0x10. Other Topics
liyansong2018 edited this page Feb 24, 2025
elfspirit also provides a few handy binary-editing functions.

Change the hex bytes at offset 0x1000 of the target file to 01 02 03:

```bash
$ elfspirit --edit-hex -o0x1000 -s"\x01\x02\x03" -z3 hello.bin
```

Change the pointer at offset 0x1000 of the target file to 0xaaff:

```bash
$ elfspirit --set-pointer -o0x1000 -m0xaaff hello.bin
```

Extract a specific section directly, for example the code section:

```bash
$ elfspirit extract -n .text hello.bin
```

Extract a binary fragment of a given size from a given offset, for example the 0x50 bytes starting at offset 0x1000 of the target file:

```bash
$ elfspirit extract -o0x1000 -z0x50 hello.bin
```

Normally, to verify that a shellcode actually works, we have to hard-code it into a C program and run that program. Here is a typical example:
```c
/* Typical shellcode test harness: cast the hard-coded bytes to a
 * function pointer and call them. The memory holding `shellcode`
 * must be mapped executable (it is not by default); otherwise the
 * call faults instead of running the payload. */
unsigned char shellcode[] =
    "\x50\x48\x31\xd2\x48\xbb\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x53\x54\x5f\xb0\x3b\x0f\x05";

int main(void) {
    int (*ret)(void) = (int (*)(void))shellcode;
    ret();          /* does not return once the execve succeeds */
    return 0;
}
```

Now, with elfspirit, we can turn a shellcode directly into an executable program instead.
elfspirit can save a hex string as a file.

```
# Linux/x64 - execve(/bin/ls) Shellcode (21 bytes)
"\x50\x48\x31\xd2\x48\xbb\x2f\x62\x69\x6e\x2f\x2f\x6c\x73\x53\x54\x5f\xb0\x3b\x0f\x05"
ref: https://www.exploit-db.com/shellcodes/49770
```

Save the shellcode above as a binary:

```bash
$ elfspirit hex2bin -s"\x50\x48\x31\xd2\x48\xbb\x2f\x62\x69\x6e\x2f\x2f\x6c\x73\x53\x54\x5f\xb0\x3b\x0f\x05" -z21
shellcode: 50 48 31 d2 48 bb 2f 62 69 6e 2f 2f 6c 73 53 54 5f b0 3b 0f 05
[+] write [/tmp/elfspirit_out.bin] successfully!
```

Save the shellcode as a little-endian amd64 ELF executable:

```bash
$ elfspirit bin2elf -ax86 -m64 -elittle /tmp/elfspirit_out.bin
[-] /tmp/elfspirit_out.bin is not an ELF file
[+] source file length is 0x15
[+] base address is 0x400000
[+] create /tmp/elfspirit_out.bin.new
```

Running this ELF is equivalent to running the command /bin/ls:

```bash
$ /tmp/elfspirit_out.bin.new
```
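As an added example (not elfspirit's own code), the following Python script does by hand what `hex2bin` and `bin2elf` do above: it parses the `\xNN` string into bytes and wraps them in a minimal static little-endian ELF64. The file layout used here (ELF header, one PT_LOAD program header, the code immediately after, entry at base 0x400000 + 0x78) is an assumption about how such a wrapper can be built, not a description of elfspirit's actual output; the script only writes the file and never runs it.

```python
import struct

# Shellcode taken from the page above (Linux/x64 execve("/bin//ls"), 21 bytes).
SHELLCODE_HEX = r"\x50\x48\x31\xd2\x48\xbb\x2f\x62\x69\x6e\x2f\x2f\x6c\x73\x53\x54\x5f\xb0\x3b\x0f\x05"

ELF_HDR_LEN = 64      # sizeof(Elf64_Ehdr)
PHDR_LEN = 56         # sizeof(Elf64_Phdr)
BASE = 0x400000       # base address reported by bin2elf on the page

def hex2bin(s: str) -> bytes:
    """Parse a C-style "\\xNN\\xNN..." escape string into raw bytes."""
    parts = s.split("\\x")
    if parts[0] != "" or not parts[1:] or any(len(p) != 2 for p in parts[1:]):
        raise ValueError("expected a run of \\xNN escapes")
    return bytes(int(p, 16) for p in parts[1:])

def bin2elf(code: bytes, base: int = BASE) -> bytes:
    """Wrap raw x86-64 code in a minimal static ELF64 (little-endian).
    Assumed layout: [Ehdr][one PT_LOAD Phdr][code]; the whole file is
    mapped R+X at `base`, and e_entry points at the first code byte."""
    entry = base + ELF_HDR_LEN + PHDR_LEN
    total = ELF_HDR_LEN + PHDR_LEN + len(code)
    e_ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)  # ELFCLASS64, LSB, v1, SYSV
    ehdr = e_ident + struct.pack(
        "<HHIQQQIHHHHHH",
        2, 62, 1,                     # e_type ET_EXEC, e_machine EM_X86_64, EV_CURRENT
        entry, ELF_HDR_LEN, 0,        # e_entry, e_phoff, e_shoff (no section table)
        0, ELF_HDR_LEN, PHDR_LEN, 1,  # e_flags, e_ehsize, e_phentsize, e_phnum
        0, 0, 0)                      # e_shentsize, e_shnum, e_shstrndx
    phdr = struct.pack(
        "<IIQQQQQQ",
        1, 5,                         # p_type PT_LOAD, p_flags PF_R | PF_X
        0, base, base,                # p_offset, p_vaddr, p_paddr
        total, total, 0x1000)         # p_filesz, p_memsz, p_align
    return ehdr + phdr + code

def elf_entry(image: bytes) -> int:
    """Read e_entry back out of an ELF64 header (it sits at offset 24)."""
    return struct.unpack_from("<Q", image, 24)[0]

if __name__ == "__main__":
    code = hex2bin(SHELLCODE_HEX)
    print("shellcode:", code.hex(" "))
    with open("/tmp/elfspirit_example.bin.new", "wb") as f:  # hypothetical output path
        f.write(bin2elf(code))
```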