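/*
 * Parse a decimal process id from `text`.
 *
 * Returns the pid, or -1 when the text is empty, carries trailing garbage,
 * is not positive, or does not fit an int. atoi() would silently turn
 * "abc" into 0 and the tool would then try to attach to pid 0.
 */
static long parse_pid(const char *text)
{
    char *end = NULL;
    long value;

    if (text == NULL || *text == '\0') {
        return -1;
    }
    value = strtol(text, &end, 10);
    if (end == text || *end != '\0' || value <= 0) {
        return -1;
    }
    /* AssignPid was fed an int (via atoi) originally; refuse anything that
     * the int conversion would truncate. */
    if ((long)(int)value != value) {
        return -1;
    }
    return value;
}

/*
 * Diagnostic driver: attach to the process whose pid is argv[1], enumerate
 * every PLT the library reports and print, for each located function, the
 * GOT slot (if any) that references it.
 *
 * Exits non-zero on a usage error, an unparsable pid, init/attach failure,
 * or when the library cannot locate the target's functions. Every path that
 * attached the tracee also detaches it.
 */
int main(int argc, char *argv[])
{
    HIJACK *hijack;
    FUNC *func;
    PLT *plts, *plt;
    unsigned long addr;
    long pid;
    int rc = EXIT_SUCCESS;

    if (argc != 2) {
        usage(argv[0]);
        return EXIT_FAILURE; /* guards against usage() returning */
    }

    pid = parse_pid(argv[1]);
    if (pid < 0) {
        fprintf(stderr, "[-] Invalid pid: %s\n", argv[1]);
        return EXIT_FAILURE;
    }

    hijack = InitHijack();
    if (hijack == NULL) {
        fprintf(stderr, "[-] Couldn't initialize!\n");
        return EXIT_FAILURE;
    }
    ToggleFlag(hijack, F_DEBUG);
    ToggleFlag(hijack, F_DEBUG_VERBOSE);
    AssignPid(hijack, (int)pid);

    if (Attach(hijack) != ERROR_NONE) {
        fprintf(stderr, "[-] Couldn't attach!\n");
        return EXIT_FAILURE;
    }

    if (LocateAllFunctions(hijack) != ERROR_NONE) {
        fprintf(stderr, "[-] Couldn't locate all functions!\n");
        rc = EXIT_FAILURE;
        goto detach;
    }

    printf("[*] PLT/GOT @ 0x%016lx\n", hijack->pltgot);
    printf("[*] Baseaddr @ 0x%016lx\n", hijack->baseaddr);

    plts = GetAllPLTs(hijack);
    for (plt = plts; plt != NULL; plt = plt->next) {
        printf("[+] Looking in %s\n", plt->libname);
        for (func = hijack->funcs; func != NULL; func = func->next) {
            if (!(func->name)) {
                continue; /* nameless entries have nothing to report */
            }
            addr = FindFunctionInGot(hijack, plt->p.ptr, func->vaddr);
            printf("[+] %s\t%s @ 0x%016lx (%u)", func->libname, func->name, func->vaddr, func->sz);
            if (addr > 0) {
                printf(" -> 0x%016lx", addr);
            }
            printf("\n");
        }
    }

detach:
    /* Detach on the failure path too, rather than leaving it to process exit. */
    Detach(hijack);
    return rc;
}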
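/*
 * Diagnostic driver: attach to the pid in argv[1], locate the target's
 * functions and a system-call gadget, have the library map an anonymous
 * 8 KiB region in the target, and print the addresses it found.
 *
 * Exits non-zero on a usage error, an unparsable pid, init/attach failure,
 * a failed symbol/syscall lookup, or a failed mapping. Every path that
 * attached the tracee also detaches it. The mapping, if created, is left in
 * place.
 */
int main(int argc, char *argv[])
{
    HIJACK *hijack;
    unsigned long addr = 0;
    char *end = NULL;
    long pid;
    int rc = EXIT_SUCCESS;

    if (argc != 2) {
        usage(argv[0]);
        return EXIT_FAILURE; /* guards against usage() returning */
    }

    /* strtol instead of atoi: "abc" must not silently become pid 0, and the
     * value must survive the int conversion AssignPid was given originally. */
    pid = strtol(argv[1], &end, 10);
    if (end == argv[1] || *end != '\0' || pid <= 0 || (long)(int)pid != pid) {
        fprintf(stderr, "[-] Invalid pid: %s\n", argv[1]);
        return EXIT_FAILURE;
    }

    hijack = InitHijack();
    if (hijack == NULL) {
        fprintf(stderr, "[-] Couldn't initialize!\n");
        return EXIT_FAILURE;
    }
    ToggleFlag(hijack, F_DEBUG);
    ToggleFlag(hijack, F_DEBUG_VERBOSE);
    AssignPid(hijack, (int)pid);

    if (Attach(hijack) != ERROR_NONE) {
        fprintf(stderr, "[-] Couldn't attach!\n");
        return EXIT_FAILURE;
    }

    if (LocateAllFunctions(hijack) != ERROR_NONE) {
        fprintf(stderr, "[-] Couldn't locate all functions!\n");
        rc = EXIT_FAILURE;
        goto detach;
    }

    if (LocateSystemCall(hijack) != ERROR_NONE) {
        fprintf(stderr, "[-] Couldn't locate system call!\n");
        rc = EXIT_FAILURE;
        goto detach;
    }

    /* Anonymous, shared, readable+writable+executable. A region violating
     * W^X appearing in another process's map is what memory-integrity
     * monitoring keys on; this sample does nothing to narrow the protection. */
    addr = MapMemory(hijack, NULL, 8192, PROT_READ | PROT_WRITE | PROT_EXEC, MAP_ANON | MAP_SHARED);
    if (GetErrorCode(hijack) != ERROR_NONE) {
        fprintf(stderr, "[-] %s\n", GetErrorString(hijack));
        perror("ptrace");
        rc = EXIT_FAILURE; /* the original kept going and exited 0 */
    }

    printf("[*] PLT/GOT @ 0x%016lx\n", hijack->pltgot);
    printf("[*] Baseaddr @ 0x%016lx\n", hijack->baseaddr);
    printf("[*] Syscall @ 0x%016lx\n", hijack->syscalladdr);
    if (rc == EXIT_SUCCESS) {
        /* Only meaningful when the mapping actually succeeded. */
        printf("[*] addr @ 0x%016lx\n", addr);
    }

detach:
    Detach(hijack);
    return rc;
}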
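/*
 * Minimal driver: flips one flag and exits.
 *
 * Implicit-int `main()` was removed in C99; the entry point now has an
 * explicit return type and an explicit exit status.
 */
int main(void)
{
    ToggleFlag();
    return 0;
}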
/*
 * Injection driver for libhijack, i386 only (it edits esp/eip/eax/orig_eax).
 *
 * Usage: <prog> <pid> <shellcode-file> <library-path> <function-name>
 *
 * In order: attach to the target, snapshot its registers, read the shellcode
 * file, resolve dlopen/dlsym in the target's /lib/libdl.so.2, map a fresh
 * page in the target, patch four-byte marker sequences in the shellcode with
 * the resolved addresses, write the two strings and the patched code into
 * that page, push the saved eip and point eip at the written code, detach.
 *
 * Observable footprint for a defender: the attach (ptrace, judging by
 * user_regs_struct), a new anonymous RWX mapping in the target, and a
 * register state that no longer matches the interrupted context.
 *
 * Review notes on the code as written:
 *  - stat(), open(), read() and malloc() results are never checked.
 *  - memmem() returns NULL when a marker is absent; the memcpy() that follows
 *    each call would then write through NULL.
 *  - pltgot_addr is read uninitialised if the loop over funcs never assigns it.
 *  - WriteData() copies strlen() bytes without the terminator; the "+ 1" in
 *    the layout presumably relies on the new mapping being zero-filled —
 *    confirm.
 *  - backup, regs and shellcode are never freed (process exits right after).
 */
int main(int argc, char *argv[]) {
    HIJACK *hijack;
    FUNC *funcs, *func;
    unsigned long shellcode_addr, filename_addr, dlopen_addr, dlsym_addr, funcname_addr, pltgot_addr;
    struct stat sb;
    char *shellcode, *p1;
    int fd;
    struct user_regs_struct *regs, *backup;

    if (argc != 5) usage(argv[0]);

    hijack = InitHijack();
    ToggleFlag(hijack, F_DEBUG);
    ToggleFlag(hijack, F_DEBUG_VERBOSE);
    /* atoi(): non-numeric input silently becomes pid 0 — unchecked. */
    AssignPid(hijack, atoi(argv[1]));
    if (Attach(hijack) != ERROR_NONE) { fprintf(stderr, "[-] Couldn't attach!\n"); exit(EXIT_FAILURE); }

    /* backup keeps the interrupted register state; regs is the working copy. */
    backup = GetRegs(hijack);
    regs = malloc(sizeof(struct user_regs_struct));

    /* Load argv[2] whole; sb.st_size is trusted as the file length. */
    stat(argv[2], &sb);
    shellcode = malloc(sb.st_size);
    fd = open(argv[2], O_RDONLY);
    read(fd, shellcode, sb.st_size);
    close(fd);

    LocateAllFunctions(hijack);
    funcs = FindFunctionInLibraryByName(hijack, "/lib/libdl.so.2", "dlopen");
    if (!(funcs)) { fprintf(stderr, "[-] Couldn't locate dlopen!\n"); exit(EXIT_FAILURE); }
    dlopen_addr = funcs->vaddr;
    printf("dlopen_addr: 0x%08lx\n", dlopen_addr);
    funcs = FindFunctionInLibraryByName(hijack, "/lib/libdl.so.2", "dlsym");
    if (!(funcs)) { fprintf(stderr, "[-] Couldn't locate dlsym!\n"); exit(EXIT_FAILURE); }
    dlsym_addr = funcs->vaddr;
    printf("dlsym_addr: 0x%08lx\n", dlsym_addr);

    memcpy(regs, backup, sizeof(struct user_regs_struct));
    LocateSystemCall(hijack);
    /* One 4 KiB private anonymous RWX page in the target; the library
     * presumably executes the mapping via the located syscall, which is why
     * the working registers are restored from backup again afterwards. */
    filename_addr = MapMemory(hijack, (unsigned long)NULL, 4096, PROT_READ | PROT_EXEC | PROT_WRITE, MAP_ANONYMOUS | MAP_PRIVATE);
    memcpy(regs, backup, sizeof(struct user_regs_struct));

    /* Marker 0x22222222 -> address of the library-path string. */
    p1 = memmem(shellcode, sb.st_size, "\x22\x22\x22\x22", 4);
    memcpy(p1, &filename_addr, 4);

    /* Page layout: <argv[3]>\0<argv[4]>\0<shellcode>. */
    funcname_addr = filename_addr + strlen(argv[3]) + 1;
    shellcode_addr = funcname_addr + strlen(argv[4]) + 1;
    printf("filename_addr: 0x%08lx\n", filename_addr);
    printf("shellcode_addr: 0x%08lx\n", shellcode_addr);
    printf("esp: 0x%08lx\n", regs->esp);
    printf("eip: 0x%08lx\n", regs->eip);

    /* Marker 0x33333333 -> dlopen, 0x44444444 -> function-name string,
     * 0x55555555 -> dlsym. */
    p1 = memmem(shellcode, sb.st_size, "\x33\x33\x33\x33", 4);
    memcpy(p1, &dlopen_addr, 4);
    p1 = memmem(shellcode, sb.st_size, "\x44\x44\x44\x44", 4);
    memcpy(p1, &funcname_addr, 4);
    p1 = memmem(shellcode, sb.st_size, "\x55\x55\x55\x55", 4);
    memcpy(p1, &dlsym_addr, 4);

    /* First named match of argv[4] that has a GOT slot in the main PLT/GOT. */
    funcs = FindAllFunctionsByName(hijack, argv[4], false);
    for (func = funcs; func != NULL; func = func->next) {
        if (!(func->name)) continue;
        pltgot_addr = FindFunctionInGot(hijack, hijack->pltgot, func->vaddr);
        if (pltgot_addr > 0) break;
    }
    printf("pltgot_addr: 0x%08lx\n", pltgot_addr);
    /* Marker 0x66666666 -> that GOT slot. */
    p1 = memmem(shellcode, sb.st_size, "\x66\x66\x66\x66", 4);
    memcpy(p1, &pltgot_addr, 4);

    WriteData(hijack, filename_addr, (unsigned char *)argv[3], strlen(argv[3]));
    WriteData(hijack, funcname_addr, (unsigned char *)argv[4], strlen(argv[4]));
    WriteData(hijack, shellcode_addr, (unsigned char *)shellcode, sb.st_size);

    /* Push the interrupted eip so the injected code can return to it, then
     * redirect execution to the written code. */
    regs->esp -= 4;
    SetRegs(hijack, regs);
    WriteData(hijack, regs->esp, &(regs->eip), 4);
    regs->eip = shellcode_addr;
    /* If the tracee was stopped inside a syscall that is about to be
     * restarted, the kernel presumably rewinds eip by the 2-byte syscall
     * instruction on resume; the +2 compensates so the new eip still lands
     * on shellcode_addr — confirm against the kernel's restart handling. */
    if (regs->orig_eax >= 0) {
        switch (regs->eax) {
        case -514: /* -ERESTARTNOHAND */
        case -512: /* -ERESTARTSYS */
        case -513: /* -ERESTARTNOINTR */
        case -516: /* -ERESTART_RESTARTBLOCK */
            regs->eip += 2;
            break;
        }
    }
    SetRegs(hijack, regs);
    Detach(hijack);
    return 0;
}
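/*
 * Convert a device/drive name to UTF-16 and send it to the filter with the
 * given control code (attach or detach).
 *
 * Name         - ANSI name taken from the command line.
 * FailureText  - message printed when the ioctl fails.
 *
 * Reports failures through DisplayError() and returns FALSE; returns TRUE
 * when the driver accepted the request. Unlike the original inline code, a
 * failed MultiByteToWideChar() (return 0, e.g. on an invalid character under
 * MB_ERR_INVALID_CHARS) no longer sends a zero-length name to the driver.
 */
static BOOL
SendDeviceNameIoctl(
    PLOG_CONTEXT Context,
    DWORD IoControlCode,
    const CHAR *Name,
    const CHAR *FailureText
    )
{
    /* A WCHAR array keeps the buffer correctly aligned for the cast-free call. */
    WCHAR wideName[BUFFER_SIZE / sizeof(WCHAR)];
    int charCount;
    DWORD bytesReturned;
    DWORD err;

    charCount = MultiByteToWideChar(
                    CP_ACP,
                    MB_ERR_INVALID_CHARS,
                    Name,
                    -1,
                    wideName,
                    BUFFER_SIZE / sizeof(WCHAR));
    if (charCount == 0) {
        err = GetLastError();
        printf("ERROR converting \"%s\" to Unicode...\n", Name);
        DisplayError( err );
        return FALSE;
    }

    /* charCount includes the terminator because cbMultiByte was -1. */
    if (!DeviceIoControl(
            Context->Device,
            IoControlCode,
            wideName,
            (DWORD)charCount * sizeof(WCHAR),
            NULL,
            0,
            &bytesReturned,
            NULL)) {
        err = GetLastError();
        printf("%s", FailureText);
        DisplayError( err );
        return FALSE;
    }

    return TRUE;
}

/*
 * Interpret one command line (argv[0..argc-1]) and apply each switch to the
 * logging context:
 *
 *   /a <drive>   attach the monitor to <drive>
 *   /d <drive>   detach the monitor from <drive>
 *   /h           print filename hash statistics
 *   /l           list the devices currently monitored
 *   /s           toggle screen logging (applied when the interpreter exits)
 *   /f [<file>]  toggle file logging; <file> is required when turning it on
 *   /v <flag>    toggle a verbosity flag; only 'p' (dump parameters) exists
 *   go | g       leave command mode
 *   exit         terminate the program
 *
 * Returns SUCCESS, USAGE_ERROR (after printing the switch summary),
 * EXIT_INTERPRETER or EXIT_PROGRAM. A switch that fails against the driver
 * is reported with DisplayError() and does not stop later switches; an
 * unknown switch or a missing argument prints usage and stops.
 */
DWORD
InterpretCommand(
    int argc,
    char *argv[],
    PLOG_CONTEXT Context
    )
{
    int parmIndex;
    CHAR *parm;
    BOOL bResult;
    DWORD result;
    DWORD returnValue = SUCCESS;

    for (parmIndex = 0; parmIndex < argc; parmIndex++) {
        parm = argv[parmIndex];

        if (parm[0] == '/') {
            //
            // Have the beginning of a switch
            //
            switch (parm[1]) {
            case 'a':
            case 'A':
                //
                // Attach to the specified drive letter
                //
                parmIndex++;
                if (parmIndex >= argc) {
                    goto InterpretCommand_Usage;
                }
                parm = argv[parmIndex];
                printf("\tAttaching to %s\n", parm);
                (void)SendDeviceNameIoctl(
                          Context,
                          FILESPY_StartLoggingDevice,
                          parm,
                          "ERROR attaching to device...\n");
                break;

            case 'd':
            case 'D':
                //
                // Detach from the specified drive letter
                //
                parmIndex++;
                if (parmIndex >= argc) {
                    goto InterpretCommand_Usage;
                }
                parm = argv[parmIndex];
                printf("\tDetaching from %s\n", parm);
                (void)SendDeviceNameIoctl(
                          Context,
                          FILESPY_StopLoggingDevice,
                          parm,
                          "ERROR detaching to device...\n");
                break;

            case 'h':
            case 'H':
                ListHashStats(Context);
                break;

            case 'l':
            case 'L':
                //
                // List all devices that are currently being monitored
                //
                bResult = ListDevices(Context);
                if (!bResult) {
                    result = GetLastError();
                    printf("ERROR listing devices...\n");
                    DisplayError( result );
                }
                break;

            case 's':
            case 'S':
                //
                // Toggle logging to screen; the new value is stored in
                // NextLogToScreen and instated when the interpreter exits.
                //
                if (Context->NextLogToScreen) {
                    printf("\tTurning off logging to screen\n");
                } else {
                    printf("\tTurning on logging to screen\n");
                }
                Context->NextLogToScreen = !Context->NextLogToScreen;
                break;

            case 'f':
            case 'F':
                //
                // Toggle logging to file. Turning it off closes the current
                // file; turning it on consumes the next parameter as the name.
                //
                if (Context->LogToFile) {
                    printf("\tStop logging to file \n");
                    Context->LogToFile = FALSE;
                    _ASSERT(Context->OutputFile);
                    fclose(Context->OutputFile);
                    Context->OutputFile = NULL;
                } else {
                    parmIndex++;
                    if (parmIndex >= argc) {
                        goto InterpretCommand_Usage;
                    }
                    parm = argv[parmIndex];
                    Context->OutputFile = fopen(parm, "w");
                    if (Context->OutputFile == NULL) {
                        // NOTE(review): fopen() reports through errno, not
                        // GetLastError(); the Win32 code shown here may be
                        // stale — confirm DisplayError() is fed what it expects.
                        result = GetLastError();
                        printf("\nERROR opening \"%s\"...\n",parm);
                        DisplayError( result );
                        returnValue = USAGE_ERROR;
                        goto InterpretCommand_Exit;
                    }
                    Context->LogToFile = TRUE;
                    printf("\tLog to file %s\n", parm);
                }
                break;

            case 'v':
            case 'V':
                //
                // Toggle the specified verbosity flag.
                //
                parmIndex++;
                if (parmIndex >= argc) {
                    goto InterpretCommand_Usage;
                }
                parm = argv[parmIndex];
                switch(parm[0]) {
                case 'p':
                case 'P':
                    ToggleFlag( Context->VerbosityFlags, FS_VF_DUMP_PARAMETERS );
                    break;
                default:
                    goto InterpretCommand_Usage;
                }
                break;

            default:
                goto InterpretCommand_Usage;
            }
        } else {
            //
            // Not a switch: "go"/"g" leave command mode, "exit" ends the
            // program. sizeof() on a string-literal macro covers the
            // terminator, so these are exact case-insensitive matches.
            //
            if (!_strnicmp( parm, INTERPRETER_EXIT_COMMAND1, sizeof(INTERPRETER_EXIT_COMMAND1))) {
                returnValue = EXIT_INTERPRETER;
                goto InterpretCommand_Exit;
            }
            if (!_strnicmp( parm, INTERPRETER_EXIT_COMMAND2, sizeof(INTERPRETER_EXIT_COMMAND2))) {
                returnValue = EXIT_INTERPRETER;
                goto InterpretCommand_Exit;
            }
            if (!_strnicmp( parm, PROGRAM_EXIT_COMMAND, sizeof(PROGRAM_EXIT_COMMAND))) {
                returnValue = EXIT_PROGRAM;
                goto InterpretCommand_Exit;
            }

            //
            // Invalid parameter
            //
            goto InterpretCommand_Usage;
        }
    }

InterpretCommand_Exit:
    return returnValue;

InterpretCommand_Usage:
    printf("Valid switches: [/a <drive>] [/d <drive>] [/h] [/l] [/s] [/f [<file name>] [/v <flag>]]\n"
           "\t[/a <drive>] attaches monitor to <drive>\n"
           "\t[/d <drive>] detaches monitor from <drive>\n"
           "\t[/h] print filename hash statistics\n"
           "\t[/l] lists all the drives the monitor is currently attached to\n"
           "\t[/s] turns on and off showing logging output on the screen\n"
           "\t[/f [<file name>]] turns on and off logging to the specified file\n"
           "\t[/v <flag>] toggles a verbosity flag. Valid verbosity flags are:\n"
           "\t\tp (dump irp parameters)\n"
           "If you are in command mode,\n"
           "\t[go|g] will exit command mode\n"
           "\t[exit] will terminate this program\n"
           );
    returnValue = USAGE_ERROR;
    goto InterpretCommand_Exit;
}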
// Bring `flag` into the requested state: afterwards HasFlag(flag) == set.
// Nothing happens when the flag is already in that state.
void wxSettableHeaderColumn::ChangeFlag(int flag, bool set)
{
    const bool currentlySet = HasFlag(flag);
    if ( currentlySet == set )
        return;

    ToggleFlag(flag);
}
// Menu handler: mirror the item's checked state onto the wxSP_3DSASH style.
void OnToggle3DSash(wxCommandEvent& event)
{
    const bool enable = event.IsChecked();
    ToggleFlag(wxSP_3DSASH, enable);
}
// Menu handler: mirror the item's checked state onto the wxSP_BORDER style.
void OnToggleBorder(wxCommandEvent& event)
{
    const bool enable = event.IsChecked();
    ToggleFlag(wxSP_BORDER, enable);
}
// Menu handler: mirror the item's checked state onto the wxSP_LIVE_UPDATE style.
void OnToggleLive(wxCommandEvent& event)
{
    const bool enable = event.IsChecked();
    ToggleFlag(wxSP_LIVE_UPDATE, enable);
}