diff --git a/evilPatcher.py b/evilPatcher.py index 8224d9b..be12173 100644 --- a/evilPatcher.py +++ b/evilPatcher.py @@ -49,6 +49,7 @@ def main(): patch32_handler(filename, sandboxFile, debugFlag).run() elif arch == 'amd64': patch64_handler(filename, sandboxFile, debugFlag).run() + else: print(f'{arch} is not supported!!! Only i386 and amd64!!!') diff --git a/patch64.py b/patch64.py index ac3cb99..77b53a4 100644 --- a/patch64.py +++ b/patch64.py @@ -34,11 +34,11 @@ def run_partial(self): inject_code = asm('endbr64') inject_code += asm('push rbp') inject_code += self.inject_code_build() + 3 * asm('nop') - print('============================inject code into .eh_frame============================') + print('============================inject code into eh_frame_hdr============================') print(disasm(inject_code)) - print('.eh_frame.sh_size===>' + str(hex(self.elf.get_section_by_name('.eh_frame').header.sh_size))) + print('eh_frame_hdr.sh_size===>' + str(hex(self.elf.get_section_by_name('.eh_frame_hdr').header.sh_size))) print('inject_code.length===>' + str(hex(len(inject_code)))) - eh_frame_addr = self.elf.get_section_by_name('.eh_frame').header.sh_addr + eh_frame_addr = self.elf.get_section_by_name('.eh_frame_hdr').header.sh_addr self.elf.write(eh_frame_addr, inject_code) self.edit_program_table_header() sys.stdout = sys.__stdout__ @@ -73,7 +73,7 @@ def inject_code_build(self): inject_code += asm('mov r10,rcx') inject_code += asm(shellcraft.amd64.prctl(0x16, 2, 'rsp')) tmp = len(self.ct) * 8 + 0x10 - inject_code += asm('add rsp,' + str(hex(tmp))) + inject_code += asm('add rsp,' + str(hex(tmp + 0x10))) return inject_code def edit_program_table_header(self): @@ -88,14 +88,16 @@ def edit_program_table_header(self): for i in range(num_of_program_table_header): p_type = self.elf.get_segment(i).header.p_type p_flags = self.elf.get_segment(i).header.p_flags - if p_type == 'PT_LOAD' and p_flags == 4: + if p_type == 'PT_GNU_EH_FRAME' and p_flags == 4: self.elf.write(program_table_header_start + i * size_of_program_headers + 4, p32(5)) print('edit program_table_element[' + str(i) + '].p_flags===>r_x') - + self.elf.write(program_table_header_start + i * size_of_program_headers, p32(1)) + print('edit program_table_element[' + str(i) + '].p_type===>LOAD') + def patch_pie_elf(self): - eh_frame_addr = self.elf.get_section_by_name('.eh_frame').header.sh_addr + eh_frame_addr = self.elf.get_section_by_name('.eh_frame_hdr').header.sh_addr start_offset = self.elf.header.e_entry - offset = self.elf.read(start_offset, 0x40).find(b'\x48\x8d\x3d') # lea rdi,? + offset = self.elf.read(start_offset, 0x40).find(b'\x00\xff\x15') - 6 # lea rdi,? offset1 = u32(self.elf.read(start_offset + offset + 3, 4)) if offset1 > 0x80000000: offset1 -= 0x100000000 @@ -104,7 +106,8 @@ def patch_pie_elf(self): self.pr('start_offset', start_offset) self.pr('main_addr', main_addr) print('=================================edit _start==================================') - print('replace _start+' + str(offset) + '------>change __libc_start_main\'s first parameter: main->.eh_frame') + print( + 'replace _start+' + str(offset) + '------>change __libc_start_main\'s first parameter: main->eh_frame_hdr') print(disasm(self.elf.read(start_offset + offset, 7))) s = 'lea rdi,[rip+' + str(hex(eh_frame_addr - (start_offset + offset) - 7)) + '];' print(' || ') @@ -112,12 +115,16 @@ def patch_pie_elf(self): print(' \/ ') print(disasm(asm(s))) - inject_code = self.inject_code_build() - tail = 'lea r8,[rip' + str(hex(main_addr - (eh_frame_addr + len(inject_code)) - 7)) + '];jmp r8;' + inject_code = asm( + "push rax;push rbx;push rcx;push rdx;push rdi;push rsi;push r8;push r9;push