int main(int argc, char **argv) { elfshobj_t *host; elfshobj_t *rel; elfshsect_t *txtsect; elfsh_Sym *puts_troj; elfsh_Sym *hook_func; int idx; u_long addr; /* Map host file and relocatable file */ rel = elfsh_map_obj(RELOC_FILE); if (NULL == rel) goto err; host = elfsh_map_obj(TROJANED_FILE); if (NULL == host) goto err; /* Inject etrel */ idx = elfsh_inject_etrel(host, rel); if (idx < 0) goto err; /* Get injected's section info */ txtsect = elfsh_get_section_by_name(host, RELOC_FILE".text", NULL, NULL, NULL); if (txtsect == NULL) goto err; puts_troj = elfsh_get_symbol_by_name(host, "puts_troj"); idx = elfsh_hijack_function_by_name(host, ELFSH_HIJACK_TYPE_PLT, "puts", puts_troj->st_value, NULL); if (idx < 0) goto err; hook_func = elfsh_get_symbol_by_name(host, "hook_func"); idx = elfsh_hijack_function_by_name(host, ELFSH_HIJACK_TYPE_FLOW, "legit_func", hook_func->st_value, NULL); if (idx < 0) goto err; /* Save it */ idx = elfsh_save_obj(host, OUTPUT_FILE); if (idx < 0) goto err; puts("[*] ET_REL injected"); return (0); err: elfsh_error(); return (-1); }
elfshobj_t *elfutils_read_elf_file(char *file) { elfshobj_t *eo = elfsh_map_obj(file); if (!(eo)) { elfsh_error(); fprintf(stderr,"ERROR"); exit(-1); } return eo; }
int main(int argc, char **argv) { elfshobj_t *file; int ret; char *name; elfsh_Sym *sym; file = elfsh_map_obj(TROJANED_FILE); if (!file) { elfsh_error(); exit(-1); } printf("Value for %s retreived from .hash: %8p \n", HASHED_SYMBOL, elfsh_get_dynsymbol_by_hash(file, HASHED_SYMBOL)); return (0); }
/** * Inject a .o into an executable */ int cmd_relinject() { elfshobj_t *host; elfshobj_t *rel; int idx; char logbuf[BUFSIZ]; PROFILER_IN(__FILE__, __FUNCTION__, __LINE__); /* Check to avoid non-runtime (static) injection from e2bdg the debugger that would desynchronize the memory perspective of the program. The debugger is not supposed to do that, it is a job for elfsh */ if (world.state.revm_mode == REVM_STATE_EMBEDDED && elfsh_is_static_mode()) PROFILER_ERR(__FILE__, __FUNCTION__, __LINE__, "E2dbg must inject in memory, switch to dynamic mode.", -1); /* Load host file */ idx = atoi(world.curjob->curcmd->param[0]); host = (idx ? revm_getfile(idx) : hash_get(&file_hash, world.curjob->curcmd->param[0])); if (host == NULL) { host = elfsh_map_obj(world.curjob->curcmd->param[0]); if (host == NULL) PROFILER_ERR(__FILE__, __FUNCTION__, __LINE__, "Cannot map host file", -1); } /* Load relocatable file */ idx = atoi(world.curjob->curcmd->param[1]); rel = (idx > 0 ? revm_getfile(idx) : hash_get(&file_hash, world.curjob->curcmd->param[1])); if (rel == NULL) { rel = elfsh_map_obj(world.curjob->curcmd->param[1]); if (rel == NULL) PROFILER_ERR(__FILE__, __FUNCTION__, __LINE__, "Cannot map relocatable file", -1); } /* Call libelfsh relocatable object injector */ idx = elfsh_inject_etrel_hash(host, rel, &world.curjob->loaded, &world.shared_hash); if (idx < 0) PROFILER_ERR(__FILE__, __FUNCTION__, __LINE__, "Failed to inject ET_REL with workspace", (-1)); /* Success : put the modified object as current */ world.curjob->curfile = host; if (!world.state.revm_quiet) { snprintf(logbuf, BUFSIZ - 1, "\n [*] ET_REL %s injected succesfully in %s %s\n\n", rel->name, (host->hdr->e_type == ET_EXEC ? "ET_EXEC" : host->hdr->e_type == ET_DYN ? "ET_DYN" : "unknown host file"), host->name); revm_output(logbuf); } PROFILER_ROUT(__FILE__, __FUNCTION__, __LINE__, 0); }
int main(int ac, char **av) { mjrsession_t sess; char *infile,*outfile, *delsym, *rensym; int opt_R, opt_A, nr; opt_R = opt_A = 0; infile = outfile = delsym = rensym = NULL; while ((nr = getopt(ac, av, "i:o:ARd:r:")) != -1) { switch(nr) { case 'i': infile = optarg; break; case 'A': opt_A = 1; break; case 'R': opt_R = 1; opt_A = 1; break; case 'o': outfile = optarg; break; case 'd': delsym = optarg; break; case 'r': rensym = optarg; break; default: usage(); return 1; break; } } if (!infile) { usage(); return 1; } if (!mjr_init_session(&sess)) { printf("mjrInitSession faild.\n"); exit(1); } mjr_create_context_as_current(&sess, elfsh_map_obj(infile)); /* if (sess->cur->obj == NULL) { printf("elfsh_map_obj faild.\n"); exit(1); } */ mjr_setup_processor(&sess, NULL); if (opt_A) { mjr_analyse(&sess,NULL, 0); printf("seen: %d found %d\n", sess.cur->calls_seen, sess.cur->calls_found); } if (opt_R) mjr_symtab_rebuild(&sess); /* just for tests */ if (delsym && mjr_symbol_delete_by_name(&sess,delsym)) printf("deleted %s\n",delsym); if (rensym) { char *o,*n,*brk; o = strtok_r(rensym, ":", &brk); n = strtok_r(NULL, ":", &brk); printf("Rename %s -> %s\n", o, n); mjr_symbol_rename(&sess,o,n); } if (outfile) elfsh_save_obj(sess.cur->obj,outfile); return 0; }