shim_with_unprotect.c
· 1.3 KiB · C
Bruto
// For RTLD_NEXT
#define _GNU_SOURCE
#include <stdio.h>
#include <dlfcn.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <stdint.h>
static FILE *(*real_fopen)(const char *, const char *) = NULL;
#define SEARCH_TOKEN_SIZE 6
char mySearchToken[SEARCH_TOKEN_SIZE] = "That's";
void *searchData(char *data, int len, void *start, void *end) {
void *i;
for(i = start; i < end; i += 1) {
if (memcmp(i, data, len) == 0 && i != (void *)data) {
return i;
}
}
return NULL;
}
FILE * fopen ( const char * filename, const char * mode ) {
printf("HUEBR, GIBE DATA PLOS, OR I REPORT U HUEHUE\n");
printf("MI NO LIK U FIL, MI UPEN HUE.TXT\n");
return real_fopen("hue.txt", "w");
}
void unprotectPage(uint64_t addr) {
mprotect((void*)(addr-(addr%4096)),4096,PROT_READ|PROT_WRITE|PROT_EXEC);
}
void __attribute__((constructor)) initialize(void) {
real_fopen = dlsym(RTLD_NEXT, "fopen");
if (real_fopen == NULL) {
printf("What? We couldn't find our fopen!!!!\n");
exit(255); // This will crash the program since it isn't expecting to exit in the constructor
}
void *addr = searchData(mySearchToken, SEARCH_TOKEN_SIZE, (void *)0x400040, (void*)0x400800 ); // Thats for 64 bit.
printf("Token Addr: %p\n", addr);
unprotectPage((uint64_t)(addr));
printf("Unprotected!\n");
((char *)addr)[0] = 'Z';
}
| 1 | // For RTLD_NEXT |
| 2 | #define _GNU_SOURCE |
| 3 | |
| 4 | #include <stdio.h> |
| 5 | #include <dlfcn.h> |
| 6 | #include <stdlib.h> |
| 7 | #include <string.h> |
| 8 | #include <sys/mman.h> |
| 9 | #include <stdint.h> |
| 10 | |
| 11 | static FILE *(*real_fopen)(const char *, const char *) = NULL; |
| 12 | |
| 13 | #define SEARCH_TOKEN_SIZE 6 |
| 14 | char mySearchToken[SEARCH_TOKEN_SIZE] = "That's"; |
| 15 | |
| 16 | void *searchData(char *data, int len, void *start, void *end) { |
| 17 | void *i; |
| 18 | |
| 19 | for(i = start; i < end; i += 1) { |
| 20 | if (memcmp(i, data, len) == 0 && i != (void *)data) { |
| 21 | return i; |
| 22 | } |
| 23 | } |
| 24 | |
| 25 | return NULL; |
| 26 | } |
| 27 | |
| 28 | |
| 29 | FILE * fopen ( const char * filename, const char * mode ) { |
| 30 | printf("HUEBR, GIBE DATA PLOS, OR I REPORT U HUEHUE\n"); |
| 31 | printf("MI NO LIK U FIL, MI UPEN HUE.TXT\n"); |
| 32 | |
| 33 | return real_fopen("hue.txt", "w"); |
| 34 | } |
| 35 | |
| 36 | void unprotectPage(uint64_t addr) { |
| 37 | mprotect((void*)(addr-(addr%4096)),4096,PROT_READ|PROT_WRITE|PROT_EXEC); |
| 38 | } |
| 39 | |
| 40 | void __attribute__((constructor)) initialize(void) { |
| 41 | real_fopen = dlsym(RTLD_NEXT, "fopen"); |
| 42 | |
| 43 | if (real_fopen == NULL) { |
| 44 | printf("What? We couldn't find our fopen!!!!\n"); |
| 45 | exit(255); // This will crash the program since it isn't expecting to exit in the constructor |
| 46 | } |
| 47 | |
| 48 | void *addr = searchData(mySearchToken, SEARCH_TOKEN_SIZE, (void *)0x400040, (void*)0x400800 ); // Thats for 64 bit. |
| 49 | |
| 50 | printf("Token Addr: %p\n", addr); |
| 51 | unprotectPage((uint64_t)(addr)); |
| 52 | printf("Unprotected!\n"); |
| 53 | ((char *)addr)[0] = 'Z'; |
| 54 | } |