-
Notifications
You must be signed in to change notification settings - Fork 37
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
GDB/ltrace errors when debugging drow payloads #7
Comments
Sorry for the late response: I noticed the same and have not dug into exactly why. My best guess is it doesn't like some of the mods that drow is making to program headers. As for your assembly, drow injects shellcode payloads. When the example payload is built, only the .text section is objcopy-ed out of the ELF to the shellcode bin file (see here). Therefore you can't use imports, such as libc functions, without knowing / resolving the address yourself. All code needs to be self-contained and position-independent, as there is nothing that will fix-up relocations for you. |
I think I've found the root of the problem. At least it stopped crashing gdb for me. The problem is adjusting the elf headers: e_shoff and e_phoff in expand_section(). It's written like this:
However, it shouldn't adjust ELF header offsets if nothing was expanded beforehand. In other words, the adjustment should only come when the inject method is METHOD_EXPAND_AND_INJECT. For example, like this (not the best look, but works as an example):
After this change (accounting for this condition the same way the other parts of expand_section() are), the problem with gdb and other ELF utilities saying "file format not recognized" disappeared. Maybe this should help? |
Hey zznop.
ls.gz
ls-bd.gz
"0x7ffc14b4cce0s": not in executable format: file format not recognized
------- tip of the day (disable with set show-tips off) -------
Use the canary command to see all stack canary/cookie values on the stack (based on the usual stack canary value initialized by glibc)
pwndbg>
ltrace ./ls-bd
Couldn't get section #1 from "/proc/994604/exe": invalid section index
.intel_syntax noprefix
jmp past
message:
.string "See, I am drow, and I'd like to say hello,\n"
past:
lea rdi, [rip + message]
call puts
ret
The text was updated successfully, but these errors were encountered: