ELF: Adding segment makes unexecutable binaries #98

Closed

@laxa

Tried to make a simple packer using lief, but it turns out I was never able to make a working binary while using the lief.ELF.add_segment() function.

Reproduction steps are easy: just follow https://lief.quarkslab.com/doc/tutorials/05_elf_infect_plt_got.html and, at the step "Injecting the hook", lief failed to add the segment on Debian unstable.

On some other tests, binaries were successfully written but could not be executed. This seems to happen when adding a segment to a static binary.

Here is a sample program:

#include <stdio.h>

int     main(void)
{
    puts("Hello World");
    return 0;
}

Then:

laxa:tmp.eJeAIIAtPd:14:23:41$ gcc hello_world.c -static
laxa:tmp.eJeAIIAtPd:14:24:00$ checksec --file a.out
[*] '/tmp/tmp.eJeAIIAtPd/a.out'
    Arch:     amd64-64-little
    RELRO:    Partial RELRO
    Stack:    No canary found
    NX:       NX enabled
    PIE:      No PIE (0x400000)

Then using the following lief script:

import lief

# Parse the static, non-PIE binary built above
binary = lief.parse('a.out')

# Build a new RWX PT_LOAD segment with a few bytes of content
segment           = lief.ELF.Segment()
segment.type      = lief.ELF.SEGMENT_TYPES.LOAD
segment.flags     = lief.ELF.SEGMENT_FLAGS.PF_R | lief.ELF.SEGMENT_FLAGS.PF_W | lief.ELF.SEGMENT_FLAGS.PF_X
segment.content   = [1, 2, 3]
segment.alignment = 8

# Add it at a fixed virtual base and write the patched binary back out
segment           = binary.add_segment(segment, base=0xA0000000)

binary.write('a.out.bin')

And doing that right after fails:

laxa:tmp.eJeAIIAtPd:14:24:31$ python test_lief.py 
laxa:tmp.eJeAIIAtPd:14:25:18$ chmod +x a.out.bin 
laxa:tmp.eJeAIIAtPd:14:25:23$ ./a.out.bin 
Segmentation fault
laxa:tmp.eJeAIIAtPd:14:25:25$ strace ./a.out.bin 
execve("./a.out.bin", ["./a.out.bin"], [/* 51 vars */]) = 0
--- SIGSEGV {si_signo=SIGSEGV, si_code=SEGV_MAPERR, si_addr=0x400930} ---
+++ killed by SIGSEGV +++
Segmentation fault
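The strace output above faults on the very first instruction, which in a non-PIE static binary means the entry point is no longer backed by a loadable, executable segment. The following script is an added example, not part of the issue or of LIEF: it is a standard-library-only sanity check one can run on a patched ELF before executing it, verifying that the entry point falls inside an executable PT_LOAD segment, that PT_LOAD virtual ranges do not overlap, and that each segment's p_vaddr and p_offset are congruent modulo p_align. The two ELF images it checks are constructed inline (header plus program headers only) to model a healthy layout and a layout where the text segment's header has been clobbered; they are illustrative, not a diagnosis of what add_segment() actually did.

```python
import struct

# ELF constants used below (values from the ELF specification)
PT_LOAD = 1
PF_X, PF_W, PF_R = 1, 2, 4


def build_elf64(entry, segments):
    """Build a minimal little-endian ELF64 image: file header plus program
    headers only. Constructed test input for this example, not a real binary.
    Each segment is (p_type, p_flags, p_offset, p_vaddr, p_filesz, p_memsz, p_align)."""
    ehsize, phentsize = 64, 56
    e_ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8  # ELFCLASS64, LSB, version 1
    ehdr = e_ident + struct.pack(
        "<HHIQQQIHHHHHH",
        2,                                  # e_type = ET_EXEC (non-PIE, as in the issue)
        62,                                 # e_machine = EM_X86_64
        1,                                  # e_version
        entry,                              # e_entry
        ehsize,                             # e_phoff: program headers follow the file header
        0, 0,                               # e_shoff, e_flags
        ehsize, phentsize, len(segments),   # e_ehsize, e_phentsize, e_phnum
        0, 0, 0,                            # e_shentsize, e_shnum, e_shstrndx
    )
    phdrs = b"".join(
        struct.pack("<IIQQQQQQ", p_type, p_flags, off, vaddr, vaddr, filesz, memsz, align)
        for (p_type, p_flags, off, vaddr, filesz, memsz, align) in segments
    )
    return ehdr + phdrs


def parse_program_headers(data):
    """Return (e_entry, [segment dicts]) from an ELF64 little-endian image."""
    if data[:4] != b"\x7fELF" or data[4] != 2:
        raise ValueError("not an ELF64 image")
    e_entry, e_phoff = struct.unpack_from("<QQ", data, 24)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    segments = []
    for i in range(e_phnum):
        fields = struct.unpack_from("<IIQQQQQQ", data, e_phoff + i * e_phentsize)
        p_type, p_flags, p_offset, p_vaddr, _p_paddr, p_filesz, p_memsz, p_align = fields
        segments.append(dict(type=p_type, flags=p_flags, offset=p_offset, vaddr=p_vaddr,
                             filesz=p_filesz, memsz=p_memsz, align=p_align))
    return e_entry, segments


def check_loadable_image(data):
    """Return a list of problems the kernel loader or CPU would trip over;
    an empty list means the program header table passes these checks."""
    entry, segments = parse_program_headers(data)
    loads = [s for s in segments if s["type"] == PT_LOAD]
    problems = []

    # 1. The entry point must be mapped, and mapped executable.
    covering = [s for s in loads if s["vaddr"] <= entry < s["vaddr"] + s["memsz"]]
    if not covering:
        problems.append(f"entry point {entry:#x} is not inside any PT_LOAD segment")
    elif not any(s["flags"] & PF_X for s in covering):
        problems.append(f"entry point {entry:#x} lies in a non-executable segment")

    # 2. Per-segment invariants required by the ELF specification.
    for s in loads:
        if s["filesz"] > s["memsz"]:
            problems.append(f"segment at {s['vaddr']:#x}: p_filesz exceeds p_memsz")
        if s["align"] > 1 and (s["vaddr"] - s["offset"]) % s["align"]:
            problems.append(f"segment at {s['vaddr']:#x}: p_vaddr and p_offset differ modulo p_align")

    # 3. PT_LOAD virtual ranges must not overlap one another.
    ordered = sorted(loads, key=lambda s: s["vaddr"])
    for a, b in zip(ordered, ordered[1:]):
        if a["vaddr"] + a["memsz"] > b["vaddr"]:
            problems.append(f"PT_LOAD at {a['vaddr']:#x} overlaps PT_LOAD at {b['vaddr']:#x}")
    return problems


# Constructed sample 1: a plain non-PIE static layout whose entry point (0x400930,
# the faulting address from the strace output) sits inside an R+X PT_LOAD.
GOOD_IMAGE = build_elf64(0x400930, [
    (PT_LOAD, PF_R | PF_X, 0x0,    0x400000, 0x1000, 0x1000, 0x1000),
    (PT_LOAD, PF_R | PF_W, 0x1000, 0x601000, 0x100,  0x200,  0x1000),
])

# Constructed sample 2: the text segment's header has been replaced by the injected
# RWX segment at 0xA0000000, so nothing maps the entry point any more.
BAD_IMAGE = build_elf64(0x400930, [
    (PT_LOAD, PF_R | PF_W | PF_X, 0x2000, 0xA0000000, 3,     3,     8),
    (PT_LOAD, PF_R | PF_W,        0x1000, 0x601000,   0x100, 0x200, 0x1000),
])

if __name__ == "__main__":
    for name, image in (("good", GOOD_IMAGE), ("bad", BAD_IMAGE)):
        print(name, check_loadable_image(image) or "OK")
```

To run it against a real output of the script above, pass the file contents instead of a constructed image: `check_loadable_image(open("a.out.bin", "rb").read())`. The checks only cover the program header table; they say nothing about section headers, dynamic linking or relocations, but they are enough to catch the class of failure where execve() succeeds and the process dies on its first instruction.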
