def test_arm(infile, outfile):
    """Exercise the ELF patching API against a 32-bit ARM test binary.

    Reads ``infile``, applies a fixed sequence of modifications (new
    library/symbol imports, TLS .bss data, data/pointer/code blobs,
    init-function registrations and code hooks at hard-coded addresses)
    and writes the result to ``outfile``.

    The addresses used below (0x10610, 0x10684) are specific to the test
    binary this function expects; nothing here discovers them from the
    input file, so running it against any other binary will patch the
    wrong bytes.

    Several labels are referenced in assembly before they are defined
    (``_puts``, ``global_data2222``, ``_getppid``): the calls are ordered
    that way on purpose, apparently to check that label resolution is
    deferred until ``save`` rather than done at ``add_code`` time --
    confirm against the ELF implementation before relying on it.

    Args:
        infile: path of the ARM ELF to read (handed straight to ``ELF``).
        outfile: path the patched ELF is written to by ``ELF.save``.
    """
    elf = ELF(infile)

    # add imported function from external library
    # Three-argument form: the symbol is presumably bound to the named
    # library; the two-argument form used further down (puts, getpid)
    # is described by the author's own comment as "from libc".
    elf.add_imported_library('lib_arm_library.so')
    elf.add_imported_symbol('export_function', '_export_function',
                            'lib_arm_library.so')

    # TLS .bss entries: (label, size in bytes, offset label) -- the third
    # name looks like a label that resolves to the TLS offset; verify.
    elf.add_tls_bss_data('tls_bss_long', 0x4, 'tls_bss_long_offset')
    elf.add_tls_bss_data('tls_bss_char_array', 0x100,
                         'tls_bss_char_array_offset')

    # NOTE(review): these are str literals with an explicit NUL terminator,
    # not bytes; assumes the ELF API encodes them (Python 2-era code?) --
    # confirm on Python 3.
    elf.add_data('constdata', 'C' * 5 + '\x00')
    # A data word holding the address of 'constdata'.
    elf.add_pointer('constdata_pointer', 'constdata')
    # Reads the pointer stored at constdata_pointer and passes it to puts
    # via the '_puts' import slot; registered as an init function below.
    # '_puts' itself is only imported by the add_imported_symbol call
    # further down (forward reference, see docstring).
    elf.add_code(
        'pointer_verifier', """        
        stmfd sp!, {r0, r3, lr}
        ldr r0, =constdata_pointer
        ldr r0, [r0]
        ldr r3, =_puts
        ldr r3, [r3]
        blx r3
        ldmfd sp!, {r0, r3, pc}
    """)
    elf.add_init_function('pointer_verifier')

    elf.add_imported_symbol('puts', '_puts')
    elf.add_data('init_message', 'Hello From Init Array\x00')
    # Second init function: prints init_message through the '_puts' slot.
    # The message text suggests init functions land in .init_array; the
    # call itself does not show that, so treat it as an assumption.
    elf.add_code(
        "new_init_function", """
        stmfd sp!, {r0, r3, lr}
        ldr r0, =init_message
        ldr r3, =_puts
        ldr r3, [r3]
        blx r3
        ldmfd sp!, {r0, r3, pc}
    """)
    elf.add_init_function("new_init_function")

    # hook function_2, call export_function
    # Inserted at a fixed address: saves r3/lr, calls through the
    # '_export_function' import slot, restores, and falls through (no
    # return via pc), so execution presumably continues with whatever
    # the library displaced to make room -- confirm insert_code semantics.
    elf.insert_code(where=0x10610,
                    label="patch_10610",
                    code="""
    stmfd sp!, {r3, lr}
    ldr r3, =_export_function
    ldr r3, [r3, #0x0]
    blx r3
    ldmfd sp!, {r3, lr}
    """)

    # test pc-related instruction wrap
    # A single nop; the point (per the author's comment) is that the
    # displaced instruction at 0x10684 is pc-relative and must be
    # rewritten by the library, not the inserted code itself.
    elf.insert_code(where=0x10684, label="patch_10684", code="nop")

    # add imported function from libc
    elf.add_imported_symbol('getpid', '_getpid')

    # data and code manipulate
    elf.add_data('global_data', 'A' * 0x20)

    # entry1/entry2 reference each other, and entry1 references
    # global_data2222 before it is added -- cross/forward label test.
    elf.add_code(
        'entry1', """
                 ldr r1, =global_data2222
                 ldr r1, =entry2
                 ldr r1, =_getpid
                 """)

    elf.add_code(
        'entry2', """
                 ldr r1, =global_data
                 ldr r1, =entry1
                 ldr r1, =_getpid
                 """)

    elf.add_data('global_data2222', 'B' * 0x20)

    # entry3 references itself and '_getppid', which is imported only
    # after this call.
    elf.add_code(
        'entry3', """
                 ldr r1, =global_data2222
                 ldr r1, =entry1
                 ldr r1, =entry2
                 ldr r1, =entry3
                 ldr r1, =_getppid
                 """)

    elf.add_imported_symbol('getppid', '_getppid')

    elf.add_code('entry4', """
                 ldr r1, =_getppid
                 """)

    # All label resolution and layout happens here (assumed, see docstring).
    elf.save(outfile)
def test_386(infile, outfile):
    """Exercise the ELF patching API against a 32-bit x86 test binary.

