dynelfsymbols
This is a small program meant to assist in creating backdoor/MitM libraries.
It's only really been tested on Linux. Feel free to give it a try on other operating systems.
Please run it with -h for more info.
For legal use only.
Searching for good binaries to backdoor
When given one or more directories, dynelfsymbols prints a list of the ELF files in those directories, the smallest number of symbols each file imports from any single library, and the library or libraries from which that few symbols are imported.
As long as the first path given is a directory, individual files may be given as well. This allows searching the standard locations (/bin, /usr/bin, and so on) together with individual site-specific binaries (e.g. /opt/foo/hackjob).
Example:

```
$ ./dynelfsymbols ./hackjob /usr/bin /sbin
File                   Count Libraries
----                   ----- ---------
./hackjob              1     libm.so.6
/sbin/apparmor_parser  1     ld-linux-x86-64.so.2
/sbin/blkdiscard       1     librt.so.1
/sbin/cgdisk           1     libgcc_s.so.1 libm.so.6 libuuid.so.1
/sbin/dumpe2fs         1     libuuid.so.1
/sbin/ethtool          1     libm.so.6
/sbin/findfs           1     libblkid.so.1
/sbin/fixparts         1     libgcc_s.so.1
/sbin/fsck             1     librt.so.1
/sbin/gdisk            1     libgcc_s.so.1 libm.so.6 libuuid.so.1
/sbin/parted           1     libtinfo.so.5
/sbin/runuser          1     libpam_misc.so.0
/sbin/sgdisk           1     libgcc_s.so.1 libm.so.6 libuuid.so.1
/sbin/sulogin          1     libcrypt.so.1
/sbin/swaplabel        1     libuuid.so.1
/sbin/ureadahead       1     libblkid.so.1 librt.so.1
```
In this example, ./hackjob is probably a good candidate, as is /sbin/gdisk.
Inspecting the binary
When given a single file, dynelfsymbols prints the imported symbols, the required version of each symbol, and the library from which each symbol is to be imported.
Example:

```
$ ./dynelfsymbols /sbin/gdisk
Library        Symbol             Version
-------        ------             -------
libgcc_s.so.1  _Unwind_Resume     GCC_3.0
libm.so.6      log2               GLIBC_2.2.5
libuuid.so.1   uuid_generate      UUID_1.0
libc.so.6      __cxa_atexit       GLIBC_2.2.5
libc.so.6      __errno_location   GLIBC_2.2.5
libc.so.6      __fxstat64         GLIBC_2.2.5
libc.so.6      __libc_start_main  GLIBC_2.2.5
libc.so.6      __sprintf_chk      GLIBC_2.3.4
...snip...
```
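Both listings above come from the binary's dynamic section: the `.dynamic` section's DT_NEEDED entries name the libraries, and `DT_SONAME`/`DT_RUNPATH` say what a library calls itself and where the loader should look first. The following added example (not part of dynelfsymbols) reads exactly those entries from a little-endian ELF64 image with nothing but `struct`, which is enough to audit a binary's or a library's declared dependencies offline. It does not parse `.gnu.version_r`, so it gives the library list, not the per-symbol versions the tool prints. `build_sample_elf` is a constructed test input, a minimal ET_DYN image with only the sections the parser needs.

```python
"""Read DT_NEEDED, DT_SONAME and DT_RUNPATH from a little-endian ELF64 image.

Added example for this README, not dynelfsymbols' own code. It walks the section
header table to the SHT_DYNAMIC section and reads its string table via sh_link,
the same information `readelf -d` shows and the first thing an auditor checks
when looking for an unexpected library dependency.
"""
import struct

ELF_MAGIC = b"\x7fELF"
SHT_STRTAB = 3
SHT_DYNAMIC = 6
DT_NULL, DT_NEEDED, DT_SONAME, DT_RPATH, DT_RUNPATH = 0, 1, 14, 15, 29
SHDR_FMT = "<IIQQQQIIQQ"   # Elf64_Shdr, 64 bytes
DYN_FMT = "<qQ"            # Elf64_Dyn, 16 bytes


def _cstr(blob, off):
    """NUL-terminated string at `off` in a string table."""
    return blob[off:blob.index(b"\x00", off)].decode("ascii", "replace")


def dynamic_info(data):
    """Return (needed, soname, runpath) for the ELF64 image `data`."""
    if data[:4] != ELF_MAGIC or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    e_shoff = struct.unpack_from("<Q", data, 0x28)[0]
    e_shentsize, e_shnum = struct.unpack_from("<HH", data, 0x3A)
    shdrs = [struct.unpack_from(SHDR_FMT, data, e_shoff + i * e_shentsize)
             for i in range(e_shnum)]
    needed, soname, runpath = [], None, None
    for sh in shdrs:
        if sh[1] != SHT_DYNAMIC:
            continue
        link = shdrs[sh[6]]                       # sh_link names the .dynstr section
        strtab = data[link[4]:link[4] + link[5]]  # sh_offset, sh_size
        dyn_off, dyn_size = sh[4], sh[5]
        for pos in range(dyn_off, dyn_off + dyn_size, 16):
            tag, val = struct.unpack_from(DYN_FMT, data, pos)
            if tag == DT_NULL:
                break
            if tag == DT_NEEDED:
                needed.append(_cstr(strtab, val))
            elif tag == DT_SONAME:
                soname = _cstr(strtab, val)
            elif tag in (DT_RPATH, DT_RUNPATH):
                runpath = _cstr(strtab, val)
    return needed, soname, runpath


def build_sample_elf(needed, soname=None):
    """Constructed test input: a minimal ELF64 ET_DYN with .dynstr, .dynamic, .shstrtab."""
    strtab = bytearray(b"\x00")

    def add(s):
        off = len(strtab)
        strtab.extend(s.encode() + b"\x00")
        return off

    dyn = b"".join(struct.pack(DYN_FMT, DT_NEEDED, add(n)) for n in needed)
    if soname:
        dyn += struct.pack(DYN_FMT, DT_SONAME, add(soname))
    dyn += struct.pack(DYN_FMT, DT_NULL, 0)
    shstrtab = b"\x00.dynstr\x00.dynamic\x00.shstrtab\x00"  # name offsets 1, 9, 18

    dynstr_off = 64
    dynamic_off = (dynstr_off + len(strtab) + 7) & ~7
    shstr_off = dynamic_off + len(dyn)
    shoff = (shstr_off + len(shstrtab) + 7) & ~7
    img = bytearray(shoff)
    img[dynstr_off:dynstr_off + len(strtab)] = strtab
    img[dynamic_off:dynamic_off + len(dyn)] = dyn
    img[shstr_off:shstr_off + len(shstrtab)] = shstrtab

    def shdr(name, typ, off, size, link=0, entsize=0):
        return struct.pack(SHDR_FMT, name, typ, 0, 0, off, size, link, 0, 1, entsize)

    img += shdr(0, 0, 0, 0)
    img += shdr(1, SHT_STRTAB, dynstr_off, len(strtab))
    img += shdr(9, SHT_DYNAMIC, dynamic_off, len(dyn), link=1, entsize=16)
    img += shdr(18, SHT_STRTAB, shstr_off, len(shstrtab))
    ident = ELF_MAGIC + bytes([2, 1, 1, 0, 0]) + bytes(7)
    # e_type=ET_DYN, e_machine=x86-64, no program headers, 4 section headers, shstrndx=3
    img[:64] = struct.pack("<16sHHIQQQIHHHHHH", ident, 3, 62, 1, 0, 0, shoff, 0,
                           64, 56, 0, 64, 4, 3)
    return bytes(img)


if __name__ == "__main__":
    sample = build_sample_elf(["libgcc_s.so.1", "libm.so.6", "libuuid.so.1", "libc.so.6"])
    print(dynamic_info(sample))
```

Run it against a real file with `dynamic_info(open(path, "rb").read())`; a library that claims a well-known `DT_SONAME` but lists far fewer dependencies than the genuine one, or a binary with a `DT_RUNPATH` pointing somewhere writable, is the kind of discrepancy this is meant to surface.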
Backdooring a binary
C stub source code for a malicious library can be generated by passing -c libraryname along with the path to a binary. Please read the generated C source code for more information.
Example:

```
$ ./dynelfsymbols -c libuuid.so.1 /sbin/gdisk
#define _GNU_SOURCE
#include <dlfcn.h>
#include <err.h>

/* Begin version script:
------------------------
VERSIONSCRIPT UUID_1.0 {
VERSIONSCRIPT         global:
VERSIONSCRIPT                 uuid_generate;
VERSIONSCRIPT };
---------------------
End version script */

/* Constructor prototype */
static void con(void) __attribute__((constructor));

/* Exported function prototypes */
TYPE_CHANGEME uuid_generate(ARGS_CHANGEME);

/* Pointers to real functions */
static TYPE_CHANGEME (*uuid_generate_real)(ARGS_CHANGEME);

/* Exported functions which call real functions */
TYPE_CHANGEME uuid_generate(ARGS_CHANGEME) {return uuid_generate_real(ARGS_CHANGEME);}

/* con is called when the library is loaded */
void
con(void)
{
        char *e;

        /* Load the real libuuid.so.1 */
        if (NULL == dlopen("libuuid.so.1", RTLD_NOW|RTLD_GLOBAL))
                errx(1, "dlopen: %s", dlerror());

        /* Get hold of the real functions */
        /* uuid_generate */
        dlerror();
        uuid_generate_real = dlsym(RTLD_NEXT, "uuid_generate");
        if (NULL != (e = dlerror()))
                errx(2, "dlsym uuid_generate: %s", e);

        /************************************
         * Further malicious code goes here *
         ************************************/
}

/*
Slice off the version script and save it to a file named "vs". After modifying
the ARGS_CHANGEMEs and TYPE_CHANGEMEs to reflect the real function prototypes,
the rest of this C source code can be compiled with a command similar to:

cc -O2 -shared -fPIC -Wl,--version-script=vs -o foo.so foo.c -lc -ldl
*/
```
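A library built from this stub only takes effect if the dynamic loader picks it instead of the genuine library when resolving the binary's DT_NEEDED entry, so the symptom an auditor can actually observe on a host is that a needed soname resolves to more than one file along the loader's search order. The following added script (not part of dynelfsymbols) approximates that order as LD_LIBRARY_PATH, then DT_RUNPATH, then a fixed list of system directories, and reports for each needed soname which file would win and which later copies it shadows. The system directory list is an assumption, and ld.so.cache and hardware-capability subdirectories are deliberately not modelled; `demo()` builds a constructed directory layout under a temporary directory rather than touching the real filesystem.

```python
"""Find DT_NEEDED names that resolve to more than one file along the loader's search path.

Added example for this README, not dynelfsymbols' own code. The search order is an
approximation of ld.so (assumption): LD_LIBRARY_PATH, DT_RUNPATH, then system directories.
"""
import os
import tempfile

SYSTEM_LIB_DIRS = ["/lib", "/usr/lib", "/lib64", "/usr/lib64"]   # assumed defaults


def search_order(env_path="", runpath="", system_dirs=None):
    """Directories in the order this example assumes the loader consults them."""
    dirs = []
    for chunk in (env_path, runpath):
        dirs.extend(d for d in chunk.split(":") if d)
    return dirs + list(SYSTEM_LIB_DIRS if system_dirs is None else system_dirs)


def candidates(name, dirs):
    """Every file matching `name` on the search order, first hit first."""
    return [os.path.join(d, name) for d in dirs if os.path.isfile(os.path.join(d, name))]


def shadow_report(needed, dirs):
    """For each soname: the file the loader would pick and any later copies it shadows."""
    report = {}
    for name in needed:
        hits = candidates(name, dirs)
        report[name] = {"resolves_to": hits[0] if hits else None, "shadowed": hits[1:]}
    return report


def flagged(report):
    """Sonames worth a closer look: missing entirely, or present more than once."""
    return sorted(n for n, r in report.items() if r["resolves_to"] is None or r["shadowed"])


def demo():
    """Constructed scenario: libuuid.so.1 exists both in an app-private RUNPATH directory
    and in the system directory, so the RUNPATH copy wins and the system copy is shadowed."""
    root = tempfile.mkdtemp()
    app_lib = os.path.join(root, "opt", "foo", "lib")
    sys_lib = os.path.join(root, "lib", "x86_64-linux-gnu")
    layout = {app_lib: ["libuuid.so.1"], sys_lib: ["libuuid.so.1", "libm.so.6"]}
    for d, names in layout.items():
        os.makedirs(d)
        for n in names:
            open(os.path.join(d, n), "wb").close()   # empty stand-in for a library file
    dirs = search_order(runpath=app_lib, system_dirs=[sys_lib])
    return shadow_report(["libm.so.6", "libuuid.so.1", "libgcc_s.so.1"], dirs)


if __name__ == "__main__":
    for name, r in demo().items():
        print(name, "->", r["resolves_to"], "shadows", r["shadowed"])
```

On a real host, feed `shadow_report` the DT_NEEDED list of the binary under review together with `search_order(os.environ.get("LD_LIBRARY_PATH", ""), runpath)`, then compare each `resolves_to` path with what `ldd` prints and with the package manager's file list; a duplicate that is not owned by any package is the one to pull apart with the symbol listing above.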