Finished injection module at userspace using /proc/<pid>/maps, enables to overwrite the GOT section with RELRO activated

2025-12-24 18:33:08 +08:00 · 2022-04-07 07:11:28 -04:00
parent 96cfda8c1f
commit 3438f5846f
24 changed files with 14973 additions and 14466 deletions
--- a/src/helpers/.gdb_history
+++ b/src/helpers/.gdb_history
@@ -1,195 +1,3 @@
-b *(test_time_values_injection+96)
-r
-si
-si
-q
-b *(test_time_values_injection+96)
-r
-si
-q
-b *(test_time_values_injection+96)
-r
-si
-x/32b 0x5555555556a9
-x/32x 0x5555555556a9
-x/2i 0x5555555556a9
-disass 0x5555555556a9
-disass /r 0x5555555556a9
-q
-b *(test_time_values_injection+96)
-r
-si
-disass /r 0x5555555556ae
-q
-b *(test_time_values_injection+96)
-r
-si
-disass /r 0x5555555556ae
-q
-r
-q
-r
-q
-b *(test_time_values_injection+96)
-r
-si
-q
-b *(test_time_values_injection+169)
-r
-si
-fin
-q
-b *(test_time_values_injection+169)
-r
-si
-q
-b *(test_time_values_injection+169)
-r
-si
-q
-r
-q
-r
-q
-r
-q
-r
-q
-r
-q
-r
-q
-r
-q
-disass test_time_values_injection 
-b *(test_time_values_injection+96)
-r
-si
-disass 0x7ffff7ede56c
-disass /r 0x7ffff7ede56c
-q
-b *(test_time_values_injection+96)
-r
-si
-q
-b *(test_time_values_injection+96)
-r
-si
-x/2i 0x5555555556a9
-x/2b 0x5555555556a9
-x/22b 0x5555555556a9
-q
-b *(test_time_values_injection+96)
-r
-si
-disass /r 0x5555555556ae
-q
-b *(test_time_values_injection+169)
-r
-si
-q
-b *(test_time_values_injection+169)
-r
-q
-b *(test_time_values_injection+96)
-r
-q
-b *(test_time_values_injection+96)
-r
-q
-b test_time_values_injection 
-r
-ni
-si
-fin
-q
-r
-q
-r
-q
-disass test_time_values_injection 
-b *(test_time_values_injection+96)
-r
-si
-q
-disass test_time_values_injection 
-b *(test_time_values_injection+94)
-r
-si
-q
-b *(test_time_values_injection+94)
-r
-si
-restart
-c
-r
-q
-b *(test_time_values_injection+94)
-r
-si
-q
-b *(test_time_values_injection+94)
-r
-si
-q
-b *(test_time_values_injection+94)
-r
-si
-q
-b *(test_time_values_injection+94)
-r
-si
-q
-b *(test_time_values_injection+94)
-r
-si
-q
-b *(test_time_values_injection+94)
-r
-si
-q
-b *(test_time_values_injection+94)
-r
-si
-q
-b *(test_time_values_injection+94)
-r
-si
-x/10x 0x5555555556a9
-x/10i 0x5555555556a9
-q
-b *(test_time_values_injection+94)
-r
-si
-q
-b *(test_time_values_injection+94)
-r
-si
-q
-b *(test_time_values_injection+94)
-r
-si
-q
-b *(test_time_values_injection+94)
-r
-si
-q
-b *(test_time_values_injection+94)
-r
-si
-x/10i 555555555510
-x/10i 0x555555555510
-x/10x 0x555555555510
-q
-b *(test_time_values_injection+94)
-r
-si
-x/10x 0x555555555510
-x/10i 0x555555555510
-q
-q
-q
-disass test_time_values_injection 
 b *(test_time_values_injection+167)
 r
 si
@@ -254,3 +62,195 @@ si
 x/2i 7ffff7f1d5b0
 x/2i 0x7ffff7f1d5b0
 q
+r
+q
+q
+r
+q
+r
+q
+q
+b *(test_time_values_injection+94)
+disass test_time_values_injection 
+b *(test_time_values_injection+167)
+r
+q
+b *(test_time_values_injection+167)
+r
+si
+q
+b *(test_time_values_injection+167)
+r
+x/10s 0x41350
+x/10s 0x405130
+x/10b 0x405130
+x/10i 0x405130
+q
+r
+q
+r
+q
+disass test_time_values_injection 
+b *(test_time_values_injection+94)
+r
+si
+fin
+fin
+si
+q
+b *(test_time_values_injection+94)
+r
+si
+x/20b 0x555555559fb0
+si
+x/20b 0x555555559fb0
+q
+r
+q
+r
+q
+b *(test_time_values_injection+94)
+r
+si
+si
+x/20b 0x555555559fb0
+x/20i 0x555555559fb0
+q
+b *(test_time_values_injection+94)
+r
+si
+x/20i 0x555555559fb0
+x/20b 0x555555559fb0
+si
+x/20b 0x555555559fb0
+x/20i 0x555555559fb0
+q
+r
+q
+r
+q
+r
+q
+r
+q
+r
+q
+b *(test_time_values_injection+94)
+r
+si
+x/20b 0x555555559fb0
+x/20x 0x555555559fb0
+si
+x/20x 0x555555559fb0
+q
+b *(test_time_values_injection+94)
+r
+si
+q
+b *(test_time_values_injection+94)
+r
+si
+q
+b *(test_time_values_injection+94)
+r
+si
+q
+b *(test_time_values_injection+94)
+r
+si
+x/20x 0x555555559fb0
+q
+x/20x 0x555555559fb0
+b *(test_time_values_injection+94)
+r
+si
+x/20x 0x555555559fb0
+fin
+si
+ni
+ni
+c
+q
+b test_time_values_injection 
+r
+disass test_time_values_injection 
+b *(test_time_values_injection+94)
+b *(test_time_values_injection+177)
+c
+c
+r
+q
+b *(test_time_values_injection+94)
+r
+ni
+disass /r test_time_values_injection
+q
+b *(test_time_values_injection+94)
+r
+si
+ni
+q
+disass main 
+q
+disass main
+b *(main+186)
+b *(main+448)
+r
+checkpoint
+si
+restore 1
+restore
+restart
+restart 1
+si
+restart 1
+si
+restart 1
+restart 1
+context
+context all
+si
+restart 1
+q
+b *(main+186)
+b *(main+448)
+r
+si
+q
+disass main
+b *(main+184)
+b *(main+446)
+r
+si
+x/20b 0x555555557fd0
+c
+si
+x/20b 0x555555557fd0
+q
+b *(main+184)
+b *(main+446)
+r
+si
+c
+si
+find 0x0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
+find 0x0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
+q
+b *(main+184)
+b *(main+446)
+r
+si
+q
+b *(main+184)
+r
+si
+x/20b 0x555555557fd0
+q
+b *(main+184)
+r
+si
+q
+b *(main+184)
+r
+si
+q
--- a/src/helpers/Makefile
+++ b/src/helpers/Makefile
@@ -3,19 +3,27 @@ HEADERS = lib/RawTCP.h
 EXTRA_CFLAGS= -I$(PWD)/lib

