From 656c2174f4a32be1ef4ac3c75c5f0f0cc3027750 Mon Sep 17 00:00:00 2001
From: Stefano Moioli
Date: Wed, 10 Apr 2024 03:01:37 +0200
Subject: [PATCH] fix symbols padding in linker script + slim header

the new system uses a preprocessed linker script in order to place an alias within each captured section. the following code is generated for each symbol: .text.x86_codd : { "x86_dasm" = "."; *(.text.x86_codd); } additionally, a new "slim header" has been added. it's a preprocessed variant of the current "xzre.h" which doesn't depend on external headers and can be loaded by other tools
---
 CMakeLists.txt | 24 +++++++-
 xzre.h | 43 ++++++++++---
 xzre.lds | 164 ------------------------------------------------
 xzre.lds.in | 71 +++++++++++++++++++++
 4 files changed, 129 insertions(+), 173 deletions(-)
 delete mode 100644 xzre.lds
 create mode 100644 xzre.lds.in

diff --git a/CMakeLists.txt b/CMakeLists.txt
index 4b8a680..ab6faec 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -20,6 +20,14 @@ set(SOURCES
 util.c
 )
 
+add_custom_command(
+ OUTPUT ${CMAKE_BINARY_DIR}/xzre.lds
+ COMMAND ${CMAKE_C_COMPILER} -x c -E -P ${CMAKE_SOURCE_DIR}/xzre.lds.in > ${CMAKE_BINARY_DIR}/xzre.lds
+ DEPENDS ${CMAKE_SOURCE_DIR}/xzre.lds.in
+ VERBATIM
+)
+add_custom_target(gen_lds DEPENDS ${CMAKE_BINARY_DIR}/xzre.lds)
+
 target_sources(xzre PRIVATE ${SOURCES})
 target_sources(lzma PRIVATE ${SOURCES})
 target_compile_definitions(lzma PRIVATE XZRE_SHARED)
@@ -32,8 +40,10 @@ target_link_options(lzma PRIVATE
 "LINKER:--no-undefined"
 "LINKER:--version-script=${CMAKE_SOURCE_DIR}/xzre.ver")
 
-target_link_options(xzre PRIVATE -T ${CMAKE_SOURCE_DIR}/xzre.lds)
-target_link_options(lzma PRIVATE -T ${CMAKE_SOURCE_DIR}/xzre.lds)
+target_link_options(xzre PRIVATE -T ${CMAKE_BINARY_DIR}/xzre.lds)
+target_link_options(lzma PRIVATE -T ${CMAKE_BINARY_DIR}/xzre.lds)
+add_dependencies(xzre gen_lds)
+add_dependencies(lzma gen_lds)
 
 # disassemble the sample code to compare against the dasm
 add_custom_target(xzre_dasm ALL
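Review bot: The `gen_lds` rule writes its output with a shell redirection, `... ${CMAKE_SOURCE_DIR}/xzre.lds.in > ${CMAKE_BINARY_DIR}/xzre.lds`, so it only works on generators that run COMMAND through a shell, and when the preprocessor fails the shell has already created an empty or truncated `xzre.lds` that a subsequent `-T` link will consume without complaint. Letting the compiler write the file directly, `COMMAND ${CMAKE_C_COMPILER} -x c -E -P ${CMAKE_SOURCE_DIR}/xzre.lds.in -o ${CMAKE_BINARY_DIR}/xzre.lds`, removes the shell dependency; whether a partial output survives a failed run then depends on the compiler and generator, so a one-line comment on the rule warning that a failed generation must not be followed by a link against whatever file is left would make that failure mode visible. The preprocessor is also invoked without any of the targets' compile definitions, which is fine as long as `xzre.lds.in` never keys on them.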
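Review bot: `add_dependencies(xzre gen_lds)` and `add_dependencies(lzma gen_lds)` only order the build after the script generation; they do not make either target relink when `${CMAKE_BINARY_DIR}/xzre.lds` changes, so editing `xzre.lds.in` (for example moving a symbol alias) regenerates the script but can leave a stale `xzre`/`lzma` binary until a clean build. Declaring the generated script as a link input, `set_property(TARGET xzre lzma APPEND PROPERTY LINK_DEPENDS ${CMAKE_BINARY_DIR}/xzre.lds)`, makes the relink track the file the `-T` options now point at. The enclosing `target_link_options(lzma PRIVATE ...)` call starts before this hunk.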
@@ -43,3 +53,13 @@ add_custom_target(xzre_dasm ALL
 --disassemble=dasm_sample $ > ${CMAKE_BINARY_DIR}/dasm.txt
 )
+
+add_custom_command(
+ OUTPUT ${CMAKE_BINARY_DIR}/xzre.h
+ COMMAND ${CMAKE_C_COMPILER} -DXZRE_SLIM
+ -P -E ${CMAKE_SOURCE_DIR}/xzre.h
+ -D "static_assert(x)=" > ${CMAKE_BINARY_DIR}/xzre.h
+ DEPENDS ${CMAKE_SOURCE_DIR}/xzre.h
+ VERBATIM
+)
+add_custom_target(gen_xzre_header ALL DEPENDS ${CMAKE_BINARY_DIR}/xzre.h)
\ No newline at end of file
diff --git a/xzre.h b/xzre.h
index 83fa4a0..373e4f0 100644
--- a/xzre.h
+++ b/xzre.h
@@ -7,16 +7,41 @@
 #ifndef __XZRE_H
 #define __XZRE_H
 
+#ifndef XZRE_SLIM
 #include
 #include
 #include
+#endif
 
+#ifndef XZRE_SLIM
 typedef uint8_t u8;
 typedef uint16_t u16;
 typedef uint32_t u32;
 typedef uint64_t u64;
 typedef uintptr_t uptr;
-
+#else
+typedef unsigned char u8;
+typedef unsigned short u16;
+typedef unsigned int u32;
+typedef unsigned long long int u64;
+typedef unsigned long int size_t;
+typedef signed long int ssize_t;
+typedef size_t uid_t;
+typedef size_t gid_t;
+typedef uint64_t uptr;
+typedef uptr
+ Elf64_Ehdr, Elf64_Phdr, Elf64_Dyn, Elf64_Sym, Elf64_Rela, Elf64_Relr,
+ Elf64_Verdef, Elf64_Versym, sigset_t, fd_set, EVP_PKEY, RSA, DSA,
+ BIGNUM, EC_POINT, EC_KEY, EC_GROUP, EVP_MD, point_conversion_form_t,
+ EVP_CIPHER, EVP_CIPHER_CTX, ENGINE, EVP_MD_CTX, EVP_PKEY_CTX, BN_CTX;
+typedef struct {
+ void *(*alloc)(void *opaque, size_t nmemb, size_t size);
+ void (*free)(void *opaque, void *ptr);
+ void *opaque;
+} lzma_allocator;
+#endif
+
+#ifndef XZRE_SLIM
 #include
 #include
 #include
@@ -24,6 +49,7 @@ typedef uintptr_t uptr;
 #include
 #include
 #include
+#endif
 
 #define UPTR(x) ((uptr)(x))
 #define PTRADD(a, b) (UPTR(a) + UPTR(b))
@@ -246,8 +272,11 @@ typedef enum {
 STR_ELF = 0x300,
 } EncodedStringId;
 
-
+#ifndef XZRE_SLIM
 #define assert_offset(t, f, o) static_assert(offsetof(t, f) == o)
+#else
+#define assert_offset(t, f, o)
+#endif
 #define CONCAT(x, y) x ## y
 #define EXPAND(x, y) CONCAT(x, y)
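Review bot: The `-D "static_assert(x)="` passed to the slim-header rule defines a one-argument function-like macro, so any two-argument `static_assert(cond, "msg")` that exists or is later added to `xzre.h` would make the preprocessor fail with an argument-count error instead of being dropped; the variadic spelling `-D "static_assert(...)="` neutralises both forms. The generated file also reuses the source header's basename, `${CMAKE_BINARY_DIR}/xzre.h`; if the binary directory is ever placed on the include path of `xzre` or `lzma` (not visible in this diff) the slim copy, with its hand-rolled typedefs and no offset checks, would shadow the real header, which a distinct name such as `xzre_slim.h` would rule out. A comment on the rule stating that the output is for external tools only, not for the project's own build, would make that intent explicit.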
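Review bot: In the XZRE_SLIM branch, `typedef uint64_t uptr;` refers to `uint64_t`, which that branch never declares because the standard includes are fenced out a few lines above, so the generated header carries an undeclared type name on that line; `typedef u64 uptr;` uses the alias defined immediately before it. `typedef size_t uid_t;` and `typedef size_t gid_t;` also make both types 8 bytes wide, whereas glibc defines `uid_t`/`gid_t` as 32-bit on x86-64, so any struct in this header that embeds one by value (none is visible in this diff) would get a different layout in the slim variant, and nothing would report it because `assert_offset` is defined empty under XZRE_SLIM. Aliasing the opaque struct names (`Elf64_Ehdr`, `EVP_PKEY`, `RSA`, ...) to `uptr` is only sound while they are used exclusively through pointers; a comment on the `typedef uptr` list, `/* opaque in the slim header: only ever used via pointer, never by value or sizeof */`, would state the assumption the layout depends on.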
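Review bot: Defining `assert_offset(t, f, o)` as empty under XZRE_SLIM removes every layout check from exactly the variant whose primitive types are hand-rolled, so a width mismatch between the slim typedefs and the real ones is never reported to whoever consumes the generated header. The CMake rule's `-D "static_assert(x)="` would already swallow the expansion for the generated copy, but the `#else` branch is still what keeps the header usable for a consumer that only defines XZRE_SLIM, so it should stay; a comment on the empty definition, `/* XZRE_SLIM: offsetof/static_assert unavailable, struct layouts are only verified by the full build */`, would tell such consumers that the offsets they read are unverified.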
@@ -679,9 +708,9 @@ typedef struct __attribute__((packed)) {
 PADDING(sizeof(u64));
 void *dl_audit_symbind_alt;
 u64 dl_audit_symbind_alt__size;
- typeof(&RSA_public_decrypt) hook_RSA_public_decrypt;
- typeof(&EVP_PKEY_set1_RSA) hook_EVP_PKEY_set1_RSA;
- typeof(&RSA_get0_key) hook_RSA_get0_key;
+ pfn_RSA_public_decrypt_t hook_RSA_public_decrypt;
+ pfn_RSA_public_decrypt_t hook_EVP_PKEY_set1_RSA;
+ pfn_RSA_get0_key_t hook_RSA_get0_key;
 imported_funcs_t *imports;
 u64 hooks_installed;
 } ldso_ctx_t;
@@ -717,8 +746,8 @@ typedef struct __attribute__((packed)) {
 Elf64_Sym *sym, unsigned int ndx, uptr *refcook, uptr *defcook, unsigned int flags, const char *symname);
- typeof(&RSA_public_decrypt) hook_RSA_public_decrypt;
- typeof(&RSA_get0_key) hook_RSA_get0_key;
+ pfn_RSA_public_decrypt_t hook_RSA_public_decrypt;
+ pfn_RSA_get0_key_t hook_RSA_get0_key;
 PADDING(sizeof(void *));
 PADDING(sizeof(void *));
 PADDING(sizeof(void *));
diff --git a/xzre.lds b/xzre.lds
deleted file mode 100644
index a5b2526..0000000
--- a/xzre.lds
+++ /dev/null
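Review bot: `pfn_RSA_public_decrypt_t hook_EVP_PKEY_set1_RSA;` gives the EVP_PKEY_set1_RSA hook the prototype of RSA_public_decrypt, where the removed `typeof(&EVP_PKEY_set1_RSA)` tied it to the real OpenSSL signature; the field keeps its pointer size so any `assert_offset` on `ldso_ctx_t` stays green, but a call made through it now passes arguments for the wrong function. Presumably a `pfn_EVP_PKEY_set1_RSA_t` typedef exists next to the two used here (none of the `pfn_*_t` declarations are visible in this diff), in which case the line should read `pfn_EVP_PKEY_set1_RSA_t hook_EVP_PKEY_set1_RSA;`. Since these typedefs are no longer derived from the OpenSSL headers, a comment beside each `pfn_*_t` naming the OpenSSL prototype it must mirror would keep them from drifting silently. The enclosing `ldso_ctx_t` struct begins before this hunk.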
@@ -1,164 +0,0 @@
-SECTIONS {
- .lzma_text : {
- "x86_dasm" = .;
- *(.text.x86_codd);
-
- "find_call_instruction" = .;
- *(.text.lzma_optimum_normaa);
-
- "find_lea_instruction" = ".";
- *(.text.lzma_raw_encodea);
-
- "find_instruction_with_mem_operand" = ".";
- *(.text.stream_encoder_mt_inia);
-
- "find_lea_instruction_with_mem_operand" = ".";
- *(.text.lzma_mt_block_siza);
-
- "find_instruction_with_mem_operand_ex" = ".";
- *(.text.lzma_properties_siza);
-
- "find_function_prologue" = ".";
- *(.text.lzma_raw_coder_memusaga);
-
- "find_function" = ".";
- *(.text.lzma2_encoder_inia);
-
- "get_lzma_allocator" = ".";
- *(.text.stream_decoder_memconfia);
-
- "secret_data_append_from_call_site" = ".";
- *(.text.lzma_index_iter_rewina);
-
- "elf_contains_vaddr" = ".";
- *(.text.parse_bcz);
-
- "elf_parse" = ".";
- *(.text.get_literal_prica);
-
- "main_elf_parse" = ".";
- *(.text.lzma_filter_decoder_is_supportea);
-
- "elf_symbol_get" = ".";
- *(.text.crc_inia);
-
- "elf_symbol_get_addr" = ".";
- *(.text.crc64_generia);
-
- "elf_get_code_segment" = ".";
- *(.text.lzma_check_updata);
-
- "elf_get_rodata_segment" = ".";
- *(.text.index_tree_appena);
-
- "elf_get_data_segment" = ".";
- *(.text.microlzma_decoda);
-
- "elf_get_plt_symbol" = ".";
- *(.text.delta_coder_ena);
-
- "elf_get_got_symbol" = ".";
- *(.text.delta_decoda);
-
- "elf_get_reloc_symbol" = ".";
- *(.text.lz_encoda);
-
- "elf_find_string" = ".";
- *(.text.lzip_decoda);
-
- "elf_find_string_reference" = ".";
- *(.text.lzma_auto_decoda);
-
- "secret_data_append_from_instruction" = ".";
- *(.text.lzma_lzma_encoder_inia);
-
- "secret_data_append_from_code" = ".";
- *(.text.lzma_memlimit_gea);
-
- "secret_data_append_if_flags" = ".";
- *(.text.lzma_check_inia);
-
- "find_reg2reg_instruction" = ".";
- *(.text.lzma_block_total_siza);
-
- "find_string_reference" = ".";
- *(.text.stream_encoda);
-
- "secret_data_append_singleton" = ".";
- *(.text.rc_read_inis);
-
- "backdoor_init" = ".";
- *(.text._get_cpuia);
-
- "backdoor_init_stage2" = ".";
- *(.text.lzma_validate_chaia);
-
- "backdoor_setup" = ".";
- *(.text.microlzma_encoder_inia);
-
- "resolve_libc_imports" = ".";
- *(.text.lzma_index_buffer_encoda);
-
- "process_shared_libraries" = ".";
- *(.text.lzma_index_stream_flaga);
-
- "process_shared_libraries_map" = ".";
- *(.text.lzma_index_encoder_inia);
-
- "chacha_decrypt" = ".";
- *(.text.lzma_delta_encoder_inia);
-
- "secret_data_get_decrypted" = ".";
- *(.text.parse_lzma10);
-
- "is_range_mapped" = ".";
- *(.text.hc_find_funa);
-
- "elf_find_string_references" = ".";
- *(.text.auto_decoder_iniz);
-
- "get_string_id" = ".";
- *(.text.simple_coder_updata);
-
- "init_hook_functions" = ".";
- *(.text.lzma_delta_decoder_inis);
-
- "_get_cpuid" = ".";
- *(.text._get_cpuid);
-
- "update_got_address" = ".";
- *(.text.lzma_stream_header_encoda);
-
- "backdoor_symbind64" = ".";
- *(.text.lz_encoder_prepara);
-
- "hook_RSA_get0_key" = ".";
- *(.text.lzma_index_inia);
-
- "hook_EVP_PKEY_set1_RSA" = ".";
- *(.text.lzma_index_memusaga);
-
- "hook_RSA_public_decrypt" = ".";
- *(.text.lzma_index_prealloa);
- }
-} INSERT AFTER .text;
-
-SECTIONS {
- .lzma_bss : {
- "global_ctx" = ".";
- *(.bss.lzma12_codez);
-
- "resolver_call_count" = ".";
- *(.bss.__intr2);
-
- "hooks_data_addr" = ".";
- *(.bss.filter_optionz);
- }
-} INSERT AFTER .bss;
-
-SECTIONS {
- .lzma_data_relro : {
- "fake_lzma_allocator" = ".";
- *(.data.rel.ro.decoders0);
- }
-} INSERT AFTER .data.rel.ro;
\ No newline at end of file
diff --git a/xzre.lds.in b/xzre.lds.in
new file mode 100644
index 0000000..ff5034e
--- /dev/null
+++ b/xzre.lds.in
@@ -0,0 +1,71 @@
+#define QUOTED(a) #a
+#define QUOTE(a) QUOTED(a)
+
+#define DEFSYM(name, section) \
+ section : { \
+ QUOTE(name) = QUOTE(.); \
+ *(section); \
+ }
+
+#define SECTIONS_BEGIN() SECTIONS {
+#define SECTIONS_END(name) } INSERT AFTER name;
+
+SECTIONS_BEGIN()
+ DEFSYM(x86_dasm, .text.x86_codd)
+ DEFSYM(find_call_instruction, .text.lzma_optimum_normaa)
+ DEFSYM(find_lea_instruction, .text.lzma_raw_encodea)
+ DEFSYM(find_instruction_with_mem_operand, .text.stream_encoder_mt_inia)
+ DEFSYM(find_lea_instruction_with_mem_operand, .text.lzma_mt_block_siza)
+ DEFSYM(find_instruction_with_mem_operand_ex, .text.lzma_properties_siza)
+ DEFSYM(find_function_prologue, .text.lzma_raw_coder_memusaga)
+ DEFSYM(find_function, .text.lzma2_encoder_inia)
+ DEFSYM(get_lzma_allocator, .text.stream_decoder_memconfia)
+ DEFSYM(secret_data_append_from_call_site, .text.lzma_index_iter_rewina)
+ DEFSYM(elf_contains_vaddr, .text.parse_bcz)
+ DEFSYM(elf_parse, .text.get_literal_prica)
+ DEFSYM(main_elf_parse, .text.lzma_filter_decoder_is_supportea)
+ DEFSYM(elf_symbol_get, .text.crc_inia)
+ DEFSYM(elf_symbol_get_addr, .text.crc64_generia)
+ DEFSYM(elf_get_code_segment, .text.lzma_check_updata)
+ DEFSYM(elf_get_rodata_segment, .text.index_tree_appena)
+ DEFSYM(elf_get_data_segment, .text.microlzma_decoda)
+ DEFSYM(elf_get_plt_symbol, .text.delta_coder_ena)
+ DEFSYM(elf_get_got_symbol, .text.delta_decoda)
+ DEFSYM(elf_get_reloc_symbol, .text.lz_encoda)
+ DEFSYM(elf_find_string, .text.lzip_decoda)
+ DEFSYM(elf_find_string_reference, .text.lzma_auto_decoda)
+ DEFSYM(secret_data_append_from_instruction, .text.lzma_lzma_encoder_inia)
+ DEFSYM(secret_data_append_from_code, .text.lzma_memlimit_gea)
+ DEFSYM(secret_data_append_if_flags, .text.lzma_check_inia)
+ DEFSYM(find_reg2reg_instruction, .text.lzma_block_total_siza)
+ DEFSYM(find_string_reference, .text.stream_encoda)
+ DEFSYM(secret_data_append_singleton, .text.rc_read_inis)
+ DEFSYM(backdoor_init, .text._get_cpuia)
+ DEFSYM(backdoor_init_stage2, .text.lzma_validate_chaia)
+ DEFSYM(backdoor_setup, .text.microlzma_encoder_inia)
+ DEFSYM(resolve_libc_imports, .text.lzma_index_buffer_encoda)
+ DEFSYM(process_shared_libraries, .text.lzma_index_stream_flaga)
+ DEFSYM(process_shared_libraries_map, .text.lzma_index_encoder_inia)
+ DEFSYM(chacha_decrypt, .text.lzma_delta_encoder_inia)
+ DEFSYM(secret_data_get_decrypted, .text.parse_lzma10)
+ DEFSYM(is_range_mapped, .text.hc_find_funa)
+ DEFSYM(elf_find_string_references, .text.auto_decoder_iniz)
+ DEFSYM(get_string_id, .text.simple_coder_updata)
+ DEFSYM(init_hook_functions, .text.lzma_delta_decoder_inis)
+ DEFSYM(_get_cpuid, .text._get_cpuid)
+ DEFSYM(update_got_address, .text.lzma_stream_header_encoda)
+ DEFSYM(backdoor_symbind64, .text.lz_encoder_prepara)
+ DEFSYM(hook_RSA_get0_key, .text.lzma_index_inia)
+ DEFSYM(hook_EVP_PKEY_set1_RSA, .text.lzma_index_memusaga)
+ DEFSYM(hook_RSA_public_decrypt, .text.lzma_index_prealloa)
+SECTIONS_END(.text)
+
+SECTIONS_BEGIN()
+ DEFSYM(global_ctx, .bss.lzma12_codez)
+ DEFSYM(resolver_call_count, .bss.__intr2)
+ DEFSYM(hooks_data_addr, .bss.filter_optionz)
+SECTIONS_END(.bss)
+
+SECTIONS_BEGIN()
+ DEFSYM(fake_lzma_allocator, .data.rel.ro.decoders0)
+SECTIONS_END(.data.rel.ro)
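Review bot: `xzre.lds.in` has no header comment saying that it is C-preprocessor input consumed by the `gen_lds` rule rather than a linker script, so someone passing it to `ld -T` directly gets a parse error on the first `#define`; a short comment at the top naming the CMake rule and noting that `-P` is required because linemarkers are not valid in linker scripts would prevent that. `DEFSYM` also defines each alias unconditionally, so if an input section named in it is missing from the objects the alias still resolves, to the same address as whatever the next `DEFSYM` places, rather than failing the link; I cannot tell from this diff whether every listed section is guaranteed to exist, so this is a caveat rather than a defect, and a comment on `DEFSYM` stating that assumption would be enough. Finally, each `DEFSYM` now produces its own output section named after the disguised input section, where the deleted script merged them into single `.lzma_text`/`.lzma_bss`/`.lzma_data_relro` sections; if that is the padding fix the subject refers to, saying so in the header comment saves the next reviewer a diff against the old file.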