Is it possible to modify an environment variable's name inside a library with some sort of editor? I'm thinking maybe a hex editor.
I want to modify the name without altering its length:
envfoobar (9 chars)
yellowbar (9 chars)
Obviously, recompilation would be ideal, but I do not know what exact flags were used to compile this library.
What's stopping you? You can even use a text editor (as long as it's a decent editor that knows how to handle binary data, as vim does). If the library refers to the name of the environment variable through a string, and that string is in the library's data segment (i.e. it isn't built at runtime), then it's trivial to edit the library this way. Just don't delete characters or introduce new ones. I've done this under Linux. Some other OSes may digitally sign binaries and prevent this from working; some use a standard checksum or hash, in which case you'll have to recompute it.
If you can find the name with the strings command on the library, it might work. You could load the library up in your favorite hex editor, change the string, and give it a shot.
It's a hacky thing to do, but it could work. Let us know.
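If you'd rather script it than poke around in a hex editor, a rough sketch in C of the same idea follows. It assumes the name is stored as a plain NUL-terminated literal in the file and that the replacement has exactly the same length; the library path and both strings are placeholders, and you should work on a backup copy.
/* patchstr.c - overwrite one same-length string in a binary file. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int main(void)
{
    const char *oldstr = "envfoobar";   /* name currently in the library     */
    const char *newstr = "yellowbar";   /* replacement, must be same length  */
    size_t len = strlen(oldstr);

    if (strlen(newstr) != len) {
        fprintf(stderr, "replacement must have the same length\n");
        return 1;
    }

    FILE *f = fopen("libfoo.so", "r+b");
    if (!f) { perror("fopen"); return 1; }

    fseek(f, 0, SEEK_END);
    long size = ftell(f);
    rewind(f);

    char *buf = malloc((size_t)size);
    if (!buf || fread(buf, 1, (size_t)size, f) != (size_t)size) {
        perror("read");
        return 1;
    }

    for (long i = 0; i + (long)len <= size; i++) {
        if (memcmp(buf + i, oldstr, len) == 0) {
            fseek(f, i, SEEK_SET);
            fwrite(newstr, 1, len, f);   /* patch in place, same length */
            printf("patched occurrence at offset %ld\n", i);
        }
    }

    free(buf);
    fclose(f);
    return 0;
}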
Related
I've seen some binary files where the developer was apparently a bit paranoid and obfuscated all the text in the binary. I hadn't seen anything like it before and didn't find any obvious options for compiling an ELF with hidden text. Even standard OS API strings were hidden, which was strange given that they are usually visible.
These programs don't really contain any text that isn't exposed anyway when they run, except for text that is never displayed. Hiding the whole lot just raises red flags and makes the binary look suspicious.
Are there easy ways to hide text that is compiled into an ELF, say with simple compiler/linker options? I imagine a decoder could be inserted at main(), but how could the text section be easily encoded?
I can imagine a custom way to do it: have an implicit decoder in the code with a key, then use that key to encode the text in the ELF so that it can be decoded again at runtime.
You must have been looking at compressed executable files.
There are various tools available to compress executable files and decompress them at load time, such as upx for Linux. Most text in the binary file becomes unreadable to the naked eye, but be aware that this is a very ineffective way to hide sensitive data: attackers will have no difficulty decompressing the executable to gain access to the actual contents.
Using encrypted strings in your executable, whose contents are produced by a script during the build process, is a better approach, but the code to decrypt them must still be present somewhere in the executable, just harder to locate. If the data is sufficiently valuable (database passwords, bitcoin keys...), attackers will get to it.
I guess that by "text" you mean human-readable text (and not the code segment, a.k.a. the text segment).
You could just encrypt or obfuscate it into a read-only array:
const char encrypted_text[] = {
// a lot of encrypted bytes like 0x01, 0x43, etc
// the C file containing that would be generated by some script
};
Then you'll use your de-obfuscation or decryption routines to get the real (deciphered) text.
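For illustration, a minimal de-obfuscation routine might look like the sketch below. The array is repeated here with placeholder contents so the example is self-contained, and single-byte XOR with 0x5A stands in for whatever scheme your build script actually applies.
#include <stdlib.h>

/* Bytes produced by the build script; here just "secret" XORed with 0x5A. */
static const unsigned char encrypted_text[] = {
    0x29, 0x3f, 0x39, 0x28, 0x3f, 0x2e
};

/* Returns a heap-allocated plaintext copy; the caller frees it. */
static char *decrypt_text(void)
{
    size_t n = sizeof(encrypted_text);
    char *out = malloc(n + 1);
    for (size_t i = 0; i < n; i++)
        out[i] = (char)(encrypted_text[i] ^ 0x5A);
    out[n] = '\0';
    return out;
}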
I'm not sure it is worth the trouble. Life is too short.
I've normally seen this when analyzing malware. The authors do this to prevent static analysis tools like strings from working. Additionally, such authors might load functions by using dlopen and dlsym to get the functions that they need.
For example, take the code snippet below:
printf("Hello World");
I would see the string "Hello World" in the output of strings, and by looking at the import section of the ELF file I'd see that the program makes use of printf. So without running the program it is possible to get a sense of what it is doing.
Now let's assume that the author wrote a function char* decrypt(int). This function takes an index into a string table (in which each string is encrypted) and returns the decrypted string. The above line of code would now notionally look like:
void* pfile = dlopen(decrypt(3), RTLD_LAZY);
void* pfunct = dlsym(pfile, decrypt(15));
pfunct(decrypt(5));
Again, remember that the above is closer to pseudo-code than actual compilable code. Now in this case, using static analysis tools, we would not see the strings or the function names (in the import section).
Additionally, if we were attempting to reverse engineer the code, we would need to take time to decrypt the strings and work through the logic to determine which functions are being called. This can be done, but it slows the analyst down, which means it will take longer until a mitigation for the malware is created.
And now to your question:
Are there easy ways to hide text that is compiled into an ELF? Be that
with easy compiler/linking options. I imagine a decoder could be
inserted at main() but how could the text section be easily encoded?
There is no compiler/linker option that does this. The author would need to choose to do this, write the appropriate functions (i.e. decrypt above), and write a utility to produce the encrypted forms of the strings. Additionally, as others have suggested, once this is done the entire application can be encrypted/compressed (think of a self-extracting zip file), so the only thing you see initially with static analysis tools is the stub that decrypts or decompresses the file.
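As a sketch of that "utility to produce the encrypted forms", a build-time generator can be tiny. Everything here is made up for the example, and single-byte XOR is only a stand-in for a real cipher; the key must match whatever the decrypt routine in the program uses.
/* genstrings.c - emit the obfuscated form of argv[1] as a C array.
 * usage:  ./genstrings "Hello World" > strings.inc                 */
#include <stdio.h>
#include <string.h>

int main(int argc, char **argv)
{
    if (argc < 2) {
        fprintf(stderr, "usage: %s <string>\n", argv[0]);
        return 1;
    }

    const unsigned char key = 0x5A;   /* must match the decoder's key */
    size_t len = strlen(argv[1]);

    printf("static const unsigned char enc_str[] = {\n");
    for (size_t i = 0; i < len; i++)
        printf("    0x%02x,\n", (unsigned)((unsigned char)argv[1][i] ^ key));
    printf("};\n");
    return 0;
}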
See https://www.ioactive.com/pdfs/ZeusSpyEyeBankingTrojanAnalysis.pdf for an example of this (granted, it is Windows based, but the techniques for encrypting strings and dynamically loading functions are the same; look at the section on API calls).
If interested, you can also see https://www.researchgate.net/publication/224180021_On_the_analysis_of_the_Zeus_botnet_crimeware_toolkit and https://arxiv.org/pdf/1406.5569.pdf
I have to draw a box in C, using ncurses.
First, I have defined some values for simplicity:
#define RB "\e(0\x6a\e(B" (ASCII 188, right bottom, for example)
I have compiled with gcc, over Ubuntu, with -finput-charset=UTF-8 flag.
But if I try to print it with addstr or printw, I get the hex codes instead.
What am I doing wrong?
ncurses defines the values ACS_HLINE, ACS_VLINE, ACS_ULCORNER, ACS_URCORNER, ACS_LLCORNER and ACS_LRCORNER. You can use those constants with addch and friends, which should result in your seeing the expected box characters. (There are lots more ACS characters; you'll find a complete list in man addch.)
ncurses needs to know what it is drawing because it needs to know exactly where the cursor is all the time. Outputting console control sequences is not a good idea; if ncurses knows how to handle the sequence, it has its own abstraction for the feature and you should use that abstraction. The ACS ("alternate character set") defines are one of those abstractions.
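As a quick illustration of those constants, a box drawn edge by edge might look like the sketch below (the coordinates and box size are arbitrary; link with -lncurses):
#include <curses.h>

int main(void)
{
    initscr();

    /* edges first... */
    mvhline(1, 1, ACS_HLINE, 20);     /* top    */
    mvhline(10, 1, ACS_HLINE, 20);    /* bottom */
    mvvline(1, 1, ACS_VLINE, 10);     /* left   */
    mvvline(1, 21, ACS_VLINE, 10);    /* right  */

    /* ...then the four corners on top of them */
    mvaddch(1, 1, ACS_ULCORNER);
    mvaddch(1, 21, ACS_URCORNER);
    mvaddch(10, 1, ACS_LLCORNER);
    mvaddch(10, 21, ACS_LRCORNER);

    refresh();
    getch();
    endwin();
    return 0;
}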
A few issues:
if your program writes something like "\e(0\x6a\e(B" using addstr, then ncurses (any curses implementation) will translate the individual characters to printable form as described in the addch manual page.
ncurses supports line-drawing for commonly used pseudo-graphics using symbols (such as ACS_HLINE), which are predefined characters with the A_ALTCHARSET attribute OR'd in. You can read about those in the Line Graphics section of the addch manual page.
the code 0x6a is ASCII j, which (given a VT100-style mapping) would be the lower-right corner. The curses symbol for that is ACS_LRCORNER.
you cannot write the line-drawing characters with addstr; instead, addch and addchstr are useful. There are also functions oriented toward line-drawing (see box and friends).
running in Ubuntu, your locale encoding is probably UTF-8. To make your program work properly, it should initialize the locale as described in the Initialization section of the ncurses manual page. In particular:
setlocale(LC_ALL, "");
Also, your program should link against the ncursesw library (-lncursesw) to use UTF-8, rather than just ncurses (-lncurses).
when compiling on Ubuntu, to use the proper header definitions, you should define _GNU_SOURCE.
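Putting those points together, a minimal sketch might look like this. Exact header and library names can vary by distribution; on Ubuntu, something like gcc prog.c -lncursesw should build it.
#define _GNU_SOURCE
#include <locale.h>
#include <curses.h>

int main(void)
{
    setlocale(LC_ALL, "");   /* must happen before initscr() for UTF-8 */
    initscr();

    box(stdscr, 0, 0);       /* 0, 0 selects the default ACS line characters */
    mvaddstr(1, 2, " boxed ");

    refresh();
    getch();
    endwin();
    return 0;
}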
BTW, I'm probably arriving somewhat late to the party, but I'll give you some insight that might or might not shed some light on your "box drawing" needs.
As of 2020 I'm involved in a fun personal project mixing Swift + ncurses (under OSX for now, but thinking about bringing it to Linux). Apparently it works flawlessly.
The thing is, since I'm using Swift, internally it all reduces to importing the .h and .c files from the Darwin.ncurses library that the macOS Xcode/runtime offers.
That means (I hope) my newly acquired skills might be useful for you, because apparently we're using the very same .h and .c files for our ncurses needs (or at least they should be really similar).
That said:
For now I've ignored the ACS_ corner chars (I can't find them under the Swift/Xcode/Darwin.ncurses runtime!) in favour of pure UTF-8 "corner chars", which also exist in the Unicode code space; see:
https://en.wikipedia.org/wiki/Box-drawing_character
What does that mean? Whenever I want some box-drawing characters, I just copy and paste pure UTF-8 characters into my strings and send those very strings to addstr.
Why does it work? Because, as someone also answered above, before initializing ncurses with initscr() I claim proper locale support with a setlocale(LC_ALL, ""); line.
What did I achieve? Apparently pure magic, and a very comfortable kind of magic, since I just copy and paste box characters inside my normal strings. At least under Darwin.ncurses on macOS Mojave I get not only box-drawing characters but full UTF-8 support.
Try the setlocale(LC_ALL, ""); initscr(); approach and tell us whether drawing boxes also works for you in a pure C environment using just UTF-8 box-drawing characters.
Greetings and happy ncursing!
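In plain C the same idea looks roughly like the sketch below. The box characters are ordinary UTF-8 literals pasted straight into the source (so the file must be saved as UTF-8), and you should link against the wide-character library, e.g. -lncursesw.
#include <locale.h>
#include <curses.h>

int main(void)
{
    setlocale(LC_ALL, "");   /* claim proper locale support before initscr() */
    initscr();

    /* plain UTF-8 box-drawing characters pasted straight into the strings */
    mvaddstr(1, 1, "┌──────────────┐");
    mvaddstr(2, 1, "│  hello box   │");
    mvaddstr(3, 1, "└──────────────┘");

    refresh();
    getch();
    endwin();
    return 0;
}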
I have a .so library and I want to replace a string hardcoded inside it with another one that is longer. Is that possible?
If you have the source and can recompile the library: fine, go for it.
If you mean via a hex editor or similar: Very dangerous to try.
Adding one character might work, depending on how much padding is applied after the string (possibly none, in which case even adding one character will break things). The more you add, the greater the chance it will fail.
Assuming "without source", I think the real answer is "No".
If the variable has a symbol and is always looked up by it, you could LD_PRELOAD a small library that just exports that symbol.
Alternatively, as a one-shot technique, you could load the program under gdb and set the variable there (which will implicitly malloc a new string for you).
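For the LD_PRELOAD route, the interposing library can be tiny. A sketch follows, assuming the string really is resolved through a dynamic symbol rather than a baked-in address; "the_string", "libfoo.so" and "shadow" are all made-up names, and you'd find the real symbol with nm -D on the library.
/* shadow.c - export a replacement for the data symbol the library looks up.
 * Build:  gcc -shared -fPIC -o shadow.so shadow.c
 * Run:    LD_PRELOAD=./shadow.so ./program                          */
const char the_string[] = "a much longer replacement string than before";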
Yes, you can, but it isn't easy. (I've done similar things using each of the approaches below).
Option 1: Sometimes, the string that follows the target string isn't used, or isn't very commonly used. For example, it might be an error message string. In that case, you can just write over it, and hope that whatever used that string isn't going to break if it sees something else (namely, the tail end of your new string).
Option 2: You can use a disassembler (like IDA) to locate uses of the string in the program, and rewrite those to point at a new region of the binary. Then you can write your new string in that new area. This isn't nearly as bad as you might think, especially if you have a good disassembler that can show you references to the data section.
I'm here looking at some C source code and I've found this:
fprintf(stderr, _("Try `%s --help' for more information.\n"), command);
I already saw the underscore when I had a look at wxWidgets, and I read that it's used for internationalization. I found it really horrible (the least intuitive name ever), but I thought it was just another weird wxWidgets convention.
Now I find it again in some Alsa source. Does anyone know where it comes from?
It comes from GNU gettext, a package designed to ease the internationalization process. The _() function is simply a string wrapper: it replaces the given string at runtime with a translation in the system's language, if one is available (i.e. if a .mo file for that language was shipped with the program).
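The usual setup looks roughly like this; "myprog" and the locale directory are placeholders, and on systems where gettext is not part of libc you also link with -lintl.
#include <libintl.h>
#include <locale.h>
#include <stdio.h>

#define _(String) gettext(String)    /* the conventional shorthand */

int main(int argc, char **argv)
{
    setlocale(LC_ALL, "");                          /* honour the user's locale */
    bindtextdomain("myprog", "/usr/share/locale");  /* where the .mo files live */
    textdomain("myprog");

    fprintf(stderr, _("Try `%s --help' for more information.\n"), argv[0]);
    return 0;
}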
It comes from gettext. Originally, "internationalization" was considered too long to type each time you needed a string internationalized, so programmers created the shortcut i18n (because there are 18 letters between the 'i' and the 'n' in internationalization), and you may see source code out there using that. Apparently i18n was still too long, so now it's just an underscore.
That would be from gettext
I want to do the inverse of this question.
I am embedding a file into an executable as an array, and I would later like to extract the embedded file from the executable.
It seems like objcopy might be useful here but I haven't figured out the proper incantation yet.
If you place the embedded file within its own section, you can use objcopy to extract that section into a raw output file, I think.
Look into gcc's __attribute__((section("embedded_file")))
Or, if you are getting the file into the executable some other way via the linker, you should be able to get it into its own section by other means, but I'm not familiar with doing that.
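For example, something along these lines should work with gcc; the section name and the data are placeholders. Pulling it back out would then be an objcopy invocation along the lines of objcopy -O binary --only-section=.blob program payload.bin, give or take flags.
/* embed.c - place the payload in its own section so objcopy can find it later. */
__attribute__((section(".blob")))
const unsigned char payload[] = {
    0xde, 0xad, 0xbe, 0xef   /* ...the embedded file's bytes go here... */
};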
Put a recognizable pattern at the beginning of the array to help you find the data in the file.
If you're creating a Windows executable, put the data into a binary resource in the executable instead of just encoding it into an array. You can then use the normal Windows resource functions (FindResource, LoadResource, etc.) to get at the data, though this is a bit trickier to get working correctly than it initially seems.
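A rough sketch of that resource route follows; the resource ID and file name are made up, and the data would be added through an .rc file compiled into the executable (e.g. a line like 101 RCDATA "payload.bin").
#include <windows.h>
#include <stdio.h>

#define IDR_PAYLOAD 101   /* made-up resource ID, matching the .rc file */

int main(void)
{
    HRSRC hres = FindResource(NULL, MAKEINTRESOURCE(IDR_PAYLOAD), RT_RCDATA);
    if (hres == NULL)
        return 1;

    HGLOBAL hglob = LoadResource(NULL, hres);
    const void *data = LockResource(hglob);
    DWORD size = SizeofResource(NULL, hres);

    if (data != NULL)
        fwrite(data, 1, size, stdout);   /* dump the embedded bytes */
    return 0;
}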