import sys
import logging
import stat
from enum import Enum
from os import path
from pwn import *
from struct import *
from optparse import OptionParser
parser = OptionParser()
parser.add_option(
"-f",
"--file",
dest="filename",
help="the ELF file to pack",
metavar="FILE")
parser.add_option(
"-b",
"--bits",
dest="bits",
help="the ELF arch to use (32/64)",
metavar="BITS")
parser.add_option(
"-d",
"--debug",
dest="debug",
help="print debug statements",
metavar="DEBUG")
(options, args) = parser.parse_args()
# Human-readable names for the ELF header's e_type field (ET_NONE .. ET_CORE).
# Only these five values are covered; OS/processor-specific e_type values
# are not present in the mapping.
ETYPE_DIC = dict(enumerate((
    'No file type',
    'Relocatable file',
    'Executable file',
    'Shared object file',
    'Core file',
)))
# Enum of the section types
class SectionType(Enum):
    """``sh_type`` values of the ELF section header (``Elf{32,64}_Shdr``).

    NOTE(review): this is a plain ``Enum``, not ``IntEnum``, so its members
    never compare equal to the raw ints that ``Section.sh_type`` holds.
    """
    SHT_NULL = 0              # inactive header, no associated section
    SHT_PROGBITS = 1          # program-defined contents
    SHT_SYMTAB = 2            # symbol table
    SHT_STRTAB = 3            # string table
    SHT_RELA = 4              # relocations with explicit addends
    SHT_HASH = 5              # symbol hash table
    SHT_DYNAMIC = 6           # dynamic linking information
    SHT_NOTE = 7              # note section
    SHT_NOBITS = 8            # occupies no file space (e.g. .bss)
    SHT_REL = 9               # relocations without explicit addends
    SHT_SHLIB = 10            # reserved
    SHT_DYNSYM = 11           # dynamic linking symbol table
    SHT_LOPROC = 0x70000000   # start of the processor-specific range
    SHT_HIPROC = 0x7fffffff   # end of the processor-specific range
    SHT_LOUSER = 0x80000000   # start of the application-specific range
    SHT_HIUSER = 0xffffffff   # end of the application-specific range
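class Section():
    """One entry of the section header table plus its resolved ``name``.

    All ``sh_*`` fields are the plain ints unpacked by
    ``Elf.parse_sections_header``; ``name`` is filled in afterwards from the
    section-name string table.
    """

    def __init__(self, sh_name, sh_type, sh_flags, sh_addr, sh_offset, sh_size,
                 sh_link, sh_info, sh_addralign, sh_entsize, name=None):
        """Store the raw header fields.

        ``name`` defaults to ``None`` so that ``str(section)`` works before
        the caller has resolved the name; previously ``__str__`` raised
        AttributeError when ``name`` had not yet been assigned.
        """
        self.sh_name = sh_name
        self.sh_type = sh_type
        self.sh_flags = sh_flags
        self.sh_addr = sh_addr
        self.sh_offset = sh_offset
        self.sh_size = sh_size
        self.sh_link = sh_link
        self.sh_info = sh_info
        self.sh_addralign = sh_addralign
        self.sh_entsize = sh_entsize
        self.name = name

    def __repr__(self):
        """Short one-line form for logging and debugging."""
        return (f"{type(self).__name__}(name={self.name!r}, "
                f"sh_type={hex(self.sh_type)}, sh_offset={hex(self.sh_offset)}, "
                f"sh_size={hex(self.sh_size)})")

    def __str__(self):
        """Render every header field in hex, one per line (debug dump)."""
        return f"""[Start Section '{self.name}']
sh_name = {hex(self.sh_name)}
sh_type = {hex(self.sh_type)}
sh_flags = {hex(self.sh_flags)}
sh_addr = {hex(self.sh_addr)}
sh_offset = {hex(self.sh_offset)}
sh_size = {hex(self.sh_size)}
sh_link = {hex(self.sh_link)}
sh_info = {hex(self.sh_info)}
sh_addralign = {hex(self.sh_addralign)}
sh_entsize = {hex(self.sh_entsize)}
"""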
class Elf():
    """Mutable in-memory view of an ELF image held in ``self.data`` (a bytearray).

    ``parse_header`` and ``parse_sections_header`` populate the ``e_*`` header
    fields, ``self.sections`` and ``self.string_table_offset``; the remaining
    methods edit ``self.data`` in place and the caller writes it back out.
    Only the section header table is modelled; the program header table is
    not parsed. Byte order is whatever ``struct`` treats as native — the
    header's EI_DATA field is never inspected.
    """

    def __init__(self, name="", data=[], bits='', size=0):
        """Record the image and its word size.

        ``bits`` is the command-line string ('32' or '64') and is converted
        with ``int`` here, so a missing ``-b`` (``None``) raises TypeError.
        NOTE(review): ``data=[]`` is a mutable default shared across instances;
        the caller in this file always passes a fresh bytearray, so it is not
        exercised, but it remains a hazard.
        """
        self.name = name
        self.data = data
        self.bits = int(bits)
        # size of e_ident, identical for ELF32 and ELF64
        self.EI_NIDENT = 16
        self.size = size
        # ELF header size: 36 + 16 = 52 bytes (ELF32), 48 + 16 = 64 bytes (ELF64)
        self.ELF_EHDR_SZ = 36 + self.EI_NIDENT if self.bits == 32 else 48 + self.EI_NIDENT

    # NOTE: bare string statement, not a docstring — it is not attached to
    # parse_header and is invisible to help(); kept as the author wrote it.
    """
Parse the ELF header of the binary
e_ident: marks the file as an object file
e_type: identifies the object file type
e_machine: specifies the required architecture of the file
e_version: identifies the object file version
e_entry: virtual address where the system first transfers control
e_phoff: program header table file offset in bytes
e_shoff: section header table offset in bytes
e_flags: holds processor specific flags associated with the file
e_ehsize: the elf header size in bytes
e_phentsize: size in bytes of one entry in program header table
e_phnum: number of entries in program header table
e_shentsize: size in bytes of one section header in section header table
e_shnum: number of entries in section header table
e_shstrndx: index of the section header table for string table
"""
    def parse_header(self):
        """Unpack the ELF header from the first ``ELF_EHDR_SZ`` bytes into ``self.e_*``.

        The format has no byte-order prefix, so native order and alignment
        are used; for these layouts every field is naturally aligned, so the
        struct size matches the on-disk header (52 / 64 bytes). e_entry,
        e_phoff and e_shoff are 8 bytes on ELF64 ('Q') and 4 on ELF32 ('I').
        """
        unpack_str = f"{self.EI_NIDENT}sHHIQQQIHHHHHH" if self.bits == 64 else f"{self.EI_NIDENT}sHHIIIIIHHHHHH"
        (self.e_ident, self.e_type, self.e_machine, self.e_version,
         self.e_entry, self.e_phoff, self.e_shoff, self.e_flags, self.e_ehsize,
         self.e_phentsize, self.e_phnum, self.e_shentsize, self.e_shnum,
         self.e_shstrndx) = unpack(unpack_str, self.data[:self.ELF_EHDR_SZ])
        logging.debug(f"entry point found:\t{hex(self.e_entry)}")
        # NOTE(review): ETYPE_DIC only covers e_type 0-4; OS/processor-specific
        # values raise KeyError here.
        logging.debug(f"object file type:\t{ETYPE_DIC[self.e_type]}")

    # NOTE: bare string statement, as above — not a docstring of the method.
    """
Parse sections of the Section Header Table
sh_name: index into the string table of the section name
sh_type: categorizes the sections contents and semantics
sh_flags: flags that describe miscellaneous attributes
sh_addr: virtual address of the first byte when in memory (if)
sh_offset: offset from start of file of first byte in the section
sh_size: the size of the section in bytes
sh_link: section header table index link
sh_info: holds extra information depending on section type
sh_addralign: dictates if the section has some form of size alignment
sh_entsize: size in bytes of each entry of section-fixed size table
"""
    def parse_sections_header(self):
        """Read every section header except index 0 into ``self.sections``.

        Sets ``self.sections`` as ``{sh_type: [Section, ...]}``,
        ``self.string_table_offset`` (sh_offset of the header at
        ``e_shstrndx``) and each Section's ``name``. Requires
        ``parse_header`` to have run. If ``e_shstrndx`` names no header in
        1..e_shnum-1, ``string_table_offset`` is never set and
        ``get_string`` raises AttributeError.
        """
        unpack_str = "IIQQQQIIQQ" if self.bits == 64 else "IIIIIIIIII"
        # dictionary of arrays indexed by section type
        self.sections = {}
        section_header_sz = self.e_shnum * self.e_shentsize
        section_table = self.data[self.e_shoff:self.e_shoff + section_header_sz]
        # skip the first section in the section header table (the SHT_NULL entry)
        for sec_index in range(1, self.e_shnum):
            # unpack the section data
            (sh_name, sh_type, sh_flags, sh_addr, sh_offset, sh_size, sh_link,
             sh_info, sh_addralign, sh_entsize) = unpack(
                unpack_str,
                section_table[sec_index * self.e_shentsize:sec_index * self.e_shentsize + self.e_shentsize])
            # create the section
            sec = Section(sh_name, sh_type, sh_flags, sh_addr, sh_offset,
                          sh_size, sh_link, sh_info, sh_addralign, sh_entsize)
            if (not self.sections.get(sh_type)):
                self.sections[sh_type] = []
            self.sections[sh_type].append(sec)
            if sec_index == self.e_shstrndx:
                self.string_table_offset = sh_offset
        # add the section name to each section object
        # (done in a second pass: string_table_offset is only known once the
        # e_shstrndx entry has been seen in the loop above)
        for sec_type in self.sections.keys():
            for sec in self.sections.get(sec_type):
                sec.name = self.get_string(sec.sh_name)
                logging.debug(sec)

    def find_cave(self, required_size):
        """Scan the file image of each section for a run of ``required_size`` zero bytes.

        Returns ``(virtual_address, file_offset)`` of the first byte of the
        first such run, or falls through and returns ``None`` after logging
        an error (the caller in ``__main__`` unpacks the result as a tuple,
        so the miss surfaces there as TypeError).
        """
        # ensure that we don't look at 'SHT_NOBITS' sections
        for sec_type in self.sections.keys():
            for sec in self.sections.get(sec_type):
                # NOTE(review): sh_type is an int and SHT_NOBITS is an Enum
                # member, so this equality never holds; NOBITS sections are
                # scanned like any other, reading sh_size file bytes at sh_offset.
                if sec.sh_type == SectionType.SHT_NOBITS:
                    continue
                index = 0
                seen_nulls = 0
                # index just past the most recent non-zero byte, i.e. the start
                # of the current zero run
                checkpoint = 0
                while (index < sec.sh_size):
                    char = self.data[sec.sh_offset + index]
                    index += 1
                    if char == 0:
                        seen_nulls += 1
                    else:
                        checkpoint = index
                        seen_nulls = 0
                    if seen_nulls == required_size:
                        break
                if seen_nulls < required_size:
                    continue
                # The 'address in memory' below is computed from index (the end
                # of the run); the returned tuple uses checkpoint (its start).
                logging.debug(f"""found a code cave in section: {sec.name} with
required size of {required_size} bytes at address
{hex(sec.sh_offset + checkpoint)} in the file. The address in memory
would be {hex(sec.sh_addr + index)}""")
                return (sec.sh_addr + checkpoint, sec.sh_offset + checkpoint)
        logging.error("no code cave found")

    def get_string(self, index):
        """Return the NUL-terminated string at ``index`` in the section-name string table.

        Requires ``parse_sections_header`` to have set ``string_table_offset``.
        Each byte is mapped with ``chr`` (one code point per byte); the loop
        has no bounds check against the end of ``self.data``.
        """
        elf_str = ''
        char = self.data[self.string_table_offset + index]
        while (char != 0):
            index += 1
            elf_str += chr(char)
            char = self.data[self.string_table_offset + index]
        return elf_str

    def get_section(self, name):
        """Return the first Section whose resolved ``name`` matches, or ``None``."""
        for sec_type in self.sections.keys():
            for sec in self.sections.get(sec_type):
                if sec.name == name:
                    return sec

    def pack_code(self, key):
        """XOR every byte of the '.text' section's file image with ``key``, in place.

        ``key`` must keep each result within 0-255 (bytearray item
        assignment), i.e. a single byte value; applying the same key again
        undoes the transform. Raises AttributeError if there is no '.text'
        section (``get_section`` returned ``None``).
        """
        text_sec = self.get_section('.text')
        for i in range(text_sec.sh_size):
            self.data[text_sec.sh_offset + i] ^= key

    def change_ep(self, new_ep):
        """Overwrite e_entry in the header with ``new_ep``.

        e_entry sits at file offset 24 in both ELF32 and ELF64 (after
        e_ident[16], e_type, e_machine, e_version) and is 4 or 8 bytes wide;
        ``p32``/``p64`` are pwntools packers and follow ``context.endian``.
        """
        if self.bits == 32:
            self.data[24:24 + 4] = p32(new_ep)
        else:
            self.data[24:24 + 8] = p64(new_ep)

    def create_unpacker(self, xor_byte):
        """Assemble (pwntools ``asm``) the stub that becomes the new entry point.

        Returns the raw machine-code bytes. Although a few operands are
        parameterised on ``self.bits`` (``syscall_str``, ``register_prefix``,
        ``syscall_num``, ``syscall_reg_*``), the template body uses amd64
        registers and amd64 syscall numbers throughout, so the 32-bit variant
        cannot assemble as written. Per the template's own comments, at run
        time the stub re-reads the host executable, rewrites it through a
        fixed path under /tmp (unlink + rename over the original) with the
        .text image re-keyed by a fresh getrandom byte, then makes the live
        .text mapping writable (mprotect with 0x7 = RWX), XORs it with
        ``xor_byte``, restores 0x5 (RX) and jumps to the original
        ``e_entry``. Those behaviours — self-rewrite of the on-disk binary,
        a fixed temp path, and a transient RWX .text mapping — are the
        observable indicators a defender would key detections on.
        Several immediates (``[rip + 0x9f]``, ``0x3ffe1f``) are byte
        distances into this exact instruction sequence, which is why the
        template must be treated as not safely editable.
        ``file_offset`` and ``offset_to_xor_byte`` are assigned but unused,
        and ``syscall_reg_2`` is assigned three times.
        """
        text_sec = self.get_section('.text')
        # page-align the .text address for mprotect
        if self.bits == 64:
            text_addr = text_sec.sh_addr & 0xFFFFFFFFFFFFF000
        else:
            text_addr = text_sec.sh_addr & 0xFFFFF000
        syscall_str = 'int 0x80' if self.bits == 32 else 'syscall'
        register_prefix = 'r' if self.bits == 64 else 'e'
        syscall_num = '0x7d' if self.bits == 32 else '10'  # mprotect
        syscall_reg_1 = 'di' if self.bits == 64 else 'bx'
        syscall_reg_2 = 'si' if self.bits == 64 else 'cx'
        syscall_reg_2 = 'si' if self.bits == 64 else 'cx'
        syscall_reg_2 = 'si' if self.bits == 64 else 'cx'
        integer_size = 4 if self.bits == 32 else 8
        file_offset = 1337
        offset_to_xor_byte = 22
        # Symbolic names such as O_RDONLY / PROT_READ / MAP_PRIVATE are
        # resolved by pwntools' assembler for context.arch.
        unpacker_asm = asm(f"""
/* blah */
call save_ip
save_ip:
/* open executable */
mov rax, 2
mov rdi, [{register_prefix}sp + {2 * integer_size}]
push rdi # store the name
mov rsi, O_RDONLY
{syscall_str}
mov r15, rax # store for closing
/* mmap the executable */
mov r8, rax
mov rax, 9
mov rdi, 0
mov rsi, {self.size}
mov rdx, PROT_READ
mov r10, MAP_PRIVATE
mov r9, 0
{syscall_str}
mov r14, rax
/* open new executable */
mov rax, 0x0062612f706d742f # /tmp/abc
push rax
/* remove old /tmp/ab */
mov rax, 87
mov rdi, rsp
{syscall_str}
/* continue open new executable */
mov rax, 2
mov rdi, rsp
mov rsi, O_RDWR | O_CREAT
mov rdx, 0x1FF
{syscall_str}
mov r12, rax
mov rax, 77
mov rdi, r12
mov rsi, {self.size}
{syscall_str}
/* mmap the new executable */
mov rax, 9
mov rdi, 0
mov rsi, {self.size}
mov rdx, PROT_READ | PROT_WRITE
mov r10, MAP_SHARED
mov r8, r12
mov r9, 0
{syscall_str}
mov r13, rax # store the mapping addr for encryption
/* memcpy between mappings */
mov rdi, rax # the new file
mov rsi, r14 # the executable file
mov {register_prefix}cx, {self.size} # the size of the file
xor rax, rax
copy:
mov al, [rsi]
mov [rdi], al
inc rdi
inc rsi
dec rcx
cmp rcx, 0
jnz copy
/* munmap the executable file */
mov rax, 11
mov rdi, r14
mov rsi, {self.size}
{syscall_str}
/* close the executable */
mov rax, 3
mov rdi, r15
{syscall_str}
/* unlink the original executable file */
mov rax, 87
mov rdi, [rsp + 8]
{syscall_str}
/* move the new exec to where the old one was */
mov rax, 82
mov rdi, rsp
mov rsi, [rsp + 8]
{syscall_str}
/* decrypt the new executable */
mov rdi, r13 # the new file mapping addr
add rdi, {text_sec.sh_offset} # increment to the text offset
mov rsi, rdi # the executable file
mov {register_prefix}cx, {text_sec.sh_size} # the size of the file
xor rbx, rbx # blank the register for the bytes
mov bl, [rip + 0x9f] # the xor byte for this current process
cld
recrypt_file1:
lodsb
xor rax, rbx
stosb
loop recrypt_file1
/* replace the decrypt byte */
mov rdi, r13
mov rax, [rsp + 16]
sub rax, 0x3ffe1f # minus 4, minus 0x400000 then plus 0x1ea for offset
add rdi, rax
/* get new random byte */
mov rax, 318
mov rsi, 1
xor rdx, rdx
/* end new random byte */
syscall
xor rbx, rbx
mov rbx, [rdi]
/* recrypt the new executable */
mov rdi, r13 # the new file mapping addr
add rdi, {text_sec.sh_offset} # increment to the text offset
mov rsi, rdi # the executable file
mov {register_prefix}cx, {text_sec.sh_size} # the size of the file
cld
recrypt_file2:
lodsb
xor rax, rbx
stosb
loop recrypt_file2
/* munmap new exectuable */
mov rax, 11
mov rdi, r13
mov rsi, {self.size}
{syscall_str}
/* close new executable */
mov rax, 3
mov rdi, r12
{syscall_str}
/* ~~~~ end polypacking ~~~~ */
/* mprotect the current proc's text section */
mov {register_prefix}ax, {syscall_num}
mov {register_prefix}{syscall_reg_1}, {text_addr}
mov {register_prefix}{syscall_reg_2}, {text_sec.sh_size}
mov {register_prefix}dx, 0x7
{syscall_str}
mov {register_prefix}di, {text_sec.sh_addr}
mov {register_prefix}si, {register_prefix}di
mov {register_prefix}cx, {text_sec.sh_size}
cld
decrypt:
lodsb
xor al, {xor_byte}
stosb
loop decrypt
mov {register_prefix}ax, {syscall_num}
mov {register_prefix}{syscall_reg_1}, {text_addr}
mov {register_prefix}{syscall_reg_2}, {text_sec.sh_size}
mov {register_prefix}dx, 0x5
{syscall_str}
add rsp, 24
xor rsi, rsi
xor rdi, rdi
xor rdx, rdx
xor rcx, rcx
xor rbx, rbx
xor rax, rax
push {self.e_entry}
ret
""")
        return unpacker_asm

    def write_unpacker(self, asm, off):
        """Overwrite ``len(asm)`` bytes of ``self.data`` with the stub bytes.

        NOTE(review): the ``off`` parameter is ignored — the slice uses the
        module-level name ``unpacker_off``, which exists only because the
        ``__main__`` block assigns it before calling this method; from any
        other caller this raises NameError. The parameter name ``asm`` also
        shadows pwntools' ``asm`` function inside this method.
        """
        self.data[unpacker_off:unpacker_off + len(asm)] = asm
if __name__ == '__main__':
    # Pipeline: read the ELF -> parse header and section headers -> XOR the
    # .text image with a random byte -> assemble the stub -> locate a zero-byte
    # cave for it -> repoint e_entry at the cave -> write the stub -> save the
    # result as <input>.packed and mark it executable.

    # check what arch we are packing for (pwntools assembles for context.arch)
    context.arch = 'i386' if options.bits == '32' else 'amd64'
    logging.basicConfig(format='%(levelname)s:\t%(message)s', level=logging.DEBUG)

    # load data into memory
    try:
        with open(options.filename, 'rb') as f:
            elf_data = bytearray(f.read())
    except:
        print(f"ERROR: Failed opening file: {options.filename}")
        sys.exit(1)

    # check header: the four-byte ELF magic
    if not elf_data.startswith(b'\x7fELF'):
        print(f"ERROR: File: {options.filename} is not an ELF file")
        sys.exit(1)

    packed_path = f"{options.filename}.packed"

    # perform the crypting
    binary = Elf(name=options.filename,
                 data=elf_data,
                 bits=options.bits,
                 size=path.getsize(options.filename))
    binary.parse_header()
    binary.parse_sections_header()
    xor_byte = os.urandom(1)[0]
    binary.pack_code(xor_byte)
    unpacker_asm = binary.create_unpacker(xor_byte)
    logging.debug(f"Need {len(unpacker_asm)} bytes in a cave for unpacker")
    # Elf.write_unpacker reads ``unpacker_off`` as a module global, so this
    # name must stay exactly as it is.
    (unpacker_addr, unpacker_off) = binary.find_cave(len(unpacker_asm))
    binary.change_ep(unpacker_addr)
    binary.write_unpacker(unpacker_asm, unpacker_off)

    # save packed binary to new file
    with open(packed_path, 'wb') as f:
        f.write(binary.data)

    # make new file executable
    mode = os.stat(packed_path).st_mode
    os.chmod(packed_path, mode | stat.S_IEXEC)