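def test_x64(infile, outfile):
    """Exercise the x86-64 patching API on ``infile`` and save the result to ``outfile``.

    Every rewriting primitive is driven once: importing a library and its
    symbols, emitting data and pointers, registering init-array routines,
    reserving TLS .bss space, in-place code patching, code insertion, and
    labels that are referenced before they are defined.  The absolute
    addresses used below belong to the specific test binary this fixture was
    written against and are meaningless for any other input.

    Args:
        infile: path of the x86-64 ELF to rewrite.
        outfile: path the patched ELF is written to.
    """
    elf = ELF(infile)

    # Import export_function from an external shared object; the assembly
    # snippets below reach it through the '_export_function' label.
    elf.add_imported_library('lib_x64_library.so')
    elf.add_imported_symbol('export_function', '_export_function',
                            'lib_x64_library.so')

    # A data blob, a pointer to it, and an init routine that prints the blob
    # through the pointer -- verifies that add_pointer() is relocated correctly.
    # Anything handed to puts() must be NUL-terminated, so the terminator is
    # written out explicitly.
    elf.add_data('constdata', 'C' * 5 + '\x00')
    elf.add_pointer('constdata_pointer', 'constdata')
    # The single push also brings rsp back to 16-byte alignment before the
    # call, as the SysV x86-64 ABI requires.
    elf.add_code(
        'pointer_verifier', """
        push rdi
        mov rdi, qword ptr [constdata_pointer]
        call qword ptr [_puts]
        pop rdi
        ret
    """)
    elf.add_init_function('pointer_verifier')

    # Thread-local .bss reservations (size in bytes, plus a label for the offset).
    elf.add_tls_bss_data('tls_bss_long', 0x4, 'tls_bss_long_offset')
    elf.add_tls_bss_data('tls_bss_char_array', 0x100,
                         'tls_bss_char_array_offset')

    # '_puts' is imported only now, after pointer_verifier already used it:
    # label resolution is deferred until save().
    elf.add_imported_symbol('puts', '_puts')
    elf.add_data('init_message', 'Hello From Init Array\x00')
    elf.add_code(
        "new_init_function", """
        push rdi
        lea rdi, byte ptr [init_message]
        call qword ptr [_puts]
        pop rdi
        ret
    """)
    elf.add_init_function("new_init_function")

    # Hook function_2: the 11-byte prologue at 0x40068C..0x400697 is replaced
    # by a call to export_function followed by the re-emitted prologue, with
    # the original lea target swapped for '_commandline'.
    # NOTE(review): the call runs before 'push rbp', so rsp is 8 mod 16 when
    # export_function is entered; fine unless it performs aligned SSE stores --
    # confirm against the library.
    elf.patch_code(fromwhere=0x40068C,
                   towhere=0x400697,
                   label='patch_40068C',
                   code="""
                        call qword ptr [_export_function]
                        push rbp
                        mov rbp, rsp
                        lea rdi, [_commandline]
                        """)
    # '/bin/sh' is consumed as a C string by the call sites above and below.
    # The other string blobs in this fixture carry an explicit terminator;
    # without one, the callee keeps reading into whatever add_data() lays out
    # next in the segment.
    elf.add_data('_commandline', '/bin/sh\x00')

    # .text:00000000004006E2    lea     rdi, aParent    ; "parent"
    # .text:00000000004006E9    call    _puts
    # .text:00000000004006EE    lea     rax, function_3
    # Insert before the call so puts() receives the string shifted by one byte.
    elf.insert_code(where=0x4006e9,
                    label="patch_4006e9",
                    code="""
    add rdi, 1  # rdi -> "arent"
    """,
                    nbound=0x4006ee)

    # .text:0000000000400678    lea     rdi, a255s      ; "%255s"
    # .text:000000000040067F    mov     eax, 0
    # Replace the scanf-format load with a call on '_commandline' and an early
    # return of 0.  0x400540 is an absolute address inside the target binary
    # (presumably a PLT stub); it is not verifiable from this fixture -- keep it
    # in sync with the binary under test.
    elf.insert_code(where=0x400678,
                    label="patch_400678",
                    code="""
    lea rdi, [_commandline]
    call 0x400540
    xor rax, rax
    leave
    ret
    """,
                    nbound=0x40067f)

    # Import a libc function with no explicit library argument.
    elf.add_imported_symbol('getpid', '_getpid')

    # Code/data cross references: each entry block references labels defined
    # both earlier and later ('global_data2222' and '_getppid' are only added
    # below), so this doubles as a forward-reference test.
    elf.add_data('global_data', 'A' * 0x20)

    # x64 has problems with direct addressing -- these memory operands must be
    # rewritten to RIP-relative form by the library.
    elf.add_code(
        'entry1', """
                 mov rax, [global_data2222]
                 mov rbx, [entry2]
                 mov rax, [_getpid]
                 """)

    elf.add_code(
        'entry2', """
                 mov rax, [global_data]
                 mov rbx, [entry1]
                 mov rcx, [_getpid]
                 """)

    elf.add_data('global_data2222', 'B' * 0x20)

    elf.add_code(
        'entry3', """
                 lea rcx, [global_data2222]
                 mov rax, [global_data2222]
                 mov rbx, [entry1]
                 mov rcx, [entry2]
                 mov rcx, [entry3]
                 mov rcx, [_getppid]
                 """)

    elf.add_imported_symbol('getppid', '_getppid')

    elf.add_code(
        'entry4', """
                 mov rcx, [_getppid]
                 """)

    elf.save(outfile)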
def test_386(infile, outfile):
    """Exercise the i386 patching API on ``infile`` and save the result to ``outfile``.

    Mirrors the x86-64 fixture for the 32-bit ABI (cdecl: arguments pushed on
    the stack, caller pops them).  Library/symbol import, data and pointer
    emission, init-array routines, TLS .bss reservations, in-place patching,
    code insertion and forward-referenced labels are each driven once.  The
    absolute addresses are tied to the specific test binary this fixture was
    written against.

    Args:
        infile: path of the i386 ELF to rewrite.
        outfile: path the patched ELF is written to.
    """
    target = ELF(infile)

    def add_init_routine(label, asm):
        # Register an assembly snippet under `label` and enqueue it in .init_array.
        target.add_code(label, asm)
        target.add_init_function(label)

    # External shared object and one symbol from it.
    target.add_imported_library('lib_x86_library.so')
    target.add_imported_symbol('export_function', '_export_function',
                               'lib_x86_library.so')

    # Thread-local .bss reservations: (label, size in bytes, offset label).
    for tls_label, tls_size, tls_offset_label in (
        ('tls_bss_long', 0x4, 'tls_bss_long_offset'),
        ('tls_bss_char_array', 0x100, 'tls_bss_char_array_offset'),
    ):
        target.add_tls_bss_data(tls_label, tls_size, tls_offset_label)

    # NUL-terminated blob, a pointer to it, and an init routine that prints
    # the blob through the pointer (checks add_pointer() relocation).
    target.add_data('constdata', 'C' * 5 + '\x00')
    target.add_pointer('constdata_pointer', 'constdata')
    add_init_routine(
        'pointer_verifier', """
        mov eax, dword ptr [constdata_pointer]
        push eax
        call dword ptr [_puts]
        add esp, 4
        ret
    """)

    # '_puts' is imported after pointer_verifier already referenced it; labels
    # are resolved at save() time.
    target.add_imported_symbol('puts', '_puts')
    target.add_data('init_message', 'Hello From Init Array\x00')
    add_init_routine(
        "new_init_function", """
        push edi
        lea edi, byte ptr [init_message]
        push edi
        call dword ptr [_puts]
        add esp, 4
        pop edi
        ret
    """)

    # Hook function_2: the prologue at 0x0804857C..0x08048583 is re-emitted
    # behind a call to export_function.
    target.patch_code(fromwhere=0x0804857C,
                      towhere=0x08048583,
                      label='patch_804857C',
                      code="""
                        call dword ptr[_export_function]
                        push ebp
                        mov ebp, esp
                        push ebx
                        sub esp, 4
                        """)

    # .text:0804860B    lea     eax, (aParent - 804A000h)[ebx] ; "parent"
    # .text:08048611    push    eax             ; s
    # .text:08048612    call    _puts
    # .text:08048617    add     esp, 10h
    # Inserted before the push so puts() sees the string shifted by one byte.
    target.insert_code(where=0x08048611,
                       label="patch_08048611",
                       code="""
    add eax, 1  # eax -> "arent"
    """,
                       nbound=0x08048617)

    # libc import without an explicit library argument.
    target.add_imported_symbol('getpid', '_getpid')

    # Code/data cross references, including labels that are only defined
    # further down ('global_data2222', '_getppid').
    target.add_data('global_data', 'A' * 0x20)

    target.add_code(
        'entry1', """
                 mov eax, [global_data2222]
                 mov ebx, [entry2]
                 mov ecx, [_getpid]
                 """)

    target.add_code(
        'entry2', """
                 mov eax, [global_data]
                 mov ebx, [entry1]
                 mov ecx, [_getpid]
                 """)

    target.add_data('global_data2222', 'B' * 0x20)

    target.add_code(
        'entry3', """
                 mov eax, [global_data2222]
                 mov ebx, [entry1]
                 mov ebx, [entry2]
                 mov ebx, [entry3]
                 mov ecx, [_getppid]
                 """)

    target.add_imported_symbol('getppid', '_getppid')

    target.add_code(
        'entry4', """
                 mov ecx, [_getppid]
                 """)

    target.save(outfile)