Skip to content
/ evilELF Public

Malicious use of ELF such as .so inject, func hook and so on.

License

Notifications You must be signed in to change notification settings

jmpews/evilELF

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

18 Commits
 
 
 
 
 
 
 
 

Repository files navigation

evilELF

Malicious use of ELF such as .so inject, func hook and so on.

具体参考 linux进程动态so注入 实现恶意 so 注入, 采用直接解析 ELF 文件的方式, 更加具有通用性, 并以 .gnu.hash 进行符号查找, 适用于目前的 ELF 结构.

代码规范, 参考 glibc-2.19, 用 ElfW 宏进行 3264 字长兼容.

Demo & Usage

➜  InjectRuntimeELF git:(master) ✗ sudo ./inject 3631 /evilELF/InjectRuntimeELF/example/evil.so
--------------------------------------------------------------
InjectRuntimeELF - (1.0.0) - by jmpews@gmail.com
--------------------------------------------------------------
[*] attached to pid 3631.
[*] dump runtime infomation
[*] dumping header...
[*] start symbol search '__libc_dlopen_mode'...
[*] start search libaray: /lib/i386-linux-gnu/libc.so.6
[*] start bucket search...
[*] found '__libc_dlopen_mode' at 0xb7693ae0
[+] entry point: 0x8048380
[+] stopped 3631 at eip:0xb7729428, esp:0xbf93cffc
[+] inject code done 3631 at eip:0x8048396
[*] start symbol search 'evilfunc'...
[*] start search libaray: /lib/i386-linux-gnu/libc.so.6
[*] start search libaray: /lib/ld-linux.so.2
[*] search in ld, no link_map.
[*] start search libaray: /evilELF/InjectRuntimeELF/example/evil.so
[*] start bucket search...
[*] found 'evilfunc' at 0xb772353b
[*] lib injection done!

About

Malicious use of ELF such as .so inject, func hook and so on.

Topics

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published