Drow – Injects Code Into ELF Executables Post-Build

drow is a command-line utility that is utilized to inject code and hook the entrypoint of ELF executables (write-up-create). It takes unmodified ELF executables as input and exports a modified ELF contianing an embedded person-equipped payload that executes at runtime.

Somewhat a lot more depth …

Drow will take the next methods to develop the new patched ELF:

1. Map in the umodified target ELF executable and the consumer-provided payload, a place-independent blob
2. Track down the to start with executable segment by parsing plan headers
3. Identify the previous section in the executable segment by parsing segment headers
4. Grow the past area (in the phase) area header’s sh_dimensions and program header’s p_memsz/p_filesz by the size of the consumer-supplied payload
5. Fixup section headers’ sh_offset‘s and plan headers’ p_offset‘s (shift down sections and segments to make place for the payload and a smaller “stager stub”)
6. Correct offsets in the ELF header (e_shoff, e_phoff, and so forth..)
7. Modify the ELF header e_entry (ELF entrypoint offset) to level to the injected code
8. Create a new ELF that contains the injected code and modified ELF headers

In addition to injecting the user-equipped payload, drow injects a little code stub that is prepended to the starting of the payload. This stub is built to contact into the payload. If the payload is composed to return to the caller, immediately after the payload returns the stager then tailcalls into _begin, restoring execution so the software can operate as supposed.

Making

Put in gcc and scons. Then run scons from the root of the directory.

Other Details

In addition to building drow, this undertaking also builds a Linux x86-64 payload named rappers_delight.bin that simply prints to stdout. This can be employed for screening. Presently, drow only performs with ELF64 files targetting x86-64.

Other Function

There has been a good deal of open supply operate completed in this domain. I really encourage you to also examine out the subsequent initiatives and involved publications:

• The Cerberus ELF Interface: http://phrack.org/troubles/61/8.html
• The Backdoor Manufacturing unit: https://github.com/secretsquirrel/the-backdoor-manufacturing unit
• ELFSH: http://www.eresi-challenge.org/

Impression and Short article Source website link

Go through Extra on Pentesting Applications