search

zznop / drow

Injects code into ELF executables post-build
MIT License
222 stars 37 forks source link

Help: wondering some code snippets' implement. #8

Open Squirre17 opened 1 year ago

Squirre17 commented 1 year ago

https://github.com/zznop/drow/blob/30ed5096ae2df19e609fadfad4663e8f6a9178aa/src/elf_patch.c#L129 I plot a layout like the following:

        |------------------| <-- shtable[j].sh_addr
        |                  |                     ↑
        |                  |                     |
        |    content of    |              shtable[j].sh_size
        |     section      |                     |
        |                  |                     ↓
        |------------------| <-------------------|
        |      vacuum      |
        |    for  payload  |
        |      inject      |
        |------------------| <-- shtable[j+1].sh_addr

patch_size and stager_size together represent the total size of the payload. Therefore, I believe that the correct condition would be shtable[j+1].sh_addr - shtable[j].sh_addr - shtable[j].sh_size >= patch_size + stager_size. However, please let me know if I have misunderstood the implementation or if there are any errors in my statement."

Risminator commented 2 months ago

I think you are absolutely right! I've been testing it for a while now, and the initial condition is, indeed, incorrect: drow says that the injection is successful when, in fact, it is not, as there is not enough space. But using your corrected condition, drow makes accurate predictions whether the injection will be successful or not, the space needed is calculated as it should be.

Tested on edge cases when the target program goes from successful execution to segmenetation fault on start.