    Mirrors ``test_arm`` step for step: reads ``infile``, adds imports,
    TLS .bss data, data/pointer/code blobs and init functions, applies
    one range patch and one code insertion at hard-coded addresses, and
    writes the result to ``outfile``.

    The addresses (0x0804857C, 0x08048583, 0x08048611, 0x08048617) are
    specific to the expected test binary; the author's disassembly
    excerpt below documents what is at 0x0804860B..0x08048617. Running
    this against any other binary will patch the wrong bytes.

    As in ``test_arm``, ``_puts``, ``global_data2222`` and ``_getppid``
    are referenced in assembly before they are defined, apparently to
    check that labels are resolved at ``save`` time -- confirm against
    the ELF implementation.

    Args:
        infile: path of the x86 ELF to read (handed straight to ``ELF``).
        outfile: path the patched ELF is written to by ``ELF.save``.
    """
    elf = ELF(infile)

    # add imported function from external library
    # Three-argument form binds the symbol to the named library
    # (presumably); the two-argument form further down is "from libc"
    # per the author's comment.
    elf.add_imported_library('lib_x86_library.so')
    elf.add_imported_symbol('export_function', '_export_function',
                            'lib_x86_library.so')

    # TLS .bss entries: (label, size in bytes, offset label) -- verify
    # what the third name resolves to.
    elf.add_tls_bss_data('tls_bss_long', 0x4, 'tls_bss_long_offset')
    elf.add_tls_bss_data('tls_bss_char_array', 0x100,
                         'tls_bss_char_array_offset')

    # NOTE(review): str literals with an explicit NUL terminator, not
    # bytes; assumes the ELF API encodes them -- confirm on Python 3.
    elf.add_data('constdata', 'C' * 5 + '\x00')
    elf.add_pointer('constdata_pointer', 'constdata')
    # Loads the pointer stored at constdata_pointer, pushes it and calls
    # puts through the '_puts' import slot (cdecl: caller pops the arg).
    # '_puts' is imported only by the add_imported_symbol call below.
    elf.add_code(
        'pointer_verifier', """
        mov eax, dword ptr [constdata_pointer]
        push eax
        call dword ptr [_puts]
        add esp, 4
        ret
    """)
    elf.add_init_function('pointer_verifier')

    elf.add_imported_symbol('puts', '_puts')
    elf.add_data('init_message', 'Hello From Init Array\x00')
    # Second init function: prints init_message via '_puts'. Whether
    # init functions go into .init_array is suggested by the message
    # text only; treat as an assumption.
    elf.add_code(
        "new_init_function", """
        push edi
        lea edi, byte ptr [init_message]
        push edi
        call dword ptr [_puts]
        add esp, 4
        pop edi
        ret
    """)
    elf.add_init_function("new_init_function")

    # hook function_2, call export_function
    # Range patch: the bytes in [fromwhere, towhere) are replaced by a
    # call through the '_export_function' slot followed by what looks
    # like the displaced function prologue (push ebp / mov ebp, esp /
    # push ebx / sub esp, 4) re-emitted by hand. Confirm that
    # 0x0804857C..0x08048583 is exactly that prologue in the test binary;
    # if the range is off, the re-emitted prologue corrupts the frame.
    elf.patch_code(fromwhere=0x0804857C,
                   towhere=0x08048583,
                   label='patch_804857C',
                   code="""
                        call dword ptr[_export_function]
                        push ebp
                        mov ebp, esp
                        push ebx
                        sub esp, 4
                        """)

    # .text:0804860B    lea     eax, (aParent - 804A000h)[ebx] ; "parent"
    # .text:08048611    push    eax             ; s
    # .text:08048612    call    _puts
    # .text:08048617    add     esp, 10h
    # Inserted before the push at 0x08048611: bumps the string pointer
    # by one so "arent" is printed instead of "parent". nbound=0x08048617
    # presumably bounds the region the library may displace/relocate to
    # make room (push eax / call _puts per the listing above) -- confirm.
    elf.insert_code(where=0x08048611,
                    label="patch_08048611",
                    code="""
    add eax, 1  # eax -> "arent"
    """,
                    nbound=0x08048617)

    # add imported function from libc
    elf.add_imported_symbol('getpid', '_getpid')

    # data and code manipulate
    elf.add_data('global_data', 'A' * 0x20)

    # entry1/entry2 reference each other; entry1 also references
    # global_data2222 before it is added (forward label test).
    elf.add_code(
        'entry1', """
                 mov eax, [global_data2222]
                 mov ebx, [entry2]
                 mov ecx, [_getpid]
                 """)

    elf.add_code(
        'entry2', """
                 mov eax, [global_data]
                 mov ebx, [entry1]
                 mov ecx, [_getpid]
                 """)

    elf.add_data('global_data2222', 'B' * 0x20)

    # entry3 references itself and '_getppid', imported only afterwards.
    elf.add_code(
        'entry3', """
                 mov eax, [global_data2222]
                 mov ebx, [entry1]
                 mov ebx, [entry2]
                 mov ebx, [entry3]
                 mov ecx, [_getppid]
                 """)

    elf.add_imported_symbol('getppid', '_getppid')

    elf.add_code(
        'entry4', """
                 mov ecx, [_getppid]
                 """)

    # Label resolution and layout are assumed to happen here.
    elf.save(outfile)