-
Notifications
You must be signed in to change notification settings - Fork 0
kspalaiologos/elfdude
Folders and files
Name | Name | Last commit message | Last commit date | |
---|---|---|---|---|
Repository files navigation
██████████ █████ ███████████ █████ █████ | ░░███░░░░░█░░███ ░░███░░░░░░█ ░░███ ░░███ | ░███ █ ░ ░███ ░███ █ ░ ███████ █████ ████ ███████ ██████ | ░██████ ░███ ░███████ ███░░███ ░░███ ░███ ███░░███ ███░░███ | ░███░░█ ░███ ░███░░░█ ░███ ░███ ░███ ░███ ░███ ░███ ░███████ | ░███ ░ █ ░███ █ ░███ ░ ░███ ░███ ░███ ░███ ░███ ░███ ░███░░░ | ██████████ ███████████ █████ ░░████████ ░░████████░░████████░░██████ | ░░░░░░░░░░ ░░░░░░░░░░░ ░░░░░ ░░░░░░░░ ░░░░░░░░ ░░░░░░░░ ░░░░░░ | ____________________________________________________________________________+ v0.005 a small ELF32 packer (c) 2024 kamila szewczyk, prototyped on a sunny sunday afternoon of 23-06-2024 ===> table of contents 1. introduction 2. basic usage 3. rpn calculator 4. how it works 5. limitations 6. acknowledgements, copyright & license 7. changelog ===> 1. introduction elfdude is a versatile executable packer. it's capable of generating tiny ELF files that run on 32-bit x86 Linux systems (i386 or later). it fills the niche of a small, simple and easy-to-use packer that generates ELF32 files. comparison with other ELF processors: - upx: elfdude is much simpler and smaller, supports and more advanced compression algorithms. upx is generally more serious (it supports many other platforms besides i386 Linux) but offers worse compression ratio on very small files (demos) and on very large files (UCL does not scale). elfdude is also generally slower than upx. currently, it also does not implement some UPX features. - ezuri, midgetpack: elfdude is merely a packer and not an encryption tool, not intended to be used for malware. ezuri/midgetpack do not support compression. elfdude does not provide the same level of security as either. - gzexe: elfdude is generally competitive with gzexe in terms of compression ratio. gzexe generates shell scripts, not ELF files. further, it depends on the system's gzip implementation, which may not be available. - papaw: similar to elfdude. elfdude is generally a bit more advanced and efficient. ===> 2. basic usage refer to `elfdude -h'. generally, `-m X' sets the compression mode. the number does not really correspond to compression quality, so make sure to test a bunch. `--bss_size' and `--bss_base' set the base address and the size of the bss section in the packed image. it's a zeroed section meant for static data. `--image_base' sets the base address of the image (the entry point). it's usually within the first 16M of the address space, but you can set it to more or less whatever. `--image_pad' specifies the size of zero-padding after the image in the packed file. it's useful for self-modifying code assuming `--wx' is not set. `--wx' makes the pages containing the entry point read-only. this is useful for compatibility with some systems like selinux that implement data execution prevention. invocation example: >>> % cat > hello.asm <<EOF ; hello.asm: binary format, 32bit, origin 0x1000000 use32 org 0x1000000 mov eax, 4 mov ebx, 1 mov ecx, message mov edx, 51 int 0x80 mov eax, 1 xor ebx, ebx int 0x80 message: db 'HelloHelloHelloHelloHelloHelloHelloHelloHelloHello', 0x0a EOF % fasm hello.asm hello.bin # assembles the source % elfdude -m 1 # sets the method to LZSS --image_base=0x1000000 # sets the image base address --image_pad=32 # adds extra padding at the end --bss_base=0x2000000 # sets the bss base address --bss_size=32 # sets the bss size hello.bin hello.elf <<< ===> 3. rpn calculator rpn.asm is a toy rpn calculator. build it without bss and wx. ===> 4. how it works elfdude uses a bunch of stubs written using fasm syntax; the packer modifies the addresses, offsets and sizes in the stubs to match the packed image. the stub is a simple ELF32 executable that allocates pages with `mmap' for the resulting machine code and the bss section. then, the data appended to the stub is decompressed and copied to the allocated memory. the entry point (the first instruction at the base address) is then executed. register state is preserved on stub startup and restored before the jump to the entry point. methods: - lzmw: Lempel-Ziv-Miller-Wegman, variant of LZW that adapts quicker. - lzss: Lempel-Ziv-Storer-Szymanski, a simple dictionary-based algorithm it uses a byte-wise encoding similar to this of LZ4. - store: no compression, just stores the data. - lzssopt: a variant of LZSS that takes more time to find good matches. - ppmii (low order): a variant of D. Shkarin's PPMDvJ with max order of 4 - ppmii (mid order): a variant of D. Shkarin's PPMDvJ with max order of 6 - ppmii (high order): a variant of D. Shkarin's PPMDvJ with max order of 8 ===> 5. limitations Current list of improvements yet to be made: - support for (dynamically linked) ELFs. - tool that turns ELFs into flat images. - support for more algorithms. - support FreeBSD/OpenBSD/NetBSD - golf down the stubs. - support shell script stubs like gzexe. ===> 6. acknowledgements, copyright & license elfdude was written by kamila szewczyk in 2024. it can be freely distributed as freeware. the author is not responsible for any damage caused by the use of this software. the software is provided as-is and comes with no warranty. thanks to: - andy kelley for zig-cc - tomek grysztar for fasm - rich felker for musl - mark oberhumer for upx - igor pavlov for lzma - dymitry shkarin for ppmd - many more. feel like you should be on the list? let me know. https://palaiologos.rocks - kspalaiologos@gmail.com ===> 7. changelog v0.004: golf down stubs, implement --wx for selinux compatibility. improved error checking. verbose output mode. lzssopt compression mode that uses near-optimal parsing, cli tool preserves permissions owner and time now. v0.005: added PPM support, made all stubs --wx by default (no RWX sections), added low/mid/high order PPMII modes, verbose mode now displays blake2b sums. fixed some internal bugs.
About
a small & primitive elf32 packer.
Topics
Resources
Stars
Watchers
Forks
Releases
No releases published
Packages 0
No packages published