添加rust和go语言生成elf的patch

evilPatcher.py

@@ -49,6 +49,7 @@ def main():
         patch32_handler(filename, sandboxFile, debugFlag).run()
     elif arch == 'amd64':
         patch64_handler(filename, sandboxFile, debugFlag).run()
+
     else:
         print(f'{arch} is not supported!!! Only i386 and amd64!!!')
 

patch64.py

@@ -34,11 +34,11 @@ def run_partial(self):
         inject_code = asm('endbr64')
         inject_code += asm('push rbp')
         inject_code += self.inject_code_build() + 3 * asm('nop')
-        print('============================inject code into .eh_frame============================')
+        print('============================inject code into eh_frame_hdr============================')
         print(disasm(inject_code))
-        print('.eh_frame.sh_size===>' + str(hex(self.elf.get_section_by_name('.eh_frame').header.sh_size)))
+        print('eh_frame_hdr.sh_size===>' + str(hex(self.elf.get_section_by_name('.eh_frame_hdr').header.sh_size)))
         print('inject_code.length===>' + str(hex(len(inject_code))))
-        eh_frame_addr = self.elf.get_section_by_name('.eh_frame').header.sh_addr
+        eh_frame_addr = self.elf.get_section_by_name('.eh_frame_hdr').header.sh_addr
         self.elf.write(eh_frame_addr, inject_code)
         self.edit_program_table_header()
         sys.stdout = sys.__stdout__
@@ -73,7 +73,7 @@ def inject_code_build(self):
         inject_code += asm('mov r10,rcx')
         inject_code += asm(shellcraft.amd64.prctl(0x16, 2, 'rsp'))
         tmp = len(self.ct) * 8 + 0x10
-        inject_code += asm('add rsp,' + str(hex(tmp)))
+        inject_code += asm('add rsp,' + str(hex(tmp + 0x10)))
         return inject_code
 
     def edit_program_table_header(self):
@@ -88,14 +88,16 @@ def edit_program_table_header(self):
         for i in range(num_of_program_table_header):
             p_type = self.elf.get_segment(i).header.p_type
             p_flags = self.elf.get_segment(i).header.p_flags
-            if p_type == 'PT_LOAD' and p_flags == 4:
+            if p_type == 'PT_GNU_EH_FRAME' and p_flags == 4:
                 self.elf.write(program_table_header_start + i * size_of_program_headers + 4, p32(5))
                 print('edit program_table_element[' + str(i) + '].p_flags===>r_x')
-
+                self.elf.write(program_table_header_start + i * size_of_program_headers, p32(1))
+                print('edit program_table_element[' + str(i) + '].p_type===>LOAD')
+
     def patch_pie_elf(self):
-        eh_frame_addr = self.elf.get_section_by_name('.eh_frame').header.sh_addr
+        eh_frame_addr = self.elf.get_section_by_name('.eh_frame_hdr').header.sh_addr
         start_offset = self.elf.header.e_entry
-        offset = self.elf.read(start_offset, 0x40).find(b'\x48\x8d\x3d')  # lea rdi,?
+        offset = self.elf.read(start_offset, 0x40).find(b'\x00\xff\x15') - 6  # lea rdi,?
         offset1 = u32(self.elf.read(start_offset + offset + 3, 4))
         if offset1 > 0x80000000:
             offset1 -= 0x100000000
@@ -104,20 +106,25 @@ def patch_pie_elf(self):
         self.pr('start_offset', start_offset)
         self.pr('main_addr', main_addr)
         print('=================================edit _start==================================')
-        print('replace _start+' + str(offset) + '------>change __libc_start_main\'s first parameter: main->.eh_frame')
+        print(
+            'replace _start+' + str(offset) + '------>change __libc_start_main\'s first parameter: main->eh_frame_hdr')
         print(disasm(self.elf.read(start_offset + offset, 7)))
         s = 'lea rdi,[rip+' + str(hex(eh_frame_addr - (start_offset + offset) - 7)) + '];'
         print('                ||               ')
         print('                ||               ')
         print('                \/               ')
         print(disasm(asm(s)))
 
