catalog
1. INTRODUCTION 2. THE PROCESS IMAGE 3. THE CORE IMAGE 4. EXECUTABLE RECONSTRUCTION 5. FAILURES IN RECONSTRUCTION 6. USES OF RECONSTRUCTION 7. Helper Tools 8. Code For New Linux Kernel
1. INTRODUCTION
This article documents the results from experimenting with binary reconstruction of an ELF executable given a core dump or snapshot of the process image.
Rebuilding a binary file from a memory process allow us to recover a file modified in run time or deciphered, and also recover if it's being executed but never was saved in the system, preventing from data contraception and information missing in further analysis.
Relevant Link:
http://repo.hackerzvoice.net/depot_ouah/core-reconstruction.txt
2. THE PROCESS IMAGE
In summary, a core image is a dump of the process image at dump time. The process image contains a number of loadable program segments or virtual memory regions. In an ELF binary these are referred to by program headers and in the Linux kernel they are referred to as vm_area_struct's.
The actual core dump is a dump of the vm_area_struct's but these correspond to the program headers of the executable and shared libraries used to create the process image.
In Linux, a group of vm_area_struct's are referred to as a memory map or as a map in the proc file system. A typical map is given below for a program using libc.
[root@iZ23lobjjltZ ~]# cat /proc/1694/maps //correspond to the text segments,代码段只允许读/执行 00400000-00403000 r-xp 00000000 03:01 753688 /sbin/mingetty //correspond to the data segments,数据段只允许读/写 00602000-00603000 rw-p 00002000 03:01 753688 /sbin/mingetty 1d481000-1d4a2000 rw-p 1d481000 00:00 0 [heap] 2b28bd741000-2b28bd75d000 r-xp 00000000 03:01 426185 /lib64/ld-2.5.so 2b28bd75d000-2b28bd760000 rw-p 2b28bd75d000 00:00 0 2b28bd95d000-2b28bd95e000 r--p 0001c000 03:01 426185 /lib64/ld-2.5.so 2b28bd95e000-2b28bd95f000 rw-p 0001d000 03:01 426185 /lib64/ld-2.5.so 2b28bd95f000-2b28bdaae000 r-xp 00000000 03:01 425994 /lib64/libc-2.5.so 2b28bdaae000-2b28bdcae000 ---p 0014f000 03:01 425994 /lib64/libc-2.5.so 2b28bdcae000-2b28bdcb2000 r--p 0014f000 03:01 425994 /lib64/libc-2.5.so 2b28bdcb2000-2b28bdcb3000 rw-p 00153000 03:01 425994 /lib64/libc-2.5.so 2b28bdcb3000-2b28bdcb9000 rw-p 2b28bdcb3000 00:00 0 7fffaf534000-7fffaf549000 rw-p 7ffffffe9000 00:00 0 [stack] 7fffaf5f7000-7fffaf5fa000 r-xp 7fffaf5f7000 00:00 0 [vdso] ffffffffff600000-ffffffffffe00000 ---p 00000000 00:00 0 [vsyscall]
Also notice that the memory regions only lie on page borders. All memory regions in a core dump or mapping lie on page borders. This means, that the smallest memory
region is one page long. It must also be noted that a program segment represented by a program header in an ELF binary does not have to lie on a page border, so program segments do not map one to one on virtual memory regions.
3. THE CORE IMAGE
The core image as stated above is a dump of the process image with some extra sections for registers and any useful information. In an ELF core image, the memory regions belonging to the process image as stated correspond to program segments, so a core file has a list of program headers each for each virtual memory region.
The register information and so forth is stored in a notes section in the ELF binary. To reconstruct an executable from a core dump or process image we can ignore the registers and concentrate only on the memory regions.
从本质上来说,之所以能够通过CORE IMAGE、CORE DUMP IMAGE进行ELF重建的原因在于
1. ELF文件的本次也是由很多的文件头和段(segment)组成的,只是ELF是按磁盘对齐格式存储在磁盘空间上的 2. CORE IMAGE、CORE DUMP IMAGE是进程在运行中的内存镜像的概念,和磁盘上的ELF内容是一样的,差别仅在于对齐方式不同,以及多出了一些额外的段 3. 重建ELF的过程就是从CORE IMAGE中抽取需要的区域数据,按照ELF的格式进行逐一拼接重建的过程
4. EXECUTABLE RECONSTRUCTION
To reconstruct an executable from a core dump we simply have to create the ELF execute Abel with the memory regions corresponding to the text and data segments of the core image. It must be remembered, that when loading the text segment, the ELF header and program headers are also loaded into memory (for efficiency) so we can use these for our executable image.
The executable ELF header contains such information as the true text and data segment start and size (remember the memory regions lie on page borders).
Now, if we only use the text and data segments in our reconstruction, the result executable may only work on the system it was reconstructed on. This is because the Procedure Linkage Table (PLT) may have resolved shared library functions to point to its loaded value. Moving the binary means that the library may be at a different position, or that the function may be at a different location. Thus for true, system independence, the entire image excluding the stack must be used in the reconstructed executable.
5. FAILURES IN RECONSTRUCTION
The problem with reconstruction, is that the snapshot of the process image is at runtime, not at initiation time, so its possible that the data segment which is writable may have changed values. Consider the following code
static int i = 0; int main() { if (i++) exit(0); printf("Hi\n"); }
In this instance, reconstructing the image will result in an executable that immediately exits because it relies on the initial value of the global variable 'i'.
在不能准确获取"initial value初始值"的情况下进行ELF重建,会导致重建出ELF中变量值错误
6. USES OF RECONSTRUCTION
1. copy an executable that has only execute permission on DISK ACL. 2. Computer Forensics 3. reverse engineering 4. Manipulation of a running application using code injection, hiding using ciphers or binary packers are some of the current ways to hide the code being executed from inspectors, as executed code is different than stored in disk, many malware allows the execution of a binary sent by the network from another host without writing the file to disk, hiding any clue to forensics analysts. 5. 逆向脱壳: Until this year the most hiding method used for code(malicious or not)hiding was the packing/cyphering one. During execution time, the original code/file should be rebuilt in disk,in memory, or where the unpacker/uncypher should need. The disk file still remains ciphered hiding it's content. 6. 无磁盘文件木马/恶意程序: To avoid disk data written and Host IDS detection, several ways are being used until now. Injecting binary code right in a running process is one of them. In a forensics analysis some checks to the original file signature(or MD5,or whatever)my fail,warning about binary content manipulation. If this code only resides in memory, the disk scan will never show its presence. 7. Userland Remote Exec: as a way to execute files downloaded from a remote host without write them to disk.
