# Build the target. The companion libraries hard-code absolute addresses (0x400530, 0x6010A8 in test2.c),
# which only hold for a fixed-address (non-PIE) layout of this exact build; a relocated (PIE/ASLR) image does not match them.
gcc test.c -o test
# Build the preload library; its constructor patches the target process in memory.
gcc -shared -fPIC test2.c -o test2.so
# The loader maps test2.so before the executable's own dependencies and runs initialize() before main().
LD_PRELOAD="./test2.so" ./test
test.c
#include <stdio.h>
#include <sys/mman.h>
// Rounds addr down to a multiple of len and makes that range readable, writable AND executable.
// The mprotect() return value is discarded at every use on this page. Not used in test.c itself;
// the preload libraries (test2.c, test2_autolookup.c) use the same macro on the page holding main().
#define UNPROTECT(addr,len) (mprotect((void*)(addr-(addr%len)),len,PROT_READ|PROT_WRITE|PROT_EXEC))
int y = 100; // plain global printed by main()
char teste[] = "HUEBR\n"; // writable global string; main() passes it to printf() as the format argument
char I_WANT_SPACE[100]; // Because I WANT SPACE  -- zero-filled BSS buffer; test2.c stores a replacement string into it at a hard-coded address (its comment: "empty space of I_WANT_SPACE")
// Target program. Prints y, then prints `teste` twice using it as the printf format string.
int main() {
printf("Y: %d\n", y);
// Non-literal format string (CERT FIO30-C): whatever the preload library places behind this
// argument is interpreted as a format. Deliberately left unchanged here: test2.c patches the
// 4-byte immediate of the instruction that loads teste's address for this call at a hard-coded
// address (see its comments), so any change to these lines shifts the code layout the demo depends on.
printf(teste);
printf(teste);
}
test2.c
#include <stdio.h>
#include <sys/mman.h>
// Rounds addr down to a multiple of len (page alignment, assuming len is the page size) and
// makes that range RWX. The mprotect() return value is never checked by the caller below.
#define UNPROTECT(addr,len) (mprotect((void*)(addr-(addr%len)),len,PROT_READ|PROT_WRITE|PROT_EXEC))
// Constructor: run by the dynamic loader before main() when this .so is listed in LD_PRELOAD.
// Every address below is an absolute address valid for one specific non-PIE build of test.c;
// under a PIE/ASLR layout the stores hit unmapped or unrelated memory and the process faults.
// From a monitoring standpoint the observable signals are LD_PRELOAD in the process
// environment and an mprotect() that adds PROT_WRITE|PROT_EXEC to a text page.
void __attribute__((constructor)) initialize(void) {
// Integer constant assigned to a pointer without a cast: a constraint violation (rejected by default on GCC 14+).
char *x = 0x6010A8; // Address in empty space of I_WANT_SPACE
x[0] = 'p';
x[1] = 'h';
x[2] = 'p';
x[3] = '\n';
x[4] = 0x00; // "php\n" now sits in the target's I_WANT_SPACE buffer (data segment, already writable)
// Makes the 4 KiB page holding main() RWX. The return value is discarded; if it failed, the store through t below would fault.
UNPROTECT(0x400530,4096); // 0x400530 is the address of the main() space
int *t = 0x400552; // mov edi, offset teste ; "HUEBR\n" - Adress to offset teste
// Stores a 64-bit pointer through int*: silently truncated to 32 bits (no cast). Only usable because a
// non-PIE image lives below 4 GiB. The call site's operand now refers to the replacement string.
*t = x;
x = 0x40056F; // mov eax, 0 - Before last line
x[0] = 0x48;
x[1] = 0xc7;
x[2] = 0xc0; // 48 c7 c0 imm32 = `mov rax, imm32` (sign-extended) on x86-64
t = x + 3;
*t = 0x40053A; // Address of start of the main() function excluding the stack pushes.
x[7] = 0xff;
x[8] = 0xe0; // ff e0 = `jmp rax`: replaces main()'s epilogue with a jump back into main(), so the program appears to loop instead of returning -- verify with a disassembler.
}
test2_autolookup.c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
// Rounds addr down to a multiple of len and makes that range RWX; the mprotect() return value is not checked by the caller.
#define UNPROTECT(addr,len) (mprotect((void*)(addr-(addr%len)),len,PROT_READ|PROT_WRITE|PROT_EXEC))
// Start of the text and data scan windows. These are fixed load addresses of a non-PIE ELF
// (0x400000 base on x86-64, 0x8048000 base on i386); a PIE build is relocated elsewhere and
// the scans below would read unmapped memory.
#ifdef __x86_64
#define PROGRAM_START_OFFSET 0x400440
#define DATA_START_OFFSET 0x601000
#else
#define PROGRAM_START_OFFSET 0x8048000
#define DATA_START_OFFSET 0x804A020
#endif
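/*
 * Linear byte-pattern search over the half-open window [start, end).
 *
 * array/len : pattern to match, len bytes (NUL bytes compare like any other byte).
 * start/end : window to scan. Every byte of a reported match lies inside the window;
 *             a pattern that would run past `end` is not a match (the original version
 *             compared past `end` in that case, an out-of-bounds read).
 * offset    : added to the match address before it is returned (may be negative).
 * align     : step between candidate positions, in bytes; must be > 0 (0 used to loop forever).
 *
 * Returns the first match plus `offset`, or NULL when there is no match or the
 * arguments are degenerate (NULL pointers, len <= 0, align <= 0, window shorter than len).
 * The caller is responsible for [start, end) being mapped, readable memory; memcmp()
 * on an unmapped page faults before this function can report anything.
 */
void * find_sig(unsigned char * array, int len, void * start, void * end, int offset, int align) {
    if (array == NULL || start == NULL || end == NULL || len <= 0 || align <= 0)
        return NULL;
    unsigned char *pos = start;
    unsigned char *stop = end;
    /* window must be at least len bytes long, otherwise nothing can match */
    if (stop < pos || (size_t)(stop - pos) < (size_t)len)
        return NULL;
    /* last position at which the whole pattern still fits inside the window */
    unsigned char *limit = stop - len;
    for (; pos <= limit; pos += align) {
        if (memcmp(pos, array, (size_t)len) == 0)
            return pos + offset;
    }
    return NULL;
}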
// 10-byte marker searched for in the target's data segment. The test.c shown on this page leaves
// I_WANT_SPACE zero-filled, so presumably a variant initialised with this marker is used -- confirm.
char I_WANT_SPACE_SIGNATURE[] = "IWANTSPACE";
// Contents of test.c's `teste`, used to locate that array in the data segment.
char HUEBR_SIGNATURE[] = "HUEBR\n";
// 0xBF is x86 `mov edi, imm32`; the four zero bytes are overwritten at runtime with the address of
// `teste`, turning this into the byte pattern of the call site's argument load. Mutable: initialize() writes into it.
char printfHUEoffset[] = { 0xBF, 0x00, 0x00, 0x00, 0x00 };
// Constructor run by the dynamic loader before main() when this .so is in LD_PRELOAD.
// Unlike test2.c it locates the data and the call site by byte signature, but the scan
// windows still start at the fixed non-PIE load addresses from the macros above, so a
// PIE/ASLR build is not handled (the scans then read unmapped memory and fault before
// any NULL check runs). Observable signals of the technique: LD_PRELOAD in the process
// environment and an mprotect() adding PROT_WRITE|PROT_EXEC to a text page.
void __attribute__((constructor)) initialize(void) {
//char *x = 0x6010A8; // Address in empty space of I_WANT_SPACE
// Scan 4 KiB of the target's data segment, one byte at a time, for the two markers.
char *x = find_sig(I_WANT_SPACE_SIGNATURE, 10, (void *)DATA_START_OFFSET, (void *)(DATA_START_OFFSET+4096), 0, 1);
char *huebr = find_sig(HUEBR_SIGNATURE, 6, (void *)DATA_START_OFFSET, (void *)(DATA_START_OFFSET+4096), 0, 1);
if (x == NULL || huebr == NULL) {
printf("OH FUCK IT! %p %p\n", x, huebr);
exit(1); // exit() without <stdlib.h>: implicit declaration, a hard error on current compilers.
}
// Serialise the low 32 bits of huebr, little-endian, into the imm32 slot after the 0xBF opcode.
// (int)huebr truncates a 64-bit pointer; only sound for a non-PIE image mapped below 4 GiB.
printfHUEoffset[1] = (((int)huebr) >> 0) & 0xFF;
printfHUEoffset[2] = (((int)huebr) >> 8) & 0xFF;
printfHUEoffset[3] = (((int)huebr) >> 16) & 0xFF;
printfHUEoffset[4] = (((int)huebr) >> 24) & 0xFF;
// Find `mov edi, <address of teste>` in the first 4 KiB of the text segment.
// NOTE(review): z is not checked for NULL, unlike x and huebr; if the pattern is absent, t below
// becomes (int *)1 and the store through it faults. The 0xBF pattern assumes the x86-64 register
// argument convention; under the i386 branch the argument is passed on the stack, so it
// presumably never matches there -- confirm. (printfHUEoffset is char[], parameter is unsigned char*.)
int *z = find_sig(printfHUEoffset, 5, (void *)PROGRAM_START_OFFSET, (void *)(PROGRAM_START_OFFSET+4096),0,1);
// Drop the replacement string into the marker buffer (data segment: already writable).
x[0] = 'p';
x[1] = 'h';
x[2] = 'p';
x[3] = '\n';
x[4] = 0x00;
// Makes the text page RWX; the return value is unchecked, so a failed mprotect() turns the store below into a SIGSEGV.
UNPROTECT(PROGRAM_START_OFFSET,4096); // 0x400530 is the address of the main() space
// z + 1 byte = the imm32 operand. The detour through (int) truncates z on 64-bit, so this only works for addresses below 2 GiB.
int *t = (((int)z)+1); // mov edi, offset teste ; "HUEBR\n" - Adress to offset teste
// Stores a 64-bit pointer through int*: silently truncated to 32 bits. The patched call site now passes the replacement string.
*t = x;
/* Jump-back patch from test2.c, disabled in this variant.
x = 0x40056F; // mov eax, 0 - Before last line
x[0] = 0x48;
x[1] = 0xc7;
x[2] = 0xc0;
t = x + 3;
*t = 0x40053A; // Address of start of the main() function excluding the stack pushes.
x[7] = 0xff;
x[8] = 0xe0;
*/
}