call shellcode in target process

e1c5e5e7 · Chu · 8538104c · e1c5e5e7 · e1c5e5e7
Commit e1c5e5e7 authored Dec 25, 2019 by Chu
Hide whitespace changes
Inline Side-by-side

Showing with 7 additions and 21 deletions

main.cpp inject/main.cpp +2 -2

process.cpp inject/process.cpp +5 -19

No files found.
--- a/inject/main.cpp
+++ b/inject/main.cpp
@@ -37,7 +37,7 @@ int main(int argc, char *argv[])
        Elf(argv[0]).get_func_size(reinterpret_cast<std::size_t>(call_libc_dlopen_mode_addr));
    std::cout << "[+] shellcode: 0x" << reinterpret_cast<std::size_t>(call_libc_dlopen_mode_addr) << " " << std::dec
              << call_libc_dlopen_mode_size << std::endl;
-    std::cout << "[*] call __libc_dlopen_mode in target process\n";
+    std::cout << "[*] execute shellcode in target process\n";
    process.call_shellcode(
        std::vector(call_libc_dlopen_mode_addr, call_libc_dlopen_mode_addr + call_libc_dlopen_mode_size));
    std::cout << "[+] injected\n";
@@ -49,7 +49,7 @@ void call_libc_dlopen_mode()
 {
    asm volatile(R"(
        mov $1, %rdi
-        mov $94068852580352, %rsi
+        mov $94903506460672, %rsi
        mov $4, %rdx
        mov $1, %rax
        syscall

--- a/inject/process.cpp
+++ b/inject/process.cpp
@@ -61,47 +61,33 @@ std::size_t Process::get_entry_point()

 void Process::call_shellcode(std::vector<unsigned char> shellcode)
 {
-    attach();
-
    std::cout << "[*] get target process's entry point\n";
    auto entry_point = get_entry_point();
-    std::cout << "[+] entry point: 0x" << std::hex << entry_point << std::endl;
    // replace `ret` with `int3`
-    shellcode[shellcode.size() - 1] = 0xcc;
+    if (shellcode[shellcode.size() - 1] == 0xc3)
+        shellcode[shellcode.size() - 1] = 0xcc;
    // align
    while (shellcode.size() % sizeof(void *) != 0)
        shellcode.emplace_back(0x90);
-    // backup original code
+    std::cout << "[*] attach to target process\n";
+    attach();
    std::cout << "[*] backup original code\n";
    auto original_code = read_memory(entry_point, shellcode.size());
-    std::cout << "[+] done\n";
-    // backup original registers
    std::cout << "[*] backup original registers\n";
    auto original_registers = get_registers();
-    std::cout << "[+] done\n";
-    // write shellcode to entry point
    std::cout << "[*] write shellcode to target process's entry point\n";
    write_memory(entry_point, shellcode);
-    std::cout << "[+] done\n";
-    // set %rip to entry point
    auto registers = original_registers;
    registers.rip = entry_point;
    std::cout << "[*] set %rip to target process's entry point\n";
    set_registers(registers);
-    std::cout << "[+] done\n";
-    // wait for trap
    std::cout << "[*] continue and wait for trap\n";
    continue_and_wait_for_trap();
-    std::cout << "[+] done\n";
-    // restore original code
    std::cout << "[*] restore original code\n";
    write_memory(entry_point, original_code);
-    std::cout << "[+] done\n";
-    // restore original registers
    std::cout << "[*] restore original registers\n";
    set_registers(original_registers);
-    std::cout << "[+] done\n";
-
+    std::cout << "[*] detach target process\n";
    detach();
 }