Skip to content
A novel technique to hide code from debuggers
Branch: master
Clone or download
Luis Hebendanz
Luis Hebendanz Typo
Latest commit 300fa7b May 22, 2019
Permalink
Type Name Latest commit message Commit time
Failed to load latest commit information.
doc Changed README May 22, 2019
html Changed presentation May 22, 2019
include Fixed missing executable permission bit in first segment May 22, 2019
src Changed README May 22, 2019
tests Added shellcode.py May 22, 2019
.gitignore Changed gitignore May 8, 2019
0pack-presentation.pdf Changed presentation May 22, 2019
CMakeLists.txt Added argument parser May 10, 2019
HunterGate.cmake Working header injection May 8, 2019
LICENSE Initial commit May 8, 2019
README.md Typo May 22, 2019
build.sh
index.html test May 22, 2019

README.md

0pack

Description

An ELF x64 binary payload injector written in c++ using the LIEF library. Injects shellcode written in fasm as relocations into the header. Execution begins at entrypoint 0 aka the header, this confuses or downright breaks debuggers. The whole first segment is rwx, this can be mitigated at runtime through an injected payload which sets the binaries segment to just rx.

Compiler flags

The targeted binary must have following flags: gcc -m64 -fPIE -pie

Statically linking is not possible as -pie and -static are incompatible flags. Or in other terms:

-static means a statically linked executable with no dynamic
> relocations and only PT_LOAD segments.  -pie means a shared library with
> dynamic relocations and PT_INTERP and PT_DYNAMIC segments.

Presentation links

HTML: https://luis-hebendanz.github.io/0pack/
PDF: https://github.com/Luis-Hebendanz/0pack/raw/master/0pack-presentation.pdf
Video: https://github.com/Luis-Hebendanz/0pack/raw/master/html/showcase_video.webm

Debugger behaviour

Debuggers don't generally like 0 as the entrypoint and oftentimes it is impossible to set breakpoints at the header area. Another often occured issue is that the entry0 label gets set incorrectly to the main label. Which means the attacker can purposely mislead the reverse engineer into reverse engineering fake code by jumping over the main method. Executing db entry0 in radare2 has this behaviour.

Affected debuggers

  • radare2
  • Hopper
  • gdb
  • IDA Pro --> Not tested

0pack help

Injects shellcode as relocations into an ELF binary
Usage:
  0pack [OPTION...]

  -d, --debug            Enable debugging
  -i, --input arg        Input file path. Required.
  -p, --payload arg      Fasm payload path.
  -b, --bin_payload arg  Binary payload path.
  -o, --output arg       Output file path. Required.
  -s, --strip            Strip the binary. Optional.

-b, --bin_payload

The bin_payload option reads a binary file and converts it to ELF relocations. 0pack appends to the binary payload a jmp to the original entrypoint.

-p, --payload

Needs a fasm payload, 0pack prepends and appends a "push/pop all registers" and a jmp to the original entrypoint to the payload.

Remarks

Altough I used the LIEF library to accomplish this task, I wouldn't encourage to use it. It is very inconsistent and intransparant in what it is doing. Often times the library is downright broken. I did not find a working library for x64 PIE enabled ELF binaries. If someone has suggestions, feel free to email me on: luis.nixos@gmail.com

Dependencies

  • cmake version 3.12.2 or higher
  • build-essential
  • gcc
  • fasm

Use build script

$ ./build.sh

Build it manually

  $ mkdir build
  $ cd build
  $ cmake ..
  $ make
  $ ./../main.elf
You can’t perform that action at this time.