the main problem with using data to put your code is that on serious systems.. the data is rw-, so you can't execute.

the relative branch can't always reach data if text is big and absolute branches fail on PIE bins. ldpreload just works on dynamic bins.. so.. i just got an idea.. what's mapped in all binaries (on linux?) even if it's pie, static, ...? static bins require an elf loader to run, this is /lib/ld-linux.so .. the path is hardcoded in the elf headers so u can patch that path easily to /lib/ld-hook.so and take glibc's ld.so to be filled with your code and hotpatch the binary right before jumping to the entrypoint.

another way to place code in a binary will be to hijack vdso. this shared lib is hardcoded in the kernel and it's preloaded on all binaries. it's required to get the signal and syscall trampolines.. but you can add more code there.. and use the %gs segment to find the address of the vdso. this can be done in 3 opcodes. the main problem with the second solution is that it depends on linux, and changing code requires new kernel compilations.

another thought.. is it possible to get a shared ld.so to enable ld-preload even on static binaries? :)

i really have very little time to play with those things right now.. so.. if anybody tries to implement any of those things please share your experience here ;) i don't know anybody that tried to do that before and it can open some new ways for analyzing bins on unix systems.

On Jan 10, 2012, at 9:41 PM, Rafael de Oliveira Costa <[email protected]> wrote:

> Hi Jan
>
> > I think that your another approach about using .data segment is
> > similar to "Phrack 66: manual binary mangling with radare" mentioned
> > before. but I really need to add an instruction in some specific
> > places in a .text segment.
>
> In this case how about writing a wrapper application that debugs the
> target, places breakpoints at the desired offsets, does its magic and
> then resumes execution?
> That would save you the trouble of fixing all non-relative offsets.
> The downsides are a performance loss and potential anti-debug tricks
> you'd need to fool...
>
> > I think this could help me but in my case I really need to fix the offsets.
> any idea to realize that ?
>
> > Another approach would be DLL injection on Windows or LD_PRELOAD on
> > *nix if the target is part of a loaded library.
>
> > I can't do this because I'm working with embedded systems and it doesn't run
> > windows or *nix
>
> > I hope this helps, since I ran out of ideas.
>
> > Thanks anyway and I really appreciate your ideas
>
> _______________________________________________
> radare mailing list
> [email protected]
> http://lists.nopcode.org/listinfo.cgi/radare-nopcode.org
_______________________________________________
radare mailing list
[email protected]
http://lists.nopcode.org/listinfo.cgi/radare-nopcode.org
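The first idea in the message above rests on one fact: the loader path (/lib/ld-linux.so) is stored as a plain NUL-terminated string in the ELF program headers, in the PT_INTERP segment, so repointing it at a hook loader is a byte-level edit. The same fact makes that kind of patching easy to spot from the other side: read the PT_INTERP entry and compare it with the loaders you expect on the box. The script below is an added example, not code from the thread or from radare; it parses ELF64 program headers and flags an unexpected interpreter. The allowlist of loader paths is an assumption to adjust per system, and the `build_minimal_elf64` helper produces a constructed, non-loadable header purely so the check can be exercised offline.

```python
"""Check the PT_INTERP path of an ELF64 file (added example, not radare code).

The loader path is a plain string in the ELF program headers, which is what
makes it easy to repoint at a hook loader. The same fact makes that tampering
easy to detect: read PT_INTERP and compare it against known loaders.
"""
import struct

PT_INTERP = 3       # program header type that carries the interpreter path
ET_DYN = 3          # e_type: shared object / PIE
EM_X86_64 = 62
PF_R = 4

# Assumed allowlist of "known good" loaders; adjust to the target system.
KNOWN_LOADERS = {
    "/lib64/ld-linux-x86-64.so.2",
    "/lib/ld-linux.so.2",
    "/lib/ld-linux-aarch64.so.1",
}


def find_interp(elf: bytes):
    """Return the PT_INTERP string of an ELF64 image, or None if there is
    no PT_INTERP entry (the usual case for a static binary)."""
    if elf[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    ei_class, ei_data = elf[4], elf[5]
    if ei_class != 2:
        raise ValueError("this example only handles ELF64")
    end = "<" if ei_data == 1 else ">"
    # Elf64_Ehdr layout: e_phoff at offset 32, e_phentsize at 54, e_phnum at 56
    e_phoff = struct.unpack_from(end + "Q", elf, 32)[0]
    e_phentsize, e_phnum = struct.unpack_from(end + "HH", elf, 54)
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        p_type, _flags, p_offset, _vaddr, _paddr, p_filesz = struct.unpack_from(
            end + "IIQQQQ", elf, off)
        if p_type == PT_INTERP:
            raw = elf[p_offset:p_offset + p_filesz]
            # the path is NUL-terminated inside the segment
            return raw.split(b"\0", 1)[0].decode("ascii", errors="replace")
    return None


def check_interp(elf: bytes, known=KNOWN_LOADERS):
    """Return (interp, ok). ok is True for a binary with no PT_INTERP and
    for a dynamic binary whose loader is on the allowlist."""
    interp = find_interp(elf)
    return interp, (interp is None or interp in known)


def build_minimal_elf64(interp=None) -> bytes:
    """Constructed test input: an ELF64 little-endian header followed by at
    most one program header (PT_INTERP pointing at `interp`). Not loadable;
    it only exercises the header parsing above."""
    phoff, phentsize = 64, 56
    phnum = 0 if interp is None else 1
    e_ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8  # ELF64, LE, v1
    ehdr = struct.pack("<16sHHIQQQIHHHHHH", e_ident, ET_DYN, EM_X86_64, 1,
                       0, phoff, 0, 0, 64, phentsize, phnum, 64, 0, 0)
    if interp is None:
        return ehdr
    path = interp.encode() + b"\0"
    interp_off = phoff + phentsize * phnum
    phdr = struct.pack("<IIQQQQQQ", PT_INTERP, PF_R, interp_off, 0, 0,
                       len(path), len(path), 1)
    return ehdr + phdr + path


if __name__ == "__main__":
    import sys
    for name in sys.argv[1:]:
        with open(name, "rb") as fh:
            interp, ok = check_interp(fh.read())
        print(f"{name}: interp={interp!r} {'ok' if ok else 'UNEXPECTED LOADER'}")
```

Run it over the binaries on a system (`python3 check_interp.py /usr/bin/*`) and anything reporting a loader outside the allowlist deserves a look; `readelf -l` shows the same `[Requesting program interpreter: ...]` line if you want to confirm by hand. Note the length constraint the thread's patching idea has to live with: the new path has to fit inside the existing PT_INTERP segment unless the segment is moved, which is why a mismatch between p_filesz and the actual string length is itself worth flagging.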
