shellcode addr and size

f69ba366 · Chu · 7aef115e · f69ba366 · f69ba366 · f69ba366
Commit f69ba366 authored Dec 24, 2019 by Chu
Hide whitespace changes
Inline Side-by-side

Showing with 31 additions and 5 deletions

CMakeLists.txt inject/CMakeLists.txt +1 -1

elf.cpp inject/elf.cpp +22 -0

elf.h inject/elf.h +1 -0

main.cpp inject/main.cpp +7 -4

No files found.
--- a/inject/CMakeLists.txt
+++ b/inject/CMakeLists.txt
 add_executable(inject main.cpp process.cpp process.h elf.cpp elf.h)
-set_target_properties(inject PROPERTIES LINK_FLAGS_RELEASE "-static")
+set_target_properties(inject PROPERTIES LINK_FLAGS "-static")
--- a/inject/elf.cpp
+++ b/inject/elf.cpp
@@ -75,3 +75,25 @@ std::size_t Elf::get_entry()

    return base_ + ehdr_->e_entry;
 }
+
+std::size_t Elf::get_func_size(std::size_t address)
+{
+    if (!memory_)
+        load_to_memory();
+
+    for (auto i = 0; i != ehdr_->e_shnum; ++i)
+    {
+        if (shdr_[i].sh_type == SHT_SYMTAB)
+        {
+            auto sym_tab = reinterpret_cast<Elf64_Sym *>(&memory_[shdr_[i].sh_offset]);
+            for (auto j = 0; j != shdr_[i].sh_size / sizeof(Elf64_Sym); ++j)
+            {
+                if (sym_tab->st_value == address)
+                    return sym_tab->st_size;
+                ++sym_tab;
+            }
+        }
+    }
+
+    throw std::runtime_error(std::to_string(address) + " not found in " + path_);
+}
--- a/inject/elf.h
+++ b/inject/elf.h
@@ -14,6 +14,7 @@ public:
    void set_base(std::size_t base);
    std::size_t find_symbol_address_by_name(std::string_view name);
    std::size_t get_entry();
+    std::size_t get_func_size(std::size_t address);

 private:
    std::string path_;

--- a/inject/main.cpp
+++ b/inject/main.cpp
@@ -7,7 +7,7 @@
 #include "elf.h"
 #include "process.h"

-extern "C" void func();
+void call_libc_dlopen_mode();

 int main(int argc, char *argv[])
 {
@@ -73,7 +73,10 @@ int main(int argc, char *argv[])
    std::cout << "[+] entry: 0x" << entry << std::endl;

    // copy shellcode to process' entry
-    std::cout << reinterpret_cast<void *>(&func) << std::endl;
+    auto call_libc_dlopen_mode_addr = reinterpret_cast<std::size_t>(&call_libc_dlopen_mode);
+    auto call_libc_dlopen_mode_size = Elf(argv[0]).get_func_size(call_libc_dlopen_mode_addr);
+    std::cout << "[+] shellcode: 0x" << call_libc_dlopen_mode_addr << " " << std::dec << call_libc_dlopen_mode_size
+              << std::endl;

    // call shellcode

@@ -82,7 +85,7 @@ int main(int argc, char *argv[])
    return 0;
 }

-void func()
+void call_libc_dlopen_mode()
 {
-    std::cout << "func\n";
+    std::cout << "call_libc_dlopen_mode\n";
 }