/*
 * Elf header screwer, based on an idea of svenka's crackme, named Thellurik (http://crackmes.de/users/svenka/thellurik/)
 * Unfortunately for me, ioactive was quicker than me : http://blog.ioactive.com/2012/12/striking-back-gdb-and-ida-debuggers.html
 * Kudos to them !
 *
 */


#include <elf.h>
#include <fcntl.h>
#include <inttypes.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/procfs.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>


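/* Return non-zero when the mapped header carries the ELF magic and is ELFCLASS32. */
static int is_elf32(const Elf32_Ehdr *h) {
    return memcmp(h->e_ident, ELFMAG, SELFMAG) == 0 &&
           h->e_ident[EI_CLASS] == ELFCLASS32;
}

/* Print the three section-header fields this tool rewrites, under a title line. */
static void print_section_fields(const char *title, const Elf32_Ehdr *h) {
    printf("%s\n", title);
    /* Elf32_Off is uint32_t and Elf32_Half is uint16_t; match the specifiers. */
    printf("\te_shoff:%" PRIu32 "\n\te_shnum:%" PRIu16 "\n\te_shstrndx:%" PRIu16 "\n",
           h->e_shoff, h->e_shnum, h->e_shstrndx);
}

/*
 * Map the ELF header of argv[1] read/write and overwrite e_shoff, e_shnum and
 * e_shstrndx with 0xffff, then flush the mapping back to the file.
 *
 * Returns 0 on success, 1 on a usage error or on any failing system call.
 */
int main(int argc, char **argv) {
    int rc = 1;
    int f = -1;
    Elf32_Ehdr *header = NULL;
    struct stat st;

    printf(".: Elf corrupt :.\n");

    if (argc < 2) {
        printf("Usage: %s file\n", argv[0]);
        return 1;
    }

    f = open(argv[1], O_RDWR);
    if (f < 0) {
        perror("open");
        return 1;
    }

    /* Touching a mapping beyond the end of a short file raises SIGBUS, so
     * make sure the file can hold a whole header before mapping it. */
    if (fstat(f, &st) < 0) {
        perror("fstat");
        goto out_close;
    }
    if (st.st_size < (off_t)sizeof *header) {
        fprintf(stderr, "%s: file too small to hold an ELF header\n", argv[1]);
        goto out_close;
    }

    /* MAP_SHARED is required to actually update the file. Map the header
     * structure itself (sizeof *header), not the size of the pointer. */
    header = mmap(NULL, sizeof *header, PROT_READ | PROT_WRITE, MAP_SHARED, f, 0);
    if (header == MAP_FAILED) {
        perror("mmap");
        goto out_close;
    }

    /* The field offsets below are those of Elf32_Ehdr; writing them into an
     * ELF64 or non-ELF file would clobber unrelated bytes. */
    if (!is_elf32(header)) {
        fprintf(stderr, "%s: not a 32-bit ELF file\n", argv[1]);
        goto out_unmap;
    }

    print_section_fields("[*] Current header values:", header);

    header->e_shoff = 0xffff;
    header->e_shnum = 0xffff;
    header->e_shstrndx = 0xffff;

    print_section_fields("[*] Patched header values:", header);

    /* Flush the mapped header range; a NULL/zero-length msync syncs nothing. */
    if (msync(header, sizeof *header, MS_SYNC) == -1) {
        perror("msync");
        goto out_unmap;
    }

    printf("You should no more be able to run \"%s\" inside GDB\n", argv[1]);
    rc = 0;

out_unmap:
    /* munmap with a zero length fails with EINVAL; unmap the real range. */
    if (munmap(header, sizeof *header) == -1) {
        perror("munmap");
        rc = 1;
    }
out_close:
    close(f);
    return rc;
}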