r10; push r11;push r13;push r14;push r15") + inject_code += self.inject_code_build() + tail = 'lea r12,[rip' + str(hex(main_addr - (eh_frame_addr + len( + inject_code)) - 7)) + '];pop rax;pop rbx;pop rcx;pop rdx;pop rdi;pop rsi;pop r8;pop r9;pop r10; pop r11;pop r13;pop r14;pop r15;jmp r12;' + inject_code += asm(tail) - print('============================inject code into .eh_frame========================') + print('============================inject code into eh_frame_hdr========================') print(disasm(inject_code)) - print('.eh_frame.sh_size===>' + str(hex(self.elf.get_section_by_name('.eh_frame').header.sh_size))) + print('eh_frame_hdr.sh_size===>' + str(hex(self.elf.get_section_by_name('.eh_frame_hdr').header.sh_size))) print('inject_code.length===>' + str(hex(len(inject_code)))) self.elf.write(start_offset + offset, asm(s)) self.elf.write(eh_frame_addr, inject_code) @@ -128,32 +135,37 @@ def patch_nopie_elf(self): program_base = self.elf.address self.pr('program_base', program_base) - eh_frame_addr = self.elf.get_section_by_name('.eh_frame').header.sh_addr + eh_frame_addr = self.elf.get_section_by_name('.eh_frame_hdr').header.sh_addr start_offset = self.elf.header.e_entry - offset = self.elf.read(start_offset, 0x40).find(b'\x48\xc7\xc7') # mov rdi,? + offset = self.elf.read(start_offset, 0x40).find(b'\x00\xff\x15') - 6 # mov rdi,? main_addr = u32(self.elf.read(start_offset + offset + 3, 4)) self.pr('eh_frame_addr', eh_frame_addr) self.pr('start_offset', start_offset) self.pr('main_addr', main_addr) print('=================================edit _start==================================') - print('replace _start+' + str(offset) + '------>change __libc_start_main\'s first parameter: main->.eh_frame') + print( + 'replace _start+' + str(offset) + '------>change __libc_start_main\'s first parameter: main->eh_frame_hdr') print(disasm(self.elf.read(start_offset + offset, 7))) s = 'mov rdi,' + str(eh_frame_addr) + ';' print(' || ') print(' || ') print(' \/ ') print(disasm(asm(s))) - inject_code = self.inject_code_build() - tail = 'mov r8,' + str(main_addr) + ';jmp r8;' + inject_code = asm( + "push rax;push rbx;push rcx;push rdx;push rdi;push rsi;push r8;push r9;push r10; push r11;push r13;push r14;push r15") + inject_code += self.inject_code_build() + tail = 'mov r12,' + str( + main_addr) + '; pop rax;pop rbx;pop rcx;pop rdx;pop rdi;pop rsi;pop r8;pop r9;pop r10; pop r11;pop r13;pop r14;pop r15;jmp r12;' inject_code += asm(tail) - print('============================inject code into .eh_frame============================') + print('============================inject code into eh_frame_hdr============================') print(disasm(inject_code)) - print('.eh_frame.sh_size===>' + str(hex(self.elf.get_section_by_name('.eh_frame').header.sh_size))) + print('eh_frame_hdr.sh_size===>' + str(hex(self.elf.get_section_by_name('.eh_frame_hdr').header.sh_size))) print('inject_code.length===>' + str(hex(len(inject_code)))) self.elf.write(start_offset + offset, asm(s)) self.elf.write(eh_frame_addr, inject_code) self.edit_program_table_header() + def main(): filename = sys.argv[1] sandboxfile = sys.argv[2] @@ -163,8 +175,8 @@ def main(): debugFlag = 1 except IndexError: pass - patch64_handler(filename,sandboxfile,debugFlag).run_partial() + patch64_handler(filename, sandboxfile, debugFlag).run_partial() + if __name__ == '__main__': main() - \ No newline at end of file diff --git a/test/GoTest b/test/GoTest new file mode 100644 index 0000000..51c797f Binary files /dev/null and b/test/GoTest differ diff --git a/test/RustTest b/test/RustTest new file mode 100644 index 0000000..564fe32 Binary files /dev/null and b/test/RustTest differ