/*
 * Mutation rule for the PT_GNU_EH_FRAME program header entry.
 *
 * Applies only when the current entry (orcPHT) is PT_GNU_EH_FRAME.  Every
 * field except p_type is then overwritten with a value drawn from the
 * getElf_* helpers; p_offset is only overwritten about one time in three.
 * The resulting values are written to logfp.
 *
 * Returns 1 when the entry was mutated, 0 when it was not a
 * PT_GNU_EH_FRAME entry and nothing was changed.
 */
int pht18(void)
{
    /* This rule targets the exception-handling frame header only. */
    if(orcPHT->p_type != PT_GNU_EH_FRAME)
        return 0;

    /* ~33% chance that the file offset is corrupted as well. */
    if(rand() % 3 == 0)
        orcPHT->p_offset = getElf_Off();

    orcPHT->p_vaddr = getElf_Addr();

    /* p_filesz / p_memsz are Word-sized on 32-bit and Xword-sized on 64-bit. */
#if defined(__i386__)
    orcPHT->p_filesz = getElf_Word();
    orcPHT->p_memsz  = getElf_Word();
#elif defined(__x86_64__)
    orcPHT->p_filesz = getElf_Xword();
    orcPHT->p_memsz  = getElf_Xword();
#endif

    orcPHT->p_flags = getElf_Word();

#if defined(__i386__)
    orcPHT->p_align = getElf_Word();
#elif defined(__x86_64__)
    orcPHT->p_align = getElf_Xword();
#endif

    /* Record the mutated entry so a crash can be traced back to this rule. */
    fprintf(logfp, "(PHT[%d]->p_offset = 0x"HEX",", ph, orcPHT->p_offset);
    fprintf(logfp, " p_vaddr = 0x"HEX",", orcPHT->p_vaddr);
    fprintf(logfp, " p_filesz = 0x"HEX",", orcPHT->p_filesz);
    fprintf(logfp, " p_memsz = 0x"HEX",", orcPHT->p_memsz);
    fprintf(logfp, " p_flags = 0x%x,", orcPHT->p_flags);
    fprintf(logfp, " p_align = 0x"HEX")", orcPHT->p_align);

    return 1;
}
int rel2(void)
{
    if(rand() % 3 < 2)
        return 0;

    if(rand() % 4 < 3) { // 75% chance to only change its related Symbol Table index
        Elf_Section sym_ndx;

        if(rand() % 2)
            sym_ndx = rand() % orcHDR->e_shnum; // A random but valid Symbol Table index within the SHT
        else
            sym_ndx = getElf_Section();

        if(orcSHT->sh_type == SHT_REL)
            orcREL->r_info  = ELF_R_INFO(sym_ndx, ELF_R_TYPE(orcREL->r_info));
        else
            orcRELA->r_info = ELF_R_INFO(sym_ndx, ELF_R_TYPE(orcRELA->r_info));
    } else {
        if(orcSHT->sh_type == SHT_REL)
#if defined(__i386__)
            orcREL->r_info = getElf_Word();
#elif defined(__x86_64__)
            orcREL->r_info = getElf_Xword();
#endif
        else
#if defined(__i386__)
            orcRELA->r_info = getElf_Word();
#elif defined(__x86_64__)
            orcRELA->r_info = getElf_Xword();
#endif
    }
/*
 * Mutation rule for the p_filesz / p_memsz pair of the current program
 * header entry (orcPHT).
 *
 * One of three strategies is chosen at random:
 *   0: p_filesz = 0 and p_memsz = a non-zero, page-aligned value;
 *   1: p_filesz = a random value and p_memsz = 0;
 *   2: either both fields zeroed, or only p_memsz replaced.
 * The final values are written to logfp.
 *
 * Returns 1 when the entry was mutated, 0 when it was deliberately skipped:
 * PT_INTERP 80% of the time, PT_DYNAMIC under mode DYN, PT_NOTE under
 * mode NOTE.
 */
int pht4(void)
{
    /* rand() is only consumed when the entry really is PT_INTERP. */
    if(orcPHT->p_type == PT_INTERP && rand() % 5 < 4)
        return 0;

    if(orcPHT->p_type == PT_DYNAMIC && (mode & DYN))
        return 0;

    if(orcPHT->p_type == PT_NOTE && (mode & NOTE))
        return 0;

#if defined(__i386__)
    Elf_Word  candidate;
#elif defined(__x86_64__)
    Elf_Xword candidate;
#endif

    switch(rand() % 3) {
    case 0:
        /* Zero p_filesz and keep drawing until a page-aligned p_memsz shows
         * up.  If the helper returns 0 before that, p_memsz is left as is. */
        orcPHT->p_filesz = 0;
#if defined(__i386__)
        while((candidate = getElf_Word()) != 0) {
#elif defined(__x86_64__)
        while((candidate = getElf_Xword()) != 0) {
#endif
            if(candidate % PAGESIZE == 0) {
                orcPHT->p_memsz = candidate;
                break;
            }
        }
        break;

    case 1:
#if defined(__i386__)
        orcPHT->p_filesz = getElf_Word();
#elif defined(__x86_64__)
        orcPHT->p_filesz = getElf_Xword();
#endif
        orcPHT->p_memsz = 0;
        break;

    default:
        if(rand() % 2) {
            orcPHT->p_filesz = 0;
            orcPHT->p_memsz  = 0;
        } else {
            /* NOTE(review): a Word is used here even on x86_64, unlike the
             * other branches which use an Xword there — presumably meant to
             * produce a small p_memsz; confirm. */
            orcPHT->p_memsz = getElf_Word();
        }
        break;
    }

    fprintf(logfp, "(PHT[%d]->p_filesz = 0x"HEX",", ph, orcPHT->p_filesz);
    fprintf(logfp, " p_memsz = 0x"HEX")", orcPHT->p_memsz);

    return 1;
}
/*
 * Mutation rule for p_filesz of the current program header entry (orcPHT).
 *
 * Two times out of three the new p_filesz is forced to be >= p_memsz
 * (p_filesz greater than p_memsz is invalid per the ELF spec); otherwise
 * any value from the getElf_* helpers is accepted.  The result is written
 * to logfp.
 *
 * Returns 1 when the entry was mutated, 0 when it was deliberately skipped:
 * PT_INTERP 80% of the time, PT_DYNAMIC under mode DYN, PT_NOTE under
 * mode NOTE.
 */
int pht7(void)
{
    /* rand() is only consumed when the entry really is PT_INTERP. */
    if(orcPHT->p_type == PT_INTERP && rand() % 5 < 4)
        return 0;

    if(orcPHT->p_type == PT_DYNAMIC && (mode & DYN))
        return 0;

    if(orcPHT->p_type == PT_NOTE && (mode & NOTE))
        return 0;

#if defined(__i386__)
    Elf_Word  candidate;
#elif defined(__x86_64__)
    Elf_Xword candidate;
#endif

    if(rand() % 3 < 2) {
        /* Keep drawing until a non-zero value >= p_memsz turns up.  If the
         * helper returns 0 first, p_filesz keeps its current value. */
#if defined(__i386__)
        while((candidate = getElf_Word()) != 0) {
#elif defined(__x86_64__)
        while((candidate = getElf_Xword()) != 0) {
#endif
            if(candidate >= orcPHT->p_memsz) {
                orcPHT->p_filesz = candidate;
                break;
            }
        }
    } else {
#if defined(__i386__)
        orcPHT->p_filesz = getElf_Word();
#elif defined(__x86_64__)
        orcPHT->p_filesz = getElf_Xword();
#endif
    }

    fprintf(logfp, "(PHT[%d]->p_filesz = 0x"HEX")", ph, orcPHT->p_filesz);

    return 1;
}
void fuzzSize()
{
	if((rand() % 4) < 3){ // 75% chance
		if(rand() % 2)
#if defined(__i386__) || defined(__ANDROID_API__)
			orcSHT->sh_size = getElf_Word();
#elif defined(__x86_64__)
			orcSHT->sh_size = getElf_Xword();
#endif
		else
			orcSHT->sh_size = getElf_Half();
	} else
/*
 * Mutation rule for st_size of the current symbol table entry (orcSYM).
 *
 * On 32-bit the field is always replaced with a Word; on 64-bit it is an
 * Xword two times out of three and a (smaller) Word otherwise.  The new
 * value is written to logfp.
 *
 * Always returns 1: this rule never declines to mutate.
 */
int sym4(void)
{
#if defined(__i386__)
	orcSYM->st_size = getElf_Word();
#elif defined(__x86_64__)
	/* ~67% full-width value, ~33% a 32-bit one. */
	orcSYM->st_size = (rand() % 3 < 2) ? getElf_Xword() : getElf_Word();
#endif

	fprintf(logfp, "(SYM[%d]->st_size = 0x"HEX")", entry, orcSYM->st_size);

	return 1;
}
/*
 * Mutation rule for p_align of the current program header entry (orcPHT).
 *
 * Half of the time p_align is set to a value one off from PAGESIZE (either
 * PAGESIZE - 1 or PAGESIZE + 1, neither of which is a power of two); the
 * other half it is replaced with a value from the getElf_* helpers.  The
 * result is written to logfp.
 *
 * Always returns 1: this rule never declines to mutate.
 */
int pht5(void)
{
    int near_page = rand() % 2;

    if(near_page) {
        orcPHT->p_align = (rand() % 2) ? PAGESIZE - 1 : PAGESIZE + 1;
    } else {
#if defined(__i386__)
        orcPHT->p_align = getElf_Word();
#elif defined(__x86_64__)
        orcPHT->p_align = getElf_Xword();
#endif
    }

    fprintf(logfp, "(PHT[%d]->p_align = 0x"HEX")", ph, orcPHT->p_align);

    return 1;
}
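/*
 * Mutation rule for the reserved STN_UNDEF symbol (index 0).
 *
 * Only applies when the current entry is STN_UNDEF, and even then only
 * half of the time.  Every field of the entry (st_size, st_value, st_info,
 * st_other, st_shndx, st_name) is overwritten with a random value; the
 * result is written to logfp.
 *
 * Returns 1 when the entry was mutated, 0 when it was skipped.
 */
int sym1(void)
{
	if(entry != STN_UNDEF)
		return 0;

	if(rand() % 2)
		return 0;

#if defined(__i386__)
	orcSYM->st_size = getElf_Word();
#elif defined(__x86_64__)
	/* ~67% full-width value, ~33% a 32-bit one. */
	if(rand() % 3 < 2)
		orcSYM->st_size = getElf_Xword();
	else
		orcSYM->st_size = getElf_Word();
#endif

	orcSYM->st_value = getElf_Addr();
	orcSYM->st_info  = rand() & 0xff;
	orcSYM->st_other = rand() & 0xff;

	/* 25% any section index; otherwise an index within the SHT.  The
	 * e_shnum == 0 guard avoids a modulo by zero (undefined behaviour) when
	 * the header reports no sections, and falls back to a random index. */
	if(rand() % 4 == 0 || orcHDR->e_shnum == 0)
		orcSYM->st_shndx = getElf_Section();
	else
		orcSYM->st_shndx = rand() % orcHDR->e_shnum;

	/* 25% any string table offset; otherwise a small one (0..255). */
	if(rand() % 4 == 0)
		orcSYM->st_name = getElf_Word();
	else
		orcSYM->st_name = rand() & 0xff;

	fprintf(logfp, "(SYM[%d]->st_value = 0x"HEX",", entry, orcSYM->st_value);
	fprintf(logfp, " st_size = 0x"HEX",", orcSYM->st_size);
	fprintf(logfp, " st_info = 0x%x,", orcSYM->st_info);
	fprintf(logfp, " st_other = 0x%x,", orcSYM->st_other);
	fprintf(logfp, " st_shndx = 0x%x,", orcSYM->st_shndx);
	fprintf(logfp, " st_name = 0x%x)", orcSYM->st_name);

	return 1;
}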
/*
 * Turn the first program header of type from_type (searched in orcOrigPHT)
 * into a PT_DYNAMIC entry and log the change.
 *
 * Returns 1 when an entry was retyped, 0 when a matching entry exists but
 * mode DYN forbids touching it, and -1 when no entry of that type exists.
 */
static int pht22_retype(Elf_Word from_type)
{
	Elf_Phdr *cur = orcOrigPHT;

	for(int p = 0; p < orcHDR->e_phnum; p++, cur++) {
		if(cur->p_type != from_type)
			continue;

		if(mode & DYN)
			return 0;

		cur->p_type = PT_DYNAMIC;

		fprintf(logfp, "(PHT[%d]->p_type = 0x%x)", p, cur->p_type);

		return 1;
	}

	return -1;
}

/*
 * Mutation rule around the PT_DYNAMIC program header.
 *
 * If the original PHT (orcOrigPHT) already has a PT_DYNAMIC entry, half of
 * the time all of its fields (p_offset only one time in three) are replaced
 * with values from the getElf_* helpers.  If there is none, the first
 * PT_NULL entry — or, failing that, the first PT_GNU_STACK entry — is
 * retyped to PT_DYNAMIC so the file gains a dynamic segment it never had.
 * Under mode DYN nothing is touched.  Every change is written to logfp.
 *
 * Returns 1 when a mutation was made, 0 otherwise.
 */
int pht22(void)
{
    Elf_Phdr *dyn = NULL;
    int p;

    for(p = 0; p < orcHDR->e_phnum; p++) {
        if(orcOrigPHT[p].p_type == PT_DYNAMIC) {
            dyn = &orcOrigPHT[p];
            break;
        }
    }

    if(dyn == NULL) {
        /* Overwriting a PT_NULL entry takes priority over a PT_GNU_STACK. */
        int rc = pht22_retype(PT_NULL);
        if(rc < 0)
            rc = pht22_retype(PT_GNU_STACK);
        return rc < 0 ? 0 : rc;
    }

    if(mode & DYN)
        return 0;

    /* PT_DYNAMIC is important: only mutate it half of the time. */
    if(rand() % 2)
        return 0;

    if(rand() % 3 == 0)
        dyn->p_offset = getElf_Off();

    dyn->p_vaddr = getElf_Addr();

#if defined(__i386__)
    dyn->p_filesz = getElf_Word();
    dyn->p_memsz  = getElf_Word();
#elif defined(__x86_64__)
    dyn->p_filesz = getElf_Xword();
    dyn->p_memsz  = getElf_Xword();
#endif

    dyn->p_flags = getElf_Word();

#if defined(__i386__)
    dyn->p_align = getElf_Word();
#elif defined(__x86_64__)
    dyn->p_align = getElf_Xword();
#endif

    fprintf(logfp, "(PHT[%d]->p_offset = 0x"HEX",", p, dyn->p_offset);
    fprintf(logfp, " p_vaddr = 0x"HEX",", dyn->p_vaddr);
    fprintf(logfp, " p_filesz = 0x"HEX",", dyn->p_filesz);
    fprintf(logfp, " p_memsz = 0x"HEX",", dyn->p_memsz);
    fprintf(logfp, " p_flags = 0x%x,", dyn->p_flags);
    fprintf(logfp, " p_align = 0x"HEX")", dyn->p_align);

    return 1;
}