  • Stars: 222
  • Rank: 179,123 (Top 4 %)
  • Language: C
  • License: MIT License
  • Created over 4 years ago
  • Updated 6 months ago

Repository Details

Injects code into ELF executables post-build

Description

TL;DR

drow is a command-line utility used to inject code into ELF executables and hook their entrypoint (post-build). It takes an unmodified ELF executable as input and exports a modified ELF containing an embedded user-supplied payload that executes at runtime.

Slightly more detail ...

Drow takes the following steps to create the new patched ELF:

  1. Map in the unmodified target ELF executable and the user-supplied payload, a position-independent blob
  2. Locate the first executable segment by parsing program headers
  3. Locate the last section in the executable segment by parsing section headers
  4. Expand the last section (in the segment) section header's sh_size and program header's p_memsz/p_filesz by the size of the user-supplied payload
  5. Fix up the section headers' sh_offset and program headers' p_offset values (move sections and segments down to make room for the payload and a small "stager stub")
  6. Fix offsets in the ELF header (e_shoff, e_phoff, etc.)
  7. Modify the ELF header's e_entry (ELF entrypoint offset) to point to the injected code
  8. Create a new ELF containing the injected code and modified ELF headers

In addition to injecting the user-supplied payload, drow injects a small code stub that is prepended to the beginning of the payload. This stub is designed to call into the payload. If the payload is written to return to its caller, the stager tail-calls _start once the payload returns, restoring execution so the program can run as intended.
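As an added illustration (not drow's own code), the header walk of steps 2 and 3 run read-only over an ELF64 image, reporting whether e_entry lands in the last section of the first executable segment, which is where this procedure leaves the entrypoint once the stager and payload have been appended. It assumes "last section" means the highest-ending SHF_ALLOC section inside the segment, and the image it checks is constructed in memory (headers only); names such as entry_in_last_exec_section and check_sample are mine.

```c
#include <elf.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Steps 2 and 3 above, run read-only over an ELF64 image in memory: find the first
 * executable PT_LOAD and the section with the highest end address inside it (assumed
 * here to be "the last section in the segment"). Returns 1 if e_entry lies in that
 * section, 0 if elsewhere, -1 if the image is malformed or has no executable segment. */
static int entry_in_last_exec_section(const uint8_t *img, size_t len, int *last_shdr)
{
    const Elf64_Ehdr *eh = (const Elf64_Ehdr *)img;
    if (len < sizeof *eh || memcmp(eh->e_ident, ELFMAG, SELFMAG) != 0 ||
        eh->e_ident[EI_CLASS] != ELFCLASS64)
        return -1;
    /* Bounds-check both header tables so a malformed file cannot make us read past len. */
    if (eh->e_phoff + (size_t)eh->e_phnum * sizeof(Elf64_Phdr) > len ||
        eh->e_shoff + (size_t)eh->e_shnum * sizeof(Elf64_Shdr) > len)
        return -1;
    const Elf64_Phdr *ph = (const Elf64_Phdr *)(img + eh->e_phoff);
    const Elf64_Shdr *sh = (const Elf64_Shdr *)(img + eh->e_shoff);
    int seg = -1, last = -1;
    for (int i = 0; i < eh->e_phnum && seg < 0; i++)
        if (ph[i].p_type == PT_LOAD && (ph[i].p_flags & PF_X)) seg = i;
    if (seg < 0) return -1;
    Elf64_Addr lo = ph[seg].p_vaddr, hi = lo + ph[seg].p_memsz, end = 0;
    for (int i = 0; i < eh->e_shnum; i++) {
        Elf64_Addr s_end = sh[i].sh_addr + sh[i].sh_size;
        if ((sh[i].sh_flags & SHF_ALLOC) && sh[i].sh_addr >= lo && s_end <= hi && s_end >= end) {
            end = s_end; last = i;
        }
    }
    if (last_shdr) *last_shdr = last;
    return last < 0 ? -1 : (eh->e_entry >= sh[last].sh_addr && eh->e_entry < end);
}
/* Constructed sample (headers only, no code): one executable PT_LOAD at 0x401000 holding
 * .text [0x401000,0x401800) and .fini [0x401800,0x401900); sh[0] stays SHT_NULL. */
static int check_sample(Elf64_Addr entry, int *last_shdr)
{
    union { uint64_t align; uint8_t b[512]; } u = {0}; uint8_t *img = u.b;
    Elf64_Ehdr *eh = (Elf64_Ehdr *)img;
    memcpy(eh->e_ident, ELFMAG, SELFMAG); eh->e_ident[EI_CLASS] = ELFCLASS64;
    eh->e_type = ET_EXEC; eh->e_machine = EM_X86_64; eh->e_entry = entry;
    eh->e_phoff = sizeof *eh; eh->e_phnum = 1; eh->e_shoff = eh->e_phoff + sizeof(Elf64_Phdr); eh->e_shnum = 3;
    Elf64_Phdr *ph = (Elf64_Phdr *)(img + eh->e_phoff);
    ph[0].p_type = PT_LOAD; ph[0].p_flags = PF_R | PF_X; ph[0].p_vaddr = 0x401000; ph[0].p_memsz = 0x1000;
    Elf64_Shdr *sh = (Elf64_Shdr *)(img + eh->e_shoff);
    sh[1].sh_flags = SHF_ALLOC | SHF_EXECINSTR; sh[1].sh_addr = 0x401000; sh[1].sh_size = 0x800;
    sh[2].sh_flags = SHF_ALLOC | SHF_EXECINSTR; sh[2].sh_addr = 0x401800; sh[2].sh_size = 0x100;
    return entry_in_last_exec_section(img, eh->e_shoff + eh->e_shnum * sizeof(Elf64_Shdr), last_shdr);
}
static int sample_last_shdr(void) { int l = -1; check_sample(0x401000, &l); return l; } /* 2 == .fini */
```

To run it over a real file, read the file into a buffer and pass it to entry_in_last_exec_section; a normally linked binary starts at _start inside .text, not in the trailing section of its text segment.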

Building

Install gcc and scons. Then run scons from the root of the directory.

Other Information

In addition to building drow, this project also builds a Linux x86-64 payload named rappers_delight.bin that simply prints to stdout. This can be used for testing. Currently, drow only works with ELF64 files targeting x86-64.

Other Work

There has been a lot of open source work done in this domain. I encourage you to also check out the following projects and associated publications:

More Repositories

  1. sploit (Go, 173 stars): Go package that aids in binary analysis and exploitation
  2. bnida (Python, 116 stars): Suite of plugins that provide the ability to transfer analysis data between Binary Ninja and IDA
  3. bn-uefi-helper (C, 87 stars): Helper plugin for analyzing UEFI firmware
  4. pop-nedry (Assembly, 85 stars): x86-64 Windows shellcode that recreates the Jurassic Park hacking scene (Ah, ah, ah... you didn't say the magic word!)
  5. flyr (C, 48 stars): Block-based software vulnerability fuzzing framework
  6. ghidra_scripts (Java, 47 stars): My open source Ghidra scripts
  7. vizzy (C, 29 stars): Tool for profiling heap usage and memory management
  8. binjago (Python, 27 stars): Binary Ninja plugin for ROP gadget calculation
  9. ida-genesis (Python, 27 stars): Suite of IDA scripts for SEGA Genesis ROM hacking
  10. bn-genesis (Python, 26 stars): Binary Ninja plugin suite for SEGA Genesis ROM hacking
  11. bn-kconfig-recover (Python, 23 stars): Automated recovery of Linux kernel build configurations
  12. ich (C, 22 stars): Linux crash harness with runtime process instrumentation
  13. bn-kallsyms (Python, 19 stars): Binary Ninja plugin for importing symbols to a kernel binary from /proc/kallsyms
  14. bn-brainfuck (Python, 15 stars): Brainfuck architecture module and loader for Binary Ninja
  15. jump (Assembly, 14 stars): Kriss Kross Jump-themed SEGA Genesis ROM CTF Challenge (Because why not?)
  16. retrofuzz (Go, 9 stars): RetroFuzz is a fuzzer for SEGA Genesis emulators
  17. ida-sms (Python, 7 stars): IDA scripts for SEGA Master System ROM Hacking
  18. efi-inspector (Python, 6 stars): Binary Ninja plugin for inspecting UEFI firmware images
  19. smd-utils (Python, 5 stars): SEGA Megadrive/Genesis binary utilities
  20. zpatch (C, 4 stars): Framework for applying patches to binary files
  21. te-loader (Python, 3 stars): Binary Ninja plugin for loading Terse Executables
  22. bn-recursion (Python, 2 stars): Binary Ninja plugin for locating indirect and direct recursive logic in a binary
  23. retroctf-org (JavaScript, 1 star): CTF platform for retro game challenges