add shared library sample. add backdoor_init and backdoor_init_stage2

CMakeLists.txt

@@ -20,11 +20,17 @@ set(SOURCES
 
 target_sources(xzre PRIVATE ${SOURCES})
 target_sources(xzre_lib PRIVATE ${SOURCES})
+target_compile_definitions(xzre_lib PRIVATE XZRE_SHARED)
+target_compile_options(xzre_lib PRIVATE -fdata-sections)
 
 target_link_libraries(xzre ${LZMA_LIBRARY})
 target_link_libraries(xzre_lib ${LZMA_LIBRARY})
 
+target_link_options(xzre PRIVATE "LINKER:--no-undefined")
+target_link_options(xzre_lib PRIVATE "LINKER:--no-undefined")
+
 target_link_options(xzre PRIVATE -T ${CMAKE_SOURCE_DIR}/xzre.lds)
+target_link_options(xzre_lib PRIVATE -T ${CMAKE_SOURCE_DIR}/xzre.lds)
 
 # disassemble the sample code to compare against the dasm
 add_custom_target(xzre_dasm ALL 

xzre.c

@@ -2,7 +2,10 @@
  * Copyright (C) 2024 Stefano Moioli <[email protected]>
  **/
 #include "xzre.h"
+#include <elf.h>
+#include <link.h>
 #include <stdio.h>
+#include <stdlib.h>
 #include <string.h>
 #include <unistd.h>
 
@@ -11,11 +14,21 @@ extern void dasm_sample_end();
 extern void dasm_sample_dummy_location();
 extern BOOL secret_data_append_trampoline(secret_data_shift_cursor shift_cursor, unsigned shift_count);
 
+static global_context_t my_global_ctx = { 0 };
+
+/**
+ * @brief disables all validation by marking all shift operations as executed
+ */
+void xzre_secret_data_bypass(){
+	for(int i=0; i<ARRAY_SIZE(my_global_ctx.shift_operations); i++){
+		my_global_ctx.shift_operations[i] = 1;
+	}
+}
+
+#ifndef XZRE_SHARED
 extern char __executable_start;
 extern char __etext;
 
-static global_context_t my_global_ctx = { 0 };
-
 void xzre_secret_data_init(){
 	global_ctx = &my_global_ctx;
 	memset(global_ctx, 0x00, sizeof(*global_ctx));
@@ -39,6 +52,53 @@ void xzre_secret_data_test(){
 		puts("secret data push FAIL!");
 	}
 }
+#else
+void xzre_secret_data_init(){}
+void xzre_secret_data_test(){}
+#endif
+
+
+/**
+ * @brief quick and dirty hack to get the ldso ELF location
+ * 
+ * @return void* 
+ */
+static void *get_ldso_elf(){
+	char cmdBuf[128];
+	char getLdElf[] = "grep -E 'r--p 00000000.*/usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2' /proc/%zu/maps | cut -d '-' -f1";
+	snprintf(cmdBuf, sizeof(cmdBuf), getLdElf, getpid());
+	FILE *hProc = popen(cmdBuf, "r");
+	memset(cmdBuf, 0x00, sizeof(cmdBuf));
+	char *s = fgets(cmdBuf, sizeof(cmdBuf), hProc);
+	pclose(hProc);
+	if(!s) return NULL;
+	u64 addr = strtoull(s, NULL, 16);
+	return (void *)addr;
+}
+
+extern void *got_ref;
+
+void main_shared(){
+	// prevent fork bomb in system command
+	unsetenv("LD_PRELOAD");
+	xzre_secret_data_bypass();
+
+	void *ldso_elf = get_ldso_elf();
+	if(!ldso_elf){
+		puts("Failed to get LDSO elf");
+		exit(1);
+	}
+
+	elf_handles_t handles = {0};
+	elf_info_t einfo;
+	if(!elf_parse(ldso_elf, &einfo)){
+		puts("elf_parse failed");
+		return;
+	}
+
+	puts("main_shared(): OK");
+}
+
 
 int main(int argc, char *argv[]){
 	puts("xzre 0.1 by Smx :)");
@@ -81,4 +141,37 @@ int main(int argc, char *argv[]){
 	xzre_secret_data_init();
 	xzre_secret_data_test();
 	return 0;
-}
+}
+
+#ifdef XZRE_SHARED
+#include <syscall.h>
+void __attribute__((constructor)) init(){
+	main_shared();
+}
+
+static inline __attribute__((always_inline)) ssize_t inline_write(int fd, const void *buf, size_t size){
+	ssize_t ret;
+	asm volatile (
+		"syscall"
+		: "=a" (ret)
+		//                 EDI      RSI       RDX
+		: "0"(__NR_write), "D"(fd), "S"(buf), "d"(size)
+		: "rcx", "r11", "memory"
+	);
+	return ret;
+}
+
+#ifdef REPLACE_RESOLVER
+void *resolver(){
+	#if 0
+	char buf[] = "hijacked resolver!\n";
+	inline_write(STDOUT_FILENO, buf, sizeof(buf));
+	#endif
+	return NULL;
+}
+
+uint32_t  __attribute__((ifunc("resolver"))) lzma_crc32(const uint8_t *buf, size_t size, uint32_t crc);
+uint64_t  __attribute__((ifunc("resolver"))) lzma_crc64(const uint8_t *buf, size_t size, uint64_t crc);
+#endif
+
+#endif

