forked from masterheroit/doghook
-
Notifications
You must be signed in to change notification settings - Fork 0
/
attach.sh
executable file
·110 lines (88 loc) · 2.94 KB
/
attach.sh
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
#!/usr/bin/env bash
pid=$(pidof hl2_linux) # Default to TF2
if [[ -n "$1" ]]; then
if [ "$1" -eq "$1" ] 2>/dev/null; then
# First argument is a int (PID)
pid=$1
else
# First argument is a string (Process ID)
pid=$(pidof $1)
fi
fi
if [ -z "$pid" ]; then
echo -e "\e[91mCould not find target process.\e[39m"
exit -1
fi
# Get the full path of the .so that we'll be faking
victim_lib=$(cat /proc/${pid}/maps | grep ".so" | shuf -n 1)
echo $victim_lib
victim_lib=${victim_lib##* }
# Some magic that I copied straight from StackOverflow
victim_lib_array=(${victim_lib//./ })
number_to_spoof=${victim_lib_array[-1]}
library_path=$(IFS=. ; echo "${victim_lib_array[*]}")
if [ "$number_to_spoof" == "so" ]; then
# If the shared library doesn't have multiple versions, let's just append .0 at the end.
number_to_spoof="$number_to_spoof.0"
else
# else we'll increase the found version by one
number_to_spoof=$(($number_to_spoof + 1))
fi
victim_lib_array[-1]="$number_to_spoof"
library_path=$(IFS=. ; echo "${victim_lib_array[*]}")
if [ -e "$library_path" ]; then
echo -e "\e[91mA error occurred. Please retry.\e[39m"
exit -1
else
sudo cp "bin/Debug/libdoghook.so" "$library_path"
# Get the file name of the resulting library
result_lib_name=$(basename ${library_path})
result_lib="${result_lib_name%.*}"
# and patch the soname
sudo patchelf --set-soname "$library_path" "$result_lib"
fi
echo "Attaching as $result_lib ($library_path) to PID $pid"
# Allows only root to use ptrace. This is temporary until the user reboots the machine.
ptrace_input=$(sudo echo "2" | sudo tee /proc/sys/kernel/yama/ptrace_scope)
# Prevent crash dumps from being sent to kisak
sudo rm -rf /tmp/dumps
sudo mkdir /tmp/dumps
sudo chmod 000 /tmp/dumps
# Pause Steam
sudo killall -19 steam
sudo killall -19 steamwebhelper
# Uses dlmopen instead of normal dlopen - Credit to LWSS
sudo gdb -n -batch \
-ex "set logging on" \
-ex "set logging file /dev/null" \
-ex "attach $pid" \
-ex "set \$linkMapID = (long int)0" \
-ex "set \$dlopen = (void*(*)(char*, int)) dlopen" \
-ex "set \$dlmopen = (void*(*)(long int, char*, int)) dlmopen" \
-ex "set \$dlinfo = (int (*)(void*, int, void*)) dlinfo" \
-ex "set \$malloc = (void*(*)(long long)) malloc" \
-ex "set \$target = \$dlopen(\"$library_path\", 2)" \
-ex "p \$target" \
-ex "p \$linkMapID" \
-ex "call \$dlmopen(0, \"$library_path\", 1)" \
-ex "set \$error = call dlerror()" \
-ex "x/s \$error" \
-ex "catch syscall exit exit_group" \
-ex "continue" \
-ex "backtrace" \
-ex "detach" \
-ex "quit"
# Resume Steam
sleep 1
sudo killall -18 steamwebhelper
sudo killall -18 steam
sudo rm -rf "$library_path"
if grep -q "$library_path" /proc/${pid}/maps; then
echo "Successfully attached to PID $pid."
else
echo -e "\e[91mA error occurred. See gdb.txt\e[39m"
exit -1
fi
if [ -f "$(pwd)/gdb.txt" ]; then
sudo rm -rf gdb.txt
fi