Modifying an ELF: adding a segment + section
From: Molchalnik  
Date: 20.02.25 09:11
Colleagues, please help.

I'm studying the structure of ELF files. I made the code segment non-readable, non-writable and non-executable, and appended to the end a segment aligned to 4096 holding a short piece of code that restores the segment's permissions via mprotect and jumps to the original entry point.

Everything goes fine until the original code executes mov rax,fs:28h.
That results in a segfault. The value of fs is 0.

  Here is the code where it crashes
endbr64
.text:00000000004ED074 push    rbp
.text:00000000004ED075 mov     rbp, rsp
.text:00000000004ED078 push    r15
.text:00000000004ED07A push    r14
.text:00000000004ED07C push    r13
.text:00000000004ED07E push    r12
.text:00000000004ED080 push    rbx
.text:00000000004ED081 sub     rsp, 0E8h
.text:00000000004ED088 mov     [rbp+var_58], rsi
.text:00000000004ED08C mov     [rbp+var_50], rdx
.text:00000000004ED090 mov     [rbp+var_48], rcx
.text:00000000004ED094 mov     [rbp+var_40], r8
.text:00000000004ED098 mov     [rbp+var_38], r9
.text:00000000004ED09C movzx   r12d, byte ptr [rdi]
.text:00000000004ED0A0 mov     rax, fs:28h                ; segfault here
.text:00000000004ED0A9 mov     [rbp+var_68], rax
.text:00000000004ED0AD xor     eax, eax
.text:00000000004ED0AF lea     rax, [rbp+arg_0]
.text:00000000004ED0B3 mov     [rbp+var_F8], 8
.text:00000000004ED0BD mov     [rbp+var_F0], rax
.text:00000000004ED0C4 lea     rax, [rbp+var_60]
.text:00000000004ED0C8 mov     [rbp+var_E8], rax
.text:00000000004ED0CF test    r12b, r12b
.text:00000000004ED0D2 jz      __libc_message_impl_cold


  Here is the segment layout before and after
BEFORE
readelf -lW u

Elf file type is EXEC (Executable file)
Entry point 0x405e30
There are 10 program headers, starting at offset 64

Program Headers:
  Type           Offset   VirtAddr           PhysAddr           FileSiz  MemSiz   Flg Align
  LOAD           0x000000 0x0000000000400000 0x0000000000400000 0x0005e8 0x0005e8 R   0x1000
  LOAD           0x001000 0x0000000000401000 0x0000000000401000 0x176231 0x176231 R E 0x1000
  LOAD           0x178000 0x0000000000578000 0x0000000000578000 0x04f8c7 0x04f8c7 R   0x1000
  LOAD           0x1c85a0 0x00000000005c85a0 0x00000000005c85a0 0x00c6a4 0x014d38 RW  0x1000
  NOTE           0x000270 0x0000000000400270 0x0000000000400270 0x000030 0x000030 R   0x8
  NOTE           0x0002a0 0x00000000004002a0 0x00000000004002a0 0x000044 0x000044 R   0x4
  TLS            0x1c85a0 0x00000000005c85a0 0x00000000005c85a0 0x000068 0x0000b8 R   0x8
  GNU_PROPERTY   0x000270 0x0000000000400270 0x0000000000400270 0x000030 0x000030 R   0x8
  GNU_STACK      0x000000 0x0000000000000000 0x0000000000000000 0x000000 0x000000 RW  0x10
  GNU_RELRO      0x1c85a0 0x00000000005c85a0 0x00000000005c85a0 0x00aa60 0x00aa60 R   0x1

 Section to Segment mapping:
  Segment Sections...
   00     .note.gnu.property .note.gnu.build-id .note.ABI-tag .rela.plt 
   01     .init .plt .text .fini 
   02     .rodata .stapsdt.base rodata.cst32 .eh_frame .gcc_except_table 
   03     .tdata .init_array .fini_array .data.rel.ro .got .got.plt .data .bss 
   04     .note.gnu.property 
   05     .note.gnu.build-id .note.ABI-tag 
   06     .tdata .tbss 
   07     .note.gnu.property 
   08     
   09     .tdata .init_array .fini_array .data.rel.ro .got

AFTER
Output of readelf -lW m for the patched file

Elf file type is EXEC (Executable file)
Entry point 0x5de000
There are 12 program headers, starting at offset 624

