kubo / injector Goto Github PK

Hey @kubo,

Love your tool so much and tend to use it for my experiments! I was just wondering, is it possible to pass an argument to a shared object which is being injected. For example, I need to pass sockfd which is int to my init function.

__attribute__((constructor))
void init(int sockfd)
{
... snip ...
}

How can I do this? Or, if it can be implemented, can you suggest me how to do this and I fork your repository and add this by myself.

I also found injector_call, but it works only with void(*)(void), I just want to add a support for void(*)(int). Is it possible?

I really need this for my new project, so I'll be glad if you help me.

Thanks in advance.

P.S. Another question that comes to my mind: Will injector work within statically linked executable (compiled with libinjector and -static)?

P.P.S. I checked it with -static and it works. It's a surprise for me, because I thought that dlopen works only with dynamic linking. Turns out, if you compile cmd/main.c with -static injection will work.

Hey, thanks for making this!

I have a suggestion to add an API to either let users set the regex or set the full path of libc in case of weird paths/names/versioning. The regex works reasonably well but I don't think we'll be able to catch them all?

I'm trying to inject into the provided test target with the test library and I haven't been able to do it successfully, image here. I'm fairly sure the error stems from the injector__call_function function in remote_call.c but I don't have the C knowledge to figure out a fix.

Once in about 30 injections (seems random, hard to reproduce) the target process will pause and the shared object will not get injected. Any signal send to target will resume it and injector will print The target process unexpectedly stopped by signal <signum>.

Another try will result in crash of the target with error Inconsistency detected by ld.so: dl-open.c: 272: dl_open_worker: Assertion _dl_debug_initialize (0, args->nsid)->r_state == RT_CONSISTENT' failed!.

I inject the same .so, but with different names to the same process.

My system:

Ubuntu 18.04.5 LTS
x86_64
gcc 7.5.0

it seems not work because glibc changed

I installed UserLand (v2.7.3) on my android phone, lxde desktop. Target process after injection fails with an error "Trace/breakpoint trap". Arch: aarch64, linux kernel version 3.18.71

Hi !
When i try running the injector on ubuntu i get the following error.
Could you explain me whats going on here?
Thx in advance!
failed to open /run/host/usr/lib/x86_64-linux-gnu/libc.so.6. (dev:0x811, ino:9439334)

In include/injector.h, both INJERR_NO_LIBRARY and INJERR_NO_FUNCTION are defined as -4 which makes return values ambiguous.

System info:

OS: Ubuntu 21.10 x86_64
Kernel: 5.13.0-28-generic
Uptime: 3 hours, 1 min
Packages: 2677 (dpkg), 17 (snap)
Shell: bash 5.1.8
Resolution: 3840x2160
WM: Mutter
WM Theme: Adwaita
Theme: Adwaita [GTK3]
Icons: Adwaita [GTK3]
Terminal: gnome-terminal
CPU: AMD Ryzen 5 1600 (12) @ 3.500GHz
GPU: NVIDIA GeForce GTX 1060 6GB

Command:

$ ./injector -p [PID] [.DLL name here]

Error:

targeting process with pid [PID]
Could not find libc

It would be great to add support RISC-V architecture

Hi, @kubo

I found your tool very useful. Frankly, I have started developing a project where I want to use injector as a dependency for injecting shared libraries to a processes. So, I am just curious about if will you implement MIPS support to it? It will be great to have an ability to do injecting on embedded devices with this architecture.

Thanks,
Ivan Nikolsky (@enty8080)

Hi
can you add option to run app with injection shared library on start?
for sample, we start app in freeze mode (as fork() + ptrace(PTRACE_TRACEME, 0, 0, 0) + execv),
after waiting SIGTRAP, do inject shared library and continue execute app?
(as for windows like CreateProcess suspend and inject)
I think this will be very helpful options too. Thanks

Hey @kubo, I was wondering if we could implement safe injection on linux (without the deadlock risk, etc.). One solution that comes to mind is modifying the shellcode to first fork, and then dlopen in the new thread as done here and written here. This will also make injection behavior on Linux more similar to Windows and Mac, in which injector loads the shared library in a new thread.

What do you think?

I have a Linux 3.10.79 embedded system with glibc-2.18 running on an armv7l processor. When I use the injector on any process, the process crashes with a segfault.

Running the target process with LD_DEBUG=all only yields:

  7198:     file=/path/to/my/lib.so [0];  dynamically loaded by /lib/libc.so.6 [0]
  7198:     file=/path/to/my/lib.so [0];  generating link map

The fault address is this line in _dl_map_object_from_fd, more specifically in the STR instruction for the statement. At the time of crash, the stack pointer points to like -0x800 bytes to the top of the stack that was mmaped by the injector, so that seems alright at least.

The variable it tries to store to is in this mapped area:

b6f15000-b6f16000 r-xp 0001e000 fe:01 281        /lib/ld-2.18.so

Does /proc/pid/maps accurately reflect the access rights at runtime (even if they were changed after the initial mapping)? Then it would explain the segfault since it's not writable. It seems to be the .data.rel.ro segment. A test program I compiled can call dlopen on the same library just fine though, so it doesn't seem to be a general issue with the system.

failed to open /usr/lib/x86_64-linux-gnu/libc-2.31.so.(error: No such file or directory).

sudo snap install libreoffice

env:
NAME="Ubuntu"
VERSION="20.04.1 LTS (Focal Fossa)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 20.04.1 LTS"
VERSION_ID="20.04"
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
VERSION_CODENAME=focal
UBUNTU_CODENAME=focal

x86_64

cc (Ubuntu 9.4.0-1ubuntu1~20.04.1) 9.4.0

injector_uninject succeeds even though it doesn't unload libraries when the libc is musl. That's because musl's dlclose is a no-op. See https://wiki.musl-libc.org/functional-differences-from-glibc.html#Unloading_libraries

Same code, not work on a vm machine which is win10 2016 Enterprise Edition . Any possible reason I should check?

could this be used to inject dlls into a wine process?

Hi @kubo ,

Can you please add rule to compile windows sources using mingw cross-compiler if it is possible.

I love this tool a lot BTW.

Regards,
Ivan Nikolsky (@enty8080)

Same code, on two pc, one work and one not.
The error msg from injector_error() is:

LoadLibrary in the target process failed: Invalid access to memory location.

What's the maybe reason..

Currently injector only support inject library to existing process.
So, possible to create new process (suspend) and inject?

Also support set parameter and environment from command line.

Thanks for your great job! It work prefect.

However I'm new to windows api, and I now want to uninject the injected success lib. Can I do this, and how, thanks.

Support macos too.

It would be great to add support PowerPC architecture

Hi, @kubo

May I ask you if it is possible to inject a shared object library from buffer instead of from the disk. It might be useful when you don't have access to the file system. Moreover, it would be useful if you don't want to write object to disk in order to inject it.

Is it hard to achieve? How can it be done?

Thanks in advance,
Ivan Nikolskiy (@enty8080)