xzre.h

@@ -29,6 +29,17 @@ typedef uintptr_t uptr;
 #define PTRADD(a, b) (UPTR(a) + UPTR(b))
 #define PTRDIFF(a, b) (UPTR(a) - UPTR(b))
 
+/*
+ * Force a compilation error if condition is true, but also produce a
+ * result (of value 0 and type int), so the expression can be used
+ * e.g. in a structure initializer (or where-ever else comma expressions
+ * aren't permitted).
+ */
+#define BUILD_BUG_ON_ZERO(e) ((int)(sizeof(struct { int:(-!!(e)); })))
+#define __same_type(a, b) __builtin_types_compatible_p(typeof(a), typeof(b))
+#define __must_be_array(a) BUILD_BUG_ON_ZERO(__same_type((a), &(a)[0]))
+#define ARRAY_SIZE(arr) (sizeof(arr) / sizeof((arr)[0]) + __must_be_array(arr))
+
 // opcode is always +0x80 for the sake of it (yet another obfuscation)
 #define XZDASM_OPC(op) (op - 0x80)
 
@@ -131,24 +142,6 @@ assert_offset(elf_entry_ctx_t, cpuid_fn, 0x18);
 assert_offset(elf_entry_ctx_t, got_offset, 0x20);
 assert_offset(elf_entry_ctx_t, caller_locals, 0x28);
 
-typedef struct __attribute__((packed)) {
-	PADDING(0x10);
-	struct global_context *globals;
-} backdoor_shared_globals_t;
-
-assert_offset(backdoor_shared_globals_t, globals, 0x10);
-
-typedef struct __attribute__((packed)) {
-	PADDING(0x8);
-	backdoor_shared_globals_t *shared;
-	PADDING(0x70);
-	elf_entry_ctx_t *entry_ctx;
-} backdoor_setup_params_t;
-
-assert_offset(backdoor_setup_params_t, shared, 0x8);
-assert_offset(backdoor_setup_params_t, entry_ctx, 0x80);
-static_assert(sizeof(backdoor_setup_params_t) == 0x88);
-
 typedef struct __attribute__((packed)) {
 	u8* instruction;
 	u64 instruction_size;
@@ -524,6 +517,24 @@ assert_offset(global_context_t, shift_operations, 0x141);
 assert_offset(global_context_t, reg2reg_instructions_count, 0x160);
 static_assert(sizeof(global_context_t) == 0x168);
 
+typedef struct __attribute__((packed)) {
+	PADDING(0x10);
+	global_context_t *globals;
+} backdoor_shared_globals_t;
+
+assert_offset(backdoor_shared_globals_t, globals, 0x10);
+
+typedef struct __attribute__((packed)) {
+	PADDING(0x8);
+	backdoor_shared_globals_t *shared;
+	PADDING(0x70);
+	elf_entry_ctx_t *entry_ctx;
+} backdoor_setup_params_t;
+
+assert_offset(backdoor_setup_params_t, shared, 0x8);
+assert_offset(backdoor_setup_params_t, entry_ctx, 0x80);
+static_assert(sizeof(backdoor_setup_params_t) == 0x88);
+
 /**
  * @brief array of ELF handles
  * @see ElfId maps the indices
@@ -1083,6 +1094,9 @@ extern BOOL secret_data_append_from_call_site(
  */
 extern BOOL backdoor_setup(backdoor_setup_params_t *params);
 
+extern void backdoor_init(elf_entry_ctx_t *ctx, u64 *caller_frame);
+extern BOOL backdoor_init_stage2(elf_entry_ctx_t *ctx);
+
 /**
  * @brief parses the libc ELF from the supplied link map, and resolves its imports
  * 

xzre.lds

@@ -87,6 +87,12 @@ SECTIONS {
         "secret_data_append_singleton" = ".";
         *(.text.rc_read_inis);
 
+        "backdoor_init" = ".";
+        *(.text._get_cpuia);
+
+        "backdoor_init_stage2" = ".";
+        *(.text.lzma_validate_chaia);
+
         "backdoor_setup" = ".";
         *(.text.microlzma_encoder_inia);