preeny
preeny: a useful collection of preloads
GitHub project: https://github.com/zardus/preeny
Preeny has the following modules:
| Name | Summary |
|---|---|
| dealarm | Disables alarm() |
| defork | Disables fork() |
| deptrace | Disables ptrace() |
| derand | Disables rand() and random() |
| desigact | Disables sigaction() |
| desock | Channels socket communication to the console |
| desock_dup | Channels socket communication to the console (simpler method) |
| ensock | The opposite of desock -- like an LD_PRELOAD version of socat! |
| desrand | Does tricky things with srand() to control randomness. |
| mallocwatch | When ltrace is inconvenient, mallocwatch provides info on heap operations. |
| writeout | Some binaries write() to fd 0, expecting it to be a two-way socket. This makes that work (by redirecting to fd 1). |
| patch | Patches programs at load time. |
| startstop | Sends SIGSTOP to itself on startup, to suspend the process. |
Installing Preeny:

```
$ git clone https://github.com/zardus/preeny.git
$ apt-get install libini-config3 libini-config-dev
$ cd preeny
$ make
```

To build 32-bit x86 preeny on a 64-bit x86 host:

```
$ CFLAGS=-m32 make
```
Usage:

Disable the socket(), fork() and alarm() functions inside a program:

```
LD_PRELOAD=x86_64-linux-gnu/desock.so:x86_64-linux-gnu/defork.so:x86_64-linux-gnu/dealarm.so ~/code/security/codegate/2015/rodent/rodent
```
De-randomization:

derand.so

Overrides rand() and random():

```
# this will return 42 on each rand() call
LD_PRELOAD=x86_64-linux-gnu/derand.so tests/rand
# this will return 1337 on each rand() call
RAND=1337 LD_PRELOAD=x86_64-linux-gnu/derand.so tests/rand
```
desrand.so

Overrides srand():

```
# this simply sets the seed to 42 (the default)
LD_PRELOAD=x86_64-linux-gnu/desrand.so tests/rand
# this sets the seed to 1337
SEED=1337 LD_PRELOAD=x86_64-linux-gnu/desrand.so tests/rand
# this sets the seed such that the first "rand() % 128" will be 10
WANT=10 MOD=128 LD_PRELOAD=x86_64-linux-gnu/desrand.so tests/rand
# finally, this makes the *third* "rand() % 128" be 10
SKIP=2 WANT=10 MOD=128 LD_PRELOAD=x86_64-linux-gnu/desrand.so tests/rand
```
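How the WANT/MOD/SKIP search behind desrand.so can work, as an added example in C (not preeny's own code): seeds are tried in order with the host libc's srand()/rand() until the (SKIP+1)-th rand() % MOD equals WANT. The defaults in main() and the search limit are assumptions for this example.

```c
#include <stdio.h>
#include <stdlib.h>

/* Search seeds 0..limit-1 for one where, after srand(seed) and `skip`
 * discarded rand() calls, the next rand() % mod equals want.
 * Returns the seed, or -1 if none is found within the limit. */
long find_seed(int want, int mod, int skip, long limit)
{
    if (mod <= 0 || want < 0 || want >= mod || skip < 0)
        return -1;
    for (long seed = 0; seed < limit; seed++) {
        srand((unsigned)seed);
        for (int i = 0; i < skip; i++)
            rand();                 /* discard the first `skip` values */
        if (rand() % mod == want)
            return seed;
    }
    return -1;
}

/* Re-seed with the found seed and return what the target program would
 * see at rand() call number skip+1, reduced modulo mod, so the result
 * can be checked independently of the search. */
int nth_rand_mod(long seed, int skip, int mod)
{
    srand((unsigned)seed);
    for (int i = 0; i < skip; i++)
        rand();
    return rand() % mod;
}

/* Read WANT/MOD/SKIP from the environment the way the page's desrand
 * examples pass them; the defaults (10, 128, 0) are assumed here. */
int main(void)
{
    const char *w = getenv("WANT"), *m = getenv("MOD"), *s = getenv("SKIP");
    int want = w ? atoi(w) : 10;
    int mod  = m ? atoi(m) : 128;
    int skip = s ? atoi(s) : 0;
    long seed = find_seed(want, mod, skip, 1L << 20);   /* search bound assumed */
    if (seed < 0) {
        fprintf(stderr, "no seed found within the search limit\n");
        return 1;
    }
    printf("SEED=%ld makes rand() call #%d %% %d == %d\n",
           seed, skip + 1, mod, nth_rand_mod(seed, skip, mod));
    return 0;
}
```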
I haven't used the next two features yet; they are fuzzing-related.

De-socketing

Certain tools (such as American Fuzzy Lop, for example) are unable to handle network binaries. Preeny includes two "de-socketing" modules. desock.so neuters socket(), bind(), listen(), and accept(), making it return sockets that are, through hackish ways, synchronized to stdin and stdout. desock_dup.so is a simpler version for programs that dup accepted sockets over file descriptors 0, 1, and 2. A discussion of the different ways to de-socket a program, and why Preeny does it the way it does, can be found here.

En-socketing

You can also use preeny to turn a normal binary into a socket binary! Just set the PORT environment variable (default is 1337) and preload ensock.so!
Patch
patch.so can be used to modify the bytes at a specified address at load time. tests/hello is a simple program that prints "Hello world!". Write a .p file whose sections each name the original string, its address and the replacement bytes:

```
# tests/hello
Hello world!
# cat hello.p
[hello]
address=0x4005c4
content='4141414141'
[world]
address=0x4005ca
content='6161616161'
# PATCH="hello.p" LD_PRELOAD=x86_64-linux-gnu/patch.so tests/hello
--- section hello in file hello.p specifies 5-byte patch at 0x4005c4
--- section world in file hello.p specifies 5-byte patch at 0x4005ca
AAAAA aaaaa!
```
Always believe that good things will come.