#!/usr/bin/python

# written by sqall
# twitter: https://twitter.com/sqall01
# blog: http://blog.h4des.org
# github: https://github.com/sqall01
#
# Licensed under the GNU Public License, version 2.

from ctypes import c_uint
from ZwoELF import ElfParser

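# Input binary and the path the patched copy is written to. Both are
# hard-coded on purpose: this is the minimal ZwoELF demo (the CLI variant
# of the same patch takes them from argv).
x86File = "simple"
outputFile = "modified_simple"

elfFile = ElfParser(x86File)

# Locate the JMP_SLOT relocation for printf and poison the st_value of its
# dynamic-symbol entry with a recognisable marker (0x41414141 == "AAAA").
# For an imported symbol the loader binds the call through the relocation
# entry, not through st_value, so the patched binary is expected to keep
# running while tools that trust st_value display a bogus address
# (anti-analysis demo) -- confirm on the target before relying on it.
jmpRelEntry = elfFile.getJmpRelEntryByName("printf")
if jmpRelEntry is None:
    # Explicit failure instead of the opaque AttributeError the original
    # raised if the lookup reports a missing symbol by returning None.
    raise SystemExit("no jump relocation entry for 'printf' in %s" % x86File)
jmpRelEntry.symbol.ElfN_Sym.st_value = 0x41414141

elfFile.writeElf(outputFile)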
import sys
import os
from ctypes import c_uint
from ZwoELF import ElfParser, SH_type, SH_flags

# remove original ".got.plt" and ".plt" section and move them
# to the ".text" section
# analysis tools like IDA 6.1.x and gdb try to read information
# from these sections and then show misleading information; for
# example gdb shows PLT information when analyzing code in the
# .text section, or calls to external functions are not resolved
# (even when IDA 6.1.x uses segments instead of sections the
# external functions are not resolved)

# Parse the test binary. The PLT-related sections are dropped here and, in
# the loop that follows, re-created on top of .text so that section-driven
# tools (IDA 6.1.x, gdb) are presented with overlapping, inconsistent PLT
# information.
testFile = ElfParser("x86_test_binaries/ls")

# Strip the original PLT-related sections (names must match exactly).
testFile.deleteSectionByName(".got.plt")
testFile.deleteSectionByName(".plt")

# Work on a snapshot of the section list: the loop below is expected to add
# sections, so it must not iterate the live list it is mutating.
tempList = list(testFile.sections)

# iterate over sections
for section in tempList:

    # when ".text" section was found, create two new sections
    # (".got.plt" and ".plt") with the same boundaries
    # this means that ".text", ".got.plt" and ".plt" overlap which
    # confuses analysis tools like IDA 6.1.x and gdb
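# Command line: <input file> <output file>. Only a missing argument is a
# usage error; a bare except would also swallow SystemExit/KeyboardInterrupt.
try:
    inputFile = sys.argv[1]
    outputFile = sys.argv[2]
except IndexError:
    print('usage: {} <input file> <output file>'.format(sys.argv[0]))
    print('')
    sys.exit(1)

# CHANGE HERE WHAT YOU WANT TO EXCHANGE
# list of symbols to replace [(oldsymbol, newsymbol)]
# Each pair (old, new) presumably renames an imported symbol in the forged
# dynamic string table, so the loader binds the import under the new name.
# NOTE(review): the new names have to be resolvable by the loader or the
# patched binary will not start -- confirm against the target libc.
#symbolsToReplace = [("__libc_start_main", "__libc_foo"), ("malloc", "flux")]
symbolsToReplace = [("printf", "fputs"), ("system", "printf"),
                    ("strncmp", "strcmp")]

parsedFile = ElfParser(inputFile)

# The forged dynamic string table is appended behind the executable PT_LOAD
# segment, so pick that one. If several segments match, the last one wins
# (that is the original selection rule and is kept unchanged).
segmentToExtend = None
for segment in parsedFile.segments:
    if (segment.elfN_Phdr.p_type == P_type.PT_LOAD
            and (segment.elfN_Phdr.p_flags & P_flags.PF_X) == P_flags.PF_X):
        segmentToExtend = segment
if segmentToExtend is None:
    # Fail with a non-zero status: the original exited with 0 here, which
    # let callers and scripts believe the rewrite had succeeded.
    print("No loadable segment was found.")
    sys.exit(1)

# get dynamic string section
dynStrSection = None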
for section in parsedFile.sections:
#
# Licensed under the GNU Public License, version 2.

import sys
from ctypes import c_uint
from ZwoELF import ElfParser

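# Command line: <input file> <output file>. Only a missing argument is a
# usage error; a bare except would also swallow SystemExit/KeyboardInterrupt.
try:
    inputFile = sys.argv[1]
    outputFile = sys.argv[2]
except IndexError:
    print('usage: {} <input file> <output file>'.format(sys.argv[0]))
    sys.exit(1)

print("Manipulating: %s" % inputFile)
test = ElfParser(inputFile)

# NOTE(review): segments[2] is assumed to be the executable PT_LOAD segment
# of a typical gcc-built x86 binary; confirm for other layouts, or select the
# segment by p_type/p_flags instead of by index.
freeSpace = test.getFreeSpaceAfterSegment(test.segments[2])
print("Free space: %d Bytes " % freeSpace)

# get original entry point
originalEntry = test.header.e_entry

# Filler to append to the segment: one byte short of the free space, all
# 0x41 ("A") so it is easy to spot in a hex dump. Empty when there is no room.
dummyData = ["\x41"] * (freeSpace - 1)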
#manipulatedSegment, newDataOffset, newDataMemoryAddr
# = test.appendDataToExecutableSegment(dummyData,
# addNewSection=True, newSectionName=".blahblub")
#!/usr/bin/python

# written by sqall
# twitter: https://twitter.com/sqall01
# blog: http://blog.h4des.org
# github: https://github.com/sqall01
#
# Licensed under the GNU Public License, version 2.

from ctypes import c_uint
from ZwoELF import ElfParser


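# Input binary and the path the patched copy is written to. Both are
# hard-coded on purpose: this is the minimal ZwoELF demo (the CLI variant
# of the same patch takes them from argv).
x86File = "simple"
outputFile = "modified_simple"

elfFile = ElfParser(x86File)

# Locate the JMP_SLOT relocation for printf and poison the st_value of its
# dynamic-symbol entry with a recognisable marker (0x41414141 == "AAAA").
# For an imported symbol the loader binds the call through the relocation
# entry, not through st_value, so the patched binary is expected to keep
# running while tools that trust st_value display a bogus address
# (anti-analysis demo) -- confirm on the target before relying on it.
jmpRelEntry = elfFile.getJmpRelEntryByName("printf")
if jmpRelEntry is None:
    # Explicit failure instead of the opaque AttributeError the original
    # raised if the lookup reports a missing symbol by returning None.
    raise SystemExit("no jump relocation entry for 'printf' in %s" % x86File)
jmpRelEntry.symbol.ElfN_Sym.st_value = 0x41414141

elfFile.writeElf(outputFile)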
    outputFile = sys.argv[2]
except:
    print('usage: {} [--seed <int>] <input file> <output file>'.format(
        sys.argv[0]))
    print('')
    print(
        '       --seed <integer>: seed rng with constant (for deterministic results)'
    )
    sys.exit(1)

# the added sections can be used to confuse analysis tools
# for example IDA 6.1.x tries to analyze all sections and it takes a
# lot of time until the file is loaded
# (to circumvent this, just ignore sections and use segments)

# Parse the input binary. The loop that follows walks a snapshot of its
# sections (it is expected to add sections, so it must not iterate the live
# list) and presumably collects in allowedSections the areas that new
# sections may safely overlap without tripping IDA's consistency checks.
testFile = ElfParser(inputFile)

# Snapshot of the current sections, and the accumulator for permitted ones.
tempList = list(testFile.sections)
allowedSections = []

for section in tempList:

    # IDA 6.1.x throws error when section uses ".dynsym" area:
    # "Bad file structure or read error (line xxxx). Continue?"
    # and "Redeclared 'Dynamic symbol string table' section"
    # and "Relocation to non-code/data/bss section. Skip?"
    # and "Relocation to illegal symbol table. Skip?"

    # IDA 6.1.x throws error when section uses ".dynstr" area:
    # "Bad file structure or read error (line xxxx). Continue?"
    # and "Redeclared 'Dynamic symbol string table' section"
#!/usr/bin/python

# written by sqall
# twitter: https://twitter.com/sqall01
# blog: http://blog.h4des.org
# github: https://github.com/sqall01
#
# Licensed under the GNU Public License, version 2.

import sys
from ctypes import c_uint
from ZwoELF import ElfParser

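# Command line: <input file> <output file>. Only a missing argument is a
# usage error; a bare except would also swallow SystemExit/KeyboardInterrupt.
try:
    inputFile = sys.argv[1]
    outputFile = sys.argv[2]
except IndexError:
    print('usage: {} <input file> <output file>'.format(sys.argv[0]))
    sys.exit(1)

elfFile = ElfParser(inputFile)

# Poison the st_value of strlen's dynamic-symbol entry (found via its
# JMP_SLOT relocation) with the marker 0x41414141 ("AAAA"). For an imported
# symbol the loader binds the call through the relocation entry rather than
# st_value, so the patched binary is expected to keep running while tools
# that trust st_value display a bogus address -- confirm on the target.
jmpRelEntry = elfFile.getJmpRelEntryByName("strlen")
if jmpRelEntry is None:
    # Explicit error instead of the opaque AttributeError the original
    # raised if the lookup reports a missing symbol by returning None.
    print("No jump relocation entry for 'strlen' in %s" % inputFile)
    sys.exit(1)
jmpRelEntry.symbol.ElfN_Sym.st_value = 0x41414141

elfFile.writeElf(outputFile)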
#!/usr/bin/python

# written by sqall
# twitter: https://twitter.com/sqall01
# blog: http://blog.h4des.org
# github: https://github.com/sqall01
#
# Licensed under the GNU Public License, version 2.

import sys
from ctypes import c_uint
from ZwoELF import ElfParser

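# Command line: <input file> <output file>. Only a missing argument is a
# usage error; a bare except would also swallow SystemExit/KeyboardInterrupt.
try:
	inputFile = sys.argv[1]
	outputFile = sys.argv[2]
except IndexError:
	print('usage: {} <input file> <output file>'.format(sys.argv[0]))
	sys.exit(1)


elfFile = ElfParser(inputFile)

# Poison the st_value of strlen's dynamic-symbol entry (found via its
# JMP_SLOT relocation) with the marker 0x41414141 ("AAAA"). For an imported
# symbol the loader binds the call through the relocation entry rather than
# st_value, so the patched binary is expected to keep running while tools
# that trust st_value display a bogus address -- confirm on the target.
jmpRelEntry = elfFile.getJmpRelEntryByName("strlen")
if jmpRelEntry is None:
	# Explicit error instead of the opaque AttributeError the original
	# raised if the lookup reports a missing symbol by returning None.
	print("No jump relocation entry for 'strlen' in %s" % inputFile)
	sys.exit(1)
jmpRelEntry.symbol.ElfN_Sym.st_value = 0x41414141

elfFile.writeElf(outputFile)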
import sys
from ctypes import c_uint
from ZwoELF import ElfParser


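# Command line: <input file> <output file>. Only a missing argument is a
# usage error; a bare except would also swallow SystemExit/KeyboardInterrupt.
try:
	inputFile = sys.argv[1]
	outputFile = sys.argv[2]
except IndexError:
	print('usage: {} <input file> <output file>'.format(sys.argv[0]))
	sys.exit(1)


print("Manipulating: %s" % inputFile)
test = ElfParser(inputFile)

# NOTE(review): segments[2] is assumed to be the executable PT_LOAD segment
# of a typical gcc-built x86 binary; confirm for other layouts, or select the
# segment by p_type/p_flags instead of by index.
freeSpace = test.getFreeSpaceAfterSegment(test.segments[2])
print("Free space: %d Bytes " % freeSpace)

# get original entry point
originalEntry = test.header.e_entry


# Filler to append to the segment: one byte short of the free space, all
# 0x41 ("A") so it is easy to spot in a hex dump. Empty when there is no room.
dummyData = ["\x41"] * (freeSpace-1)

# Append the filler behind the executable segment; the library reports where
# it landed in the file and in memory.
# NOTE(review): outputFile is parsed above but nothing in this excerpt
# writes the patched ELF -- confirm the write step is not missing.
manipulatedSegment, newDataOffset, newDataMemoryAddr \
	= test.appendDataToExecutableSegment(dummyData)

print("Offset of new data: 0x%x" % newDataOffset)
print("Virtual memory addr of new data: 0x%x" % newDataMemoryAddr)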
#
# Licensed under the GNU Public License, version 2.

import sys
from ctypes import c_uint
from ZwoELF import ElfParser

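# Command line: <input file> <output file>. Only a missing argument is a
# usage error; a bare except would also swallow SystemExit/KeyboardInterrupt.
try:
    inputFile = sys.argv[1]
    outputFile = sys.argv[2]
except IndexError:
    print('usage: {} <input file> <output file>'.format(sys.argv[0]))
    sys.exit(1)

print("Manipulating: %s" % inputFile)
test = ElfParser(inputFile)

# NOTE(review): segments[2] is assumed to be the executable PT_LOAD segment
# of a typical gcc-built x86 binary; confirm for other layouts, or select the
# segment by p_type/p_flags instead of by index.
freeSpace = test.getFreeSpaceAfterSegment(test.segments[2])
print("Free space: %d Bytes " % freeSpace)

# get original entry point
originalEntry = test.header.e_entry

# Filler to append to the segment: one byte short of the free space, all
# 0x41 ("A") so it is easy to spot in a hex dump. Empty when there is no room.
dummyData = ["\x41"] * (freeSpace - 1)

# Append the filler behind the executable segment; the library reports where
# it landed in the file and in memory.
# NOTE(review): outputFile is parsed above but nothing in this excerpt
# writes the patched ELF -- confirm the write step is not missing.
manipulatedSegment, newDataOffset, newDataMemoryAddr \
    = test.appendDataToExecutableSegment(dummyData)

print("Offset of new data: 0x%x" % newDataOffset)
print("Virtual memory addr of new data: 0x%x" % newDataMemoryAddr)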
# written by sqall
# twitter: https://twitter.com/sqall01
# blog: http://blog.h4des.org
# github: https://github.com/sqall01
#
# Licensed under the GNU Public License, version 2.

from ctypes import c_uint
from ZwoELF import ElfParser

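# Binary to patch; hard-coded in this demo (the CLI variants take it from
# argv).
x86File = "ls"


print("Manipulating: %s" % x86File)
test = ElfParser(x86File)

# NOTE(review): segments[2] is assumed to be the executable PT_LOAD segment
# of a typical gcc-built x86 binary; confirm for other layouts, or select the
# segment by p_type/p_flags instead of by index.
freeSpace = test.getFreeSpaceAfterSegment(test.segments[2])
print("Free space: %d Bytes " % freeSpace)

# get original entry point
originalEntry = test.header.e_entry


# Filler to append to the segment: one byte short of the free space, all
# 0x41 ("A") so it is easy to spot in a hex dump. Empty when there is no room.
# (Same construction as the sibling examples instead of an append loop.)
dummyData = ["\x41"] * (freeSpace - 1)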

#manipulatedSegment, newDataOffset, newDataMemoryAddr
# = test.appendDataToExecutableSegment(dummyData,
from ctypes import c_uint
from ZwoELF import ElfParser, SH_type, SH_flags


# remove original ".got.plt" and ".plt" section and move them
# to the ".text" section
# analysis tools like IDA 6.1.x and gdb try to read information
# from these sections and then show misleading information; for
# example gdb shows PLT information when analyzing code in the
# .text section, or calls to external functions are not resolved
# (even when IDA 6.1.x uses segments instead of sections the
# external functions are not resolved)


# Parse the test binary. The PLT-related sections are dropped here and, in
# the loop that follows, re-created on top of .text so that section-driven
# tools (IDA 6.1.x, gdb) are presented with overlapping, inconsistent PLT
# information.
testFile = ElfParser("x86_test_binaries/ls")

# Strip the original PLT-related sections (names must match exactly).
testFile.deleteSectionByName(".got.plt")
testFile.deleteSectionByName(".plt")

# Work on a snapshot of the section list: the loop below is expected to add
# sections, so it must not iterate the live list it is mutating.
tempList = list(testFile.sections)

# iterate over sections
for section in tempList:

	# when ".text" section was found, create two new sections
	# (".got.plt" and ".plt") with the same boundaries
	# this means that ".text", ".got.plt" and ".plt" overlap which
	# confuses analysis tools like IDA 6.1.x and gdb
#!/usr/bin/python

# written by sqall
# twitter: https://twitter.com/sqall01
# blog: http://blog.h4des.org
# github: https://github.com/sqall01
#
# Licensed under the GNU Public License, version 2.

from ctypes import c_uint
from ZwoELF import ElfParser
import sys

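# Command line: <input file>. Only a missing argument is a usage error; a
# bare except would also swallow SystemExit/KeyboardInterrupt.
try:
    inputFile = sys.argv[1]
except IndexError:
    print('usage: {} <input file>'.format(sys.argv[0]))
    sys.exit(1)

# Parse the file and dump its ELF structures as ZwoELF sees them.
test = ElfParser(inputFile)
test.printElf()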
# list of symbols to replace [(oldsymbol, newsymbol)]
#symbolsToReplace = [("__libc_start_main", "__libc_foo"), ("malloc", "flux")]
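# Each pair (old, new) presumably renames an imported symbol in the forged
# dynamic string table, so the loader binds the import under the new name.
# NOTE(review): the new names have to be resolvable by the loader or the
# patched binary will not start -- confirm against the target libc.
symbolsToReplace = [("printf", "fputs"), ("system", "printf"),
	("strncmp", "strcmp")]


parsedFile = ElfParser(inputFile)

# The forged dynamic string table is appended behind the executable PT_LOAD
# segment, so pick that one. If several segments match, the last one wins
# (that is the original selection rule and is kept unchanged).
segmentToExtend = None
for segment in parsedFile.segments:
	if (segment.elfN_Phdr.p_type == P_type.PT_LOAD and
		(segment.elfN_Phdr.p_flags & P_flags.PF_X) == P_flags.PF_X):
		segmentToExtend = segment
if segmentToExtend is None:
	# Fail with a non-zero status: the original exited with 0 here, which
	# let callers and scripts believe the rewrite had succeeded.
	print("No loadable segment was found.")
	sys.exit(1)

# get dynamic string section
dynStrSection = None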
for section in parsedFile.sections:
#!/usr/bin/python

# written by sqall
# twitter: https://twitter.com/sqall01
# blog: http://blog.h4des.org
# github: https://github.com/sqall01
#
# Licensed under the GNU Public License, version 2.

from ctypes import c_uint
from ZwoELF import ElfParser
import sys


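# Command line: <input file>. Print a usage line and exit non-zero instead of
# the bare IndexError traceback the original produced when the argument was
# missing (same handling as the sibling printElf example).
try:
    x86File = sys.argv[1]
except IndexError:
    print('usage: {} <input file>'.format(sys.argv[0]))
    sys.exit(1)


# Parse the file and dump its ELF structures as ZwoELF sees them.
test = ElfParser(x86File)
test.printElf()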
# Licensed under the GNU Public License, version 2.

import sys
import os
from ctypes import c_uint
from ZwoELF import ElfParser, SH_type, SH_flags
import random


# the added sections can be used to confuse analysis tools
# for example IDA 6.1.x tries to analyze all sections and it takes a
# lot of time until the file is loaded
# (to circumvent this, just ignore sections and use segments)


# Parse the test binary. The loop that follows walks a snapshot of its
# sections (it is expected to add sections, so it must not iterate the live
# list) and presumably collects in allowedSections the areas that new
# sections may safely overlap without tripping IDA's consistency checks.
testFile = ElfParser("x86_test_binaries/ls")


# Snapshot of the current sections, and the accumulator for permitted ones.
tempList = list(testFile.sections)
allowedSections = []

for section in tempList:

	# IDA 6.1.x throws error when section uses ".dynsym" area:
	# "Bad file structure or read error (line xxxx). Continue?"
	# and "Redeclared 'Dynamic symbol string table' section"
	# and "Relocation to non-code/data/bss section. Skip?"
	# and "Relocation to illegal symbol table. Skip?"

	# IDA 6.1.x throws error when section uses ".dynstr" area:
	# "Bad file structure or read error (line xxxx). Continue?"
#!/usr/bin/python

# written by sqall
# twitter: https://twitter.com/sqall01
# blog: http://blog.h4des.org
# github: https://github.com/sqall01
#
# Licensed under the GNU Public License, version 2.

from ZwoELF import ElfParser
from idautils import *

# Path of the binary currently open in IDA, re-parsed with ZwoELF so the
# jump-relocation entries are read from the file itself rather than from
# IDA's (possibly confused) section view.
currentFile = GetInputFilePath()
elfFile = ElfParser(currentFile)

# rename all symbols from the jump entries in ida
for jmpRelEntry in elfFile.jumpRelocationEntries:
    name = jmpRelEntry.symbol.symbolName

    print "Add references for symbol: %s (0x%x)" % (name, jmpRelEntry.r_offset)
    MakeRptCmt(jmpRelEntry.r_offset, "%s (restored by script)" % name)
    dataRefs = DataRefsTo(jmpRelEntry.r_offset)

    # get address of the data reference (usually there is only one reference)
    address = list(dataRefs)[0]

    # rename address
    MakeName(address, name + "__restored")