PolymorphicEngine
Barry Read ELF format for binary modification 85e847c (2 years, 4 months ago)diff --git a/.gitignore b/.gitignore index 75b1567..b8ebcdc 100644 --- a/.gitignore +++ b/.gitignore @@ -1,2 +1,3 @@ *.swp *.o +poly_* diff --git a/Makefile b/Makefile index 0a208ee..3c61d47 100644 --- a/Makefile +++ b/Makefile @@ -2,7 +2,7 @@ PRODUCT = poly_original CC=gcc CFLAGS= -LFLAGS=-T script.ld +LFLAGS=-T script.ld -static -s C_SOURCES := $(shell find src -name '*.c') OBJS = $(sort $(subst src/,build/,$(subst .c,.o,$(C_SOURCES)))) @@ -10,10 +10,11 @@ OBJS = $(sort $(subst src/,build/,$(subst .c,.o,$(C_SOURCES)))) $(PRODUCT): $(OBJS) @echo "LINKING $(PRODUCT)..." @$(CC) -o $@ $^ $(LFLAGS) + @strip --strip-all $(PRODUCT) clean: @echo "REMOVING OBJECT FILES..." - @touch build/main.o + @touch $(OBJS) @rm $(OBJS) build/%.o: src/%.c diff --git a/script.ld b/script.ld index 2b41fdb..841f4f3 100644 --- a/script.ld +++ b/script.ld @@ -1,7 +1,18 @@ SECTIONS { - binaryStart = 0x00000000; - polymorphicStart = .; .polymorphic : { *(.polymorphic); } - polymorphicEnd = .; + + /DISCARD/ : + { + *(.comment) + *(.debug_aranges) + *(.debug_info) + *(.debug_abbrev) + *(.debug_line) + *(.debug_str) + *(.debug_line_str) + *(.debug_rnglists) + *(.debug_loclists) + *(.note.*) + } } INSERT AFTER .text; diff --git a/src/main.c b/src/main.c index e0e84fb..4163afc 100644 --- a/src/main.c +++ b/src/main.c @@ -1,10 +1,13 @@ #include <stdlib.h> #include <stdint.h> #include <stdio.h> +#include <string.h> #include <sys/mman.h> #include <sys/stat.h> #include <time.h> #include <unistd.h> +#include <elf.h> +#include <limits.h> /* Config */ #define NAME_PREFIX "poly_" /* Copies' names start with */ @@ -12,12 +15,20 @@ #define NAME_AFFIX_LENGTH 6 /* Number of random chars after prefix */ #define KEY_SIZE 8 /* Size of encryption key */ -#define POLYMORPHIC __attribute__((noinline, section(".polymorphic"))) +#define POLYMORPHIC __attribute__((noinline, section(".polymorphic"), used)) + +#if ( __WORDSIZE == 64 ) +# define EHDR Elf64_Ehdr +# define SHDR Elf64_Shdr +#else +# define EHDR Elf32_Ehdr +# define SHDR Elf32_Shdr +#endif /* Keys */ const uint8_t act[KEY_SIZE] = {}, /* Operators */ key[KEY_SIZE] = {}; /* Operands */ -extern uint8_t binaryStart[], polymorphicStart[], polymorphicEnd[]; +uintptr_t polymorphicStart, polymorphicEnd; /* Copy a file */ POLYMORPHIC @@ -62,6 +73,7 @@ polymorphic_main(int argc, char **argv) *code = (uint8_t *) polymorphicStart; FILE *child; size_t i; + uint32_t rodata, polymorphic, vrodata; /* Seed the random function */ srand(time(NULL)); @@ -70,26 +82,47 @@ polymorphic_main(int argc, char **argv) for (i = NAME_PREFIX_LENGTH; i < sizeof(filename) - 1; i++) filename[i] = alpha[rand() % (sizeof(alpha) - 1)]; copy_file(argv[0], filename); - chmod(filename, 0777); + chmod(filename, 0755); /* Open child file */ child = fopen(filename, "r+"); if (child == NULL) exit(EXIT_FAILURE); + /* Parse ELF to find sections */ + EHDR hdr; + SHDR shdr, nhdr; + char sectionName[16]; + fread(&hdr, 1, sizeof(EHDR), child); + i = hdr.e_shstrndx; + fseek(child, hdr.e_shoff + (i * hdr.e_shentsize), SEEK_SET); + fread(&nhdr, 1, sizeof(SHDR), child); + for (i = 0; i < hdr.e_shnum; i++) { + fseek(child, hdr.e_shoff + (i * hdr.e_shentsize), SEEK_SET); + fread(&shdr, 1, sizeof(SHDR), child); + fseek(child, nhdr.sh_offset + shdr.sh_name, SEEK_SET); + fread(sectionName, 16, 1, child); + if (!strcmp(sectionName, ".rodata")) { + rodata = shdr.sh_offset; + vrodata = shdr.sh_addr; + } + if (!strcmp(sectionName, ".polymorphic")) + polymorphic = shdr.sh_offset; + } + /* Generate a new key */ for (i = 0; i < KEY_SIZE; i++) { dAct[i] = rand() % 3; dKey[i] = rand() % 256; } /* Write keys */ - fseek(child, (unsigned long int) (act - binaryStart), SEEK_SET); + fseek(child, rodata + ((uintptr_t) act - vrodata), SEEK_SET); fwrite(dAct, 1, KEY_SIZE, child); - fseek(child, (unsigned long int) (key - binaryStart), SEEK_SET); + fseek(child, rodata + ((uintptr_t) key - vrodata), SEEK_SET); fwrite(dKey, 1, KEY_SIZE, child); /* Encrypt our code */ - fseek(child, (uint64_t) (polymorphicStart - binaryStart), SEEK_SET); + fseek(child, polymorphic, SEEK_SET); for (i = 0; i < (polymorphicEnd - polymorphicStart); i++) { data = code[i]; switch (dAct[i % KEY_SIZE]) { @@ -118,8 +151,31 @@ main(int argc, char **argv) { size_t i, mask; void *aligned; - uint8_t *code = (uint8_t *) polymorphicStart; + uint8_t *code; long pageSize = sysconf(_SC_PAGESIZE); + FILE *parent = fopen(argv[0], "rb"); + + /* Parse ELF to find sections */ + EHDR hdr; + SHDR shdr, nhdr; + char sectionName[16]; + fread(&hdr, 1, sizeof(EHDR), parent); + i = hdr.e_shstrndx; + fseek(parent, hdr.e_shoff + (i * hdr.e_shentsize), SEEK_SET); + fread(&nhdr, 1, sizeof(SHDR), parent); + for (i = 0; i < hdr.e_shnum; i++) { + fseek(parent, hdr.e_shoff + (i * hdr.e_shentsize), SEEK_SET); + fread(&shdr, 1, sizeof(SHDR), parent); + fseek(parent, nhdr.sh_offset + shdr.sh_name, SEEK_SET); + fread(sectionName, 16, 1, parent); + if (!strcmp(sectionName, ".polymorphic")) { + polymorphicStart = shdr.sh_addr; + polymorphicEnd = shdr.sh_addr + shdr.sh_size; + } + } + fclose(parent); + + code = (void *) polymorphicStart; /* Make memory writable */ if (pageSize <= 0)