-        inject_code = self.inject_code_build()
-        tail = 'lea r8,[rip' + str(hex(main_addr - (eh_frame_addr + len(inject_code)) - 7)) + '];jmp r8;'
+        inject_code = asm(
+            "push rax;push rbx;push rcx;push rdx;push rdi;push rsi;push r8;push r9;push r10; push r11;push r13;push r14;push r15")
+        inject_code += self.inject_code_build()
+        tail = 'lea r12,[rip' + str(hex(main_addr - (eh_frame_addr + len(
+            inject_code)) - 7)) + '];pop rax;pop rbx;pop rcx;pop rdx;pop rdi;pop rsi;pop r8;pop r9;pop r10; pop r11;pop r13;pop r14;pop r15;jmp r12;'
+
         inject_code += asm(tail)
-        print('============================inject code into .eh_frame========================')
+        print('============================inject code into eh_frame_hdr========================')
         print(disasm(inject_code))
-        print('.eh_frame.sh_size===>' + str(hex(self.elf.get_section_by_name('.eh_frame').header.sh_size)))
+        print('eh_frame_hdr.sh_size===>' + str(hex(self.elf.get_section_by_name('.eh_frame_hdr').header.sh_size)))
         print('inject_code.length===>' + str(hex(len(inject_code))))
         self.elf.write(start_offset + offset, asm(s))
         self.elf.write(eh_frame_addr, inject_code)
@@ -128,32 +135,37 @@ def patch_nopie_elf(self):
         program_base = self.elf.address
         self.pr('program_base', program_base)
 
-        eh_frame_addr = self.elf.get_section_by_name('.eh_frame').header.sh_addr
+        eh_frame_addr = self.elf.get_section_by_name('.eh_frame_hdr').header.sh_addr
         start_offset = self.elf.header.e_entry
-        offset = self.elf.read(start_offset, 0x40).find(b'\x48\xc7\xc7')  # mov rdi,?
+        offset = self.elf.read(start_offset, 0x40).find(b'\x00\xff\x15') - 6  # mov rdi,?
         main_addr = u32(self.elf.read(start_offset + offset + 3, 4))
         self.pr('eh_frame_addr', eh_frame_addr)
         self.pr('start_offset', start_offset)
         self.pr('main_addr', main_addr)
         print('=================================edit _start==================================')
-        print('replace _start+' + str(offset) + '------>change __libc_start_main\'s first parameter: main->.eh_frame')
+        print(
+            'replace _start+' + str(offset) + '------>change __libc_start_main\'s first parameter: main->eh_frame_hdr')
         print(disasm(self.elf.read(start_offset + offset, 7)))
         s = 'mov rdi,' + str(eh_frame_addr) + ';'
         print('                ||               ')
         print('                ||               ')
         print('                \/               ')
         print(disasm(asm(s)))
-        inject_code = self.inject_code_build()
-        tail = 'mov r8,' + str(main_addr) + ';jmp r8;'
+        inject_code = asm(
+            "push rax;push rbx;push rcx;push rdx;push rdi;push rsi;push r8;push r9;push r10; push r11;push r13;push r14;push r15")
+        inject_code += self.inject_code_build()
+        tail = 'mov r12,' + str(
+            main_addr) + '; pop rax;pop rbx;pop rcx;pop rdx;pop rdi;pop rsi;pop r8;pop r9;pop r10; pop r11;pop r13;pop r14;pop r15;jmp r12;'
         inject_code += asm(tail)
-        print('============================inject code into .eh_frame============================')
+        print('============================inject code into eh_frame_hdr============================')
         print(disasm(inject_code))
-        print('.eh_frame.sh_size===>' + str(hex(self.elf.get_section_by_name('.eh_frame').header.sh_size)))
+        print('eh_frame_hdr.sh_size===>' + str(hex(self.elf.get_section_by_name('.eh_frame_hdr').header.sh_size)))
         print('inject_code.length===>' + str(hex(len(inject_code))))
         self.elf.write(start_offset + offset, asm(s))
         self.elf.write(eh_frame_addr, inject_code)
         self.edit_program_table_header()
 
+
 def main():
     filename = sys.argv[1]
     sandboxfile = sys.argv[2]
@@ -163,8 +175,8 @@ def main():
         debugFlag = 1
     except IndexError:
         pass
-    patch64_handler(filename,sandboxfile,debugFlag).run_partial()
+    patch64_handler(filename, sandboxfile, debugFlag).run_partial()
+
 
 if __name__ == '__main__':
     main()
-