An architecture-agnostic ELF file flattener for shellcode

Related tags

Emulators elfloader
Overview

Summary

elfloader is a super simple loader for ELF files that generates a flat in-memory representation of the ELF.

Pair this with Rust and now you can write your shellcode in a proper, safe, high-level language. Any target that LLVM can target can be used, including custom target specifications for really exotic platforms and ABIs. Enjoy using things like u64s on 32-bit systems, bounds checked arrays, drop handling of allocations, etc :)

It simply concatenates all LOAD sections together, using zero-padding if there are gaps, into one big flat file.

This file includes zero-initialization of .bss sections, and thus can be used directly as a shellcode payload.

If you don't want to waste time with fail-open linker scripts, this is probably a great way to go.

This doesn't handle any relocations, it's on you to make sure the original ELF is based at the address you want it to be at.

Usage

To use this tool, simply:

Usage: elfloader [--binary] [--base=<addr>] <input ELF> <output>
    --binary      - Don't output a FELF, output the raw loaded image with no
                    metadata
    --base=<addr> - Force the output to start at `<addr>`, zero padding from
                    the base to the start of the first LOAD segment if needed.
                    `<addr>` is default hex, can be overrided with `0d`, `0b`,
                    `0x`, or `0o` prefixes.
                    Warning: This does not _relocate_ to base, it simply starts
                    the output at `<addr>` (adding zero bytes such that the
                    output image can be loaded at `<addr>` instead of the
                    original ELF base)
    <input ELF>   - Path to input ELF
    <output>      - Path to output file

To install this tool run:

cargo install --path .

Now you can use elfloader from anywhere in your shell!

Dev

This project was developed live here:

https://www.youtube.com/watch?v=x0V-CEmXQCQ

Example

There's an example in example_small_program, simply run make or nmake and this should generate an example.bin which is 8 bytes.

pleb@gamey ~/elfloader/example_small_program $ make
cargo build --release
    Finished release [optimized] target(s) in 0.03s
elfloader --binary target/aarch64-unknown-none/release/example_small_program example.bin
pleb@gamey ~/elfloader/example_small_program $ ls -l ./example.bin 
-rw-r--r-- 1 pleb pleb 8 Nov  8 12:27 ./example.bin

pleb@gamey ~/elfloader/example_small_program $ objdump -d target/aarch64-unknown-none/release/example_small_program

target/aarch64-unknown-none/release/example_small_program:     file format elf64-littleaarch64


Disassembly of section .text:

00000000133700b0 <_start>:
    133700b0:   8b000020        add     x0, x1, x0
    133700b4:   d65f03c0        ret

Now you can write your shellcode in Rust, and you don't have to worry about whether you emit .data, .rodata, .bss, etc. This will handle it all for you!

There's also an example with .bss and .rodata

pleb@gamey ~/elfloader/example_program_with_data $ make
cargo build --release
    Finished release [optimized] target(s) in 0.04s
elfloader --binary target/aarch64-unknown-none/release/example_program_with_data example.bin
pleb@gamey ~/elfloader/example_program_with_data $ ls -l ./example.bin
-rw-r--r-- 1 pleb pleb 29 Nov  8 12:39 ./example.bin
pleb@gamey ~/elfloader/example_program_with_data $ objdump -d target/aarch64-unknown-none/release/example_program_with_data

target/aarch64-unknown-none/release/example_program_with_data:     file format elf64-littleaarch64


Disassembly of section .text:

0000000013370124 <_start>:
    13370124:   90000000        adrp    x0, 13370000 <_start-0x124>
    13370128:   90000008        adrp    x8, 13370000 <_start-0x124>
    1337012c:   52800029        mov     w9, #0x1                        // #1
    13370130:   91048000        add     x0, x0, #0x120
    13370134:   3904f109        strb    w9, [x8, #316]
    13370138:   d65f03c0        ret
pleb@gamey ~/elfloader/example_program_with_data $ readelf -l target/aarch64-unknown-none/release/example_program_with_data

Elf file type is EXEC (Executable file)
Entry point 0x13370124
There are 4 program headers, starting at offset 64

Program Headers:
  Type           Offset             VirtAddr           PhysAddr
                 FileSiz            MemSiz              Flags  Align
  LOAD           0x0000000000000120 0x0000000013370120 0x0000000013370120
                 0x0000000000000004 0x0000000000000004  R      0x1
  LOAD           0x0000000000000124 0x0000000013370124 0x0000000013370124
                 0x0000000000000018 0x0000000000000018  R E    0x4
  LOAD           0x000000000000013c 0x000000001337013c 0x000000001337013c
                 0x0000000000000000 0x0000000000000001  RW     0x4
  GNU_STACK      0x0000000000000000 0x0000000000000000 0x0000000000000000
                 0x0000000000000000 0x0000000000000000  RW     0x0