 default:
-	make execve_hijack injection_lib
+	make execve_hijack injection_lib simple_timer

 injection_lib: injection_lib.o
 	gcc -Wall -shared -fPIC -o injection_lib.so injection_lib.c -ldl

+simple_timer.o: simple_timer.c $(HEADERS)
+	gcc -g -c simple_timer.c
+
+simple_timer: simple_timer.o
+	gcc -g -o simple_timer simple_timer.o
+
 execve_hijack.o: execve_hijack.c $(HEADERS)
-	clang -g -c execve_hijack.c
+	gcc -g -c execve_hijack.c

 execve_hijack: execve_hijack.o lib/libRawTCP_Lib.a
-	clang -g -o execve_hijack execve_hijack.o -ldl -L. lib/libRawTCP_Lib.a
+	gcc -g -o execve_hijack execve_hijack.o -ldl -L. lib/libRawTCP_Lib.a

 clean:
 	-rm -f execve_hijack.o
 	-rm -f execve_hijack
 	-rm -f injection_lib.o
-	-rm -f injection_lib.so
+	-rm -f injection_lib.so
+	-rm -f simple_timer.o
+	-rm -f simple_timer
--- a/src/helpers/execve_hijack
+++ b/src/helpers/execve_hijack
--- a/src/helpers/execve_hijack.o
+++ b/src/helpers/execve_hijack.o
--- a/src/helpers/peda-session-execve_hijack.txt
+++ b/src/helpers/peda-session-execve_hijack.txt
@@ -1,3 +1,2 @@
 break *(test_time_values_injection+94)

