From abf5bb4db91ed0e07d7b1efb87665b2f44b28ce8 Mon Sep 17 00:00:00 2001
From: Stefano Moioli
Date: Sun, 7 Apr 2024 03:13:00 +0200
Subject: [PATCH] add main_elf_parse

---
 xzre.h | 21 +++++++++++++++++++++
 xzre.lds | 3 +++
 2 files changed, 24 insertions(+)

diff --git a/xzre.h b/xzre.h
index 763928b..aa4e655 100644
--- a/xzre.h
+++ b/xzre.h
@@ -534,6 +534,17 @@ assert_offset(elf_handles_t, main, 0x0);
 assert_offset(elf_handles_t, libcrypto, 0x8);
 assert_offset(elf_handles_t, libc, 0x10);
 
+typedef struct __attribute__((packed)) {
+ elf_handles_t *handles;
+ Elf64_Ehdr *ehdr;
+ void *__libc_stack_end;
+} main_elf_t;
+
+assert_offset(main_elf_t, handles, 0x0);
+assert_offset(main_elf_t, ehdr, 0x8);
+assert_offset(main_elf_t, __libc_stack_end, 0x10);
+
+
 struct backdoor_data;
 
 /**
@@ -835,6 +846,16 @@ extern BOOL elf_contains_vaddr(elf_info_t *elf_info, u64 vaddr, u64 size, u32 p_
 */
 extern BOOL elf_parse(Elf64_Ehdr *ehdr, elf_info_t *elf_info);
 
+/**
+ * @brief parses the main executable from the provided structure.
+ * as part of the process, argv0 will be retrieved and checked
+ * to see if it's the expected one (/usr/sbin/sshd)
+ *
+ * @param main_elf the main executable to parse
+ * @return BOOL TRUE if successful, FALSE otherwise
+ */
+extern BOOL main_elf_parse(main_elf_t *main_elf);
+
 /**
 * @brief Looks up an ELF symbol from a parsed ELF
 *
diff --git a/xzre.lds b/xzre.lds
index 97e1bb5..d68ab31 100644
--- a/xzre.lds
+++ b/xzre.lds
@@ -36,6 +36,9 @@ SECTIONS {
 "elf_parse" = ".";
 *(.text.get_literal_prica);
 
+ "main_elf_parse" = ".";
+ *(.text.lzma_filter_decoder_is_supportea);
+
 "elf_symbol_get" = ".";
 *(.text.crc_inia);
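Review bot: The new `main_elf_t` typedef in xzre.h has no comment, so a reader cannot tell which ELF image `ehdr` points at, or whether `__libc_stack_end` holds the value of the glibc variable of that name or its address. A short Doxygen block above the typedef plus one trailing comment per member would settle this, e.g. `void *__libc_stack_end; /**< TODO confirm: value or address of __libc_stack_end */`. The member name also starts with a double underscore, which C reserves for the implementation. Keeping it to mirror the glibc symbol is defensible, but the comment should say that this is the intent.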
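Review bot: The `@return` line on `main_elf_parse` says only "FALSE otherwise", which presumably covers two different outcomes: the ELF could not be parsed, or argv0 was not the expected `/usr/sbin/sshd`. Anyone using this header to understand when the analysed code proceeds past this gate needs that distinction, so the comment could read `@return BOOL TRUE if parsing succeeded and argv0 matched, FALSE on parse failure or argv0 mismatch` once confirmed against the disassembly. The `@param` text also calls `main_elf` "the main executable", while the argument is a structure of three pointers. Stating which members the caller must populate beforehand would make the contract usable.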