-
Notifications
You must be signed in to change notification settings - Fork 58
/
Copy pathTODO
77 lines (57 loc) · 2.99 KB
/
TODO
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
-- Difficult issues
A.1. Fix heuristics.c so that code injection detection yields less
false positives. This detects shared libraries that were
injected in some way other than dlopen() and LD_PRELOAD.
probably with mmap() or __libc_dlopen_mode() or ptrace
shellcode. We need to switch over to some code that uses
ld.so.cache for speed.
Status: Completed, replaced heuristics.c with dlopen.c in
commit: 0f8bcd7ef4869d12ba1b7c284ae80811765dc23c
A.2. Currently in libecfs when retrieving the GOT info there
are GOT entries that are filled with addresses other than
what we guessed should be there by looking at the PLT and
symbol table. Even if there is no shared library injection
we get mismatched addresses in our GOT info code in libecfs
this must be fixed.
Status: Needs investigation
A.3. Currently some injected objects (SHT_INJECTED) such as when
an ET_REL has been found in the process. We create a section
header that only covers the text of that object, and not the
data segment. This is especially important for injected executables
or shared objects, since often we want to extract these for
analysis after the fact.
Status: Incomplete
-- Medium issues
B.4. Add code to readecfs so that it builds section headers on extracted
objects 'with readecfs -O' option.
status incomplete
B.5. Enhance SHT_INJECTION so that when it detects ELF objects (in core_accessors.c)
that it also marks the data segment as INJECTED.
status: incomplete
B.6. Add support for reconstruction .init_array and .fini_array sections
status: complete :)
B.7. Symbol resolution is currently done with linear lookups, instead we should
switch to using the .gnu.hash.
status: incomplete
B.8. If .plt section isn't found we should not guess its size like we currently
do by just giving a default value of 64 (Which is given for any sections we can't
find the size of for one reason or another). Formula for calculating PLT size is:
J (number of JUMP_SLOT relocations) * size of PLT entry size (Usually 16) + 3 reserved
entries * size of PLT entry size.
status: incomplete
-- Easy
C.1 Add feature to readecfs so that in the -g option it prints out the relocation
name that is associated with each listed GOT entry.
C.2. Fix libecfs bug where it adds a base to the pltVaddr resulting in an incorrect
address
C.3. Add code so that each anonymous and file mapping has its own section header.
What if for instance we know some data was stored in mmap.rwx.1 and we wanted to
readecfs -O (or objcopy) it onto disk? Currently there is no way to access just that
memory mapping, unless the phdr's are used.
C.4. sh_link properly set for .dynamic, .rela.dyn, .rela.plt all need to point to either
.dynstr or .dynsym depending on which section.
-- Bugs of unknown difficulty
D.1 When trying to create an ecfs-core from a UPX packed sshd process
Jul 26 17:45:46 elfmaster kernel: [23122.882602] ecfs64[17306]: segfault at 328000 ip 000000000040865a sp 00007fff93be6cd0 error 4 in ecfs64[400000+2700
0]
check_segments_for_elf_objects() is the function that is segfaulting