Closed dipanjan closed 8 years ago
Probably it has to do with the registers. I don't save them before the parasite and restore them after its execution.
You can workaround this if you push the registers before jmp MESSAGE
and pop them in end:
.
I don't plan to fix it since this project is 5 years old.
If you want to infect an ELF you can use other projects, such as the-backdoor-factory.
Absolutely correct. A set of pusha
and popa
solved both the problems. In this connection, I'd like to know if there is any boilerplate/setup code gets executed before even control is transferred to EP (_start
).
No it doesn't, the injector creates a new EP that has your parasite and a jump to the original EP.
Yes, that's what Silvio's algorithm says. But, what I am surprised at is, when the control entered to OEP in the unmodified program, it didn't assume any specific register state. The same program, when got a shellcode injected, how come started relying on register states? Otherwise, it's weird that pusha
and popa
solved the problem.
From the System V ABI - i386:
Only the registers listed below have specified values at process entry:
%ebp
The content of this register is unspecified at process initialization time,
but the user code should mark the deepest stack frame by setting the frame
pointer to zero.
%esp
The stack pointer holds the address of the byte with lowest address which
is part of the stack. It is guaranteed to be 16-byte aligned at process entry.
%edx
a function pointer that the application should register with atexit (BA_OS).
The edx
is a function pointer that is used by atexit
and because it gets destroyed the exit crashes.
If edx
is 0 then the function pointer is not called. So you can set edx
to 0 or just restore its original value.
I can confirm that setting edx = 0
works! Many thanks for the accurate explanation. I am closing this issue.
No problem!
I am trying to inject a piece of shellcode inside a 32-bit LF executable. I am running Ubuntu 14.04 64 bit. Hence, all the commands I have run require explicit switches to produce 32 bit code.
C source of the host binary is given below
First I tried with a "Hello World" ASM payload
Compiled both the host and the parasite and injected the shellcode at the end.
But, I expect the program should gracefully exit. Because, the infector inserts a jump to the OEP at the end of the shellcode. I tried the same with a different payload. But, in this case, the program runs in an infinite loop a never exits.
This is what the infected file produces.
With GDB, I can see the shellcode is executed first and then the program jumps to OEP. The crash occurs thereafter.