 Section to Segment mapping:
  Segment Sections...
   00     .rodata 
   01     .text 
   02     .bss 
   03     

Internals

This tool doesn't care about anything except for LOAD sections. It determines the endianness (little vs big) and bitness (32 vs 64) from the ELF header, and from there it creates a flat image based on program header virtual addresses (where it's loaded), file size (number of initialized bytes) and mem size (size of actual memory region). The bytes are initialized from the file based on the offset and file size, and this is then extended with zeros until mem size (or truncated if mem size is smaller than file size).

These LOAD sections are then concatenated together with zero-byte padding for gaps.

This is designed to be incredibly simple, and agnostic to the ELF input. It could be an executable, object file, shared object, core dump, etc, doesn't really care. It'll simply give you the flat representation of the memory, nothing more.

This allows you to turn any ELF into shellcode, or a simpler file format that is easier to load in hard-to-reach areas, like embedded devices. Personally, I developed this for my MIPS NT 4.0 loader which allows me to run Rust code.

FELF0001 format

This tool by default generates a FELF file format. This is a Falk ELF. This is a simple file format:

FELF0001 - Magic header
entry    - 64-bit little endian integer of the entry point address
base     - 64-bit little endian integer of the base address to load the image
<image>  - Rest of the file is the raw image, to be loaded at `base` and jumped
           into at `entry`
You might also like...
Xori is an automation-ready disassembly and static analysis library for PE32, 32+ and shellcode
Xori is an automation-ready disassembly and static analysis library for PE32, 32+ and shellcode

Xori - Custom disassembly framework Xori is an automation-ready disassembly and static analysis library that consumes shellcode or PE binaries and pro

A new shellcode injection technique. Given as C++ header, standalone Rust program or library.
A new shellcode injection technique. Given as C++ header, standalone Rust program or library.

FunctionStomping Description This is a brand-new technique for shellcode injection to evade AVs and EDRs. This technique is inspired by Module Stompin

A Rust-based dropper for shellcode payloads.

A Rust-based dropper for shellcode payloads.

Shellcode packer written in Rust

RustPacker Shellcode packer written in Rust. Current state Functional as it packs a binary file, but very basic as it only support XOR encoding for no

A simple code that will load a shellcode directly into RAM memory in a new process
A simple code that will load a shellcode directly into RAM memory in a new process

「 🔄 」About RustSCLoader RustSCLoader is a simple code that has the intention of loading a shellcode directly into RAM memory in a new process that wi

Rusty Shellcode Reflective DLL Injection (sRDI) - A small reflective loader in Rust 4KB in size for generating position-independent code (PIC) in Rust.
Rusty Shellcode Reflective DLL Injection (sRDI) - A small reflective loader in Rust 4KB in size for generating position-independent code (PIC) in Rust.

Shellcode Reflective DLL Injection (sRDI) Shellcode reflective DLL injection (sRDI) is a process injection technique that allows us to convert a given

A memory-based evasion technique which makes shellcode invisible from process start to end.
A memory-based evasion technique which makes shellcode invisible from process start to end.

phantom A memory-based evasion technique which makes shellcode invisible from process start to end. Motivation ShellGhost Offensive Edition, and rust!

A language-agnostic "shebang interpreter" that enables you to write scripts in compiled languages.

Scriptisto It is tool to enable writing one file scripts in languages that require compilation, dependencies fetching or preprocessing. It works as a

Xaynet represents an agnostic Federated Machine Learning framework to build privacy-preserving AI applications.
Xaynet represents an agnostic Federated Machine Learning framework to build privacy-preserving AI applications.

xaynet Xaynet: Train on the Edge with Federated Learning Want a framework that supports federated learning on the edge, in desktop browsers, integrate

Network-agnostic, high-level game networking library for client-side prediction and server reconciliation.
Network-agnostic, high-level game networking library for client-side prediction and server reconciliation.

WARNING: This crate currently depends on nightly rust unstable and incomplete features. crystalorb Network-agnostic, high-level game networking librar

Xaynet represents an agnostic Federated Machine Learning framework to build privacy-preserving AI applications.
Xaynet represents an agnostic Federated Machine Learning framework to build privacy-preserving AI applications.

xaynet Xaynet: Train on the Edge with Federated Learning Want a framework that supports federated learning on the edge, in desktop browsers, integrate

Rust bindings to bgfx, a cross-platform, graphics API agnostic

Rust bindings to bgfx, a cross-platform, graphics API agnostic, "Bring Your Own Engine/Framework" style rendering library.