-
--- a/src/helpers/peda-session-simple_timer.txt
+++ b/src/helpers/peda-session-simple_timer.txt
@@ -0,0 +1,2 @@
+break *(main+184)
+
--- a/src/helpers/peda-session-sudo.txt
+++ b/src/helpers/peda-session-sudo.txt
@@ -1,3 +1,7 @@
+break test_time_values_injection
+disable $bpnum
 break *(test_time_values_injection+94)
 disable $bpnum
+break *(test_time_values_injection+177)
+disable $bpnum

--- a/src/helpers/simple_timer
+++ b/src/helpers/simple_timer
--- a/src/helpers/simple_timer.c
+++ b/src/helpers/simple_timer.c
@@ -0,0 +1,110 @@
+/**
+ * Modified version of Linux man page timer using timerfd.
+ * Counts to 3, 1 second at a time, then sets another time up to 3, one second at a time.
+ */
+
+#include <sys/timerfd.h>
+#include <time.h>
+#include <unistd.h>
+#include <stdlib.h>
+#include <stdio.h>
+#include <stdint.h>
+
+void print_elapsed_time() {
+    static struct timespec start;
+    struct timespec curr;
+    static int first_call = 1;
+    int secs, nsecs;
+
+    if (first_call) {
+        first_call = 0;
+        if (clock_gettime(CLOCK_MONOTONIC, &start) == -1){
+            perror("clock_gettime");
+            return;   
+        }
+    }
+
+    if (clock_gettime(CLOCK_MONOTONIC, &curr) == -1){
+        perror("clock_gettime");
+        return;
+    }
+        
+    secs = curr.tv_sec - start.tv_sec;
+    nsecs = curr.tv_nsec - start.tv_nsec;
+    if (nsecs < 0) {
+        secs--;
+        nsecs += 1000000000;
+    }
+    printf("Timer called at: %d.%03d: ", secs, (nsecs + 500000) / 1000000);
+}
+
+int main(int argc, char *argv[]) {
+    struct itimerspec new_value;
+    int max_exp, fd;
+    struct timespec now;
+    uint64_t exp;
+    ssize_t s;
+
+    if (clock_gettime(CLOCK_REALTIME, &now) == -1){
+        perror("clock_gettime");
+        return -1;
+    }
+       
+    new_value.it_value.tv_sec = now.tv_sec +1;
+    new_value.it_value.tv_nsec = now.tv_nsec;
+    new_value.it_interval.tv_sec = 1;
+    new_value.it_interval.tv_nsec = 0;
+    max_exp = 3;
+
+    fd = timerfd_create(CLOCK_REALTIME, 0);
+    if (fd == -1){
+        perror("timerfd_create");
+        return -1;
+    }
+
+    if (timerfd_settime(fd, TFD_TIMER_ABSTIME, &new_value, NULL) == -1){
+        perror("timerfd_settime");
+        return -1;
+    }
+
+    printf("Timer started\n");
+
+    for (uint64_t tot_exp = 0; tot_exp < max_exp;) {
+        s = read(fd, &exp, sizeof(uint64_t));
+        if (s != sizeof(uint64_t))
+            perror("Error reading from timer");
+
+        tot_exp += exp;
+        print_elapsed_time();
+        printf("time between: %llu; total elapsed time=%llu\n", (unsigned long long) exp, (unsigned long long) tot_exp);
+    }
+
+    if (clock_gettime(CLOCK_REALTIME, &now) == -1){
+        perror("clock_gettime");
+        return -1;
+    }
+
+    new_value.it_value.tv_sec = now.tv_sec +1;
+    new_value.it_value.tv_nsec = now.tv_nsec;
+    new_value.it_interval.tv_sec = 1;
+    new_value.it_interval.tv_nsec = 0;
+    max_exp = 3;
+
+    if (timerfd_settime(fd, TFD_TIMER_ABSTIME, &new_value, NULL) == -1){
+        perror("timerfd_settime");
+        return -1;
+    }
+
+    for (uint64_t tot_exp = 0; tot_exp < max_exp;) {
+        s = read(fd, &exp, sizeof(uint64_t));
+        if (s != sizeof(uint64_t))
+            perror("Error reading from timer");
+
+        tot_exp += exp;
+        print_elapsed_time();
+        printf("time between: %llu; total elapsed time=%llu\n", (unsigned long long) exp, (unsigned long long) tot_exp);
+    }
+
+
+   return 0;
+}
--- a/src/helpers/simple_timer.o
+++ b/src/helpers/simple_timer.o