完整流程

85db8819 · Chu · 2e55bdf8 · 85db8819 · 85db8819 · 85db8819
Commit 85db8819 authored Dec 24, 2019 by Chu
Hide whitespace changes
Inline Side-by-side

Showing with 26 additions and 12 deletions

main.cpp inject/main.cpp +17 -10

process.cpp inject/process.cpp +5 -1

process.h inject/process.h +4 -1

No files found.
--- a/inject/main.cpp
+++ b/inject/main.cpp
@@ -18,32 +18,39 @@ int main(int argc, char *argv[])
    // process
    Process process(std::stoi(argv[1]));

-    // find libc.so in process
+    // find libc.so in target process
+    std::cout << "[*] find libc.so in target process\n";
    auto [libc_path, libc_base] = process.find_libc();
    std::cout << "[+] libc: " << libc_path << " 0x" << std::hex << libc_base << std::endl;

    // find __libc_dlopen_mode in libc.so
+    std::cout << "[*] find __libc_dlopen_mode in " << libc_path << std::endl;
    Elf libc(libc_path);
    libc.set_base(libc_base);
    auto libc_dlopen_mode = libc.find_symbol_address_by_name("__libc_dlopen_mode");
    std::cout << "[+] __libc_dlopen_mode: 0x" << libc_dlopen_mode << std::endl;

-    // get process' entry
-    auto entry = process.get_entry();
-    std::cout << "[+] entry: 0x" << entry << std::endl;
+    // get target process' entry point
+    std::cout << "[*] get target process' entry point\n";
+    auto entry_point = process.get_entry_point();
+    std::cout << "[+] entry point: 0x" << entry_point << std::endl;

-    // copy shellcode to process' entry
+    // call shellcode in target process
+    std::cout << "[*] get shellcode in current process\n";
    auto call_libc_dlopen_mode_addr = reinterpret_cast<unsigned char *>(&call_libc_dlopen_mode);
    auto call_libc_dlopen_mode_size =
        Elf(argv[0]).get_func_size(reinterpret_cast<std::size_t>(call_libc_dlopen_mode_addr));
-    std::vector<unsigned char> shellcode(call_libc_dlopen_mode_addr,
-                                         call_libc_dlopen_mode_addr + call_libc_dlopen_mode_size);
    std::cout << "[+] shellcode: 0x" << reinterpret_cast<std::size_t>(call_libc_dlopen_mode_addr) << " " << std::dec
-              << shellcode.size() << std::endl;
-
-    // call shellcode in process
+              << call_libc_dlopen_mode_size << std::endl;
+    std::cout << "[*] call shellcode in target process\n";
+    process.call_shellcode(
+        std::vector(call_libc_dlopen_mode_addr, call_libc_dlopen_mode_addr + call_libc_dlopen_mode_size));
+    std::cout << "[+] done\n";

    // resume process
+    std::cout << "[*] resume target process\n";
+    process.detach();
+    std::cout << "[+] done\n";

    return 0;
 }

--- a/inject/process.cpp
+++ b/inject/process.cpp
@@ -50,9 +50,13 @@ std::string Process::get_execute()
    throw std::runtime_error(std::strerror(errno));
 }

-std::size_t Process::get_entry()
+std::size_t Process::get_entry_point()
 {
    Elf elf(get_execute());
    elf.set_base(get_base());
    return elf.get_entry();
 }
+
+void Process::call_shellcode(std::vector<unsigned char> shellcode) {}
+
+void Process::detach() {}
--- a/inject/process.h
+++ b/inject/process.h
@@ -5,13 +5,16 @@

 #include <string>
 #include <utility>
+#include <vector>

 class Process final
 {
 public:
    explicit Process(pid_t pid) : pid_(pid) {}
    std::pair<std::string, std::size_t> find_libc();
-    std::size_t get_entry();
+    std::size_t get_entry_point();
+    void call_shellcode(std::vector<unsigned char> shellcode);
+    void detach();

 private:
    pid_t pid_;