Re: [ELFIO-info] ELF not executable anymore after load/save
A header-only C++ library for accessing files in ELF binary format
Brought to you by:
to_serge
Menu
▾
▴
Re: [ELFIO-info] ELF not executable anymore after load/save
|
From: Serge B. <ser...@he...> - 2012-06-19 09:34:13
|
Hi,
One more thing : it seems that I can't add a section to an existing ELF :
/ elfio e;
e.load("foo");
e.sections.add("new");
e.save("foo");/
When running this code, it crashes with a seg fault when calling
"add()". Am I misusing it ?
Thank you for your answer.
Cheers,
Serge.
Le 14. 06. 12 10:20, Serge Burdet a écrit :
> Hi,
>
> Sure : my goal is to develop a simple packer. It would be able to
> encrypt the .text section of an ELF and add a new executable section
> to it (let's call it .new). .new would be able to decrypt .text. Then
> modify the entry point to jump directly to .new, so when you run the
> file, the .new decrypts .text and jumps to it. The original .text then
> executes (I hope I'm clear, don't hesitate to ask if not ;) ). This is
> part of a project we're doing here at HEIG-VD.
>
> So far I've been able to add my own section with my own machine code
> to an ELF using the /objcopy --add-section/ tool. Now, with ELFIO, I'd
> like to modify the entry point and flag the new section as executable.
> That works, by the way, my only trouble is the "sections-segments" thing.
>
> Thank you for your workaround, I'm gonna try it today.
>
> What I tried already is to re-add manually the sections to the
> segments, using the a segment's /add_section_index/ function (
> targetSegment->add_section_index(sectionToAdd->get_index(),
> sectionToAdd->get_addr_align()); ). After that, I try to run the
> modified ELF, and I think it launches but crashes instantly, and the
> shell says "Processus arrêté" (it's french) which literally means
> "Process stopped", could be "Process killed".
> And a weird fact about this is that the size of the ELF hugely
> increases : from 8kB to 4MB !
>
> Thank you very much for your help and explanations.
>
> Cheers,
>
> Serge.
>
>
> Le 13. 06. 12 16:25, Serge Lamikhov-Center a écrit :
>>
>> Hi Serge,
>>
>> I have at looked at the issue and here are the results concluded:
>>
>> You are right - ELFIO's 'load' function does not automatically relate
>> sections to the containing segments. That is by design though. Data
>> content for segments and sections is still valid.
>>
>> While segments are usually built from sections by linker (and in case
>> of ELFIO library usage, it is the only option), it is not always
>> possible to process ELF file in reverse order (restore sections from
>> segment content). Some segments may not contain child sections and in
>> generic case, no sections at all may exist in executable file.
>>
>> I have checked that your proposed method working fine for relocatable
>> files (object files), but not for executable files. (The example
>> program elfcopy.c is attached with this email.)
>>
>> As a workaround, you may try (I didn't check it by myself) the
>> following method:
>>
>> -process input file
>>
>> -for each _/segment/_ in input file create new _/section/_ with the
>> same content in another output file
>>
>> -build new segment that would contain this, just created, section
>>
>> -Properly set sections/segments attributes and entry address
>>
>> Probably, it will be better if you could explain your intention first.
>>
>> Best regards,
>>
>> Serge
>>
>>
>>
>> ------------------------------------------------------------------------
>> From: to_...@ho...
>> To: ser...@he...
>> CC: elf...@li...
>> Subject: RE: [ELFIO-info] ELF not executable anymore after load/save
>> Date: Mon, 11 Jun 2012 17:08:17 +0300
>>
>> Hi Serge,
>>
>> I had never tried to use the library in such flow. Please let me look
>> at this.
>>
>> Best regards,
>> Serge
>>
>> ------------------------------------------------------------------------
>> Date: Mon, 11 Jun 2012 13:58:37 +0200
>> From: ser...@he...
>> To: to_...@ho...
>> CC: elf...@li...
>> Subject: Re: [ELFIO-info] ELF not executable anymore after load/save
>>
>> Hi Serge,
>>
>> Thank you for your answer, I'm new to the ELF format and I really
>> appreciate your help.
>>
>> I feel like I'm missing something with ELFIO (2.0.0), because as soon
>> as I save an ELF, all its sections get un-mapped from the segments,
>> even if I don't modify it. For example this trivial code :
>>
>> / elfio e;
>> e.load("foo");
>> e.save("foo2");/
>>
>> After running it, /foo2/ isn't executable, as sections doesn't seem
>> to be mapped to segments anymore (excerpt of /readelf -l foo2/) :
>>
>> / Section to Segment mapping:
>> Segment Sections...
>> 00
>> 01
>> 02
>> 03
>> 04
>> 05
>> 06
>> 07
>> 08 /
>>
>> Is there a function that I have to call after loading /foo/ so its
>> mapping stays untouched ?
>>
>> Thank you for your answer.
>>
>> Best regards,
>>
>> Serge.
>>
>>
>> Le 11. 06. 12 13:27, Serge Lamikhov-Center a écrit :
>>
>>
>> Hi Serge,
>>
>>
>> The answer depends on the purpose of the section you are adding.
>> There is no problem to add a section outside segment, but, loader
>> usually works with segments only. Therefore, in case the
>> intention is to load a section and execute it, most probably, you
>> need to add it into existing or new segment.
>>
>>
>> Best regards,
>>
>> Serge
>>
>> ------------------------------------------------------------------------
>> Date: Fri, 8 Jun 2012 10:33:00 +0200
>> From: ser...@he... <mailto:ser...@he...>
>> To: elf...@li...
>> <mailto:elf...@li...>
>> Subject: [ELFIO-info] ELF not executable anymore after load/save
>>
>> Hi everyone,
>>
>> I'm using ELFIO to try and add a new section to ELF files.
>> This is my problem : as soon as I load and save an ELF, it stops
>> to be executable. /readelf -l/ shows that sections aren't mapped
>> to segments anymore.
>>
>> Is this a normal behaviour ? Do I have to manually add the
>> sections to the segments ?
>>
>> Thank you for your answers !
>>
>> ------------------------------------------------------------------------------
>> Live Security Virtual Conference Exclusive live event will cover
>> all the ways today's security and threat landscape has changed
>> and how IT managers can respond. Discussions will include
>> endpoint security, mobile security and the latest in malware
>> threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
>> _______________________________________________ ELFIO-info
>> mailing list ELF...@li...
>> <mailto:ELF...@li...>
>> https://lists.sourceforge.net/lists/listinfo/elfio-info
>>
|
