
List:       unix-virus
Subject:    elfsh 0.5b6-pre1 available : new features
From:       The ELFsh team <elfsh () devhell ! org>
Date:       2003-03-20 9:06:19



Even though the documentation has not been updated, the new MAJOR upgrade
beta version of the ELF shell is available to the public. It is still a
development version but should be okay for most people's needs. For a
complete list of changes since 0.5b3 or older versions, see the changelog
file.

The most up-to-date references for the elfsh/libelfsh API are the elfsh.h and
libelfsh.h prototypes :P The code is quite well commented and there are a lot of
examples in the tgz, which should be enough for the moment.


Here are the few features that may help the most:


- Simple scripting


http://devhell.org/projects/elfsh/logs/0.5/*


- Atomic commands (set/get/add/sub/mul/div/mod):

http://devhell.org/projects/elfsh/logs/0.5/regression-tests.esh
http://devhell.org/projects/elfsh/logs/0.5/regression-tests.out

See the 'info' command for the detailed format of object paths. Everything,
or nearly everything, is supported, but we are still working on instruction
reassembling so that we can provide advanced asm encoding in scripting
soon.


- Memory copy transfer commands:

http://devhell.org/projects/elfsh/logs/0.5/strings_tests.esh
http://devhell.org/projects/elfsh/logs/0.5/strings_tests.out

These are particularly useful ;P The format of the section [index] field can
be:

[index]
[index:array_index%array_elemsz]

The format is used to provide different ways to specify the file
location to be written to. In all cases, we write at:

section[index].raw + (array_index * array_elemsz)

If neither array_index nor array_elemsz is specified, the data is written
starting at the base address of the section. If array_elemsz is not
specified, it is assumed to be 1, so that array_index is used as a byte offset
from the beginning of the section.

The data to be written can be another place in the file (using the
same parameter format) or an immediate value (string or integer). The
immediate format supports \xXX hex values mixed with ASCII; you can of course
use \x00, and you don't have to supply the length of your string.

If you specify an integer, elfsh will dynamically change its type to a string
type and write the integer as a 4-byte-long string. You can use this
behavior to append entries in various sections like got, ctors, dtors. Since
immediate values matching a {symbol,dynsymbol,section} name are resolved, you
can do stuff like:

write 1.section[index].raw 	printf		: write the printf value at offset 0
write 1.section[index:42].raw 	0x11223344	: write the integer at offset 42
append .section_name		hehe\x00\x42	: append 6 bytes in requested sect
append .section_name		0x11223344	: append an integer to the requested sect
extend .section_name		size		: append size NUL bytes in requested sect
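The location syntax and immediate rules above are easy to get wrong by hand (an
off-by-one in array_index, or an \xXX escape counted as four characters, lands a
write somewhere else in the section). The following is an added example, not
elfsh's own code: it reimplements the documented semantics in Python against a
constructed ELF32 image, resolving "[index]" and "[index:array_index%array_elemsz]"
to a file offset with the formula section[index].raw + array_index * array_elemsz,
encoding immediates the way the text describes (integers become 4-byte strings,
strings may mix ASCII with \xXX escapes, names are resolved), and performing a
'write' and a 'get'. Assumptions: the index may also be a section name, the
symbol table is a constructed dictionary instead of .symtab/.dynsym lookup, and the
bounds check that refuses to spill past the end of a section is added here and is
not claimed to match elfsh's behaviour.

```python
import re
import struct

# Added example: a reimplementation of the documented [index] semantics, not
# elfsh code. ELF32 little-endian only, matching the i386 targets in the post.
EHDR_FMT = "<16sHHIIIIIHHHHHH"   # ELF32 header (52 bytes)
SHDR_FMT = "<IIIIIIIIII"         # ELF32 section header (40 bytes)

# Constructed symbol table standing in for symbol/dynsymbol resolution
# (assumption: only these names are known; the values are sample data).
SYMBOLS = {"malloc": 0x08049100, "printf": 0x080490E6}


def build_sample_elf():
    """Construct a minimal ELF32 i386 image with .text, .got and .shstrtab."""
    shstrtab = b"\0.text\0.got\0.shstrtab\0"
    # (sh_name offset, sh_type, sh_addr, raw bytes); contents are invented sample data
    specs = [
        (0, 0, 0, b""),                                               # SHN_UNDEF
        (1, 1, 0x08048000, b"\x90" * 16),                              # .text, SHT_PROGBITS
        (7, 1, 0x08049000, struct.pack("<4I", 0, 0, 0x080490E6, 0)),   # .got, four 4-byte slots
        (12, 3, 0, shstrtab),                                          # .shstrtab, SHT_STRTAB
    ]
    ehsize = struct.calcsize(EHDR_FMT)
    body, shdrs, off = bytearray(), [], ehsize
    for name, typ, addr, raw in specs:       # section data follows the header, in order
        shdrs.append(struct.pack(SHDR_FMT, name, typ, 0, addr,
                                 off if raw else 0, len(raw), 0, 0, 1, 0))
        body += raw
        off += len(raw)
    ident = b"\x7fELF" + bytes([1, 1, 1]) + b"\0" * 9      # ELFCLASS32, ELFDATA2LSB
    ehdr = struct.pack(EHDR_FMT, ident, 2, 3, 1, 0x08048000, 0, ehsize + len(body),
                       0, ehsize, 0, 0, struct.calcsize(SHDR_FMT), len(specs), 3)
    return bytearray(ehdr + body + b"".join(shdrs))


def read_sections(elf):
    """Parse the section header table into dicts of name/addr/offset/size."""
    hdr = struct.unpack_from(EHDR_FMT, elf, 0)
    ident, e_shoff, e_shentsize, e_shnum, e_shstrndx = hdr[0], hdr[6], hdr[11], hdr[12], hdr[13]
    if ident[:4] != b"\x7fELF" or ident[4] != 1 or ident[5] != 1:
        raise ValueError("only little-endian ELF32 is handled here")
    shdrs = [struct.unpack_from(SHDR_FMT, elf, e_shoff + i * e_shentsize) for i in range(e_shnum)]
    strtab = shdrs[e_shstrndx][4]            # sh_offset of .shstrtab

    def name(n):
        return bytes(elf[strtab + n:elf.index(b"\0", strtab + n)]).decode()

    return [{"name": name(s[0]), "addr": s[3], "offset": s[4], "size": s[5]} for s in shdrs]


LOCATION_RE = re.compile(r"^\[(\.?\w+)(?::(\d+)(?:%(\d+))?)?\]$")


def resolve_location(sections, spec):
    """Map '[index]' or '[index:array_index%array_elemsz]' to a file offset:
    section[index].raw + array_index * array_elemsz, with array_index
    defaulting to 0 and array_elemsz to 1. Assumption: index may be a name."""
    m = LOCATION_RE.match(spec)
    if not m:
        raise ValueError("bad location syntax: %r" % spec)
    key, array_index, elemsz = m.groups()
    if key.isdigit():
        sec = sections[int(key)]
    else:
        sec = next((s for s in sections if s["name"] == key), None)
        if sec is None:
            raise ValueError("no section named %s" % key)
    return sec, sec["offset"] + int(array_index or 0) * int(elemsz or 1)


def encode_immediate(value):
    """Bytes for an immediate: a known name resolves to its address, an int
    becomes a 4-byte little-endian string, a str may mix ASCII and \\xXX escapes."""
    if isinstance(value, str) and value in SYMBOLS:
        value = SYMBOLS[value]
    if isinstance(value, int):
        return struct.pack("<I", value & 0xFFFFFFFF)
    text = re.sub(r"\\x([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)
    return text.encode("latin-1")


def write_at(elf, sections, spec, value):
    """'write <location> <immediate>': patch in place; the overrun check is an
    addition of this example, not a claim about elfsh."""
    sec, off = resolve_location(sections, spec)
    data = encode_immediate(value)
    if off + len(data) > sec["offset"] + sec["size"]:
        raise ValueError("write of %d bytes at +%d overruns %s"
                         % (len(data), off - sec["offset"], sec["name"]))
    elf[off:off + len(data)] = data
    return off


def get_u32(elf, sections, spec):
    """'get <location>': read one 4-byte little-endian value."""
    _, off = resolve_location(sections, spec)
    return struct.unpack_from("<I", elf, off)[0]


if __name__ == "__main__":
    elf = build_sample_elf()
    sections = read_sections(elf)
    # Same idea as the post's 'set /bin/ls.got[21] malloc', on slot 3 of the sample .got
    print("before: %08X" % get_u32(elf, sections, "[.got:3%4]"))
    write_at(elf, sections, "[.got:3%4]", "malloc")
    print("after : %08X" % get_u32(elf, sections, "[.got:3%4]"))
    write_at(elf, sections, "[1:2]", r"\x31\xc0")   # two bytes at byte offset 2 of .text
```

Note that "[.got:3%4]" and "[.got:12]" name the same byte: the element size only
multiplies the array index, so a GOT slot written with elemsz 1 and the slot
number as array_index lands 3 bytes into the table rather than on slot 3.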




- Module support, associated with the elfsh internal API for command management:

http://devhell.org/projects/elfsh/logs/0.5/modules.out

	* Mandatory void elfsh_init() constructor
	* Optional  void elfsh_fini() destructor

All functions of elfsh and libelfsh can be used in modules; these elfsh
functions may be the most useful:

	* API to deal with command adding, removing, and hijacking:

		vm_setcmd(char *name, void *exec_handler, void *reg_handler, u_int flags);
		vm_addcmd(char *name, void *exec_handler, void *reg_handler, u_int flags);
		vm_delcmd(char *name);

	. exec_handler is the command execution handler
	. reg_handler is the registration handler (used to fetch the options from the
	 token queue; depending on their number and format, choose one in elfsh/opt.c)
	. flags is 1 if the command does I/O on the current file (e.g. if it needs a
	current object; this param may be removed in the future)




- Relocation rebuilding for ET_EXEC objects

	* findrel shell command (creates an elfshrel_t array for each section)
	* elfsh_relocate*() API in libelfsh/remap.c
	* Experimental 'remap' command (modremap.c) by spacewalker@altern.org

modremap is based on the elfsh_relocate*() behavior, which still produces
false positives on most binaries, but it has been working on /bin/ls and
various other /bin/* binaries, so we provide it as an experimental ELFsh
module. More sophisticated FP detection code is being written at the moment
so that bigger binaries like ssh/sshd can be relocated, remapped, and
relinked.

http://devhell.org/projects/elfsh/logs/0.5/remap_script.esh
http://devhell.org/projects/elfsh/logs/0.5/remap_script.out




- Quiet/Embedded command line mode (-q)

	* Interesting for use with laptop or embedded hardware screens
	* Interesting for calling elfsh from shell scripts
	
bash-2.05$ elfsh -q -f /bin/ls -set /bin/ls.got[21] malloc -w /tmp/newls 
bash-2.05$ elfsh -q -f /bin/ls -get /bin/ls.got[21]                     
080490E6
bash-2.05$ elfsh -q -f /tmp/newls -get /tmp/newls.got[21]
08049100
bash-2.05$ elfsh -q -f /bin/ls -get malloc         
08049100
bash-2.05$ 

	-q : quiet
	-w : specify output file

You can call all monolithic commands with all objects as if you were in
interactive mode, even on the command line; you can run more than one command
before dumping the file with -w.

	* et_dyn target in the Makefile for linking the whole package as a library

	


- Last Hints :

	* A good libreadline version is 4.3.
	* Libasm can still be retrieved from devhell.org/projects/libasm/
	* ELFsh snapshots can be retrieved from the ELFsh ML archives

A discussion about the use of GUILE scripting in combination with elfsh
scripting has been started. If you are experienced in GUILE and you
have something serious to say/do about the idea of implementing such an interface
(through an ELFsh module), contact us. For curious people, sample GUILE
scripts can be found at:

http://www.gnu.org/software/guile/docs/guile-ref/Scripting-Examples.html


Enjoy


-- 
The ELF shell team
http://devhell.org/projects/elfsh/