linux-crt.git
3 years ago  Improve payload library  [master]
ilammy [Sun, 25 Feb 2018 11:00:06 +0000 (13:00 +0200)]
Improve payload library

Now the example payload can be used to add password preview button to
GTK applications. This is more interesting than writing file in /tmp.

3 years ago  Clear ptrace options in the helper thread
ilammy [Sat, 24 Feb 2018 19:31:53 +0000 (21:31 +0200)]
Clear ptrace options in the helper thread

clone() duplicates ptrace options as well. We need to clear them so that
our wait() does not stop on the syscalls performed by the new thread.
In particular, we are not interested in the PTRACE_EVENT_CLONE produced
by pthread_create(). We need only the exit code of the thread.

3 years ago  Simple payload library
ilammy [Sat, 24 Feb 2018 12:13:37 +0000 (14:13 +0200)]
Simple payload library

3 years ago  Real shellcode
ilammy [Sat, 24 Feb 2018 12:08:18 +0000 (14:08 +0200)]
Real shellcode

This is the real shellcode which loads the payload, resolves the entry
point, and starts a new detached thread executing the entry.

We also do some error handling for debugging.

3 years ago  Launching shellcode
ilammy [Sat, 24 Feb 2018 09:59:13 +0000 (11:59 +0200)]
Launching shellcode

3 years ago  Injecting shellcode
ilammy [Mon, 19 Feb 2018 21:04:33 +0000 (23:04 +0200)]
Injecting shellcode

3 years ago  Remote clone() syscall
ilammy [Sun, 18 Feb 2018 11:45:40 +0000 (13:45 +0200)]
Remote clone() syscall

Add support for injecting clone() system calls into remote processes.

clone() actually takes a bunch of optional pointer arguments, but we
will not need to use them all.

In order to be able to trace the newly created process we also set the
PTRACE_O_TRACECLONE option. The thread will be created pre-stopped and
we will need to restart it later. The parent tracer will also receive a
PTRACE_EVENT_CLONE which we need to skip over. Without this option the
new thread will be untraceable and unwaitable.
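The two ptrace details in the messages above, the PTRACE_EVENT_CLONE stop the tracer has to recognise and skip (and the options the new thread inherits), and the fact that the new thread begins life by executing the `ret` that follows the injected `syscall`, are the parts of a clone() injector that are easiest to get wrong in the wait loop. The following is an added example written for this page; it is not code from linux-crt. It decodes waitpid() statuses the way such a tracer must, picks the child stack slot that the `ret` will pop, and builds the x86_64 register state for a remote clone(2) that lands on a `syscall; ret` gadget. It assumes Linux; the function names (`classify_stop`, `resume_signal`, `child_stack_sp`, `clone_regs`) and the constructed status values are the editor's.

```c
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/ptrace.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#ifdef __x86_64__
#include <sys/user.h>
#endif

/* What a waitpid() status from a traced task means to the injector. */
enum stop_kind {
    STOP_EXITED,       /* task is gone, WEXITSTATUS() holds the code */
    STOP_SIGNALED,     /* task was killed by a signal */
    STOP_SYSCALL,      /* syscall-stop, marked SIGTRAP|0x80 by PTRACE_O_TRACESYSGOOD */
    STOP_EVENT_CLONE,  /* PTRACE_EVENT_CLONE: new tid via PTRACE_GETEVENTMSG */
    STOP_EVENT_OTHER,  /* another PTRACE_EVENT_* stop (exec, exit, ...) */
    STOP_SIGNAL        /* ordinary signal-delivery stop */
};

/* Kernel layout of a ptrace stop status: (event << 16) | (sig << 8) | 0x7f.
 * Built here so the decoder can be exercised on constructed values. */
int make_stop_status(int sig, int event)
{
    return (event << 16) | (sig << 8) | 0x7f;
}

enum stop_kind classify_stop(int status)
{
    if (WIFEXITED(status))
        return STOP_EXITED;
    if (WIFSIGNALED(status))
        return STOP_SIGNALED;
    int sig = WSTOPSIG(status);
    int event = status >> 16;            /* PTRACE_EVENT_* code, 0 if none */
    if (sig == (SIGTRAP | 0x80))
        return STOP_SYSCALL;
    if (sig == SIGTRAP && event == PTRACE_EVENT_CLONE)
        return STOP_EVENT_CLONE;
    if (sig == SIGTRAP && event != 0)
        return STOP_EVENT_OTHER;
    return STOP_SIGNAL;
}

/* Signal to pass to PTRACE_CONT: ptrace-generated stops must be resumed
 * with 0, otherwise the tracee receives a SIGTRAP it never asked for. */
int resume_signal(int status)
{
    return classify_stop(status) == STOP_SIGNAL ? WSTOPSIG(status) : 0;
}

/* The new thread starts at the "ret" after "syscall", with rsp equal to
 * clone's child_stack argument, so the first word at child_stack must be
 * the entry address. This picks that slot near the top of a remote stack
 * region [base, base+size): after "ret" pops it, rsp % 16 == 8, exactly
 * as on entry to a function reached by "call". */
uintptr_t child_stack_sp(uintptr_t base, size_t size)
{
    uintptr_t top = (base + size) & ~(uintptr_t)0xf;
    return top - 16;
}

#ifdef __x86_64__
/* Register state that turns the tracee's next instruction into clone(2).
 * The caller has already saved the original registers and written the
 * entry address at child_sp inside the tracee. */
void clone_regs(struct user_regs_struct *regs, uintptr_t gadget,
                unsigned long flags, uintptr_t child_sp)
{
    regs->rip = gadget;      /* address of "syscall; ret" in libc */
    regs->rax = SYS_clone;
    regs->rdi = flags;       /* e.g. CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD */
    regs->rsi = child_sp;    /* child_stack: new thread's initial rsp */
    regs->rdx = 0;           /* parent_tid, unused without CLONE_PARENT_SETTID */
    regs->r10 = 0;           /* child_tid */
    regs->r8  = 0;           /* tls */
    /* If the tracee was interrupted inside a blocking syscall, the kernel's
     * restart logic would rewind rip by 2 on resume. orig_rax = -1 tells it
     * there is no syscall to restart. */
    regs->orig_rax = (unsigned long long)-1;
}
#endif

int main(void)
{
    int st = make_stop_status(SIGTRAP, PTRACE_EVENT_CLONE);
    printf("status %#x -> kind %d, resume with signal %d\n",
           st, (int)classify_stop(st), resume_signal(st));
    printf("child sp for a 16 KiB stack at 0x7f0000001000: %#lx\n",
           (unsigned long)child_stack_sp(0x7f0000001000UL, 0x4000));
    return 0;
}
```

Two things the tracer still has to do around these helpers: the parent side of the clone also executes the `ret` at gadget+2 with its own rsp, so at the PTRACE_EVENT_CLONE stop the tracer should restore the saved registers before resuming it; and the new thread, auto-attached with the parent's options, arrives in its own stop and needs its own PTRACE_CONT.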

3 years ago  Mapping pages for shellcode
ilammy [Fri, 16 Feb 2018 22:23:23 +0000 (00:23 +0200)]
Mapping pages for shellcode

3 years ago  Drop old library scanning code
ilammy [Fri, 16 Feb 2018 21:38:00 +0000 (23:38 +0200)]
Drop old library scanning code

3 years ago  Locating SYSCALL + RET instructions in libc
ilammy [Fri, 16 Feb 2018 21:34:09 +0000 (23:34 +0200)]
Locating SYSCALL + RET instructions in libc

We will actually need a syscall followed by a retq for clone()
invocation, so look for this sequence in libc. There should be one, at
least in the clone() implementation of libc itself.
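An added example, not code from linux-crt, of the search this message describes: parse `/proc/PID/maps`, keep the executable mappings that belong to the library of interest, and scan their text through `/proc/PID/mem` for the bytes `0f 05 c3` (`syscall; ret`). Linux only; the function names (`parse_maps_line`, `mapping_matches`, `find_syscall_ret`, `find_remote_gadget`) and the sample maps lines in the comments are the editor's.

```c
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

struct mapping {
    uintptr_t start, end;
    char perms[5];      /* e.g. "r-xp" */
    char path[256];     /* "" for anonymous mappings, "[stack]" etc. for special ones */
};

/* Parse one line of /proc/PID/maps, e.g. (constructed sample):
 *   7f3a5c2e1000-7f3a5c4d8000 r-xp 00026000 08:01 1579246 /usr/lib/libc.so.6
 * Returns 1 on success, 0 if the line does not have the expected layout. */
int parse_maps_line(const char *line, struct mapping *m)
{
    unsigned long start, end, offset, inode;
    char dev[16];
    m->path[0] = '\0';
    int n = sscanf(line, "%lx-%lx %4s %lx %15s %lu %255s",
                   &start, &end, m->perms, &offset, dev, &inode, m->path);
    if (n < 6)
        return 0;
    m->start = start;
    m->end = end;
    return 1;
}

/* Executable, file-backed, and (if libname is given) the file's basename
 * starts with libname, so "libc" matches libc.so.6 and libc-2.27.so. */
int mapping_matches(const struct mapping *m, const char *libname)
{
    if (m->perms[2] != 'x' || m->path[0] != '/')
        return 0;
    if (!libname)
        return 1;
    const char *base = strrchr(m->path, '/') + 1;
    return strncmp(base, libname, strlen(libname)) == 0;
}

/* Offset of the first "syscall; ret" (0f 05 c3) in buf, or -1. Any such
 * byte sequence in executable memory is usable as the gadget; x86 does not
 * care whether it sits on an instruction boundary. */
long find_syscall_ret(const uint8_t *buf, size_t len)
{
    static const uint8_t pat[] = { 0x0f, 0x05, 0xc3 };
    for (size_t i = 0; i + sizeof pat <= len; i++)
        if (memcmp(buf + i, pat, sizeof pat) == 0)
            return (long)i;
    return -1;
}

/* Virtual address of the gadget in pid's matching mappings, or 0.
 * Reading /proc/PID/mem needs the same access as ptrace attach, so on a
 * tracee this is done after PTRACE_ATTACH; on our own pid it just works. */
uintptr_t find_remote_gadget(pid_t pid, const char *libname)
{
    char maps_path[64], mem_path[64], line[512];
    snprintf(maps_path, sizeof maps_path, "/proc/%d/maps", (int)pid);
    snprintf(mem_path, sizeof mem_path, "/proc/%d/mem", (int)pid);
    FILE *maps = fopen(maps_path, "r");
    int mem = open(mem_path, O_RDONLY);
    uintptr_t found = 0;
    if (!maps || mem < 0)
        goto out;
    struct mapping m;
    while (!found && fgets(line, sizeof line, maps)) {
        if (!parse_maps_line(line, &m) || !mapping_matches(&m, libname))
            continue;
        size_t len = m.end - m.start;
        uint8_t *buf = malloc(len);
        if (!buf)
            break;
        if (pread(mem, buf, len, (off_t)m.start) == (ssize_t)len) {
            long off = find_syscall_ret(buf, len);
            if (off >= 0)
                found = m.start + (uintptr_t)off;
        }
        free(buf);
    }
out:
    if (maps) fclose(maps);
    if (mem >= 0) close(mem);
    return found;
}

int main(int argc, char **argv)
{
    pid_t pid = argc > 1 ? (pid_t)atoi(argv[1]) : getpid();
    const char *lib = argc > 2 ? argv[2] : "libc";
    uintptr_t g = find_remote_gadget(pid, lib);
    if (g)
        printf("syscall; ret at %#lx in %s of pid %d\n", (unsigned long)g, lib, (int)pid);
    else
        printf("no syscall; ret gadget found for %s in pid %d\n", lib, (int)pid);
    return g ? 0 : 1;
}
```

Run without arguments it scans its own libc; with a PID and an optional library prefix it scans another process, subject to the usual ptrace access checks (Yama `ptrace_scope`, same uid or CAP_SYS_PTRACE). The address it returns is what goes into the tracee's rip for the injected clone().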

3 years ago  Resolving libpthread symbols
ilammy [Fri, 16 Feb 2018 21:25:42 +0000 (23:25 +0200)]
Resolving libpthread symbols

3 years ago  Resolving libdl symbols
ilammy [Fri, 16 Feb 2018 21:19:12 +0000 (23:19 +0200)]
Resolving libdl symbols

It turned out that we will actually need to use proper libdl and
libpthread libraries for injection. That's why we are going to look for
the real libraries.

Also, add support for ELFOSABINONE; libdl on my machine seems to be
using this ABI in its ELF header. It still parses okay.

3 years ago  Simplify main() function
ilammy [Fri, 16 Feb 2018 21:03:00 +0000 (23:03 +0200)]
Simplify main() function

3 years ago  Mapping remote memory for the shellcode
ilammy [Sun, 11 Feb 2018 17:28:03 +0000 (19:28 +0200)]
Mapping remote memory for the shellcode

3 years ago  Locating SYSCALL instruction in libc
ilammy [Sun, 11 Feb 2018 16:55:14 +0000 (18:55 +0200)]
Locating SYSCALL instruction in libc

3 years ago  Resolving libdl symbols in libc
ilammy [Sun, 11 Feb 2018 15:09:15 +0000 (17:09 +0200)]
Resolving libdl symbols in libc

3 years ago  Locating dynamic symbol table
ilammy [Wed, 7 Feb 2018 17:51:43 +0000 (19:51 +0200)]
Locating dynamic symbol table

3 years ago  Mapping libc of the remote process
ilammy [Sun, 4 Feb 2018 18:59:28 +0000 (20:59 +0200)]
Mapping libc of the remote process

3 years ago  Attaching to processes
ilammy [Sun, 4 Feb 2018 12:44:37 +0000 (14:44 +0200)]
Attaching to processes

3 years ago  Command-line parsing
ilammy [Sun, 4 Feb 2018 11:51:46 +0000 (13:51 +0200)]
Command-line parsing

3 years ago  Project skeleton
ilammy [Sun, 4 Feb 2018 11:21:04 +0000 (13:21 +0200)]
Project skeleton

3 years ago  Initial empty commit
ilammy [Sun, 4 Feb 2018 10:47:56 +0000 (12:47 +0200)]
Initial empty commit