PT_load Injection | Linux


Hey everyone, welcome back to my blog. Today's topic is PT_LOAD injection: I want to walk through the code I wrote to change the entry point of an ELF file. First of all, let me briefly introduce what ELF is.

I am not going to cover it in detail, but some background will help.

ELF file

ELF stands for Executable and Linkable Format; it defines the structure of binaries, shared libraries and object files on Linux.

You might be familiar with the PE format of Windows executables; ELF is the Linux counterpart.

A binary will not run properly if the libraries it depends on are missing. The goal here is to inject our own code into such a file, in the style of malware that runs without the user noticing that the file has been infected.

Linux has a great command called readelf which helps us examine the anatomy of the file.


Structures are:

- ELF header
- File data

We are interested in the ELF header, which will help us inject our shellcode into the file.

Let me use the readelf command to understand the anatomy.

It is important to know what you are looking for. In our case we are concerned with the headers of the file.

You can use this command to view the headers (file header, program headers and section headers): readelf -e [file]

OK, I will be using the documentation from Oracle:

Object Files in Executable and Linking Format

Relocatable ELF files produced by the assembler consist of:

- An ELF header
- A section header table
- Sections

The ELF header is always the first part of an ELF file. It is a structure of fixed size and format. The fields, or members, of the structure describe the nature, organization and contents of the rest of the file. The ELF header has a field that specifies the location within the file where the section header table begins.

The section header table is an array of section headers that are structures of fixed size and format. The section headers are the elements of the array, or the entries in the table. The section header table has one entry for each section in the ELF file. However, the table can also have entries (section headers) that do not correspond to any section in the file. Such entries and their array indices are reserved. The members of each section header constitute information useful to the linker about the contents of the corresponding section, if any.

We understand from this documentation that an ELF file always starts with the ELF header; that is the part we need to read in order to plan the injection.

Let me explain step by step what you need to know before writing the code.

PT_LOAD

PT_LOAD is a program header (segment) type and one of the most important ones. It tells the loader how a portion of the file must be placed in memory. That makes a PT_LOAD segment a good place to carry our injected code.

You also need to understand the attributes of this header type. We are interested in:

p_filesz = the size of the segment in the file

p_memsz = the size of the segment in memory

p_flags = the permission flags (r, w, x)

Let's define the algorithm for building and injecting our shellcode.


Algorithm of pt_load injection

We will use two powerful libraries:

  • lief
  • pwntools

You can check these libraries in your free time.

  1. We need to parse the file to get to the entry point.

  2. When this step is done, we create a new load segment.

  3. After creating it, you can write your shellcode into that new segment.

  4. After injecting, do not forget to patch the binary.

  5. To keep the target running as before, you can append the old entry point to the malicious code (your choice), which helps the infection stay unnoticed.

  6. When the fifth step is done, save the binary as the output file.
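As an added example that is not part of the post or its linked repository, here is a small Python check from the defender's side: it parses the ELF64 header and program header table the way readelf does and flags the traces this procedure leaves behind (a PT_LOAD that is both writable and executable, and an entry point that lands in the last segment of the file). The two images it audits are constructed inline from a header and program headers only; the offsets, addresses and sizes are made up.

```python
import struct

PT_LOAD = 1
PF_X, PF_W, PF_R = 1, 2, 4

def parse_elf64(data):
    """Return (e_entry, program headers) from a little-endian ELF64 image."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 file")
    e_entry, e_phoff = struct.unpack_from("<QQ", data, 0x18)      # e_entry, e_phoff
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 0x36)  # e_phentsize, e_phnum
    phdrs = []
    for i in range(e_phnum):
        p_type, p_flags, _, p_vaddr, _, p_filesz, p_memsz, _ = struct.unpack_from(
            "<IIQQQQQQ", data, e_phoff + i * e_phentsize)
        phdrs.append(dict(type=p_type, flags=p_flags, vaddr=p_vaddr, filesz=p_filesz, memsz=p_memsz))
    return e_entry, phdrs

def audit_pt_load(data):
    """Heuristics for an appended PT_LOAD that has hijacked e_entry; returns a list of findings."""
    e_entry, phdrs = parse_elf64(data)
    loads = [p for p in phdrs if p["type"] == PT_LOAD]
    findings = []
    for p in loads:  # a normal toolchain does not emit a writable and executable segment
        if p["flags"] & PF_W and p["flags"] & PF_X:
            findings.append("writable+executable PT_LOAD at vaddr %#x" % p["vaddr"])
    holder = next((p for p in loads if p["vaddr"] <= e_entry < p["vaddr"] + p["memsz"]), None)
    if holder is None:
        findings.append("e_entry %#x lies outside every PT_LOAD" % e_entry)
    elif not holder["flags"] & PF_X:
        findings.append("e_entry lies in a non-executable PT_LOAD")
    elif len(loads) > 1 and holder is loads[-1]:  # normally text comes first, data last
        findings.append("e_entry lies in the last PT_LOAD (appended segment?)")
    return findings

def build_elf64(e_entry, segments):
    """Constructed ELF64 header plus one PT_LOAD per (flags, offset, vaddr, size); no code bytes."""
    ident = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9)
    hdr = struct.pack("<16sHHIQQQIHHHHHH", ident, 2, 0x3E, 1, e_entry,
                      64, 0, 0, 64, 56, len(segments), 64, 0, 0)
    phdrs = [struct.pack("<IIQQQQQQ", PT_LOAD, f, off, va, va, sz, sz, 0x1000)
             for f, off, va, sz in segments]
    return hdr + b"".join(phdrs)

# Constructed layouts (not real binaries): a typical clean file, and the same file with an
# RWX segment appended at the end and e_entry repointed into it, as the post's injector does.
BASE = [(PF_R, 0, 0x400000, 0x1000), (PF_R | PF_X, 0x1000, 0x401000, 0x1000),
        (PF_R | PF_W, 0x2000, 0x402000, 0x1000)]
CLEAN = build_elf64(0x401000, BASE)
INFECTED = build_elf64(0x403000, BASE + [(PF_R | PF_W | PF_X, 0x3000, 0x403000, 0x200)])
```

Running audit_pt_load on a real file is a matter of passing open(path, "rb").read(); the same two signs are visible by hand in readelf -l output as an extra LOAD line with RWE flags and an Entry point inside it.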

Creating the devil code


1. I have not included a reverse shell, but a normal string
2. As I said, we need to parse the file with the help of the lief library
3. I have used asm() from pwn to convert it to bytes
4. We are storing our payload in the devilcode variable
5. I encoded my payload (optional)
6. We need to push the entry point as a bytearray onto our devilcode, thus adding it to the payload
7. Print the size of devilcode
You can check: https://lief-project.github.io/doc/latest/api/python/elf.html

The segments must be included (they are loaded at runtime).


Let me check the infected file:

Conclusion

You can build more advanced features into your code. I just wanted to sharpen my skills and show that it is not so hard to understand how such malware is created in the cyber world.

If you have doubts about this technique, you can always ask me.

Stay tuned for more blogs.


Reference:

https://violentbinary.github.io/posts/1-elf-static-injection-to-load-malicious-dynamic-link-library/


You can check the source code: https://github.com/0xCD4/Malwation-Tasks/tree/main/ELF-injection
