Hool for ELF64 binaries providing several functionalities, among which:
- display information about ELF header, section table, program table, symbol table, etc. (output is readelf-like)
- provide information about function location in binary
- allow to patch a binary to add code (see limitations in corresponding section)
./elph -h example/helloworld./elph -p payload/bash -o infected_binary elph
Because all the information needed are parsed by elfph with no use of external tool (such as readelf), there is no requirement, except a c compiler and a linux system.
This time I made a Makefile, so you can just use it.
make
Basic usage: ./elph [options] target_binary
With no option, this will basically do nothing but parse target_binary and return.
Option -q (or --quiet) disable global information printing
The following options are available and allow to display information about the binary given as last parameter:
-h: Binary header information (such as binary format, architecture, number of sections, etc.)-S: Section headers information-s: Display symbol table-l: Program headers information
One of elph aims is to locate embedded functions of a binary. For now, the function detection is trivial and is only based on symbol table information. Of course, this is not possible for a stripped binary, so one of the next steps is to implement some heuristical function searching algorithms.
-f: Print infomation about functions found in symbol table (such as name, offset in file)
The patch of a binary is the other main aim of elph. From a x86_64 payload (see payload/ for examples), elph includes it in the target binary,
and modify the entry point of the program to execute the payload. Please note that in no way the initial binary is modified ; a new file is generated.
-p path/to/payload: This option gives the path to the payload to include into target binary. As soon as-pis specified, elph will generate a new binary that includes this payload.-o path/to/generated/binary: Gives the path to the modified binary. If unset, then the generated binary is./patched-j: If this option is specified, the payload will be completed with a jump to the initial entry code of the binary. This means that after the payload will be executed, the program will run normally. If not specified, it is very likely that the program will crash after having executed the payload (depending on the patcing strategy and the payload).
./elph -o malicious -p payload/bash example/helloworld: This will add a shellcode tohelloworld, and so running this program will now result in a bash opening../elph -o harmless -p payload/nop -j example/helloworld: This will add a payload consisting of four NOPs in the binary, and because-jwas specified, after the NOPs the program will jump to the initial entry point, and then print "Hello world". Without-joption, the program crashes.
In current version, two methods of patching are implemented. The method being used is decided regarding the size of the payload. In both cases, we use the fact that NOTE segment is almost always present in binaries, and almost always useless.
If the target binary has a NOTE segment, and if this NOTE segment is large enough to embed the payload, then this method is choosen. Basically, it consists in:
- Changing type and flags of
NOTEsegment to support code execution - Load payload in
NOTEsegment - Modify the entry point to point into the beginning of the payload
If it is not possible to incorporate the payload in NOTE segment, then a new segment is created at the end of the file. In order to preserve consistency of offsets in file, we cannot add an entry into program header table (which is at the beginning of the ELF file). So we overwrite the NOTE segment header, and replace it with a header corresponding to the new segment. Finally, we load the payload at the end of the file, and edit the entry point.
Currently, elph only supports 64 bits binary in little-endian mode.
The current patching methods are, by design, very easy to detect. Thus, if the goal is to patch a binary remaining as discrete as possible, a lot of work still has to be done.