Creating the core dump is easy by sending the process a SIGSEGV or alternately, the image may be copied from the process image in the proc filesystem.
1. ulimit -a /* core file size (blocks, -c) 0,如果core文件大小设置为0,则需要打开core dump设置 Linux下的C程序常常会因为内存访问错误等原因造成segment fault(段错误),此时如果系统core dump功能是打开的,那么将会有内存映像转储到硬盘上来,之后可以用gdb对core文件进行分析,还原系统发生段错误时刻的堆栈情况。这对于我们发现程序bug很有帮助 */ 2. ulimit -c unlimited: 不限制core文件大小 /* 很多系统默认的core文件大小都是0,我们可以通过在shell的启动脚本/etc/bashrc或者~/.bashrc等地方来加入 ulimit -c 命令来指定core文件大小,从而确保core文件能够生成 */ 3. kill -SIGSEGV 25953 4. ./core_reconstruct core.25953
an exhaustive analysis should be performed in them
1. Get information of a process 2. Get binary data of that process from memory 1) (per process) own process memory 2) /proc file system 3) raw access to /dev/kmem /dev/mem Raw memory access turns hard the process of information locating, as run time information may be paged or swapped, and some memory may be shared between processes 4) ptrace (from user space) /proc and PTRACE are the available options for the POC, By default ptrace will not attach any process if it's already being attached by another. Each process may be only attached by one parent 3. Order/clean and safe binary data in a file 4. Build an ELF header for the file to be correctly loaded 5. Adjust binary information
0x1: Get information of a process
Getting information about a process involves all data finding that could be useful when rebuilding the executable file, or finding memory location of the process, it's:
1. Dynamic linker auxiliary vector array 2. ELF signatures in memory 3. Program Headers in memory 4. task_struct and related information about the process(memory usage, memory permissions, ...) 5. In raw access and pre process: permission checks of memory maps (rwx) 6. Execution subsystems (as runtime linking, ABI register,pre-execution conditions, ..)
0x2: Get binary data of that process from memory
Once we have located that information, we need to get it from the memory.For this task we will use the interface selected earlier: /proc or ptrace. The main information we should not forget is:
1. Code and Data portions (maps) of the memory process. 2. If exists (has not been deleted) the elf and/or program headers. 3. Dynamic linking system (if it's being) used by the program. 4. Also, "state" of the process: stack and registers*
Stack and registers(state) are useful when you plan to launch the same process in another moment
0x3: Order/Clean and safe binary data in a file
Order/Clean and safe task is the simplest one. Get all the available information and remove the useless, sort the useful, and save in a secure storage.
0x4: Build an ELF header for that file to be loaded
0x5: Adjust binary information
At this point, all the information has been gathered, and the basic skeleton of the executable should be ready to use. But before finishing the reconstruction process some final steps could be performed.
As some binary data is copied from memory and glued into a binary, some offset and header information (as number of memory maps and ELF related information) need to be adjusted. Also, if it's using some system feature (let's say, runtime linking) some of the gathered information may be referred to this host linking system,
and need to be rebuilt in order to work in another environments. As the result of reconstruction we have two great caveats to resolve:
1. Elf header: The elf header is only used in the load time, so we need to setup a compatible header to load correctly all the information we have got. 2. Dynamic linking system The dynamic system relies in host library scheme, so we need to regenerate a new layout or restore the previous one to a generic usable ynamic system, it's: 1) GOT recovering 2) PLT recovering
0x6: Resume of process in steps
test_harness.c
#include <stdlib.h> int main() { for (;;) printf("Hi\n"); } //gcc test_harness.c -o test_harness
core_reconstruct.c
