injex 0.1.0

Gives users the possibility to inject into and manipulate processes
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372

use crate::memory::MemoryManipulation;
use error::{InjectionError, InjectionResult};
use std::{fs::OpenOptions, path::Path};

#[cfg(target_os = "linux")]
use {
    dynasm::dynasm,
    dynasmrt::x64::X64Relocation,
    dynasmrt::{DynasmApi, DynasmLabelApi, VecAssembler},
    goblin::{elf::sym::Sym, Object},
    nix::{
        sys::signal::{self, Signal},
        unistd::Pid,
    },
    procfs::process::{MMapPath, MemoryMap, Process as LinuxProcess},
    regex::Regex,
    std::{fs::File, io::prelude::*},
};
pub mod error;

#[cfg(target_os = "linux")]
fn find_memory_region(regex: &str, process: &LinuxProcess) -> Option<MemoryMap> {
    let re = match Regex::new(regex) {
        Ok(re) => re,
        Err(_) => return None,
    };
    let mapped_memory_regions = match process.maps() {
        Ok(m) => m,
        Err(_) => return None,
    };
    mapped_memory_regions.into_iter().find(|x| {
        if let MMapPath::Path(path_buf) = &x.pathname {
            if re.is_match(path_buf.to_str().unwrap()) {
                return true;
            }
        }
        return false;
    })
}

#[cfg(target_os = "linux")]
fn find_elf_symbol_addr(mem_map: &MemoryMap, sym_name: &str) -> Option<u64> {
    fn find_elf_symbol(path: &MMapPath, sym_name: &str) -> Option<Sym> {
        let buffer = match path {
            MMapPath::Path(p) => match std::fs::read(p) {
                Ok(buf) => buf,
                Err(_) => return None,
            },
            _ => return None,
        };
        let elf_option = match Object::parse(&buffer) {
            Ok(Object::Elf(elf)) => Some(elf),
            _ => None,
        };
        if let Some(elf) = elf_option {
            match elf.syms.iter().find(|sym| {
                if let Some(Ok(name)) = elf.strtab.get(sym.st_name) {
                    name == sym_name
                } else {
                    false
                }
            }) {
                Some(sym) => return Some(sym),
                None => (),
            }
            elf.dynsyms.iter().find(|sym| {
                if let Some(Ok(name)) = elf.dynstrtab.get(sym.st_name) {
                    name == sym_name
                } else {
                    false
                }
            })
        } else {
            None
        }
    }
    match find_elf_symbol(&mem_map.pathname, sym_name) {
        Some(elf_symbol) => Some(mem_map.address.0 + elf_symbol.st_value),
        None => None,
    }
}
/// Injects an dynamic library into a process
#[cfg(target_os = "linux")]
pub fn inject<P, T>(manipulator: &T, pid: i32, library: P) -> InjectionResult<()>
where
    P: AsRef<Path>,
    T: MemoryManipulation,
{
    let library_path = match library.as_ref().to_str() {
        Some(s) => {
            println!("Injection library: {}", s);
            format!("{}\0", s)
        }
        None => {
            return Err(InjectionError::LibraryNotFound(
                "user-defined library".to_owned(),
            ))
        }
    };
    const STACK_BACKUP_SIZE: usize = 8 * 16;
    const STAGE_TWO_SIZE: u32 = 0x8000;

    let process = match LinuxProcess::new(pid) {
        Ok(proc) => proc,
        Err(_) => return Err(InjectionError::ProcessNotFound(pid)),
    };
    let ld = match find_memory_region(r".*/ld-.*\.so", &process) {
        Some(mem_map) => mem_map,
        None => return Err(InjectionError::LibraryNotFound("ld.so".to_owned())),
    };
    // let librt = match find_memory_region(r".*/librt-.*\.so", &process) {
    //     Some(mem_map) => mem_map,
    //     None => return Err(InjectionError::LibraryNotFound("librt.so".to_owned())),
    // };
    let dl_open_address = match find_elf_symbol_addr(&ld, "_dl_open") {
        Some(addr) => addr,
        None => return Err(InjectionError::SymbolNotFound("_dl_open".to_owned())),
    };
    // let shm_open_address = match find_elf_symbol_addr(&librt, "shm_open") {
    //     Some(addr) => addr,
    //     None => return Err(InjectionError::SymbolNotFound("shm_open".to_owned())),
    // };
    // let shm_unlink_address = match find_elf_symbol_addr(&librt, "shm_unlink") {
    //     Some(addr) => addr,
    //     None => return Err(InjectionError::SymbolNotFound("shm_unlink".to_owned())),
    // };

    match signal::kill(Pid::from_raw(pid), Signal::SIGSTOP) {
        Ok(_) => (),
        Err(e) => return Err(InjectionError::InternalError(e.to_string())),
    }

    // wait for process to stop
    while process.status().unwrap().state != "T (stopped)"
        && process.status().unwrap().state != "t (tracing stop)"
    {}

    let mut syscall_file = File::open(format!("/proc/{}/syscall", pid))?;
    let mut syscall_buffer = String::new();
    syscall_file.read_to_string(&mut syscall_buffer)?;
    syscall_buffer.pop();
    let syscall_buffer: Vec<&str> = syscall_buffer.rsplit(" ").collect();

    let current_rip = usize::from_str_radix(syscall_buffer[0].trim_start_matches("0x"), 16)?;
    let current_rsp = usize::from_str_radix(syscall_buffer[1].trim_start_matches("0x"), 16)?;

    //println!("Instruction Pointer: {:x}", current_rip);
    let mut ops: VecAssembler<X64Relocation> = VecAssembler::new(0x00);

    dynasm!(ops
        ; pushf
        ; push rax
        ; push rbx
        ; push rcx
        ; push rdx
        ; push rbp
        ; push rsi
        ; push rdi
        ; push r8
        ; push r9
        ; push r10
        ; push r11
        ; push r12
        ; push r13
        ; push r14
        ; push r15

        // Open shared memory object: stage two
        // funzt nicht gibt ffffffff
        // ; lea rdi, [>shared_object]
        // ; mov rsi, 2
        // ; mov rdx, 0400 // sollte egal sein
        // ; mov rax, QWORD shm_open_address as i64
        // ; call rax
        // ; mov r14, rax

        ; mov rax, 2 // SYS_OPEN
        ; lea rdi, [>shared_object]
        ; xor rsi, rsi // O_RDONLY
        ; xor rdx, rdx // Mode sollte egal sein bei 0_RDONLY
        ; syscall
        ; mov r14, rax // Save the fd

        // mmap it
        ; mov rax, 9 // SYS_MMAP
        ; xor rdi, rdi // addr
        ; mov rsi, STAGE_TWO_SIZE as i32 // len
        ; mov rdx, 0x7 // prot (rwx)
        ; mov r10, 0x2 // flags (MAP_PRIVATE)
        ; mov r8, r14 // fd
        ; xor r9, r9 // off
        ; syscall
        ; mov r15, rax // save mmap addr

        // close the file
        ; mov rax, 3 // SYS_CLOSE
        ; mov rdi, r14 // fd
        ; syscall

        // // Unlink shared memory object
        // ; lea rdi, [>shared_object]
        // ; mov rax, QWORD shm_unlink_address as i64
        // ; call rax

        // Delete the file
        ; mov rax, 87 // SYS_UNLINK
        ; lea rdi, [>shared_object]
        ; syscall

        // Jump to Stage two
        ; jmp r15

        ; shared_object:
        ; .bytes "/tmp/stage_two.bin\0".as_bytes()
    );

    let shell_code_buf = ops.finalize()?;

    let mut code_backup = vec![0_u8; shell_code_buf.len()];
    manipulator.read(current_rip, &mut code_backup)?;
    let mut stack_backup = [0_u8; STACK_BACKUP_SIZE];
    manipulator.read(current_rsp - STACK_BACKUP_SIZE, &mut stack_backup)?;

    let mut ops: VecAssembler<X64Relocation> = VecAssembler::new(0x00);

    dynasm!(ops
        ; cld
        ; fxsave [>moar_regs]

        // Open /proc/self/mem
        ; mov rax, 2 // SYS_OPEM
        ; lea rdi, [>proc_self_mem]
        ; mov rsi, 2 // flags (O_RDWR)
        ; xor rdx, rdx
        ; syscall
        ; mov r15, rax // save the fd

