/*
 * pht18: mutate the PT_GNU_EH_FRAME program header (the entry that points
 * the runtime unwinder at .eh_frame_hdr).
 *
 * Acts only when the current PHT entry (orcPHT) is PT_GNU_EH_FRAME; any
 * other entry is left untouched and 0 is returned.  p_offset is replaced
 * with probability 1/3, the remaining fields (p_vaddr, p_filesz, p_memsz,
 * p_flags, p_align) always.  The width of p_filesz / p_memsz / p_align
 * follows the host ELF class: Elf_Word on i386, Elf_Xword on x86_64.  There
 * is no #else branch, so on any other target those three fields are simply
 * not assigned.
 *
 * Globals: orcPHT (entry being fuzzed), ph (its index, used in the log),
 * logfp (log stream).
 * Returns 1 once the entry has been mutated and logged, 0 otherwise.
 */
int pht18(void)
{
    if (orcPHT->p_type != PT_GNU_EH_FRAME) {
        return 0;
    }

    /* 1/3 chance of also moving the segment's file offset. */
    if (rand() % 3 == 0) {
        orcPHT->p_offset = getElf_Off();
    }

    orcPHT->p_vaddr = getElf_Addr();

    /* Assignment order is kept as offset, vaddr, filesz, memsz, flags, align:
     * the getElf_* helpers are not visible here, but if they draw from the
     * PRNG, reordering them would change the output for a given seed. */
#if defined(__i386__)
    orcPHT->p_filesz = getElf_Word();
    orcPHT->p_memsz = getElf_Word();
#elif defined(__x86_64__)
    orcPHT->p_filesz = getElf_Xword();
    orcPHT->p_memsz = getElf_Xword();
#endif

    orcPHT->p_flags = getElf_Word();

#if defined(__i386__)
    orcPHT->p_align = getElf_Word();
#elif defined(__x86_64__)
    orcPHT->p_align = getElf_Xword();
#endif

    fprintf(logfp, "(PHT[%d]->p_offset = 0x"HEX",", ph, orcPHT->p_offset);
    fprintf(logfp, " p_vaddr = 0x"HEX",", orcPHT->p_vaddr);
    fprintf(logfp, " p_filesz = 0x"HEX",", orcPHT->p_filesz);
    fprintf(logfp, " p_memsz = 0x"HEX",", orcPHT->p_memsz);
    fprintf(logfp, " p_flags = 0x%x,", orcPHT->p_flags);
    fprintf(logfp, " p_align = 0x"HEX")", orcPHT->p_align);

    return 1;
}
int rel2(void) { if(rand() % 3 < 2) return 0; if(rand() % 4 < 3) { // 75% chance to only change its related Symbol Table index Elf_Section sym_ndx; if(rand() % 2) sym_ndx = rand() % orcHDR->e_shnum; // A random but valid Symbol Table index within the SHT else sym_ndx = getElf_Section(); if(orcSHT->sh_type == SHT_REL) orcREL->r_info = ELF_R_INFO(sym_ndx, ELF_R_TYPE(orcREL->r_info)); else orcRELA->r_info = ELF_R_INFO(sym_ndx, ELF_R_TYPE(orcRELA->r_info)); } else { if(orcSHT->sh_type == SHT_REL) #if defined(__i386__) orcREL->r_info = getElf_Word(); #elif defined(__x86_64__) orcREL->r_info = getElf_Xword(); #endif else #if defined(__i386__) orcRELA->r_info = getElf_Word(); #elif defined(__x86_64__) orcRELA->r_info = getElf_Xword(); #endif }
/*
 * pht4: mutate the (p_filesz, p_memsz) pair of the current PHT entry.
 *
 * Skipped (returns 0) with 80% probability for PT_INTERP, and always for
 * PT_DYNAMIC / PT_NOTE when the DYN / NOTE fuzzing modes are active, so
 * that the dedicated fuzzers own those entries.
 *
 * One rand() draw selects one of three equiprobable strategies:
 *   0: p_filesz = 0; p_memsz = a random size that is a multiple of PAGESIZE
 *      (values are drawn until one satisfies p_memsz % PAGESIZE == 0; a draw
 *      of 0 ends the search and leaves p_memsz as it was);
 *   1: p_filesz = random (class-sized), p_memsz = 0;
 *   2: both fields zeroed (50%) or only p_memsz = getElf_Word() (50%) --
 *      note this last draw is Word-sized on both ELF classes.
 *
 * Globals: orcPHT, ph, mode, logfp.  Returns 1 after logging the new sizes.
 */
int pht4(void)
{
    if (orcPHT->p_type == PT_INTERP && rand() % 5 < 4) {   /* 80% chance */
        return 0;
    }
    if (orcPHT->p_type == PT_DYNAMIC && (mode & DYN)) {
        return 0;
    }
    if (orcPHT->p_type == PT_NOTE && (mode & NOTE)) {
        return 0;
    }

#if defined(__i386__)
    Elf_Word candidate;
#elif defined(__x86_64__)
    Elf_Xword candidate;
#endif

    switch (rand() % 3) {
    case 0:
        orcPHT->p_filesz = 0;
        /* Draw until a page-aligned size shows up; 0 stops the search. */
        for (;;) {
#if defined(__i386__)
            candidate = getElf_Word();
#elif defined(__x86_64__)
            candidate = getElf_Xword();
#endif
            if (candidate == 0) {
                break;
            }
            if (candidate % PAGESIZE == 0) {
                orcPHT->p_memsz = candidate;
                break;
            }
        }
        break;

    case 1:
#if defined(__i386__)
        orcPHT->p_filesz = getElf_Word();
#elif defined(__x86_64__)
        orcPHT->p_filesz = getElf_Xword();
#endif
        orcPHT->p_memsz = 0;
        break;

    default:
        if (rand() % 2) {
            orcPHT->p_filesz = 0;
            orcPHT->p_memsz = 0;
        } else {
            orcPHT->p_memsz = getElf_Word();
        }
        break;
    }

    fprintf(logfp, "(PHT[%d]->p_filesz = 0x"HEX",", ph, orcPHT->p_filesz);
    fprintf(logfp, " p_memsz = 0x"HEX")", orcPHT->p_memsz);

    return 1;
}
/*
 * pht7: mutate p_filesz of the current PHT entry.
 *
 * Skipped (returns 0) with 80% probability for PT_INTERP, and always for
 * PT_DYNAMIC / PT_NOTE when the DYN / NOTE fuzzing modes are active.
 *
 * With probability 2/3 the new p_filesz is drawn until it is >= p_memsz
 * (the ELF format requires p_filesz <= p_memsz, so this yields either the
 * boundary case or an invalid segment for loaders to cope with); a draw of
 * 0 ends the search and leaves p_filesz unchanged.  Otherwise p_filesz is
 * simply replaced with a random class-sized value.
 *
 * Globals: orcPHT, ph, mode, logfp.  Returns 1 after logging the field.
 */
int pht7(void)
{
    if (orcPHT->p_type == PT_INTERP && rand() % 5 < 4) {   /* 80% chance */
        return 0;
    }
    if (orcPHT->p_type == PT_DYNAMIC && (mode & DYN)) {
        return 0;
    }
    if (orcPHT->p_type == PT_NOTE && (mode & NOTE)) {
        return 0;
    }

#if defined(__i386__)
    Elf_Word candidate;
#elif defined(__x86_64__)
    Elf_Xword candidate;
#endif

    if (rand() % 3 < 2) {
        /* Search for a value at or above p_memsz; 0 stops the search. */
        for (;;) {
#if defined(__i386__)
            candidate = getElf_Word();
#elif defined(__x86_64__)
            candidate = getElf_Xword();
#endif
            if (candidate == 0) {
                break;
            }
            if (candidate >= orcPHT->p_memsz) {
                orcPHT->p_filesz = candidate;
                break;
            }
        }
    } else {
#if defined(__i386__)
        orcPHT->p_filesz = getElf_Word();
#elif defined(__x86_64__)
        orcPHT->p_filesz = getElf_Xword();
#endif
    }

    fprintf(logfp, "(PHT[%d]->p_filesz = 0x"HEX")", ph, orcPHT->p_filesz);

    return 1;
}
void fuzzSize() { if((rand() % 4) < 3){ // 75% chance if(rand() % 2) #if defined(__i386__) || defined(__ANDROID_API__) orcSHT->sh_size = getElf_Word(); #elif defined(__x86_64__) orcSHT->sh_size = getElf_Xword(); #endif else orcSHT->sh_size = getElf_Half(); } else
/*
 * sym4: replace st_size of the current symbol-table entry.
 *
 * On i386 st_size is a Word, so a Word-sized value is drawn.  On x86_64 a
 * full Xword is drawn 2 times out of 3 and a Word-sized value (i.e. one
 * that fits in 32 bits) otherwise.  No #else branch: other targets leave
 * st_size untouched but still log it.
 *
 * Globals: orcSYM (entry being fuzzed), entry (its index), logfp.
 * Always returns 1.
 */
int sym4(void)
{
#if defined(__i386__)
    orcSYM->st_size = getElf_Word();
#elif defined(__x86_64__)
    orcSYM->st_size = (rand() % 3 < 2) ? getElf_Xword() : getElf_Word();
#endif

    fprintf(logfp, "(SYM[%d]->st_size = 0x"HEX")", entry, orcSYM->st_size);

    return 1;
}
/*
 * pht5: mutate p_align of the current PHT entry.
 *
 * Half of the time p_align becomes PAGESIZE - 1 or PAGESIZE + 1 (each 50%).
 * p_align must be 0 or a positive power of two, so assuming PAGESIZE is a
 * power of two these are deliberately invalid alignments.  Otherwise
 * p_align is replaced with a random class-sized value (Word on i386,
 * Xword on x86_64; no #else branch for other targets).
 *
 * Globals: orcPHT, ph, logfp.  Always returns 1 after logging the field.
 */
int pht5(void)
{
    if (rand() % 2) {
        orcPHT->p_align = (rand() % 2) ? PAGESIZE - 1 : PAGESIZE + 1;
    } else {
#if defined(__i386__)
        orcPHT->p_align = getElf_Word();
#elif defined(__x86_64__)
        orcPHT->p_align = getElf_Xword();
#endif
    }

    fprintf(logfp, "(PHT[%d]->p_align = 0x"HEX")", ph, orcPHT->p_align);

    return 1;
}
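/*
 * sym1: scramble the reserved STN_UNDEF symbol (index 0 of the table).
 *
 * Acts only when the current entry index is STN_UNDEF, and then only half
 * of the time; otherwise returns 0.  Every field of the entry is replaced:
 *   st_size   class-sized random (on x86_64: Xword 2/3, Word 1/3)
 *   st_value  random address
 *   st_info   random byte (binding/type nibbles)
 *   st_other  random byte
 *   st_shndx  1/4 an arbitrary section index from getElf_Section(),
 *             otherwise an index inside the SHT (rand() % e_shnum)
 *   st_name   1/4 a random Word, otherwise a random byte
 *
 * Fix: the in-SHT branch computed rand() % orcHDR->e_shnum unguarded.  When
 * e_shnum is 0 (no section headers, or a header already mutated elsewhere --
 * not verifiable from this function) that is a modulo by zero, i.e.
 * undefined behaviour that raises SIGFPE on x86.  A zero e_shnum now falls
 * back to getElf_Section(); the PRNG draw order is unchanged for e_shnum != 0.
 *
 * Globals: orcSYM, orcHDR, entry, logfp.  Returns 1 after logging.
 */
int sym1(void)
{
    if (entry != STN_UNDEF) {
        return 0;
    }
    if (rand() % 2) {   /* 50% chance to leave the undefined symbol alone */
        return 0;
    }

#if defined(__i386__)
    orcSYM->st_size = getElf_Word();
#elif defined(__x86_64__)
    if (rand() % 3 < 2) {
        orcSYM->st_size = getElf_Xword();
    } else {
        orcSYM->st_size = getElf_Word();
    }
#endif

    orcSYM->st_value = getElf_Addr();
    orcSYM->st_info = rand() & 0xff;
    orcSYM->st_other = rand() & 0xff;

    /* The rand() % 4 draw happens first so the PRNG sequence matches the
     * unguarded form; the e_shnum == 0 test only prevents a modulo by zero. */
    if (rand() % 4 == 0 || orcHDR->e_shnum == 0) {
        orcSYM->st_shndx = getElf_Section();
    } else {
        orcSYM->st_shndx = rand() % orcHDR->e_shnum;
    }

    if (rand() % 4 == 0) {
        orcSYM->st_name = getElf_Word();
    } else {
        orcSYM->st_name = rand() & 0xff;
    }

    fprintf(logfp, "(SYM[%d]->st_value = 0x"HEX",", entry, orcSYM->st_value);
    fprintf(logfp, " st_size = 0x"HEX",", orcSYM->st_size);
    fprintf(logfp, " st_info = 0x%x,", orcSYM->st_info);
    fprintf(logfp, " st_other = 0x%x,", orcSYM->st_other);
    fprintf(logfp, " st_shndx = 0x%x,", orcSYM->st_shndx);
    fprintf(logfp, " st_name = 0x%x)", orcSYM->st_name);

    return 1;
}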
/*
 * pht22: mutate the PT_DYNAMIC program header, or conjure one up.
 *
 * Scans the whole PHT (starting at orcOrigPHT) rather than the current
 * entry.  Nothing is done when the DYN fuzzing mode is active, since that
 * mode owns the dynamic segment.
 *
 * If a PT_DYNAMIC entry exists it is mutated with probability 1/2: p_offset
 * is replaced 1 time in 3, then p_vaddr, p_filesz, p_memsz, p_flags and
 * p_align always (class-sized fields are Word on i386, Xword on x86_64; no
 * #else branch for other targets).
 *
 * If no PT_DYNAMIC exists, the first PT_NULL entry is retyped to PT_DYNAMIC
 * (its other fields are left as they are); failing that, the first
 * PT_GNU_STACK entry is retyped instead, PT_NULL having priority because
 * it carries no information of its own.
 *
 * Globals: orcOrigPHT (PHT base), orcHDR (e_phnum), mode, logfp.
 * Returns 1 when an entry was changed and logged, 0 otherwise.
 */
int pht22(void)
{
    /* Every path that modifies anything bails out under DYN, and nothing
     * below has side effects before that test, so check it once up front. */
    if (mode & DYN) {
        return 0;
    }

    Elf_Phdr *cur = orcOrigPHT;
    int idx;

    for (idx = 0; idx < orcHDR->e_phnum; idx++, cur++) {
        if (cur->p_type == PT_DYNAMIC) {
            break;
        }
    }

    if (idx < orcHDR->e_phnum) {
        /* PT_DYNAMIC found. It is important for the loader, so back off
         * half of the time. */
        if (rand() % 2) {
            return 0;
        }

        if (rand() % 3 == 0) {
            cur->p_offset = getElf_Off();
        }

        cur->p_vaddr = getElf_Addr();

        /* Order kept as filesz, memsz, flags, align: the getElf_* helpers
         * are not visible here, but if they consume PRNG output a different
         * order would change results for a given seed. */
#if defined(__i386__)
        cur->p_filesz = getElf_Word();
        cur->p_memsz = getElf_Word();
#elif defined(__x86_64__)
        cur->p_filesz = getElf_Xword();
        cur->p_memsz = getElf_Xword();
#endif

        cur->p_flags = getElf_Word();

#if defined(__i386__)
        cur->p_align = getElf_Word();
#elif defined(__x86_64__)
        cur->p_align = getElf_Xword();
#endif

        fprintf(logfp, "(PHT[%d]->p_offset = 0x"HEX",", idx, cur->p_offset);
        fprintf(logfp, " p_vaddr = 0x"HEX",", cur->p_vaddr);
        fprintf(logfp, " p_filesz = 0x"HEX",", cur->p_filesz);
        fprintf(logfp, " p_memsz = 0x"HEX",", cur->p_memsz);
        fprintf(logfp, " p_flags = 0x%x,", cur->p_flags);
        fprintf(logfp, " p_align = 0x"HEX")", cur->p_align);

        return 1;
    }

    /* No PT_DYNAMIC: retype another entry. Pass 0 looks for PT_NULL,
     * pass 1 for PT_GNU_STACK (less priority than overwriting a PT_NULL). */
    for (int pass = 0; pass < 2; pass++) {
        const Elf_Word wanted = (pass == 0) ? PT_NULL : PT_GNU_STACK;

        cur = orcOrigPHT;
        for (idx = 0; idx < orcHDR->e_phnum; idx++, cur++) {
            if (cur->p_type != wanted) {
                continue;
            }
            cur->p_type = PT_DYNAMIC;
            fprintf(logfp, "(PHT[%d]->p_type = 0x%x)", idx, cur->p_type);
            return 1;
        }
    }

    return 0;
}