Keebler is a tool for injecting standalone binary payloads into ELF executables.
The payload is inserted at the end of the segment containing the target's
Execution of the payload is achieved by modifying the
.ctors section to point to the first byte of the payload.
In order to not interrupt the normal functioning of the target program, the payload must behave like a function.
That means it must return, and it must restore any registers that the target's policy requires (typically base pointer and *bx).
Compiling is as simple as running
make in the base directory.
This will produce
keebler64 for working with 32 bit and 64 bit ELF files respectively.
Because the payloads must be standalone they cannot depend on any runtime linking (i.e. you cannot use library routines). This basically limits you to writing and dealing with assembly. Some sample payloads are supplied to give you an idea what a valid payload looks like.
Preparing a payload involves assembling it with
as (producing an elf object).
And then extracting just the assembled code with
as payload.s -o payload.o objcopy -O binary payload.o payload
Writing standalone assembly is a pain in the ass.
bootstrap.pl script is meant to alleviate this a bit.
The script combines an elf file (read: any executable) with a bootstrapping template (there is at least one in
The resulting payload with the encapsulated elf file, will when run, unpack the elf and execute it.
bootstrap.pl is simple:
bootstrap.pl -e executable -t bootstrap.s -o payload
Infecting an elf file is as easy as running:
keebler64 target payload result
It is valid to have result be the same file as target as the entire file is copied into memory before altering.