        // seek to code
        ; mov rax, 8 // SYS_LSEEK
        ; mov rdi, r15 // fd
        ; mov rsi, QWORD current_rip as i64 // offset
        ; xor rdx, rdx // whence (LEEK_SET)
        ; syscall

        // restore code
        ; mov rax, 1 // SYS_WRITE
        ; mov rdi, r15 // fd
        ; lea rsi, [>old_code] // backup buffer
        ; mov rdx, code_backup.len() as i32 // count
        ; syscall

        // close /proc/self/mem
        ; mov rax, 3 // SYS_CLOSE
        ; mov rdi, r15 // fd
        ; syscall

        // move pushed regs to our new stack
        ; lea rdi, [>new_stack_base - (STACK_BACKUP_SIZE as isize)]
        ; mov rsi, QWORD (current_rsp - STACK_BACKUP_SIZE) as i64
        ; mov rcx, STACK_BACKUP_SIZE as i32
        ; rep movsb

        // restore original stack
        ; mov rdi, QWORD (current_rsp - STACK_BACKUP_SIZE) as i64
        ; lea rsi, [>old_stack]
        ; mov rcx, STACK_BACKUP_SIZE as _
        ; rep movsb

        ; lea rsp, [>new_stack_base - (STACK_BACKUP_SIZE as isize)]

        // call _dl_open
        ; lea rdi, [>lib_path]
        ; mov rsi, 2
        ; xor rcx, rcx
        ; mov rax, QWORD dl_open_address as i64
        ; call rax

        ; fxrstor [>moar_regs]
        ; pop r15
        ; pop r14
        ; pop r13
        ; pop r12
        ; pop r11
        ; pop r10
        ; pop r9
        ; pop r8
        ; pop rdi
        ; pop rsi
        ; pop rbp
        ; pop rdx
        ; pop rcx
        ; pop rdx
        ; pop rax
        ; popf
        ; mov rsp, QWORD current_rsp as i64
        ; jmp QWORD [>old_rip]

        ; old_rip:
        ; .qword current_rip as i64

        ; old_code:
        ; .bytes code_backup.as_slice()

        ; old_stack:
        ; .bytes &stack_backup
        ; .align 16

        ; moar_regs:
        ; .bytes &[0_u8; 512]
        //; .space 512

        ; lib_path:
        ; .bytes library_path.as_bytes()

        ; proc_self_mem:
        ; .bytes "/proc/self/mem\0".as_bytes()

        ; new_stack:
        ; .align 0x8000

        ; new_stack_base:
    );

    let mut injection_buf = ops.finalize()?;

    // let shared_fd = mman::shm_open(
    //     "/stage_two",
    //     OFlag::O_CREAT | OFlag::O_RDWR,
    //     Mode::S_IRWXG | Mode::S_IRWXU | Mode::S_IRWXO,
    // )
    // .unwrap();
    // unistd::ftruncate(shared_fd, injection_buf.len() as i64).unwrap();
    // let shared_data = unsafe {
    //     mman::mmap(
    //         0 as *mut std::ffi::c_void,
    //         injection_buf.len(),
    //         ProtFlags::PROT_WRITE,
    //         MapFlags::MAP_SHARED,
    //         shared_fd,
    //         0,
    //     )
    //     .unwrap()
    // };
    // unsafe {
    //     ptr::copy_nonoverlapping(
    //         injection_buf.as_ptr(),
    //         shared_data as *mut u8,
    //         injection_buf.len(),
    //     );
    //     mman::munmap(shared_data, injection_buf.len()).unwrap();
    //     unistd::close(shared_fd).unwrap();
    // }

    let mut stage_two = OpenOptions::new()
        .write(true)
        .truncate(true)
        .create(true)
        .open("/tmp/stage_two.bin")?;

    let mut perms = stage_two.metadata()?.permissions();
    perms.set_readonly(false);
    stage_two.set_permissions(perms)?;
    stage_two.write_all(&mut injection_buf)?;

    manipulator.write(current_rip, shell_code_buf.as_slice())?;

    match signal::kill(Pid::from_raw(pid), Signal::SIGCONT) {
        Ok(_) => (),
        Err(e) => return Err(InjectionError::InternalError(e.to_string())),
    }
    Ok(())
}