Skip to content
/ cxa-finalize-infect Public

An ELF infector that hijacks the __cxa_finalize function

License

MIT license
6 stars 1 fork Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

v-rzh/cxa-finalize-infect

BranchesTags

Repository files navigation

cxa-finalize-infect

An ELF infector that hijacks __cxa_finalize function. The parasite infects the code segment padding (Silvio Cesare's padding method).

Building

Run make or make debug=on for a debug build.

Usage

[joey@gibson]$ ./infect_cxa_finalize
Usage: ./infect_cxa_finalize [-p] [-d] <parasite.o> <host.elf>

    -p    Hijack __cxa_finalize in .plt.got
    -d    Hijack __cxa_finalize in __do_glob_dtors_aux

The infector expects the parasite to be an ELF object file, with all of the code contained in the .text section. At the moment the beginning of code is also treated as the parasite entry point. Check the test directory for some examples.

The -d option is for binaries that were compiled with no PLT, however it won't work if the PLT is present.

Testing

The test directory contains a few very simple parasites and a small collection of ELF binaries distributed with GNU/Linux compiled with and without PLT. Run the run_tests.sh to infect each binary and test the infection.

About

An ELF infector that hijacks the __cxa_finalize function

Resources

Readme

License

MIT license
Activity

Stars

6 stars

Watchers

1 watching

Forks

1 fork
Report repository

Releases

No releases published

Packages

No packages published

Languages