ELFcrypt
MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM
MMMMMMMMMMMMMMMMMMMMNNNNNNNNNNNNNNNNNNMMMMMMMMMMMMMMMMMMMMMMMMMMMM
MMMMMMMMMMMMMMNNmdhso///+o++osyyhdmNNNNNNNNNNMMMMMMMMMMMMMMMMMMMMM
MMMMMMMMMNmmhs/:...`````..........:ohmNNNNNNNNNNNNMMMMMMMMMMMMMMMM
MMMMMMMNmds:..````````...............:sdmmNNNNNNNNNNNNMMMMMMMMMMMM
MMMMNNNNm+.`.....````.............------odmmmmNNNNNNNNNNNMMMMMMMMM
MNNNNNNdo......`````..........-------:---:ymmmmmmmNNNNNNNNNMMMMMMM
NNNNNNdy.......```.....-------::::::::::--:odmmmmmmmmNNNNNNNNMMMMM
NNNNNmh:...........---::::::::::::::::::----odmmmmmmmmmmNNNNNNNMMM
NNNmmdo......-...---:::::::----::::::------.-odddmmmmmmmmNNNNNNNNM
Nmmmms.....----.------:::::::::::::----::--.-:odddddmmmmmmmNNNNNNN
mmmmd:....---------:-..-------:::--..-oso/::///hdddddmmmmmmmmNNNNN
mmmmy-..---::---.-++++/:----://++///+oo+oooyhs/sdddddddmmmmmmmNNNN
mmmdy-.---:///--.:++osyhsosyhyo/::oyhso//ooyhyo+dddddddddmmmmmmmNN
mmddy.-syysoo+-..:++//+osdhys+:/oooyys+/++::sso+hddddddddddmmmmmmN
mddds.:ohydhhs:..-/+/:/oyy+/::/dddy/oyss+/+so//ohddddddddddmmmmmmm
ddddy.-:syddhso--::/+osss////+hdyydhossyhddysoo+hddddddddddddmmmmm
ddddh/--/hhsyyhyo/+shyssys+:o+hho+hyosdmmmdysssohdddddddddddddmmmm
dddddh:-:+sssosyyydmmmmdho::+/+/+sso+oshmmmhysooddddddddddddddmmmm
dddddh/--/oysyhdhyyhmmdhs+:::---:+--:++shddhyo+sdddddddddddddddmmm
dddddho/::/oyhdddssyhhhoso::-://+ooshhyoyhhsosyhdddddddddddddddmmm
ddddddyo/::+syyhdsssssysddyssydhhhdmNmdooyysyhddddddddddddddddddmm
ddddddho+///oosyhssssossoooohhsyydhsyy+/ohhyhddddddddddddddddddmmm
dddddddy+/:/+o+syhhyysoosso+++::+ssosssssyyydddddddddddddddddddmmm
dddddddh//::/o+o+ydddhssooooos+oyhhhhddh+sshddddddddddddddddddddmm
ddddddhho::::/++/-ydddhyyso++//oyyssyhysoosddddddddddddddddddddmmm
ddddddhhs----://:-+yhhyhddyo+/+ssyydmmddhsdddddddddddddddddddddmmm
dddddhhy+---.-:-:os/shyydmmmdyhddmmmdhmmssdddddddddddddddddddddmmm
dddddddh/---.--ohyhy:-/oyhhdmddmmmd+-.sNdosyhhddddddddddddddddmmmm
dddddddy:+----:hs+hdh+.`..-/shdmmy:..-dNNhhsoooosyhdddddddddddmmmm
dddddddy:+/---:ss:/yddh+-.---/yds.```./hNNdmmdddyyyhdmNNNmmmmmmmmm
mdddddds//:-:-:+ys:-+hmdhyso/--+-.--::/omNmmdmNNNdyyyhmmmhhmNNNNNN
mmddddy+//::+///ohh/.-+omNNNmdsyddmmmmmmNNNNNmdmmdhhddydmyyhNdNNNN
mmmdyo+++o+++///oymmo..oNNNNNNNmdyysyyhhhNNdhhyssydhddsmsddmdyNNNN
dhyssyyyhhss+/++symNNy-+mNmNNmds:-----::+mdyyyyyssymmdmNhdNNsyNNNN
yyyyysyydhhd++osydNNNNd/smmdy/--......--:hmhhyhhysydNNdymNmyyNNNNN
yyhddhhmNNmhsssyhNNNNNNms//:-..........--oNdhhddddmNNNmdymhhhNNNNN
hshdNdmNmNhsyohmNNNNNNNNNy...........`..-:mmmmddNNhNmmNNddmNmNNNNm
ssmNNNsNyNsdshmNNNNNNNNNNNo..........``.--yNNNmdNNoNmNNNNNsmNNNNNm
shydmm+NomymyNddNNNNNNNNNNNo.......-....--sNNNNdNmyhdmdNNNsNNNNNNN
hhh+mhhyssNNddhsdhNNNNNNNNNNy............-sNNmNmmNNNdshyNNmmddmNNN
+yhyNdyhyhNNmNyhydmNNNNNNNNNNy-.......`..-/mNNmNdNyNsydmNNNmmmNNNN
hsNddNdMMNMNmhdmmNdNNNNNNNNNNNs-......``..-yNNNNdmmhoNNNNNmmNNNNNN
Version 1 Quick Start
% make
gcc -Wall -o ELFcrypt ELFcrypt.c
gcc -Wall -o example example.c
% ./ELFcrypt example
ELFcrypt by @dmfroberson
Crypting .crypted section of example, outputting to crypted
Enter passphrase: harharhar
Confirm passphrase: harharhar
% ./crypted
Enter passphrase: harharhar
Confirm passphrase: harharhar
This function was crypted
To use this in your own projects, include ELFcrypt.h, add a call to ELFdecrypt() in main(), and prefix the functions that you'd like to protect with CRYPTED. After this make-believe C program is compiled, run ELFcrypt against it with whatever password you desire and its .crypted section will be encrypted with RC4. See example.c for more details.
The crypted program will also attempt to read the password from the ELFCRYPT environment variable:
% ELFCRYPT="harharhar" ./crypted
This function was crypted
objdump before/after
Before:
% objdump -dj .crypted example
example: file format elf64-x86-64
Disassembly of section .crypted:
0000000000401022 <crypted_main>:
401022: 55 push %rbp
401023: 48 89 e5 mov %rsp,%rbp
401026: 48 83 ec 10 sub $0x10,%rsp
40102a: 89 7d fc mov %edi,-0x4(%rbp)
40102d: 48 89 75 f0 mov %rsi,-0x10(%rbp)
401031: bf ec 10 40 00 mov $0x4010ec,%edi
401036: e8 b5 f7 ff ff callq 4007f0 <puts@plt>
40103b: b8 64 00 00 00 mov $0x64,%eax
401040: c9 leaveq
401041: c3 retq
After:
% objdump -dj .crypted crypted
crypted: file format elf64-x86-64
Disassembly of section .crypted:
0000000000401022 <crypted_main>:
401022: 68 ac 6c f3 e5 pushq $0xffffffffe5f36cac
401027: 6d insl (%dx),%es:(%rdi)
401028: 91 xchg %eax,%ecx
401029: 59 pop %rcx
40102a: d2 7b 05 sarb %cl,0x5(%rbx)
40102d: 6e outsb %ds:(%rsi),(%dx)
40102e: 20 3c 38 and %bh,(%rax,%rdi,1)
401031: 74 05 je 401038 <crypted_main+0x16>
401033: 54 push %rsp
401034: 13 d6 adc %esi,%edx
401036: 2c 31 sub $0x31,%al
401038: 18 99 4c 46 5f 38 sbb %bl,0x385f464c(%rcx)
40103e: ad lods %ds:(%rsi),%eax
40103f: e3 bb jrcxz 400ffc <__libc_csu_init+0x4c>
...
As you can see, the second binary contains a bunch of nonsensical rubbish instead of readable assembly in the .crypted section.
Version 2 Quick Start
~/ELFcrypt % make
gcc -Wall -o ELFcrypt ELFcrypt.c
gcc -Wall -o ELFcrypt2 ELFcrypt2.c
gcc -Wall -o ELFcrypt2-stub ELFcrypt2-stub.c
gcc -Wall -o example example.c
~/ELFcrypt % ./ELFcrypt2 /bin/ls out
ELFcrypt2 by @dmfroberson
Enter passphrase: danger
Confirm passphrase: danger
~/ELFcrypt % cat ELFcrypt2-stub out >crypted
~/ELFcrypt % chmod +x crypted
~/ELFcrypt % ./crypted
Enter passphrase: danger
Confirm passphrase: danger
crypted ELFcrypt2.c ELFcrypt.c example.c out
ELFcrypt ELFcrypt2-stub ELFcrypt.h LICENSE.md README.md
ELFcrypt2 ELFcrypt2-stub.c example Makefile
ELFcrypt2 creates a stub program that reads whatever data resides beyond the end of its own valid ELF, decrypts this data in memory, and finally executes it in memory by means of fexecve().
To use on different programs, run them through ELFcrypt2, then use cat as outlined above to create the binary.
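A file built with cat as shown above carries extra bytes after the end of the stub's ELF image, which is something a scanner can check for. The following is an added example, not code from ELFcrypt: it computes where an ELF64 image ends according to its own header tables, segments and sections, and reports how many bytes follow. The names elf64_image_end, cover and demo_overlay are hypothetical, the sample file is constructed, and native byte order is assumed.

```c
#include <elf.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Extend *end over file range [off, off+size); return 0 if it leaves the file. */
static int cover(uint64_t *end, uint64_t off, uint64_t size, uint64_t len)
{
    if (size && (off > len || size > len - off)) return 0;
    if (size && off + size > *end) *end = off + size;
    return 1;
}

/* End of the ELF64 image per its own headers (0 if malformed); rest is appended. */
size_t elf64_image_end(const unsigned char *buf, size_t len)
{
    Elf64_Ehdr eh; Elf64_Phdr ph; Elf64_Shdr sh;
    uint64_t end = sizeof eh;
    if (len < sizeof eh) return 0;
    memcpy(&eh, buf, sizeof eh);
    if (memcmp(buf, ELFMAG, SELFMAG) || buf[EI_CLASS] != ELFCLASS64) return 0;
    if (eh.e_phnum && eh.e_phentsize != sizeof ph) return 0;
    if (eh.e_shnum && eh.e_shentsize != sizeof sh) return 0;
    if (!cover(&end, eh.e_phoff, eh.e_phnum * sizeof ph, len)) return 0;
    if (!cover(&end, eh.e_shoff, eh.e_shnum * sizeof sh, len)) return 0;
    for (unsigned i = 0; i < eh.e_phnum; i++) {
        memcpy(&ph, buf + eh.e_phoff + i * sizeof ph, sizeof ph);
        if (!cover(&end, ph.p_offset, ph.p_filesz, len)) return 0;
    }
    for (unsigned i = 0; i < eh.e_shnum; i++) {
        memcpy(&sh, buf + eh.e_shoff + i * sizeof sh, sizeof sh);
        if (sh.sh_type != SHT_NOBITS && !cover(&end, sh.sh_offset, sh.sh_size, len))
            return 0;                      /* NOBITS (.bss) has no file bytes */
    }
    return (size_t)end;
}

/* Constructed sample: tiny ELF64 image plus up to 64 appended bytes. */
size_t demo_overlay(size_t appended)
{
    unsigned char file[0x80 + 64] = {0};
    Elf64_Ehdr eh = { .e_ident = { 0x7f, 'E', 'L', 'F', ELFCLASS64 },
        .e_phoff = sizeof(Elf64_Ehdr), .e_phentsize = sizeof(Elf64_Phdr), .e_phnum = 1 };
    Elf64_Phdr ph = { .p_type = PT_LOAD, .p_filesz = 0x80 };
    if (appended > 64) appended = 64;
    memcpy(file, &eh, sizeof eh);
    memcpy(file + sizeof eh, &ph, sizeof ph);
    return 0x80 + appended - elf64_image_end(file, 0x80 + appended);
}
int main(void) { printf("appended bytes: %zu\n", demo_overlay(37)); return 0; }
```

A non-zero result is only a hint: other tools also append data to ELF files, so treat it as a reason to inspect the trailing bytes rather than as proof of an ELFcrypt2 payload.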
This might not work right on older Linux systems that do not have the memfd_create() function. This can be worked around by modifying the code to create temporary files rather than utilizing this function. Maybe one day I will care enough to fix this.
Also, the contents of your crypted executable are vulnerable to memory dumps while it is running. This simply provides a layer of protection for your stuff while it is relaxing on a hostile disk drive.