OPCODE + 4 bytes operand)
 ft_memcpy(&payload->payload[jmp_index + 1], &jump_value, sizeof(jump_value));
@@ -121,10 +120,6 @@ int insert_payload(t_elf_content *woody, t_payload *payload, size_t payload_posi
 ft_memcpy(woody->file + payload_position, payload->payload, payload->len);
- printf("jmp_index : %d (%x)\n", jmp_index, jmp_index);
- printf("woody index :%d (%x)\n", woody_index, woody_index);
- printf("jmp_index++ : %ld (%lx)\n", jmp_index + sizeof(JUMP) + sizeof(jump_value), jmp_index + sizeof(JUMP) + sizeof(jump_value) - 1);
- printf("text_value : %ld (%lx)\n", text_value, text_value);
 printf("Old entry : %ld (%lx)\n", woody->Ehdr->e_entry, woody->Ehdr->e_entry);
 printf("Code cave start = %ld (%lx)\n", payload_position, payload_position);
 printf("Payload size = %ld (%lx)\n", payload->len, payload->len);
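Review bot: `int32_t jmp_index = ptr_jmp_value - sizeof(JUMP) - payload->payload;` relies on `sizeof(JUMP)` being 2 — the literal `"\xe9"` counts its terminator — to step back over the E9 opcode and the one operand byte that `JUMP_VALUE` does not cover; that is right by coincidence and unreadable, so I would write it as `int32_t jmp_index = (ptr_jmp_value - 2) - payload->payload; /* E9 opcode + low rel32 byte precede the JUMP_VALUE match */` and check `jmp_index + 5 <= payload->len` before the `ft_memcpy` into `payload->payload[jmp_index + 1]`. `jump_value` also subtracts the virtual address `e_entry` from the file offset `payload_position`; if I read it right the displacement is only correct when the target segment's `p_vaddr` equals its `p_offset`, so the payload's run-time address should be derived as `p_vaddr + (payload_position - p_offset)` (the same assumption remains in the insert_payload hunks of the second patch). The `* -1` is evaluated on an unsigned 64-bit value and only yields the intended negative through wraparound and truncation to `int32_t`; computing the difference in `int64_t` first would make that explicit. The rest of insert_payload is outside the hunk.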
@@ -159,7 +154,7 @@ void inject(t_elf_content *woody)
 woody->Phdr[i].p_filesz += payload->len;
 woody->Phdr[i].p_memsz += payload->len;
 woody->Phdr[i].p_flags = PF_X | PF_W | PF_R;
- woody->text_section->sh_size += payload->len;
+ // woody->text_section->sh_size += payload->len;
 printf("New entry = %ld (%lx)\n", woody->Ehdr->e_entry, woody->Ehdr->e_entry);
 }
@@ -216,7 +211,7 @@ int prepare_injection(t_elf_content *woody)
 if (elf_statut) return elf_statut;
 inject(woody);
- // encrypt(woody->file, woody->text_section->sh_offset, woody->text_section->sh_size);
+ encrypt(woody->file, woody->text_section->sh_offset, woody->text_section->sh_size);
 char *woody_file;
 if (!(woody_file = malloc(woody->file_size))) return ft_put_error("Allocation error");
-- 
2.20.1
From 2c14d6f0c52b3ec72e0359d6622dec0c50cab9cf Mon Sep 17 00:00:00 2001
From: pbonilla
Date: Fri, 19 Apr 2024 11:41:15 +0200
Subject: [PATCH 2/2] infection of PT_LOAD reference to text section removed multiple infections OK
---
 includes/woody.h | 1 -
 resources/sample.c | 2 +-
 srcs/encrypt.c | 4 ++++
 srcs/main.c | 6 +++---
 srcs/woody.c | 50 +++++++++-------------------------------
 5 files changed, 17 insertions(+), 46 deletions(-)
diff --git a/includes/woody.h b/includes/woody.h
index d2d3b51..0833ae4 100644
--- a/includes/woody.h
+++ b/includes/woody.h
@@ -36,7 +36,6 @@ typedef struct elf_content
 Elf64_Ehdr *Ehdr;
 Elf64_Phdr *Phdr;
 Elf64_Shdr *Shdr;
- Elf64_Shdr *text_section;
 char *extra_data;
 } t_elf_content;
diff --git a/resources/sample.c b/resources/sample.c
index 5fffccb..3b68c69 100644
--- a/resources/sample.c
+++ b/resources/sample.c
@@ -2,6 +2,6 @@ int main(void) {
- printf("Hello, World!\n");
+ ft_printf("Hello, World!\n");
 return (0x0);
 }
diff --git a/srcs/encrypt.c b/srcs/encrypt.c
index f7866d7..c57c8f1 100644
--- a/srcs/encrypt.c
+++ b/srcs/encrypt.c
@@ -8,4 +8,8 @@ void encrypt(char *file, unsigned long int offset, unsigned long int size)
 file[offset + i] = file[offset + i] - 1;
 ++i;
 }
+ printf("\nENCRYPTION : \n");
+ printf(" File encrypted from %ld (%lx) to %ld (%lx)\n", offset, offset, offset + size, offset + size);
+ printf(" Size of encryption = %ld (%lx)\n", size, size);
+ printf("\n");
 }
\ No newline at end of file
diff --git a/srcs/main.c b/srcs/main.c
index 807f492..173f3e1 100644
--- a/srcs/main.c
+++ b/srcs/main.c
@@ -8,14 +8,14 @@ int get_elf_file(t_elf_content *woody)
 fd = open(woody->file_path, O_RDONLY);
 if (fd < 0) {
- ft_printf("Error: Failed to open \'%s\'\n", woody->file_path);
+ printf("Error: Failed to open \'%s\'\n", woody->file_path);
 return EXIT_FAILURE;
 }
 off = lseek(fd, 0, SEEK_END);
 if (off == -1) {
 close(fd);
- ft_printf("Error: Failed to read file offset \'%s\'\n", woody->file_path);
+ printf("Error: Failed to read file offset \'%s\'\n", woody->file_path);
 return EXIT_FAILURE;
 }
 woody->file_size = off;
@@ -23,7 +23,7 @@ int get_elf_file(t_elf_content *woody)
 if (woody->file == MAP_FAILED) {
 close(fd);
- ft_printf("Error: Failed to map file \'%s\'\n", woody->file_path);
+ printf("Error: Failed to map file \'%s\'\n", woody->file_path);
 return EXIT_FAILURE;
 }
 close(fd);
diff --git a/srcs/woody.c b/srcs/woody.c
index e097122..580758c 100644
--- a/srcs/woody.c
+++ b/srcs/woody.c
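Review bot: `encrypt` writes `file[offset + i]` for `size` bytes with no bound to check against, and the new caller in srcs/woody.c (the `inject` hunk) passes `p_memsz`, which can exceed `p_filesz` when the PT_LOAD carries .bss, so the loop can run past the segment's file bytes and past the end of the mapping. I would give it the mapping size (`void encrypt(char *file, size_t file_size, ...)`, or clamp in the caller), reject `offset + size > file_size` — checking the addition for overflow — before the loop, and pass `p_filesz` rather than `p_memsz`; the `section_value` that insert_payload hands to the stub should then be that same rotated byte count. The added `printf` calls format `unsigned long` arguments with `%ld`; `%lu` is the matching specifier, and the diagnostics would be better on stderr or behind a verbose flag. The function's declaration and loop head are outside the hunk.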
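Review bot: The messages switched from `ft_printf` to `printf` still go to stdout, interleaved with the program's normal output, and omit why the call failed. `fprintf(stderr, "Error: Failed to open '%s': %s\n", woody->file_path, strerror(errno));` (or `perror`) is the usual form; the same applies to the other two messages in this hunk, the three in `save_elf` and the one in `get_elf_sections` in srcs/woody.c. get_elf_file's declarations are outside the hunk.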
@@ -9,18 +9,18 @@ int save_elf(char *path, char *file, unsigned long int size) {
 int fd = open(path, O_CREAT | O_WRONLY | O_TRUNC, 0755);
 if (fd == -1) {
- ft_printf("Error: Failed to create new file \'%s\'\n", path);
+ printf("Error: Failed to create new file \'%s\'\n", path);
 return EXIT_FAILURE;
 }
 if (write(fd, file, size) == -1) {
 close(fd);
- ft_printf("Error: Failed to write new file \'%s\'\n", path);
+ printf("Error: Failed to write new file \'%s\'\n", path);
 return EXIT_FAILURE;
 }
 if (close(fd) == -1) {
- ft_printf("Error: Failed to close new file \'%s\'\n", path);
+ printf("Error: Failed to close new file \'%s\'\n", path);
 return EXIT_FAILURE;
 }
 return EXIT_SUCCESS;
@@ -97,7 +97,7 @@ t_payload *get_payload()
 return payload;
 }
-int insert_payload(t_elf_content *woody, t_payload *payload, size_t payload_position)
+int insert_payload(t_elf_content *woody, t_payload *payload, size_t payload_position, int load_segment_index)
 {
 char *ptr_jmp_value = ft_strnstr_nullterminated(payload->payload, JUMP_VALUE, payload->len);
 char *ptr_woody = ft_strnstr_nullterminated(payload->payload, WOODY, payload->len);
@@ -111,11 +111,11 @@ int insert_payload(t_elf_content *woody, t_payload *payload, size_t payload_posi
 ft_memcpy(&payload->payload[jmp_index + 1], &jump_value, sizeof(jump_value));
 int64_t text_index = ptr_text_section - payload->payload;
- int64_t text_value = payload_position - woody->Ehdr->e_entry + woody_index;
+ int64_t text_value = payload_position - woody->Phdr[load_segment_index].p_offset + woody_index;
 ft_memcpy(&payload->payload[text_index], &text_value, sizeof(text_value));
 int64_t section_index = ptr_section_size - payload->payload;
- int64_t section_value = woody->text_section->sh_size;
+ int64_t section_value = woody->Phdr[load_segment_index].p_memsz; //woody->text_section->sh_size;
 ft_memcpy(&payload->payload[section_index], §ion_value, sizeof(section_value));
 ft_memcpy(woody->file + payload_position, payload->payload, payload->len);
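Review bot: `int64_t section_value = woody->Phdr[load_segment_index].p_memsz; //woody->text_section->sh_size;` keeps the superseded expression as a trailing comment; delete it and instead say what the value means to the stub, e.g. `// byte count the stub rotates back at run time; must equal what encrypt() rotated`. `text_value` deserves the same treatment: it is the distance from the segment's file start to the `msg` label, and presumably only usable at run time because file-offset deltas inside one PT_LOAD equal virtual-address deltas — worth stating on the line. The enclosing insert_payload starts outside the hunk.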
@@ -148,30 +148,22 @@ void inject(t_elf_content *woody)
 {
 payload_position = create_codecave(woody, &woody->Phdr[i], payload);
 }
- insert_payload(woody, payload, payload_position);
+ encrypt(woody->file, woody->Phdr[i].p_offset, woody->Phdr[i].p_memsz);
+ insert_payload(woody, payload, payload_position, i);
 woody->Ehdr->e_entry = payload_position;
 woody->Phdr[i].p_filesz += payload->len;
 woody->Phdr[i].p_memsz += payload->len;
 woody->Phdr[i].p_flags = PF_X | PF_W | PF_R;
- // woody->text_section->sh_size += payload->len;
 printf("New entry = %ld (%lx)\n", woody->Ehdr->e_entry, woody->Ehdr->e_entry);
 }
-int is_special_section_indice(uint16_t section_index) {
- return (section_index == SHN_LOPROC || section_index == SHN_BEFORE ||
- section_index == SHN_AFTER || section_index == SHN_HIPROC ||
- section_index == SHN_LOOS || section_index == SHN_HIOS ||
- section_index == SHN_ABS || section_index == SHN_COMMON ||
- section_index == SHN_XINDEX || section_index == SHN_HIRESERVE);
-}
 int get_elf_sections(t_elf_content *woody)
 {
 woody->Ehdr = (Elf64_Ehdr *)fetch(woody->file, woody->file_size, 0, sizeof(Elf64_Ehdr));
 if (!woody->Ehdr || !elf_magic_numbers(woody->file) || woody->Ehdr->e_ident[EI_CLASS] != ELFCLASS64) {
- ft_printf("Error: \'%s\' is not a valid 64-bit ELF file\n", woody->file_path);
+ printf("Error: \'%s\' is not a valid 64-bit ELF file\n", woody->file_path);
 return EXIT_FAILURE;
 }
 woody->Phdr = (Elf64_Phdr *)fetch(woody->file, woody->file_size, woody->Ehdr->e_phoff, sizeof(Elf64_Phdr));
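Review bot: `encrypt(...)` now runs before `insert_payload`, which keeps the stub's bytes out of the rotated range at infection time, but the stub is handed `section_value` = the original `p_memsz` and rotates that many bytes from whatever base it derives from `text_section`; if `create_codecave` places the payload inside the original segment range rather than after it, the run-time loop would rotate the stub's own bytes (`msg`, the final jump) as well — I cannot verify the placement from here. I would document the ordering on the call, `// rotate the original segment first so the stub written next stays in clear; payload must lie beyond the original p_filesz`, and check `payload_position >= woody->Phdr[i].p_offset + woody->Phdr[i].p_filesz` before it. The unchanged `p_flags = PF_X | PF_W | PF_R` leaves the segment writable and executable in the output binary; if write access is only needed for the in-place rotation, say so in a comment so it is not read as intended. `inject` begins outside the hunk, as does the branch the first closing brace belongs to.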
@@ -179,29 +171,6 @@ int get_elf_sections(t_elf_content *woody)
 woody->Shdr = (Elf64_Shdr *)fetch(woody->file, woody->file_size, woody->Ehdr->e_shoff, sizeof(Elf64_Shdr));
 if (!woody->Shdr|| !fetch(woody->file, woody->file_size, woody->Ehdr->e_shoff, woody->Ehdr->e_shnum * sizeof(Elf64_Shdr))) return EXIT_FAILURE;
-
- if (!fetch(woody->file, woody->file_size, woody->Ehdr->e_shoff + (woody->Ehdr->e_shstrndx * sizeof(Elf64_Shdr)), sizeof(Elf64_Shdr)))
- {
- return EXIT_FAILURE;
- }
- char *Sshstrtab = (char *)fetch(woody->file, woody->file_size, woody->Shdr[woody->Ehdr->e_shstrndx].sh_offset, 0);
- if (Sshstrtab == NULL)
- {
- return EXIT_FAILURE;
- }
- for (int j = 0; j < woody->Ehdr->e_shnum;j++)
- {
- if (woody->Shdr[j].sh_name > woody->Shdr[woody->Ehdr->e_shstrndx].sh_size) return EXIT_FAILURE;
- if (woody->Shdr[j].sh_type == SHT_PROGBITS && woody->Shdr[j].sh_flags & SHF_EXECINSTR &&
- woody->Shdr[j].sh_flags & SHF_ALLOC &&
- Sshstrtab + woody->Shdr[j].sh_name < (char *)woody->file + woody->file_size &&
- !ft_strncmp(".text\0", Sshstrtab + woody->Shdr[j].sh_name, 6))
- {
- woody->text_section = &woody->Shdr[j];
- break;
- }
- }
-
 return EXIT_SUCCESS;
 }
@@ -211,7 +180,6 @@ int prepare_injection(t_elf_content *woody)
 if (elf_statut) return elf_statut;
 inject(woody);
- encrypt(woody->file, woody->text_section->sh_offset, woody->text_section->sh_size);
 char *woody_file;
 if (!(woody_file = malloc(woody->file_size))) return ft_put_error("Allocation error");
-- 
2.20.1