get_entry

8bee9e03 · Chu · 2d967c2f · 8bee9e03 · 8bee9e03 · 8bee9e03
Commit 8bee9e03 authored Dec 24, 2019 by Chu
Hide whitespace changes
Inline Side-by-side

Showing with 66 additions and 7 deletions

elf.cpp inject/elf.cpp +9 -1

elf.h inject/elf.h +3 -2

main.cpp inject/main.cpp +14 -3

process.cpp inject/process.cpp +36 -0

process.h inject/process.h +4 -1

No files found.
--- a/inject/elf.cpp
+++ b/inject/elf.cpp
@@ -14,7 +14,7 @@ Elf::~Elf()
        munmap(memory_, memory_length_);
 }

-void Elf::set_base(unsigned long base)
+void Elf::set_base(std::size_t base)
 {
    base_ = base;
 }
@@ -67,3 +67,11 @@ void Elf::load_to_memory()
    ehdr_ = reinterpret_cast<Elf64_Ehdr *>(memory_);
    shdr_ = reinterpret_cast<Elf64_Shdr *>(memory_ + ehdr_->e_shoff);
 }
+
+std::size_t Elf::get_entry()
+{
+    if (!memory_)
+        load_to_memory();
+
+    return base_ + ehdr_->e_entry;
+}
--- a/inject/elf.h
+++ b/inject/elf.h
@@ -11,12 +11,13 @@ class Elf final
 public:
    explicit Elf(std::string path) : path_(std::move(path)) {}
    ~Elf();
-    void set_base(unsigned long base);
+    void set_base(std::size_t base);
    std::size_t find_symbol_address_by_name(std::string_view name);
+    std::size_t get_entry();

 private:
    std::string path_;
-    unsigned long base_ = 0;
+    std::size_t base_ = 0;
    std::size_t memory_length_ = 0;
    unsigned char *memory_ = nullptr;
    Elf64_Ehdr *ehdr_ = nullptr;

--- a/inject/main.cpp
+++ b/inject/main.cpp
@@ -45,19 +45,30 @@ int main(int argc, char *argv[])
    // find __libc_dlopen_mode in libc.so
    Elf libc(libc_path);
    libc.set_base(libc_base);
-    std::size_t libc_dlopen_mode_addr;
+    std::size_t libc_dlopen_mode;
    try
    {
-        libc_dlopen_mode_addr = libc.find_symbol_address_by_name("__libc_dlopen_mode");
+        libc_dlopen_mode = libc.find_symbol_address_by_name("__libc_dlopen_mode");
    }
    catch (const std::exception &e)
    {
        std::cerr << "[!] " << e.what() << std::endl;
        return 1;
    }
-    std::cout << "[+] __libc_dlopen_mode: 0x" << libc_dlopen_mode_addr << std::endl;
+    std::cout << "[+] __libc_dlopen_mode: 0x" << libc_dlopen_mode << std::endl;

    // get process' entry
+    std::size_t entry;
+    try
+    {
+        entry = process.get_entry();
+    }
+    catch (const std::exception &e)
+    {
+        std::cerr << "[!] " << e.what() << std::endl;
+        return 1;
+    }
+    std::cout << "[+] entry: 0x" << entry << std::endl;

    // copy shellcode to process' entry


--- a/inject/process.cpp
+++ b/inject/process.cpp
 #include "process.h"

+#include <unistd.h>
+
+#include <cstring>
 #include <fstream>
 #include <regex>

+#include "elf.h"
+
 std::pair<std::string, std::size_t> Process::find_libc()
 {
    std::string filename("/proc/");
@@ -21,3 +26,34 @@ std::pair<std::string, std::size_t> Process::find_libc()

    throw std::runtime_error("libc.so not found in " + filename);
 }
+
+std::size_t Process::get_base()
+{
+    std::string filename("/proc/");
+    filename += std::to_string(pid_);
+    filename += "/maps";
+    std::ifstream file(filename);
+    std::string line;
+    file >> line;
+    return std::stoul(line, nullptr, 16);
+}
+
+std::string Process::get_execute()
+{
+    std::string filename("/proc/");
+    filename += std::to_string(pid_);
+    filename += "/exe";
+
+    char execute[1024] = {0};
+    if (readlink(filename.c_str(), execute, 1023) != -1)
+        return execute;
+    throw std::runtime_error(std::strerror(errno));
+}
+
+std::size_t Process::get_entry()
+{
+    auto execute = get_execute();
+    Elf elf(execute);
+    elf.set_base(get_base());
+    return elf.get_entry();
+}
--- a/inject/process.h
+++ b/inject/process.h
@@ -10,11 +10,14 @@ class Process final
 {
 public:
    explicit Process(pid_t pid) : pid_(pid) {}
-
    std::pair<std::string, std::size_t> find_libc();
+    std::size_t get_entry();

 private:
    pid_t pid_;
+
+    std::size_t get_base();
+    std::string get_execute();
 };

 #endif  // LINUX_LIBRARY_INJECT_PROCESS_H