iamdynamic/4/so.asm at master · linuxthor/iamdynamic · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
; linuxthor
;
; shared object ELF 'preloading' via dynamic interpreter
;
; this shared object is loaded as the interpreter for some ELF file (as specified in
; it's .dynamic section) where it performs an action before passing back control by:
;
; 1) resolving the full path to the ELF via /proc/self/exe
; 2) executing the linux dynamic linker passing the ELF path
;
; the code is quite messy as it uses rip relative addressing
;
; (this is a complete hack / PoC but it works!)
;
; assemble with:
; nasm -f elf64 so.asm -o so.o
; gcc -shared so.o -o 0.so
;

global _init:function
_init:
    mov rax, 1                      ;  sys_write
    mov rdi, 1
    lea rsi, [rel $ + (msg - $)]
    mov rdx, len
    syscall

    mov rax, 89                     ;  sys_readlink
    lea rdi, [rel $ + (rdl - $)]
    lea rsi, [rsp + 64]
    mov rdx, 64
    syscall

    mov byte [(rsp + 64) + rax], 0
    lea rbx, [rsp + 64]

    mov rax, 59                     ;  sys_execve
    lea rdi, [rel $ + (cmd - $)]
    mov [rsp], rdi
    mov [rsp+8], rbx
    mov rsi, rsp
    mov rdx, 0
    syscall

    mov rax, 60                     ;  sys_exit
    mov rdi, 0
    syscall

    cmd db '/lib64/ld-linux-x86-64.so.2',0
    rdl db '/proc/self/exe',0
    msg db 'i am dynamic loader',0x0d,0x0a,0
    len equ $ - msg