preeny

preeny: a useful collection of LD_PRELOAD libraries

GitHub project: https://github.com/zardus/preeny

Preeny provides the following modules:

Name         Summary
dealarm      Disables alarm()
defork       Disables fork()
deptrace     Disables ptrace()
derand       Disables rand() and random()
desigact     Disables sigaction()
desock       Channels socket communication to the console
desock_dup   Channels socket communication to the console (simpler method)
ensock       The opposite of desock -- like an LD_PRELOAD version of socat!
desrand      Does tricky things with srand() to control randomness.
mallocwatch  When ltrace is inconvenient, mallocwatch provides info on heap operations.
writeout     Some binaries write() to fd 0, expecting it to be a two-way socket. This makes that work (by redirecting to fd 1).
patch        Patches programs at load time.
startstop    Sends SIGSTOP to itself on startup, to suspend the process.

Installing Preeny:

$ git clone https://github.com/zardus/preeny.git 

$ apt-get install libini-config3 libini-config-dev 

$ cd preeny 

$ make

Building 32-bit x86 preeny on a 64-bit x86 host (the spaces matter: with spaces around the equals sign the shell would try to run a command named CFLAGS instead of setting the variable):

$ CFLAGS=-m32 make

Usage:

Disable socket(), fork() and alarm() inside a program by preloading desock.so, defork.so and dealarm.so together:

LD_PRELOAD=x86_64-linux-gnu/desock.so:x86_64-linux-gnu/defork.so:x86_64-linux-gnu/dealarm.so ~/code/security/codegate/2015/rodent/rodent

Derandomization:

derand.so overrides rand() and random():
# this will return 42 on each rand() call (the default)
LD_PRELOAD=x86_64-linux-gnu/derand.so tests/rand

# this will return 1337 on each rand() call
RAND=1337 LD_PRELOAD=x86_64-linux-gnu/derand.so tests/rand
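How a module like derand.so does its job, as an added example (my own code, not preeny's): a shared object that defines rand() and random() itself, so the dynamic linker binds the target's calls to these definitions instead of libc's, and reads the value to return from the RAND variable the page mentions. The file name derand_mini.c, the helper names and the input validation rules are assumptions of this example; preeny's real derand.so may differ in those details.

```c
/* derand_mini.c: an added example that reimplements the idea behind preeny's
 * derand.so; it is not preeny's own code. Built as a shared object and
 * preloaded, it makes every rand()/random() call in the target return one
 * fixed value: 42 by default, or the RAND environment variable (the variable
 * name is the one the page shows; the parsing and fallback rules are mine).
 *
 *   gcc -shared -fPIC -Wall -o derand_mini.so derand_mini.c
 *   RAND=1337 LD_PRELOAD=./derand_mini.so ./target
 */
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

static int fixed_value = 42;   /* what rand() and random() hand back */

/* Parse RAND. Rejects empty strings, trailing garbage and out-of-int-range
 * values and returns fallback instead, so a typo does not silently become 0. */
int derand_parse_value(const char *s, int fallback)
{
    if (s == NULL || *s == '\0')
        return fallback;
    char *end;
    errno = 0;
    long v = strtol(s, &end, 0);       /* base 0: accepts 1337, 0x539, 02471 */
    if (errno != 0 || *end != '\0' || v < INT_MIN || v > INT_MAX)
        return fallback;
    return (int)v;
}

int derand_fixed_value(void)
{
    return fixed_value;
}

/* Runs when the object is mapped, i.e. before the target's main(). */
__attribute__((constructor)) static void derand_init(void)
{
    fixed_value = derand_parse_value(getenv("RAND"), fixed_value);
    fprintf(stderr, "--- derand_mini: rand() and random() will return %d\n",
            fixed_value);
}

/* Interposed definitions. With LD_PRELOAD the dynamic linker resolves the
 * target's rand/random to these before it ever looks in libc, so the real
 * generator is never reached; no dlsym(RTLD_NEXT) is needed because we do
 * not want to call the original at all. */
int rand(void)
{
    return fixed_value;
}

long random(void)
{
    return fixed_value;
}

/* Stand-alone demo: as a normal executable the definitions above also win
 * over libc's inside this program. */
int main(void)
{
    for (int i = 0; i < 3; i++)
        printf("rand() = %d  random() = %ld\n", rand(), random());
    return 0;
}
```

Two things worth noticing when you write your own shim: the constructor is where environment-driven configuration belongs, because it runs once before the target's main() regardless of when the target first calls rand(); and a shim that does not need the original function (as here) can simply define the symbol, whereas a shim that must fall through to libc (a logging wrapper, say) has to fetch the original with dlsym(RTLD_NEXT, ...) first.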
desrand.so overrides srand():
# this simply sets the seed to 42 (the default)
LD_PRELOAD=x86_64-linux-gnu/desrand.so tests/rand

# this sets the seed to 1337
SEED=1337 LD_PRELOAD=x86_64-linux-gnu/desrand.so tests/rand

# this picks a seed such that the first "rand() % 128" will be 10
WANT=10 MOD=128 LD_PRELOAD=x86_64-linux-gnu/desrand.so tests/rand

# finally, this makes the *third* "rand() % 128" be 10 (SKIP=2 leaves the first two calls alone)
SKIP=2 WANT=10 MOD=128 LD_PRELOAD=x86_64-linux-gnu/desrand.so tests/rand
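The WANT/MOD/SKIP behaviour above, as an added example of how a seed-steering preload can work (my own reimplementation, not preeny's desrand.so): it brute-forces a seed using the process's own libc generator, applies it from a constructor, and interposes srand() and rand() so the target can neither reseed the generator nor draw from a different one. The environment variable names are the page's; the search bound, the fallback rules and the routing of rand() onto random() are this example's assumptions.

```c
/* desrand_mini.c: an added example, not preeny's code, of the seed steering
 * that the page's desrand.so knobs describe. SEED, WANT, MOD and SKIP are the
 * variable names the page lists; the brute-force search, the defaults and the
 * way srand()/rand() are hijacked are this example's own choices.
 *
 *   gcc -shared -fPIC -Wall -o desrand_mini.so desrand_mini.c
 *   SKIP=2 WANT=10 MOD=128 LD_PRELOAD=./desrand_mini.so ./target
 */
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1            /* random()/srandom() under strict -std= */
#endif
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

#define SEED_SEARCH_LIMIT (1ul << 24)

/* First seed in [0, limit) for which, after seeding and discarding `skip`
 * draws, the next draw % mod equals want; -1 if none. The search drives
 * random()/srandom(), and the overrides below route the target's rand()/srand()
 * onto that same generator, so a seed found here holds for the target too. */
long desrand_find_seed(unsigned want, unsigned mod, unsigned skip,
                       unsigned long limit)
{
    if (mod == 0 || want >= mod)
        return -1;
    for (unsigned long seed = 0; seed < limit; seed++) {
        srandom((unsigned)seed);
        for (unsigned i = 0; i < skip; i++)
            random();
        if ((unsigned long)random() % mod == want)
            return (long)seed;
    }
    return -1;
}

static unsigned chosen_seed = 42;

unsigned desrand_chosen_seed(void)
{
    return chosen_seed;
}

/* Unsigned integer from the environment; fallback when absent or malformed. */
static unsigned env_or(const char *name, unsigned fallback)
{
    const char *s = getenv(name);
    if (s == NULL || *s == '\0')
        return fallback;
    char *end;
    errno = 0;
    unsigned long v = strtoul(s, &end, 0);
    if (errno != 0 || *end != '\0' || v > 0xFFFFFFFFul)
        return fallback;
    return (unsigned)v;
}

/* Runs before the target's main(): pick the seed, then seed the generator. */
__attribute__((constructor)) static void desrand_init(void)
{
    chosen_seed = env_or("SEED", 42);
    if (getenv("WANT") != NULL) {
        long found = desrand_find_seed(env_or("WANT", 0), env_or("MOD", 0),
                                       env_or("SKIP", 0), SEED_SEARCH_LIMIT);
        if (found < 0)
            fprintf(stderr, "--- desrand_mini: no seed satisfies WANT/MOD/SKIP,"
                            " keeping SEED=%u\n", chosen_seed);
        else
            chosen_seed = (unsigned)found;
    }
    srandom(chosen_seed);
    fprintf(stderr, "--- desrand_mini: generator seeded with %u\n", chosen_seed);
}

/* Interposed libc entry points. The target's own srand(time(NULL)) lands here
 * and is overruled; rand() is forwarded to random() so both share one state.
 * Calling srandom()/random() instead of dlsym(RTLD_NEXT, ...) keeps the shim
 * free of libdl. */
void srand(unsigned seed)
{
    (void)seed;
    srandom(chosen_seed);
}

int rand(void)
{
    return (int)random();
}

int main(void)
{
    srand(12345);                    /* ignored, see above */
    for (int i = 0; i < 3; i++)
        printf("rand() %% 128 = %d\n", rand() % 128);
    return 0;
}
```

Because the search runs inside the target process, the seed it finds is valid for exactly the libc the target links, which is why it should not be precomputed on another machine. The search is linear in the seed space: with MOD=128 it succeeds after roughly MOD tries on average, but a large MOD combined with a rare WANT can exhaust SEED_SEARCH_LIMIT, in which case this example falls back to SEED and says so on stderr.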

I haven't used the two features below yet; they are fuzzing-related.

De-socketing

Certain tools (such as American Fuzzy Lop, for example) are unable to handle network binaries. Preeny includes two "de-socketing" modules. desock.so neuters socket(), bind(), listen(), and accept(), making it return sockets that are, through hackish ways, synchronized to stdin and stdout. desock_dup.so is a simpler version for programs that dup accepted sockets over file descriptors 0, 1, and 2.

A discussion of the different ways to de-socket a program, and why Preeny does it the way it does, can be found here.

En-socketing

You can also use preeny to turn a normal binary into a socket binary! Just set the PORT environment variable (default is 1337) and preload ensock.so!

Patch

patch.so can be used to overwrite bytes at specified addresses when the program is loaded:

# tests/hello      a simple program that prints Hello world
Hello world!
# cat hello.p      the patch file: one [section] per patch, giving the address and the replacement bytes as a hex string
[hello]
address=0x4005c4
content='4141414141'

[world]
address=0x4005ca
content='6161616161'
# PATCH="hello.p" LD_PRELOAD=x86_64-linux-gnu/patch.so tests/hello 
--- section hello in file hello.p specifies 5-byte patch at 0x4005c4
--- section world in file hello.p specifies 5-byte patch at 0x4005ca
AAAAA aaaaa!
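The .p file format above, as an added example (my code, not preeny's patch.so, which reads the file with libini_config and writes into the running process): an INI-style parser for the address/content sections and an all-or-nothing apply step against a byte buffer that models memory at a given base address. The section layout and key names are the page's; the function names, the buffer-based apply step and the size limits are assumptions of this example.

```c
/* patchfile_mini.c: an added example, not preeny's patch.so, that parses the
 * .p format above (one [section] per patch, `address=` plus hex `content=`)
 * and applies the patches to a byte buffer. patch.so does the same to the live
 * process image after mprotect()ing the page writable; here `base` is the
 * address buf[0] models, so the file's absolute addresses get bounds-checked.
 * HELLO_P and "Hello world!" are the page's; the function names are mine. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_CONTENT 256

struct patch {
    char name[64]; unsigned long address; unsigned char bytes[MAX_CONTENT]; size_t len;
};

/* Decode an even-length hex string; byte count, or -1 on bad input. */
int patch_decode_hex(const char *hex, unsigned char *out, size_t outmax)
{
    size_t n = strlen(hex);
    if (n == 0 || n % 2 != 0 || n / 2 > outmax) return -1;
    for (size_t i = 0; i < n; i += 2) {
        char pair[3] = { hex[i], hex[i + 1], '\0' };
        if (!isxdigit((unsigned char)pair[0]) || !isxdigit((unsigned char)pair[1])) return -1;
        out[i / 2] = (unsigned char)strtoul(pair, NULL, 16);
    }
    return (int)(n / 2);
}

static char *trim(char *s)                  /* strip blanks and one pair of quotes */
{
    while (isspace((unsigned char)*s)) s++;
    size_t n = strlen(s);
    while (n > 0 && isspace((unsigned char)s[n - 1])) s[--n] = '\0';
    if (n >= 2 && (s[0] == '\'' || s[0] == '"') && s[n - 1] == s[0]) { s[n - 1] = '\0'; s++; }
    return s;
}

/* Parse the INI-style text; patch count, or -1 on a key outside any section,
 * a malformed address, bad hex, or a section that lacks either key. */
int patch_parse(const char *text, struct patch *out, int max)
{
    char copy[4096], *end;
    int count = 0, cur = -1;
    if (strlen(text) >= sizeof copy) return -1;
    strcpy(copy, text);
    for (char *line = strtok(copy, "\n"); line != NULL; line = strtok(NULL, "\n")) {
        char *s = trim(line);
        if (*s == '\0' || *s == '#' || *s == ';') continue;          /* blank or comment */
        if (*s == '[') {                                             /* new section */
            char *close = strchr(s, ']');
            if (close == NULL || count >= max) return -1;
            *close = '\0'; cur = count++;
            memset(&out[cur], 0, sizeof out[cur]);
            snprintf(out[cur].name, sizeof out[cur].name, "%s", s + 1);
            continue;
        }
        char *eq = strchr(s, '=');
        if (eq == NULL || cur < 0) return -1;                        /* key before any section */
        *eq = '\0';
        char *key = trim(s), *val = trim(eq + 1);
        if (strcmp(key, "address") == 0) {
            out[cur].address = strtoul(val, &end, 0);
            if (*val == '\0' || *end != '\0') return -1;
        } else if (strcmp(key, "content") == 0) {                    /* other keys ignored */
            int n = patch_decode_hex(val, out[cur].bytes, MAX_CONTENT);
            if (n < 0) return -1;
            out[cur].len = (size_t)n;
        }
    }
    for (int i = 0; i < count; i++)                                  /* address 0 = missing */
        if (out[i].address == 0 || out[i].len == 0) return -1;
    return count;
}

/* Apply to buf, which models memory from address base upward. Every patch is
 * bounds-checked before any byte is written, so a bad file changes nothing. */
int patch_apply(const struct patch *p, int count, unsigned char *buf, size_t len, unsigned long base)
{
    for (int i = 0; i < count; i++)
        if (p[i].address < base || p[i].address - base + p[i].len > len) return -1;
    for (int i = 0; i < count; i++)
        memcpy(buf + (p[i].address - base), p[i].bytes, p[i].len);
    return count;
}

/* The page's hello.p, embedded so the demo needs no file on disk. */
const char *const HELLO_P =
    "[hello]\naddress=0x4005c4\ncontent='4141414141'\n\n"
    "[world]\naddress=0x4005ca\ncontent='6161616161'\n";

int main(void)
{
    struct patch ps[64];
    unsigned char mem[] = "Hello world!";                            /* what tests/hello prints */
    int n = patch_parse(HELLO_P, ps, 64);
    if (n < 0 || patch_apply(ps, n, mem, sizeof mem - 1, 0x4005c4ul) < 0) return 1;
    for (int i = 0; i < n; i++)
        printf("--- section %s specifies %zu-byte patch at 0x%lx\n", ps[i].name, ps[i].len, ps[i].address);
    printf("%s\n", mem);                                             /* AAAAA aaaaa! */
    return 0;
}
```

Run as is, it reproduces the page's output: the two `--- section` lines followed by AAAAA aaaaa!, because 0x4005ca is six bytes past 0x4005c4, exactly where "world" starts in the string. A real load-time patcher has one step this model skips: the target page is normally mapped read-only and executable, so it must mprotect() the page writable before the memcpy (and should restore the original protection afterwards), and it should refuse to apply anything if any single patch falls outside a mapped region, which is what the two-pass check in patch_apply stands in for.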


Reposted from: https://www.cnblogs.com/elvirangel/articles/7857611.html