API-agnostic audio plugin framework written in Rust

Because everything is better when you do it yourself - Rust VST3 and CLAP framework and plugins

Renderer-agnostic toolkit for Indie Game Developers

Indie Toolkit Renderer-agnostic toolkit for Indie Game Developers Features Not yet implemented: app_kit debug_kit input_kit asset_kit audio_kit Implem

Rust implementation of Namada, a sovereign proof-of-stake blockchain that enables asset-agnostic private transfers

Namada Overview Namada is a sovereign proof-of-stake blockchain, using Tendermint BFT consensus, that enables multi-asset private transfers for any na

Provides core language-agnostic functionality for LiveView Native across platforms

LiveView Native Core This repository contains an implementation of the LiveView Native core library, which is intended to handle all the details which

plugy empowers you to construct agnostic dynamic plugin systems using Rust and WebAssembly.

plugy plugy is a plugin system designed to enable the seamless integration of Rust-based plugins into your application. It provides a runtime environm

Prisma2D - Fast, API agnostic, software only 2D graphics crate in pure Rust.

Prisma2D: Ultra-fast CPU 2D graphics Prisma2D is a blazingly fast, efficient yet minimal crate for basic 2D graphics on the CPU. for Rust. With Prisma

Experimental engine agnostic 3D CSG library for game development written in Rust. Started as a port of csg.js to Rust.

brusher Experimental engine agnostic 3D CSG library for game development written in Rust. Started as a port of csg.js to Rust. ultimate goal My hope i

Comments
  • Don't construct image in RAM

    Don't construct image in RAM

    Currently the image is constructed in RAM, which can be a problem for large core dumps (like a VM physical memory core dump). Just output directly to a BufWriter, I don't think we need look ahead.

    enhancement 
    opened by gamozolabs 0
  • Add support for `no_std`

    Add support for `no_std`

    It might be useful to be able to have this loader itself wore in a no_std environment (eg. shellcode stage 2), so having support for no_std would be nice.

    enhancement 
    opened by gamozolabs 0
Owner
null
A file format-agnostic static site generator

mksite A file format-agnostic static site generator Installation If you already have Rust and Cargo installed: cargo install mksite Alternatively, you

Michelle S. 5 Nov 25, 2022
Make ELF formatted apps configurable

elfredo `elfredo` is a library that allows you to patch executables after they were compiled. It utilize an extra embedded section to store data/confi

Asaf Fisher 7 Sep 5, 2021
This crate allows to generate a flat binary with the memory representation of an ELF.

flatelf Library This crate allows to generate a flat binary with the memory representation of an ELF. It also allows to generate a FLATELF with the fo

Roi Martin 3 Sep 29, 2022
A small utility for modifying ELF shared library loading order.

elfpromote A small utility for modifying ELF shared library loading order. Usage $ cargo install elfpromote $ ldd blueboat_server linux-vdso.s

Heyang Zhou 5 Jul 21, 2022
Coffee is a loader for ELF (Executable and Linkable Format) object files written in Rust

Coffee is a loader for ELF (Executable and Linkable Format) object files written in Rust. It provides a mechanism to load and parse ELF files similar to COFFLoader, but specifically designed for ELF files used in Unix-like systems.

Sndav Bai 13 Jun 22, 2023
Scan the symbols of all ELF binaries in all Arch Linux packages for usage of malloc_usable_size

Scan the symbols of all ELF binaries in all Arch Linux packages for usage of malloc_usable_size (-D_FORTIFY_SOURCE=3 compatibility)

null 3 Sep 9, 2023
Determine which CPU architecture is used in a binary file.

cpu_rec_rs Determine which CPU architecture is used in a binary file. Example: $ cpu_rec_rs /bin/bash /usr/lib/firmware/rtlwifi/rtl8821aefw* Loading c

Raphaël Rigo 61 Jun 27, 2023
Windows shellcode development in Rust

Write Windows Shellcode in Rust Project overview Windows shellcode project is located in shellcode/, it can build into a PE file with only .text secti

red 171 Dec 26, 2022
Xori is an automation-ready disassembly and static analysis library for PE32, 32+ and shellcode

Xori - Custom disassembly framework Xori is an automation-ready disassembly and static analysis library that consumes shellcode or PE binaries and pro

ENDGAME 712 Nov 28, 2022
Shellcode Runner/Injector in Rust using NTDLL functions directly with the ntapi Library

RustSCRunner Shellcode Runner/Injector in Rust using NTDLL functions directly with the ntapi Library. Surprisingly this is my first ever Rust project

null 86 Dec 18, 2021