int main(int argc, char **argv)
{
elfshobj_t *host;
elfshobj_t *rel;
elfshsect_t *txtsect;
elfsh_Sym *puts_troj;
elfsh_Sym *hook_func;
int idx;
u_long addr;
/* Map host file and relocatable file */
rel = elfsh_map_obj(RELOC_FILE);
if (NULL == rel)
goto err;
host = elfsh_map_obj(TROJANED_FILE);
if (NULL == host)
goto err;
/* Inject etrel */
idx = elfsh_inject_etrel(host, rel);
if (idx < 0)
goto err;
/* Get injected's section info */
txtsect = elfsh_get_section_by_name(host, RELOC_FILE".text", NULL, NULL, NULL);
if (txtsect == NULL)
goto err;
puts_troj = elfsh_get_symbol_by_name(host, "puts_troj");
idx = elfsh_hijack_function_by_name(host, ELFSH_HIJACK_TYPE_PLT,
"puts", puts_troj->st_value,
NULL);
if (idx < 0)
goto err;
hook_func = elfsh_get_symbol_by_name(host, "hook_func");
idx = elfsh_hijack_function_by_name(host, ELFSH_HIJACK_TYPE_FLOW,
"legit_func", hook_func->st_value,
NULL);
if (idx < 0)
goto err;
/* Save it */
idx = elfsh_save_obj(host, OUTPUT_FILE);
if (idx < 0)
goto err;
puts("[*] ET_REL injected");
return (0);
err:
elfsh_error();
return (-1);
}
elfshobj_t *elfutils_read_elf_file(char *file)
{
elfshobj_t *eo = elfsh_map_obj(file);
if (!(eo)) {
elfsh_error();
fprintf(stderr,"ERROR");
exit(-1);
}
return eo;
}
int main(int argc, char **argv)
{
elfshobj_t *file;
int ret;
char *name;
elfsh_Sym *sym;
file = elfsh_map_obj(TROJANED_FILE);
if (!file)
{
elfsh_error();
exit(-1);
}
printf("Value for %s retreived from .hash: %8p \n", HASHED_SYMBOL,
elfsh_get_dynsymbol_by_hash(file, HASHED_SYMBOL));
return (0);
}
/**
* Inject a .o into an executable
*/
int cmd_relinject()
{
elfshobj_t *host;
elfshobj_t *rel;
int idx;
char logbuf[BUFSIZ];
PROFILER_IN(__FILE__, __FUNCTION__, __LINE__);
/* Check to avoid non-runtime (static) injection from e2bdg the debugger
that would desynchronize the memory perspective of the program.
The debugger is not supposed to do that, it is a job for elfsh */
if (world.state.revm_mode == REVM_STATE_EMBEDDED &&
elfsh_is_static_mode())
PROFILER_ERR(__FILE__, __FUNCTION__, __LINE__,
"E2dbg must inject in memory, switch to dynamic mode.", -1);
/* Load host file */
idx = atoi(world.curjob->curcmd->param[0]);
host = (idx ? revm_getfile(idx) :
hash_get(&file_hash, world.curjob->curcmd->param[0]));
if (host == NULL)
{
host = elfsh_map_obj(world.curjob->curcmd->param[0]);
if (host == NULL)
PROFILER_ERR(__FILE__, __FUNCTION__, __LINE__,
"Cannot map host file", -1);
}
/* Load relocatable file */
idx = atoi(world.curjob->curcmd->param[1]);
rel = (idx > 0 ? revm_getfile(idx) :
hash_get(&file_hash, world.curjob->curcmd->param[1]));
if (rel == NULL)
{
rel = elfsh_map_obj(world.curjob->curcmd->param[1]);
if (rel == NULL)
PROFILER_ERR(__FILE__, __FUNCTION__, __LINE__,
"Cannot map relocatable file", -1);
}
/* Call libelfsh relocatable object injector */
idx = elfsh_inject_etrel_hash(host, rel,
&world.curjob->loaded,
&world.shared_hash);
if (idx < 0)
PROFILER_ERR(__FILE__, __FUNCTION__, __LINE__,
"Failed to inject ET_REL with workspace", (-1));
/* Success : put the modified object as current */
world.curjob->curfile = host;
if (!world.state.revm_quiet)
{
snprintf(logbuf, BUFSIZ - 1,
"\n [*] ET_REL %s injected succesfully in %s %s\n\n",
rel->name,
(host->hdr->e_type == ET_EXEC ? "ET_EXEC" :
host->hdr->e_type == ET_DYN ? "ET_DYN" :
"unknown host file"),
host->name);
revm_output(logbuf);
}
PROFILER_ROUT(__FILE__, __FUNCTION__, __LINE__, 0);
}
int main(int ac, char **av)
{
mjrsession_t sess;
char *infile,*outfile, *delsym, *rensym;
int opt_R, opt_A, nr;
opt_R = opt_A = 0;
infile = outfile = delsym = rensym = NULL;
while ((nr = getopt(ac, av, "i:o:ARd:r:")) != -1)
{
switch(nr)
{
case 'i':
infile = optarg;
break;
case 'A':
opt_A = 1;
break;
case 'R':
opt_R = 1;
opt_A = 1;
break;
case 'o':
outfile = optarg;
break;
case 'd':
delsym = optarg;
break;
case 'r':
rensym = optarg;
break;
default:
usage();
return 1;
break;
}
}
if (!infile)
{
usage();
return 1;
}
if (!mjr_init_session(&sess))
{
printf("mjrInitSession faild.\n");
exit(1);
}
mjr_create_context_as_current(&sess, elfsh_map_obj(infile));
/*
if (sess->cur->obj == NULL) {
printf("elfsh_map_obj faild.\n");
exit(1);
}
*/
mjr_setup_processor(&sess, NULL);
if (opt_A)
{
mjr_analyse(&sess,NULL, 0);
printf("seen: %d found %d\n",
sess.cur->calls_seen,
sess.cur->calls_found);
}
if (opt_R)
mjr_symtab_rebuild(&sess);
/* just for tests */
if (delsym && mjr_symbol_delete_by_name(&sess,delsym))
printf("deleted %s\n",delsym);
if (rensym)
{
char *o,*n,*brk;
o = strtok_r(rensym, ":", &brk);
n = strtok_r(NULL, ":", &brk);
printf("Rename %s -> %s\n", o, n);
mjr_symbol_rename(&sess,o,n);
}
if (outfile)
elfsh_save_obj(sess.cur->obj,outfile);
return 0;
}
