ezinject

Modular binary injection framework

Supported Architectures:

Linux
- glibc
- uClibc (tested on ARM, MIPS)
- Android (tested on Android 2.x - 10.x)
FreeBSD (tested on FreeBSD 12)
Windows
- NT 6 (tested on Windows 10)
Darwin (tested on macOS 11)

ezinject implements a single instrumentation primitive: remote calls

We proceed as following:

Create a remote memory segment (via shared memory or remote allocation), that will hold the payload
- If using shared memory, use remote syscalls to attach the shared memory in the target process
Invoke the payload remotely, in shared memory.

The stack at entry will contain a pointer to the context, and a pointer to the function to call.

The payload pops the parameters and the function to call from the stack, then calls the function in C (thus emitting a proper call with a stack frame)
The payload implementation creates a mutex/event, then opens the target library and awaits for the thread to be created.
The ezinject's crt (linked in the library) creates a local copy of the context, then creates a new thread.
The crt signals that the thread is ready to be awaited
The newly created thread prepares argv, then invokes lib_preinit and lib_main functions in the library
The user code is invoked. It can call any function inside the target, replace or hook functions (with libhooker in userland)

The following is an example on Debian and derivates, needs to be adjusted for each platform.

./build.sh

On Terminal 1

$ cd build/samples/dummy
$ ./target

On Terminal 2

$ cd build
$ sudo ./ezinject `pidof target` samples/dummy/libdummy.so

Expected output

return1() = 1

changes to

return1() = 13370

echo "print('hello ' * 3 + 'from python');" > hello.py
export EZPY=`python -c "import sys; print(':'.join(sys.path))"`
echo "python path: $EZPY"

Find libpython:

find /usr/lib -name "libpython*"

Put correct libpython and paths in example below:

sudo ./ezinject `pidof target` samples/pyloader/libpyloader.so /usr/lib/x86_64-linux-gnu/libpython2.7.so.1 /usr/lib/python2.7 $EZPY hello.py

Name		Name	Last commit message	Last commit date
Latest commit History 355 Commits
android-shmem @ 50cb47d		android-shmem @ 50cb47d
arch		arch
cmake-modules		cmake-modules
crt		crt
os		os
patches		patches
samples		samples
targets		targets
test		test
.cirrus.yml		.cirrus.yml
.gitignore		.gitignore
.gitmodules		.gitmodules
AUTHORS		AUTHORS
CMakeLists.txt		CMakeLists.txt
COPYING		COPYING
README.md		README.md
appveyor.yml		appveyor.yml
build.sh		build.sh
config.h.in		config.h.in
elfparse.c		elfparse.c
elfparse.h		elfparse.h
ezinject.c		ezinject.c
ezinject.h		ezinject.h
ezinject_arch.h		ezinject_arch.h
ezinject_common.h		ezinject_common.h
ezinject_compat.c		ezinject_compat.c
ezinject_compat.h		ezinject_compat.h
ezinject_injcode.c		ezinject_injcode.c
ezinject_injcode.h		ezinject_injcode.h
ezinject_injcode_common.c		ezinject_injcode_common.c
ezinject_injcode_glibc.c		ezinject_injcode_glibc.c
ezinject_injcode_posix.c		ezinject_injcode_posix.c
ezinject_injcode_posix_common.c		ezinject_injcode_posix_common.c
ezinject_injcode_uclibc.c		ezinject_injcode_uclibc.c
ezinject_injcode_util.c		ezinject_injcode_util.c
ezinject_injcode_windows.c		ezinject_injcode_windows.c
ezinject_injcode_windows_common.c		ezinject_injcode_windows_common.c
ezinject_util.c		ezinject_util.c
ezinject_util.h		ezinject_util.h
ezpatch.c		ezpatch.c
log.h		log.h