Program Headers:
  Type           Offset   VirtAddr           PhysAddr           FileSiz  MemSiz   Flg Align
  LOAD           0x000000 0x0000000000400000 0x0000000000400000 0x0005e8 0x0005e8 R   0x1000
  LOAD           0x001000 0x0000000000401000 0x0000000000401000 0x176231 0x176231     0x1000
  LOAD           0x178000 0x0000000000578000 0x0000000000578000 0x04f8c7 0x04f8c7 R   0x1000
  LOAD           0x1c85a0 0x00000000005c85a0 0x00000000005c85a0 0x00c6a4 0x014d38 RW  0x1000
  NOTE           0x000270 0x0000000000400270 0x0000000000400270 0x000030 0x000030 R   0x8
  NOTE           0x0002a0 0x00000000004002a0 0x00000000004002a0 0x000044 0x000044 R   0x4
  TLS            0x1c85a0 0x00000000005c85a0 0x00000000005c85a0 0x000068 0x0000b8 R   0x8
  GNU_PROPERTY   0x000270 0x0000000000400270 0x0000000000400270 0x000030 0x000030 R   0x8
  GNU_STACK      0x000000 0x0000000000000000 0x0000000000000000 0x000000 0x000000 RW  0x10
  GNU_RELRO      0x1c85a0 0x00000000005c85a0 0x00000000005c85a0 0x00aa60 0x00aa60 R   0x1
  LOAD           0x24a000 0x00000000005de000 0x00000000005de000 0x000033 0x000033 R E 0x1000
  LOAD           0x24a000 0x00000000005de000 0x00000000005de000 0x000033 0x000033 R E 0x1000

 Section to Segment mapping:
  Segment Sections...
   00     .note.gnu.property .note.gnu.build-id .note.ABI-tag .rela.plt 
   01     
   02     .rodata .stapsdt.base rodata.cst32 .eh_frame .gcc_except_table 
   03     .tdata .init_array .fini_array .data.rel.ro .got .got.plt .data .bss 
   04     .note.gnu.property 
   05     .note.gnu.build-id .note.ABI-tag 
   06     .tdata .tbss 
   07     .note.gnu.property 
   08     
   09     .tdata .init_array .fini_array .data.rel.ro .got 
   10     .coDDde 
   11     .coDDde


gdb information about the segments after the segfault
(gdb) maintenance info sections
Exec file: m, file type elf64-x86-64.
 [0]      0x00400270->0x004002a0 at 0x00000270: .note.gnu.property ALLOC LOAD READONLY DATA HAS_CONTENTS
 [1]      0x004002a0->0x004002c4 at 0x000002a0: .note.gnu.build-id ALLOC LOAD READONLY DATA HAS_CONTENTS
 [2]      0x004002c4->0x004002e4 at 0x000002c4: .note.ABI-tag ALLOC LOAD READONLY DATA HAS_CONTENTS
 [3]      0x004002e8->0x004005e8 at 0x000002e8: .rela.plt ALLOC LOAD READONLY DATA HAS_CONTENTS
 [4]      0x00401000->0x0040101b at 0x00001000: .init READONLY CODE HAS_CONTENTS
 [5]      0x00401020->0x00401220 at 0x00001020: .plt READONLY CODE HAS_CONTENTS
 [6]      0x00401240->0x00577223 at 0x00001240: .text READONLY CODE HAS_CONTENTS
 [7]      0x00577224->0x00577231 at 0x00177224: .fini READONLY CODE HAS_CONTENTS
 [8]      0x00578000->0x0059a7c4 at 0x00178000: .rodata ALLOC LOAD READONLY DATA HAS_CONTENTS
 [9]      0x0059a7c4->0x0059a7c5 at 0x0019a7c4: .stapsdt.base ALLOC LOAD READONLY DATA HAS_CONTENTS
 [10]     0x0059a7e0->0x0059a840 at 0x0019a7e0: rodata.cst32 ALLOC LOAD READONLY DATA HAS_CONTENTS
 [11]     0x0059a840->0x005c2308 at 0x0019a840: .eh_frame ALLOC LOAD READONLY DATA HAS_CONTENTS
 [12]     0x005c2308->0x005c78c7 at 0x001c2308: .gcc_except_table ALLOC LOAD READONLY DATA HAS_CONTENTS
 [13]     0x005c85a0->0x005c8608 at 0x001c85a0: .tdata ALLOC LOAD DATA HAS_CONTENTS
 [14]     0x005c8608->0x005c8658 at 0x001c8608: .tbss ALLOC
 [15]     0x005c8608->0x005c8650 at 0x001c8608: .init_array ALLOC LOAD DATA HAS_CONTENTS
 [16]     0x005c8650->0x005c8660 at 0x001c8650: .fini_array ALLOC LOAD DATA HAS_CONTENTS
 [17]     0x005c8660->0x005d2f48 at 0x001c8660: .data.rel.ro ALLOC LOAD DATA HAS_CONTENTS
 [18]     0x005d2f48->0x005d2fe0 at 0x001d2f48: .got ALLOC LOAD DATA HAS_CONTENTS
 [19]     0x005d2fe8->0x005d3100 at 0x001d2fe8: .got.plt ALLOC LOAD DATA HAS_CONTENTS
 [20]     0x005d3100->0x005d4c44 at 0x001d3100: .data ALLOC LOAD DATA HAS_CONTENTS
 [21]     0x005d4c60->0x005dd2d8 at 0x001d4c44: .bss ALLOC
 [22]     0x00000000->0x0000002b at 0x001d4c44: .comment READONLY HAS_CONTENTS
 [23]     0x00000000->0x000018cc at 0x001d4c70: .note.stapsdt READONLY HAS_CONTENTS
 [24]     0x005de000->0x005de033 at 0x0024a000: .coDDde ALLOC LOAD READONLY CODE HAS_CONTENTS


Could you please point out where I might have messed up while modifying the ELF?