#include <stdio.h> #include <stdlib.h> #include <unistd.h> #include <fcntl.h> #include <elf.h> #include <stdarg.h> #include <string.h> void die(const char *fmt, ...) { va_list ap; va_start(ap, fmt); vfprintf(stderr, fmt, ap); va_end(ap); fputc('\n', stderr); exit(1); } #define PAGE_SIZE 4096 static char shstr[] = "\0" ".symtab\0" ".strtab\0" ".shstrtab\0" ".interp\0" ".hash\0" ".dynsym\0" ".dynstr\0" ".rel.got\0" ".rel.bss\0" ".rel.plt\0" ".init\0" ".plt\0" ".text\0" ".fini\0" ".rodata\0" ".data\0" ".ctors\0" ".dtors\0" ".got\0" ".dynamic\0" ".bss\0" ".comment\0" ".note" ; char *xget(int fd, int off, int sz) { char *buf; if (lseek(fd, off, SEEK_SET) < 0) die("Seek error"); buf = (char *)malloc(sz); if (buf == NULL) die("No memory"); if (read(fd, buf, sz) != sz) die("Read error"); return buf; } void do_elf_checks(Elf32_Ehdr *ehdr) { if (strncmp(ehdr->e_ident, ELFMAG, SELFMAG)) die("File not ELF"); if (ehdr->e_type != ET_CORE) die("ELF type not ET_CORE"); if (ehdr->e_machine != EM_386 && ehdr->e_machine != EM_860 && ehdr->e_machine != EM_X86_64) die("ELF machine type not EM_386 or EM_860 or EM_X86_64"); if (ehdr->e_version != EV_CURRENT) die("ELF version not current"); } int main(int argc, char *argv[]) { Elf32_Ehdr ehdr, *core_ehdr; Elf32_Phdr *phdr, *core_phdr, *tmpphdr; Elf32_Shdr shdr; char *core; char *data[2], *core_data[3]; int prog[2], core_prog[3]; int in, out; int i, p; int plen; if (argc > 2) die("usage: %s [core-file]"); if (argc == 2) core = argv[1]; else core = "core"; in = open(core, O_RDONLY); if (in < 0) die("Coudln't open file: %s", core); if (read(in, &ehdr, sizeof(ehdr)) != sizeof(ehdr)) die("Read error"); //检查CORE IMAGE的镜像头部 do_elf_checks(&ehdr); if (lseek(in, ehdr.e_phoff, SEEK_SET) < 0) die("Seek error"); phdr = (Elf32_Phdr *)malloc(plen = sizeof(Elf32_Phdr)*ehdr.e_phnum); if (read(in, phdr, plen) != plen) die("Read error"); for (i = 0; i < ehdr.e_phnum; i++) printf("0x%x - 0x%x (%i)\n", phdr[i].p_vaddr, phdr[i].p_vaddr + phdr[i].p_memsz, phdr[i].p_memsz); /* copy segments (in memory) prog/data[0] ... text prog/data[1] ... data prog/data[2] ... dynamic */ for (i = 0, p = 0; i < ehdr.e_phnum; i++) { if ( phdr[i].p_vaddr >= 0x8000000 && phdr[i].p_type == PT_LOAD ) { prog[p] = i; if (p == 1) break; ++p; } } if (i == ehdr.e_phnum) die("Couldnt find TEXT/DATA"); for (i = 0; i < 2; i++) data[i] = xget( in, phdr[prog[i]].p_offset, (phdr[prog[i]].p_memsz + 4095) & 4095 ); core_ehdr = (Elf32_Ehdr *)&data[0][0]; core_phdr = (Elf32_Phdr *)&data[0][core_ehdr->e_phoff]; for (i = 0, p = 0; i < core_ehdr->e_phnum; i++) { if (core_phdr[i].p_type == PT_LOAD) { core_prog[p] = i; if (p == 0) { core_data[0] = &data[0][0]; } else { core_data[1] = &data[1][(core_phdr[i].p_vaddr & 4095)]; break; } ++p; } } if (i == core_ehdr->e_phnum) die("No TEXT and DATA segment"); for (i = 0; i < core_ehdr->e_phnum; i++) { if (core_phdr[i].p_type == PT_DYNAMIC) { core_prog[2] = i; core_data[2] = &data[1][64]; break; } } if (i == core_ehdr->e_phnum) die("No DYNAMIC segment"); out = open("a.out", O_WRONLY | O_CREAT | O_TRUNC); if (out < 0) die("Coudln't open file: %s", "a.out"); core_ehdr->e_shoff = core_phdr[core_prog[2]].p_offset + core_phdr[core_prog[2]].p_filesz + sizeof(shstr); /* text data bss dynamic shstrtab */ core_ehdr->e_shnum = 6; core_ehdr->e_shstrndx = 5; for (i = 0; i < 2; i++) { Elf32_Phdr *p = &core_phdr[core_prog[i]]; int sz = p->p_filesz; if (lseek(out, p->p_offset, SEEK_SET) < 0) goto cleanup; if (write(out, core_data[i], sz) != sz) goto cleanup; } if (write(out, shstr, sizeof(shstr)) != sizeof(shstr)) goto cleanup; memset(&shdr, 0, sizeof(shdr)); if (write(out, &shdr, sizeof(shdr)) != sizeof(shdr)) goto cleanup; /* text section */ tmpphdr = &core_phdr[core_prog[0]]; shdr.sh_name = 95; shdr.sh_type = SHT_PROGBITS; shdr.sh_addr = tmpphdr->p_vaddr; shdr.sh_offset = 0; shdr.sh_size = tmpphdr->p_filesz; shdr.sh_flags = SHF_ALLOC | SHF_EXECINSTR; shdr.sh_link = 0; shdr.sh_info = 0; shdr.sh_addralign = 16; shdr.sh_entsize = 0; if (write(out, &shdr, sizeof(shdr)) != sizeof(shdr)) goto cleanup; /* data section */ tmpphdr = &core_phdr[core_prog[1]]; shdr.sh_name = 115; shdr.sh_type = SHT_PROGBITS; shdr.sh_addr = tmpphdr->p_vaddr; shdr.sh_offset = tmpphdr->p_offset; shdr.sh_size = tmpphdr->p_filesz; shdr.sh_flags = SHF_ALLOC | SHF_WRITE; shdr.sh_link = 0; shdr.sh_info = 0; shdr.sh_addralign = 4; shdr.sh_entsize = 0; if (write(out, &shdr, sizeof(shdr)) != sizeof(shdr)) goto cleanup; /* dynamic section */ for (i = 0; i < core_ehdr->e_phnum; i++) { if (core_phdr[i].p_type == PT_DYNAMIC) { tmpphdr = &core_phdr[i]; break; } } shdr.sh_name = 140; shdr.sh_type = SHT_PROGBITS; shdr.sh_addr = tmpphdr->p_vaddr; shdr.sh_offset = tmpphdr->p_offset; shdr.sh_size = tmpphdr->p_memsz; shdr.sh_flags = SHF_ALLOC; shdr.sh_link = 0; shdr.sh_info = 0; shdr.sh_addralign = 4; shdr.sh_entsize = 8; if (write(out, &shdr, sizeof(shdr)) != sizeof(shdr)) goto cleanup; /* bss section */ shdr.sh_name = 149; shdr.sh_type = SHT_PROGBITS; shdr.sh_addr = tmpphdr->p_vaddr + tmpphdr->p_filesz; shdr.sh_offset = tmpphdr->p_offset + tmpphdr->p_filesz; shdr.sh_size = tmpphdr->p_memsz - tmpphdr->p_filesz; shdr.sh_flags = SHF_ALLOC; shdr.sh_link = 0; shdr.sh_info = 0; shdr.sh_addralign = 1; shdr.sh_entsize = 0; if (write(out, &shdr, sizeof(shdr)) != sizeof(shdr)) goto cleanup; /* shstrtab */ shdr.sh_name = 17; shdr.sh_type = SHT_STRTAB; shdr.sh_addr = 0; shdr.sh_offset = core_ehdr->e_shoff - sizeof(shstr); shdr.sh_size = sizeof(shstr); shdr.sh_flags = 0; shdr.sh_link = 0; shdr.sh_info = 0; shdr.sh_addralign = 1; shdr.sh_entsize = 0; if (write(out, &shdr, sizeof(shdr)) != sizeof(shdr)) goto cleanup; return 0; cleanup: unlink("a.out"); die("Error writing file: %s", "a.out"); return 1; /* not reached */ } //gcc core_reconstruct.c -o core_reconstruct
Relevant Link:
http://phrack.org/issues/63/12.html http://linux.programdevelop.com/3265456/ http://www.leviathansecurity.com/wp-content/uploads/2014_11_Ryan-ONeill_Extended-Core-Format-Snapshots.pdf http://v0ids3curity.blogspot.jp/2015/06/rebuilding-elf-from-coredump.html
7. Helper Tools
Under linux (*nix for x86 systems) several studies attempt to help analyzing the memory
1. gdb (gdb) generate-core-file 2. kill -SIGABRT //在打开ulimit开关的情况下,系统会自动生成core文件 3. There's also a kernel module for recover a burneyed binary from memory once it's deciphered
Relevant Link:
https://sourceware.org/gdb/onlinedocs/gdb/Core-File-Generation.html http://prefetch.net/blog/index.php/2006/12/21/generating-core-files-from-gdb/
8. Code For New Linux Kernel
随着Linux Kernel的修订,ELF文件格式也发生了一些变化,这直接导致了我们在进行ELF重建的时候需要遵循新版本的格式进行
0x1: core_recover.c
/* For original work, refer to ELF EXECUTABLE RECONSTRUCTION FROM A CORE IMAGE by Silvio Cesare http://repo.hackerzvoice.net/depot_ouah/core-reconstruction.txt */ #include <stdio.h> #include <stdarg.h> #include <sys/types.h> #include <sys/stat.h> #include <fcntl.h> #include <stdlib.h> #include <string.h> #include <unistd.h> #include <limits.h> #include <elf.h> static char shstr[] = "\0" ".symtab\0" ".strtab\0" ".shstrtab\0" ".interp\0" ".hash\0" ".dynsym\0" ".dynstr\0" ".rel.got\0" ".rel.bss\0" ".rel.plt\0" ".init\0" ".plt\0" ".text\0" ".fini\0" ".rodata\0" ".data\0" ".ctors\0" ".dtors\0" ".got\0" ".dynamic\0" ".bss\0" ".comment\0" ".note\0" ".eh_frame_hdr\0" ".eh_frame\0" ".init_array\0" ".fini_array\0" ".got.plt\0" ".rel.dyn\0" ".gnu.version\0" ".gnu.version_r\0" ".gnu.hash\0" ".tbss\0" ".jcr" ; int sec_index(char *sec_name) { int pos = 0; int len = 0; for (pos = 0; pos < sizeof(shstr);) { if(strcmp(sec_name, &shstr[pos]) == 0) { return pos; } else { len = strlen(&shstr[pos]); pos += len+1; } } return 0; } void die(const char *fmt, ...) { va_list ap; va_start(ap, fmt); vfprintf(stderr, fmt, ap); va_end(ap); fputc('\n', stderr); exit(1); } void do_elf_checks(Elf32_Ehdr *ehdr) { if (strncmp(ehdr->e_ident, ELFMAG, SELFMAG)) die("File not ELF"); if (ehdr->e_type != ET_CORE) die("ELF type not ET_CORE"); if (ehdr->e_machine != EM_386) die("ELF machine type not EM_386"); } char *xget(int fd, int off, size_t sz) { char *buf; if (lseek(fd, off, SEEK_SET) < 0) die("Seek error"); buf = (char *)malloc(sz); if(buf == NULL) die("malloc error"); if(read(fd, buf, sz) != sz) die("Read error"); return buf; } void cleanup() { unlink("rebuild.elf"); die("Error writing file: %s", "rebuild.elf"); } Elf32_Word find_init_size(Elf32_Addr init, Elf32_Addr pltgot, char *data) { /* search for signature PLT[0]: push GOT[1] jmp *GOT[2] nops */ typedef struct __attribute__((__packed__)) { Elf32_Half push; Elf32_Word got1; Elf32_Half jump; Elf32_Word got2; Elf32_Word mnop; } Elf32_Plt; int i = 0; Elf32_Word size = 0; Elf32_Plt *plt = (Elf32_Plt *)data; for (i = 0; i < 0xf; i++) { if (plt[i].got1 == pltgot+4 && plt[i].got2 == pltgot+8) { size = ((init & 0xfffffff0) + 16*i) - init; return size; } } return 0x23; } /* void add_section_hdr(Elf32_Word sh_name, Elf32_Word sh_type, Elf32_Word sh_flags, Elf32_Addr sh_addr, Elf32_Off sh_offset, Elf32_Word sh_size, Elf32_Word sh_link, Elf32_Word sh_info, Elf32_Word sh_addralign, Elf32_Word sh_entsize, int out) { Elf32_Shdr shdr; shdr.sh_name = sh_name; shdr.sh_type = sh_type; shdr.sh_addr = sh_addr; shdr.sh_offset = sh_offset; shdr.sh_size = sh_size; shdr.sh_flags = sh_flags; shdr.sh_link = sh_link; shdr.sh_info = sh_info; shdr.sh_addralign = sh_addralign; shdr.sh_entsize = sh_entsize; if (write(out, &shdr, sizeof(shdr)) != sizeof(shdr)) cleanup(); } */ int main(int argc, char **argv) { char *core_file; int in, out; unsigned int i, p; if (argc == 2) core_file = argv[1]; else core_file = "core"; /* for core and ELF data */ Elf32_Ehdr *ehdr, *rec_ehdr; Elf32_Phdr *phdr, *rec_phdr, *tmp_phdr; Elf32_Shdr shdr; Elf32_Dyn *dyn; int plen; int prog[3]; int rec_prog[3]; char *data[3]; char *rec_data[3]; /* for section headers */ Elf32_Addr init = 0; Elf32_Addr fini = 0; Elf32_Addr init_array = 0; Elf32_Word init_arraysz = 0; Elf32_Addr fini_array = 0; Elf32_Word fini_arraysz = 0; Elf32_Addr gnu_hash = 0; Elf32_Addr strtab = 0; Elf32_Addr symtab = 0; Elf32_Word strsz = 0; Elf32_Word syment = 0; Elf32_Addr pltgot = 0; Elf32_Word pltrelsz = 0; Elf32_Addr jmprel = 0; Elf32_Addr rel = 0; Elf32_Word relsz = 0; Elf32_Word relent = 0; Elf32_Addr verneed = 0; Elf32_Word verneednum = 0; Elf32_Addr versym = 0; /* for rebulding GOT */ Elf32_Addr pltaddress = 0; Elf32_Word gotoffset = 0; /* for section header links and info*/ Elf32_Word dynsym_index = 0; Elf32_Word dynstr_index = 0; Elf32_Word plt_index = 0; Elf32_Word interp_index = 0; Elf32_Word note_index = 0; in = open(core_file, O_RDONLY); if (in < 0) die("Coudln't open file: %s", core_file); /* details of core file */ /* read ELF header */ ehdr = (Elf32_Ehdr *)malloc(sizeof(Elf32_Ehdr)); if (ehdr == NULL) die("malloc error"); if (read(in, ehdr, sizeof(Elf32_Ehdr)) != sizeof(Elf32_Ehdr)) die("Read error"); do_elf_checks(ehdr); /* read program header */ if (lseek(in, ehdr->e_phoff, SEEK_SET) < 0) die("Seek error"); phdr = (Elf32_Phdr *)malloc(plen = sizeof(Elf32_Phdr)*ehdr->e_phnum); if (phdr == NULL) die("malloc error"); if (read(in, phdr, plen) < plen) die("Read error"); printf("[*] Program headers of CORE\n"); for(p = 0; p < ehdr->e_phnum; p++) { printf("\t0x%08x - 0x%08x\n", phdr[p].p_vaddr, phdr[p].p_vaddr+phdr[p].p_memsz); } /* details of ELF */ for (i = 0, p = 0; i < ehdr->e_phnum; i++) { if (phdr[i].p_vaddr > 0x08000000 && phdr[i].p_type == PT_LOAD) { prog[p] = i; if (p == 2) break; ++p; } } for (i = 0; i < 3; i++) { data[i] = xget(in, phdr[prog[i]].p_offset, phdr[prog[i]].p_memsz); } if (phdr[prog[2]].p_memsz > (UINT_MAX - phdr[prog[1]].p_memsz)) die("Integer error"); data[1] = realloc(data[1], phdr[prog[1]].p_memsz + phdr[prog[2]].p_memsz); if(data[1] == NULL) die("malloc error"); memcpy(data[1]+phdr[prog[1]].p_memsz, data[2], phdr[prog[2]].p_memsz); /* ELF header */ rec_ehdr = (Elf32_Ehdr *)&data[0][0]; /* program header */ rec_phdr = (Elf32_Phdr *)&data[0][rec_ehdr->e_phoff]; printf("\n[*] Program headers of ELF\n"); for (i = 0; i < rec_ehdr->e_phnum; i++) { printf("\t0x%08x - 0x%08x\n", rec_phdr[i].p_vaddr, rec_phdr[i].p_vaddr+rec_phdr[i].p_memsz); } /* fetch PT_LOAD & PT_DYNAMIC */ for (i = 0, p = 0; i < rec_ehdr->e_phnum; i++) { if (rec_phdr[i].p_type == PT_LOAD) { rec_prog[p] = i; if (p == 0) { rec_data[0] = &data[0][0]; } else { rec_data[1] = &data[1][rec_phdr[i].p_vaddr & 4095]; } ++p; } else if (rec_phdr[i].p_type == PT_DYNAMIC) { rec_prog[2] = i; rec_data[2] = &data[1][rec_phdr[i].p_vaddr & 4095]; } } /* section header info */ rec_ehdr->e_shoff = rec_phdr[rec_prog[1]].p_offset + rec_phdr[rec_prog[1]].p_filesz + sizeof(shstr); // fix shnum before closing file rec_ehdr->e_shnum = 0; rec_ehdr->e_shstrndx = 1; // open file for writing ELF out = open("rebuild.elf", O_WRONLY | O_CREAT | O_TRUNC, S_IRUSR | S_IWUSR | S_IXUSR); if (out < 0) die("Failed to open output file"); for (i = 0; i < 2; i++) { Elf32_Phdr *p = &rec_phdr[rec_prog[i]]; int sz = p->p_filesz; if (lseek(out, p->p_offset, SEEK_SET) < 0) cleanup(); if (write(out, rec_data[i], sz) != sz) cleanup(); } /* write section header names */ if (write(out, shstr, sizeof(shstr)) != sizeof(shstr)) cleanup(); /* rebuild section headers */ // NULL memset(&shdr, 0, sizeof(shdr)); if (write(out, &shdr, sizeof(shdr)) != sizeof(shdr)) cleanup(); rec_ehdr->e_shnum++; /* .shstrtab */ shdr.sh_name = sec_index(".shstrtab"); shdr.sh_type = SHT_STRTAB; shdr.sh_addr = 0; shdr.sh_offset = rec_ehdr->e_shoff - sizeof(shstr); shdr.sh_size = sizeof(shstr); shdr.sh_flags = 0; shdr.sh_link = 0; shdr.sh_info = 0; shdr.sh_addralign = 1; shdr.sh_entsize = 0; if (write(out, &shdr, sizeof(shdr)) != sizeof(shdr)) cleanup(); rec_ehdr->e_shnum++; // rebuild section headers from program header printf("\n[*] Building section headers from program headers\n"); for (i = 0; i < rec_ehdr->e_phnum; i++) { switch(rec_phdr[i].p_type) { case PT_INTERP: shdr.sh_name = sec_index(".interp"); shdr.sh_type = SHT_PROGBITS; shdr.sh_addr = rec_phdr[i].p_vaddr; shdr.sh_offset = rec_phdr[i].p_offset; shdr.sh_size = rec_phdr[i].p_filesz; shdr.sh_flags = SHF_ALLOC; shdr.sh_link = 0; shdr.sh_info = 0; shdr.sh_addralign = 1; shdr.sh_entsize = 0; if (write(out, &shdr, sizeof(shdr)) != sizeof(shdr)) cleanup(); interp_index = rec_ehdr->e_shnum; rec_ehdr->e_shnum++; break; case PT_DYNAMIC: shdr.sh_name = sec_index(".dynamic"); shdr.sh_type = SHT_DYNAMIC; shdr.sh_addr = rec_phdr[i].p_vaddr; shdr.sh_offset = rec_phdr[i].p_offset; shdr.sh_size = rec_phdr[i].p_filesz; shdr.sh_flags = SHF_ALLOC; shdr.sh_link = 0; shdr.sh_info = 0; shdr.sh_addralign = 4; shdr.sh_entsize = 8; if (write(out, &shdr, sizeof(shdr)) != sizeof(shdr)) cleanup(); rec_ehdr->e_shnum++; break; case PT_GNU_EH_FRAME: shdr.sh_name = sec_index(".eh_frame_hdr"); shdr.sh_type = SHT_PROGBITS; shdr.sh_addr = rec_phdr[i].p_vaddr; shdr.sh_offset = rec_phdr[i].p_offset; shdr.sh_size = rec_phdr[i].p_filesz; shdr.sh_flags = SHF_ALLOC; shdr.sh_link = 0; shdr.sh_info = 0; shdr.sh_addralign = 4; shdr.sh_entsize = 0; if (write(out, &shdr, sizeof(shdr)) != sizeof(shdr)) cleanup(); rec_ehdr->e_shnum++; shdr.sh_name = sec_index(".eh_frame"); shdr.sh_type = SHT_PROGBITS; shdr.sh_addr = rec_phdr[i].p_vaddr + rec_phdr[i].p_filesz; shdr.sh_offset = rec_phdr[i].p_offset + rec_phdr[i].p_filesz; shdr.sh_size = (rec_phdr[rec_prog[0]].p_vaddr + rec_phdr[rec_prog[0]].p_filesz) - (rec_phdr[i].p_vaddr + rec_phdr[i].p_filesz); shdr.sh_flags = SHF_ALLOC; shdr.sh_link = 0; shdr.sh_info = 0; shdr.sh_addralign = 4; shdr.sh_entsize = 0; if (write(out, &shdr, sizeof(shdr)) != sizeof(shdr)) cleanup(); rec_ehdr->e_shnum++; break; case PT_NOTE: shdr.sh_name = sec_index(".note"); shdr.sh_type = SHT_NOTE; shdr.sh_addr = rec_phdr[i].p_vaddr; shdr.sh_offset = rec_phdr[i].p_offset; shdr.sh_size = rec_phdr[i].p_filesz; shdr.sh_flags = SHF_ALLOC; shdr.sh_link = 0; shdr.sh_info = 0; shdr.sh_addralign = 1; shdr.sh_entsize = 0; if (write(out, &shdr, sizeof(shdr)) != sizeof(shdr)) cleanup(); note_index = rec_ehdr->e_shnum; rec_ehdr->e_shnum++; break; case PT_TLS: shdr.sh_name = sec_index(".tbss"); shdr.sh_type = SHT_NOBITS; shdr.sh_addr = rec_phdr[i].p_vaddr; shdr.sh_offset = rec_phdr[i].p_offset; shdr.sh_size = rec_phdr[i].p_memsz; shdr.sh_flags = SHF_ALLOC | SHF_WRITE | SHF_TLS; shdr.sh_link = 0; shdr.sh_info = 0; shdr.sh_addralign = 4; shdr.sh_entsize = 0; if (write(out, &shdr, sizeof(shdr)) != sizeof(shdr)) cleanup(); rec_ehdr->e_shnum++; break; default: break; } } /* .bss section */ tmp_phdr = &rec_phdr[rec_prog[1]]; shdr.sh_name = sec_index(".bss"); shdr.sh_type = SHT_NOBITS; shdr.sh_addr = tmp_phdr->p_vaddr + tmp_phdr->p_filesz; shdr.sh_offset = tmp_phdr->p_offset + tmp_phdr->p_filesz; shdr.sh_size = tmp_phdr->p_memsz - tmp_phdr->p_filesz; shdr.sh_flags = SHF_ALLOC | SHF_WRITE; shdr.sh_link = 0; shdr.sh_info = 0; shdr.sh_addralign = 4; shdr.sh_entsize = 0; if (write(out, &shdr, sizeof(shdr)) != sizeof(shdr)) cleanup(); rec_ehdr->e_shnum++; for (dyn = (Elf32_Dyn *)rec_data[2]; dyn->d_tag != DT_NULL; ++dyn) { switch(dyn->d_tag) { case DT_INIT: init = dyn->d_un.d_ptr; break; case DT_FINI: fini = dyn->d_un.d_ptr; break; case DT_INIT_ARRAY: init_array = dyn->d_un.d_ptr; break; case DT_INIT_ARRAYSZ: init_arraysz = dyn->d_un.d_val; break; case DT_FINI_ARRAY: fini_array = dyn->d_un.d_ptr; break; case DT_FINI_ARRAYSZ: fini_arraysz = dyn->d_un.d_val; break; case DT_GNU_HASH: gnu_hash = dyn->d_un.d_ptr; break; case DT_STRTAB: strtab = dyn->d_un.d_ptr; break; case DT_SYMTAB: symtab = dyn->d_un.d_ptr; break; case DT_STRSZ: strsz = dyn->d_un.d_val; break; case DT_SYMENT: syment = dyn->d_un.d_val; break; case DT_PLTGOT: pltgot = dyn->d_un.d_ptr; break; case DT_PLTRELSZ: pltrelsz = dyn->d_un.d_val; break; case DT_JMPREL: jmprel = dyn->d_un.d_ptr; break; case DT_REL: rel = dyn->d_un.d_ptr; break; case DT_RELSZ: relsz = dyn->d_un.d_val; break; case DT_RELENT: relent = dyn->d_un.d_val; break; case DT_VERNEED: verneed = dyn->d_un.d_ptr; break; case DT_VERNEEDNUM: verneednum = dyn->d_un.d_val; break; case DT_VERSYM: versym = dyn->d_un.d_ptr; break; default: break; } } printf("[*] Building section headers from DYNAMIC section\n"); /* .init_array */ shdr.sh_name = sec_index(".init_array"); shdr.sh_type = SHT_INIT_ARRAY; shdr.sh_addr = init_array; shdr.sh_offset = init_array - (rec_phdr[rec_prog[1]].p_vaddr - rec_phdr[rec_prog[1]].p_offset); shdr.sh_size = init_arraysz; shdr.sh_flags = SHF_ALLOC | SHF_WRITE; shdr.sh_link = 0; shdr.sh_info = 0; shdr.sh_addralign = 4; shdr.sh_entsize = 0; if (write(out, &shdr, sizeof(shdr)) != sizeof(shdr)) cleanup(); rec_ehdr->e_shnum++; /* .fini_array */ shdr.sh_name = sec_index(".fini_array"); shdr.sh_type = SHT_FINI_ARRAY; shdr.sh_addr = fini_array; shdr.sh_offset = fini_array - (rec_phdr[rec_prog[1]].p_vaddr - rec_phdr[rec_prog[1]].p_offset); shdr.sh_size = fini_arraysz; shdr.sh_flags = SHF_ALLOC | SHF_WRITE; shdr.sh_link = 0; shdr.sh_info = 0; shdr.sh_addralign = 4; shdr.sh_entsize = 0; if (write(out, &shdr, sizeof(shdr)) != sizeof(shdr)) cleanup(); rec_ehdr->e_shnum++; /* .jcr */ shdr.sh_name = sec_index(".jcr"); shdr.sh_type = SHT_PROGBITS; shdr.sh_addr = fini_array + fini_arraysz; shdr.sh_offset = shdr.sh_addr - (rec_phdr[rec_prog[1]].p_vaddr - rec_phdr[rec_prog[1]].p_offset); shdr.sh_size = sizeof(Elf32_Addr); shdr.sh_flags = SHF_ALLOC | SHF_WRITE; shdr.sh_link = 0; shdr.sh_info = 0; shdr.sh_addralign = 4; shdr.sh_entsize = 0; if (write(out, &shdr, sizeof(shdr)) != sizeof(shdr)) cleanup(); rec_ehdr->e_shnum++; /* .got.plt */ shdr.sh_name = sec_index(".got.plt"); shdr.sh_type = SHT_PROGBITS; shdr.sh_addr = pltgot; shdr.sh_offset = pltgot - (rec_phdr[rec_prog[1]].p_vaddr - rec_phdr[rec_prog[1]].p_offset); shdr.sh_size = ((pltrelsz/relent) + 3) * sizeof(Elf32_Addr); shdr.sh_flags = SHF_ALLOC | SHF_WRITE; shdr.sh_link = 0; shdr.sh_info = 0; shdr.sh_addralign = 4; shdr.sh_entsize = 0; if (write(out, &shdr, sizeof(shdr)) != sizeof(shdr)) cleanup(); rec_ehdr->e_shnum++; /* .data - resides after .got.plt */ shdr.sh_name = sec_index(".data"); shdr.sh_type = SHT_PROGBITS; shdr.sh_addr = pltgot + ((pltrelsz/relent) + 3) * sizeof(Elf32_Addr); shdr.sh_offset = shdr.sh_addr - (rec_phdr[rec_prog[1]].p_vaddr - rec_phdr[rec_prog[1]].p_offset); shdr.sh_size = (rec_phdr[rec_prog[1]].p_vaddr + rec_phdr[rec_prog[1]].p_filesz) - (pltgot + ((pltrelsz/relent) + 3) * sizeof(Elf32_Addr)); shdr.sh_flags = SHF_ALLOC | SHF_WRITE; shdr.sh_link = 0; shdr.sh_info = 0; shdr.sh_addralign = 4; shdr.sh_entsize = 0; if (write(out, &shdr, sizeof(shdr)) != sizeof(shdr)) cleanup(); rec_ehdr->e_shnum++; /* .dynstr */ shdr.sh_name = sec_index(".dynstr"); shdr.sh_type = SHT_STRTAB; shdr.sh_addr = strtab; shdr.sh_offset = strtab - rec_phdr[rec_prog[0]].p_vaddr; shdr.sh_size = versym - strtab; shdr.sh_flags = SHF_ALLOC; shdr.sh_link = 0; shdr.sh_info = 0; shdr.sh_addralign = 1; shdr.sh_entsize = 0; if (write(out, &shdr, sizeof(shdr)) != sizeof(shdr)) cleanup(); dynstr_index = rec_ehdr->e_shnum; rec_ehdr->e_shnum++; /* .dynsym */ shdr.sh_name = sec_index(".dynsym"); shdr.sh_type = SHT_DYNSYM; shdr.sh_addr = symtab; shdr.sh_offset = symtab - rec_phdr[rec_prog[0]].p_vaddr; shdr.sh_size = strtab - symtab; shdr.sh_flags = SHF_ALLOC; shdr.sh_link = dynstr_index; shdr.sh_info = interp_index; shdr.sh_addralign = 4; shdr.sh_entsize = 16; if (write(out, &shdr, sizeof(shdr)) != sizeof(shdr)) cleanup(); dynsym_index = rec_ehdr->e_shnum; rec_ehdr->e_shnum++; /* .init - resides before plt */ shdr.sh_name = sec_index(".init"); shdr.sh_type = SHT_PROGBITS; shdr.sh_addr = init; shdr.sh_offset = init - rec_phdr[rec_prog[0]].p_vaddr; shdr.sh_size = find_init_size(init, pltgot, &data[0][shdr.sh_offset & 0xfffffff0]); shdr.sh_flags = SHF_ALLOC | SHF_EXECINSTR; shdr.sh_link = 0; shdr.sh_info = 0; shdr.sh_addralign = 4; shdr.sh_entsize = 0; if (write(out, &shdr, sizeof(shdr)) != sizeof(shdr)) cleanup(); rec_ehdr->e_shnum++; /* .plt */ shdr.sh_name = sec_index(".plt"); shdr.sh_type = SHT_PROGBITS; shdr.sh_addr = init + find_init_size(init, pltgot, &data[0][shdr.sh_offset & 0xfffffff0]); shdr.sh_offset = shdr.sh_addr - rec_phdr[rec_prog[0]].p_vaddr; shdr.sh_size = ((pltrelsz/relent) + 1) * 16; shdr.sh_flags = SHF_ALLOC | SHF_EXECINSTR; shdr.sh_link = 0; shdr.sh_info = 0; shdr.sh_addralign = 16; shdr.sh_entsize = 4; if (write(out, &shdr, sizeof(shdr)) != sizeof(shdr)) cleanup(); plt_index = rec_ehdr->e_shnum; rec_ehdr->e_shnum++; pltaddress = shdr.sh_addr; /* .text section */ tmp_phdr = &rec_phdr[rec_prog[0]]; shdr.sh_name = sec_index(".text"); shdr.sh_type = SHT_PROGBITS; shdr.sh_addr = pltaddress + ((pltrelsz/relent) + 1) * 16; shdr.sh_offset = shdr.sh_addr - tmp_phdr->p_vaddr; shdr.sh_size = fini - rec_ehdr->e_entry; shdr.sh_flags = SHF_ALLOC | SHF_EXECINSTR; shdr.sh_link = 0; shdr.sh_info = 0; shdr.sh_addralign = 16; shdr.sh_entsize = 0; if (write(out, &shdr, sizeof(shdr)) != sizeof(shdr)) cleanup(); rec_ehdr->e_shnum++; /* .fini */ shdr.sh_name = sec_index(".fini"); shdr.sh_type = SHT_PROGBITS; shdr.sh_addr = fini; shdr.sh_offset = fini - rec_phdr[rec_prog[0]].p_vaddr; shdr.sh_size = 0; // fix this, search for ret ins? shdr.sh_flags = SHF_ALLOC | SHF_EXECINSTR; shdr.sh_link = 0; shdr.sh_info = 0; shdr.sh_addralign = 4; shdr.sh_entsize = 0; if (write(out, &shdr, sizeof(shdr)) != sizeof(shdr)) cleanup(); rec_ehdr->e_shnum++; /* .rel.dyn */ shdr.sh_name = sec_index(".rel.dyn"); shdr.sh_type = SHT_REL; shdr.sh_addr = rel; shdr.sh_offset = rel - rec_phdr[rec_prog[0]].p_vaddr; shdr.sh_size = jmprel - rel; shdr.sh_flags = SHF_ALLOC; shdr.sh_link = dynsym_index; shdr.sh_info = 0; shdr.sh_addralign = 4; shdr.sh_entsize = 8; if (write(out, &shdr, sizeof(shdr)) != sizeof(shdr)) cleanup(); rec_ehdr->e_shnum++; /* .rel.plt */ shdr.sh_name = sec_index(".rel.plt"); shdr.sh_type = SHT_REL; shdr.sh_addr = jmprel; shdr.sh_offset = jmprel - rec_phdr[rec_prog[0]].p_vaddr; shdr.sh_size = init - jmprel; shdr.sh_flags = SHF_ALLOC; shdr.sh_link = dynsym_index; shdr.sh_info = plt_index; shdr.sh_addralign = 4; shdr.sh_entsize = 8; if (write(out, &shdr, sizeof(shdr)) != sizeof(shdr)) cleanup(); rec_ehdr->e_shnum++; /* .gnu.version */ shdr.sh_name = sec_index(".gnu.version"); shdr.sh_type = SHT_GNU_versym; shdr.sh_addr = versym; shdr.sh_offset = versym - rec_phdr[rec_prog[0]].p_vaddr; shdr.sh_size = ((strtab - symtab)/ sizeof(Elf32_Sym)) * sizeof(Elf32_Half); shdr.sh_flags = SHF_ALLOC; shdr.sh_link = dynsym_index; shdr.sh_info = 0; shdr.sh_addralign = 2; shdr.sh_entsize = 2; if (write(out, &shdr, sizeof(shdr)) != sizeof(shdr)) cleanup(); rec_ehdr->e_shnum++; /* .gnu.version_r */ shdr.sh_name = sec_index(".gnu.version_r"); shdr.sh_type = SHT_GNU_verneed; shdr.sh_addr = verneed; shdr.sh_offset = verneed - rec_phdr[rec_prog[0]].p_vaddr; shdr.sh_size = rel - verneed; shdr.sh_flags = SHF_ALLOC; shdr.sh_link = dynstr_index; shdr.sh_info = verneednum; shdr.sh_addralign = 4; shdr.sh_entsize = 0; if (write(out, &shdr, sizeof(shdr)) != sizeof(shdr)) cleanup(); rec_ehdr->e_shnum++; /* .gnu.hash */ shdr.sh_name = sec_index(".gnu.hash"); shdr.sh_type = SHT_GNU_HASH; shdr.sh_addr = gnu_hash; shdr.sh_offset = gnu_hash - rec_phdr[rec_prog[0]].p_vaddr; shdr.sh_size = symtab - gnu_hash; shdr.sh_flags = SHF_ALLOC; shdr.sh_link = dynsym_index; shdr.sh_info = 0; shdr.sh_addralign = 4; shdr.sh_entsize = 0; if (write(out, &shdr, sizeof(shdr)) != sizeof(shdr)) cleanup(); rec_ehdr->e_shnum++; /* .got */ shdr.sh_name = sec_index(".got"); shdr.sh_type = SHT_PROGBITS; shdr.sh_addr = rec_phdr[rec_prog[2]].p_vaddr + rec_phdr[rec_prog[2]].p_filesz; shdr.sh_offset = shdr.sh_addr - (rec_phdr[rec_prog[1]].p_vaddr - rec_phdr[rec_prog[1]].p_offset); shdr.sh_size = pltgot - shdr.sh_addr; shdr.sh_flags = SHF_ALLOC | SHF_WRITE; shdr.sh_link = 0; shdr.sh_info = 0; shdr.sh_addralign = 4; shdr.sh_entsize = 4; if (write(out, &shdr, sizeof(shdr)) != sizeof(shdr)) cleanup(); rec_ehdr->e_shnum++; /* rebuild GOT entries */ printf("[*] %d GOT entries found\n", (pltrelsz/relent)+3); printf("[*] Patching GOT entries to PLT address\n"); gotoffset = rec_phdr[rec_prog[1]].p_offset + (pltgot - rec_phdr[rec_prog[1]].p_vaddr); Elf32_Addr plt_entry = NULL; /* clear GOT[1] and GOT[2], leaving GOT[0] untouched */ for (i = 1; i < 3; i++) { if (lseek(out, gotoffset + sizeof(Elf32_Addr) * i, SEEK_SET) < 0) die("Seek error"); if (write(out, &plt_entry, sizeof(Elf32_Addr)) != sizeof(Elf32_Addr)) cleanup(); } /* overwrite rest of GOT entries with their PLT address skip PLT[0] */ for (i = 3, p = 1; i < (pltrelsz/relent)+3; i++, p++) { if (lseek(out, gotoffset + sizeof(Elf32_Addr) * i, SEEK_SET) < 0) die("Seek error"); plt_entry = pltaddress + (16*p) + 6; // point to PLT[n]+6 if (write(out, &plt_entry, sizeof(Elf32_Addr)) != sizeof(Elf32_Addr)) cleanup(); } /* write shnum */ if (lseek(out, sizeof(Elf32_Ehdr) - sizeof(Elf32_Half)*2 , SEEK_SET) < 0) cleanup(); if (write(out, (char *)&rec_ehdr->e_shnum, sizeof(Elf32_Half)) != sizeof(Elf32_Half)) cleanup(); printf("[*] Done\n\n"); /* free resources */ close(in); close(out); for (i = 0; i < 3; i++) { free(data[i]); } free(ehdr); free(phdr); return 0; }
Copyright (c) 2015 LittleHann All rights reserved