JustThinkingHard/infektor
💉 Infektor - ELF Code Cave Injector

⚠️ DISCLAIMER

This tool is a Proof of Concept (PoC) for educational purposes. It demonstrates advanced ELF binary manipulation techniques used in malware persistence. Do not use this on critical systems or binaries you do not own.


  • πŸ“ Overview

    Infektor is a user-space utility designed to establish persistence for the Rootkit. It targets an existing system ELF binary (e.g., /usr/sbin/cron), injects a shellcode payload, and redirects the program's entry point to that payload.

  • πŸ›‘οΈ Stealth Technique: Alignment Padding Injection

    Unlike "dumb" injectors that append data to the end of a file (altering its size and raising alerts), Infektor uses a stealthier approach:

    1. No File Size Change: It searches for existing "Code Caves" (alignment padding) within the binary.
    2. No Segment Shift: It does not move sections or headers, minimizing the risk of breaking the binary.
    3. Safety Check: It calculates the available gap between the Text segment and the Data segment. If the gap is too small for the payload, the injection aborts safely to prevent corruption.

  • βš™οΈ How It Works (The "Code Cave")

    Compilers (like GCC) align memory segments to page boundaries (usually 4096 bytes). This leaves unused space (zeros) at the end of the executable code.

    Visual Representation:

        +-----------------------+ <--- File Start
        | ELF Header            |
        +-----------------------+
        | .text (Code)          | <--- Program code
        | [INSTRUCTION]         |
        | [INSTRUCTION]         |
        +-----------------------+ <--- End of Code (p_filesz)
        | 00 00 00 00 00 00...  | \
        | 00 00 PAYLOAD 00...   |  } THE GAP (Padding)
        | 00 00 00 00 00 00...  | /
        +-----------------------+ <--- Start of next segment (.data)
        | .data                 |
        +-----------------------+
    
    

    The Infection Process:

    1. Map: Loads the target binary into memory.
    2. Scan: Finds the executable PT_LOAD segment.
    3. Measure: Calculates the distance to the next segment to ensure the payload fits.
    4. Inject: Writes the shellcode into the padding zeros.
    5. Patch: Updates the ELF Entry Point (e_entry) to point to the new payload.
    6. Extend: Slightly increases the segment's p_filesz and p_memsz to officially include the payload, without increasing the file size.
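    As an added defender-side example (not part of the Infektor project), the following script checks an ELF64 image for the two structural side effects the process above leaves behind: an entry point that no executable section covers, and an executable PT_LOAD whose p_filesz reaches past its last section into non-zero padding. It uses only the standard struct module; build_sample is a constructed toy fixture whose layout (one RX PT_LOAD, .text at 0x80, section headers at 0x200) is an assumption, not a real binary.

```python
import struct

EHDR = struct.Struct("<16sHHIQQQIHHHHHH")  # ELF64 header, 64 bytes
PHDR = struct.Struct("<IIQQQQQQ")          # ELF64 program header, 56 bytes
SHDR = struct.Struct("<IIQQQQIIQQ")        # ELF64 section header, 64 bytes
PT_LOAD, PF_X, SHF_ALLOC, SHF_EXECINSTR = 1, 0x1, 0x2, 0x4

def scan_elf64(data: bytes) -> list[str]:
    """Return anomaly descriptions for a little-endian ELF64 image (empty = clean)."""
    (ident, _, _, _, e_entry, e_phoff, e_shoff, _, _, phentsize, phnum,
     shentsize, shnum, _) = EHDR.unpack_from(data, 0)
    if ident[:4] != b"\x7fELF" or ident[4] != 2:
        raise ValueError("not an ELF64 image")
    phdrs = [PHDR.unpack_from(data, e_phoff + i * phentsize) for i in range(phnum)]
    shdrs = [SHDR.unpack_from(data, e_shoff + i * shentsize) for i in range(shnum)]
    findings = []
    # Check 1: e_entry should sit inside a SHF_EXECINSTR section; padding is covered by none.
    # (shdr tuple: s[2]=sh_flags, s[3]=sh_addr, s[4]=sh_offset, s[5]=sh_size)
    if not any(s[2] & SHF_EXECINSTR and s[3] <= e_entry < s[3] + s[5] for s in shdrs):
        findings.append(f"e_entry {e_entry:#x} is not inside any executable section")
    # Check 2: an executable PT_LOAD's file image normally ends exactly where its last
    # section ends, and the alignment gap after it holds only zeros.
    for p_type, p_flags, p_off, _, _, p_filesz, _, _ in phdrs:
        if p_type != PT_LOAD or not p_flags & PF_X:
            continue
        seg_end = p_off + p_filesz
        sec_ends = [s[4] + s[5] for s in shdrs if s[2] & SHF_ALLOC and p_off <= s[4] < seg_end]
        sec_end = max(sec_ends, default=seg_end)
        if seg_end > sec_end:
            findings.append(f"exec PT_LOAD p_filesz extends {seg_end - sec_end} bytes past its last section")
        if any(data[sec_end:seg_end]):
            findings.append("non-zero bytes in the alignment gap after the last section")
    return findings

def build_sample(cave_bytes: bytes = b"") -> bytes:
    """Constructed fixture: toy ELF64, one RX PT_LOAD, 32 bytes of .text at 0x80, zero padding
    to 0x200. With cave_bytes set it mirrors the README's layout (gap filled, e_entry moved)."""
    text_off, text_len, base, shoff = 0x80, 0x20, 0x400000, 0x200
    img = bytearray(shoff + 2 * SHDR.size)
    img[text_off:text_off + text_len] = b"\xc3" * text_len  # ret sled stands in for code
    entry, filesz = base + text_off, text_off + text_len
    if cave_bytes:
        img[filesz:filesz + len(cave_bytes)] = cave_bytes
        entry, filesz = base + filesz, filesz + len(cave_bytes)
    ident = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9)  # ELFCLASS64, ELFDATA2LSB, EV_CURRENT
    EHDR.pack_into(img, 0, ident, 2, 62, 1, entry, 64, shoff, 0, 64, 56, 1, 64, 2, 0)
    PHDR.pack_into(img, 64, PT_LOAD, 5, 0, base, base, filesz, filesz, 0x1000)
    # shdr[0] stays all-zero (SHN_UNDEF); shdr[1] describes .text as PROGBITS with flags AX
    SHDR.pack_into(img, shoff + SHDR.size, 0, 1, 0x6, base + text_off, text_off, text_len, 0, 0, 16, 0)
    return bytes(img)
```

    On real binaries, compare the findings against a known-good copy or package checksum; the checks are heuristics, and unusual linker layouts can trip them.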

  • 🔨 Compilation

    The C injector depends on external symbols defined in the assembly payload (payload.s).

    Prerequisites:

    • gcc (C Compiler)

    • nasm (Assembler)

    Build:

        make
    
  • 🚀 Usage

    Syntax:

        sudo ./infektor <path_to_binary>
    
  • πŸ› Troubleshooting

        CRITICAL ERROR: Not enough padding space!
    

    The target binary was compiled with optimization (e.g., -Os) or is too small, leaving no gap between segments.

    Solution: Try a different target binary (e.g., sudo, NetworkManager, rsyslogd) or recompile the target without optimization if possible.

        No PT_LOAD found
    

    The binary format is unusual or statically linked in a non-standard way.

        Segmentation Fault
    

    The payload executed, but the jump back to the original entry point failed. Check payload.s logic.
