evil.so

740352d7 · Chu · e1c5e5e7 · 740352d7 · 740352d7 · 740352d7
Commit 740352d7 authored Dec 25, 2019 by Chu
Showing with 23 additions and 18 deletions

CMakeLists.txt CMakeLists.txt +1 -0

CMakeLists.txt evil/CMakeLists.txt +1 -0

evil.cpp evil/evil.cpp +8 -0

evil.h evil/evil.h +6 -0

main.cpp inject/main.cpp +7 -18

No files found.
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -5,3 +5,4 @@ set(CMAKE_CXX_STANDARD 17)

 add_subdirectory(host)
 add_subdirectory(inject)
+add_subdirectory(evil)
--- a/evil/CMakeLists.txt
+++ b/evil/CMakeLists.txt
+add_library(evil SHARED evil.cpp evil.h)
--- a/evil/evil.cpp
+++ b/evil/evil.cpp
+#include "evil.h"
+
+#include <cstdio>
+
+void __attribute__((constructor)) init()
+{
+    std::puts("hello, world");
+}
--- a/evil/evil.h
+++ b/evil/evil.h
+#ifndef LINUX_LIBRARY_INJECT_EVIL_H
+#define LINUX_LIBRARY_INJECT_EVIL_H
+
+void __attribute__((constructor)) init();
+
+#endif  // LINUX_LIBRARY_INJECT_EVIL_H
--- a/inject/main.cpp
+++ b/inject/main.cpp
@@ -5,7 +5,7 @@
 #include "elf.h"
 #include "process.h"

-void call_libc_dlopen_mode();
+void do_libc_dlopen_mode();

 int main(int argc, char *argv[])
 {
@@ -32,26 +32,15 @@ int main(int argc, char *argv[])

    // call __libc_dlopen_mode in target process
    std::cout << "[*] get shellcode in current process\n";
-    auto call_libc_dlopen_mode_addr = reinterpret_cast<unsigned char *>(&call_libc_dlopen_mode);
-    auto call_libc_dlopen_mode_size =
-        Elf(argv[0]).get_func_size(reinterpret_cast<std::size_t>(call_libc_dlopen_mode_addr));
-    std::cout << "[+] shellcode: 0x" << reinterpret_cast<std::size_t>(call_libc_dlopen_mode_addr) << " " << std::dec
-              << call_libc_dlopen_mode_size << std::endl;
+    auto do_libc_dlopen_mode_addr = reinterpret_cast<unsigned char *>(&do_libc_dlopen_mode);
+    auto do_libc_dlopen_mode_size = Elf(argv[0]).get_func_size(reinterpret_cast<std::size_t>(do_libc_dlopen_mode_addr));
+    std::cout << "[+] shellcode: 0x" << reinterpret_cast<std::size_t>(do_libc_dlopen_mode_addr) << " " << std::dec
+              << do_libc_dlopen_mode_size << std::endl;
    std::cout << "[*] execute shellcode in target process\n";
-    process.call_shellcode(
-        std::vector(call_libc_dlopen_mode_addr, call_libc_dlopen_mode_addr + call_libc_dlopen_mode_size));
+    process.call_shellcode(std::vector(do_libc_dlopen_mode_addr, do_libc_dlopen_mode_addr + do_libc_dlopen_mode_size));
    std::cout << "[+] injected\n";

    return 0;
 }

-void call_libc_dlopen_mode()
-{
-    asm volatile(R"(
-        mov $1, %rdi
-        mov $94903506460672, %rsi
-        mov $4, %rdx
-        mov $1, %rax
-        syscall
-    )");
-}
+void do_libc_dlopen_mode() {}