kubo / injector
Library for injecting a shared library into a Linux or Windows process
License: GNU General Public License v2.0
Hey @kubo,
Love your tool so much and tend to use it for my experiments! I was just wondering, is it possible to pass an argument to a shared object which is being injected? For example, I need to pass sockfd, which is an int, to my init function.
__attribute__((constructor))
void init(int sockfd)
{
... snip ...
}
How can I do this? Or, if it can be implemented, can you suggest to me how to do this, and I'll fork your repository and add it myself.
I also found injector_call, but it works only with void(*)(void); I just want to add support for void(*)(int). Is it possible?
I really need this for my new project, so I'll be glad if you help me.
Thanks in advance.
P.S. Another question that comes to my mind: Will injector work within a statically linked executable (compiled with libinjector and -static)?
P.P.S. I checked it with -static and it works. It's a surprise for me, because I thought that dlopen works only with dynamic linking. Turns out, if you compile cmd/main.c with -static, injection will work.
Hey, thanks for making this!
Line 270 in 6ccf4d4
I have a suggestion to add an API to either let users set the regex or set the full path of libc in case of weird paths/names/versioning. The regex works reasonably well but I don't think we'll be able to catch them all?
I'm trying to inject into the provided test target with the test library and I haven't been able to do it successfully, image here. I'm fairly sure the error stems from the injector__call_function function in remote_call.c, but I don't have the C knowledge to figure out a fix.
Once in about 30 injections (seems random, hard to reproduce) the target process will pause and the shared object will not get injected. Any signal sent to the target will resume it and injector will print The target process unexpectedly stopped by signal <signum>.
Another try will result in a crash of the target with the error Inconsistency detected by ld.so: dl-open.c: 272: dl_open_worker: Assertion _dl_debug_initialize (0, args->nsid)->r_state == RT_CONSISTENT' failed!
I inject the same .so, but with different names, into the same process.
My system:
Ubuntu 18.04.5 LTS
x86_64
gcc 7.5.0
It seems not to work because glibc changed.
I installed UserLand (v2.7.3) on my android phone, lxde desktop. Target process after injection fails with an error "Trace/breakpoint trap". Arch: aarch64, linux kernel version 3.18.71
Hi!
When I try running the injector on Ubuntu I get the following error.
Could you explain to me what's going on here?
Thx in advance!
failed to open /run/host/usr/lib/x86_64-linux-gnu/libc.so.6. (dev:0x811, ino:9439334)
In include/injector.h, both INJERR_NO_LIBRARY and INJERR_NO_FUNCTION are defined as -4, which makes return values ambiguous.
System info:
OS: Ubuntu 21.10 x86_64
Kernel: 5.13.0-28-generic
Uptime: 3 hours, 1 min
Packages: 2677 (dpkg), 17 (snap)
Shell: bash 5.1.8
Resolution: 3840x2160
WM: Mutter
WM Theme: Adwaita
Theme: Adwaita [GTK3]
Icons: Adwaita [GTK3]
Terminal: gnome-terminal
CPU: AMD Ryzen 5 1600 (12) @ 3.500GHz
GPU: NVIDIA GeForce GTX 1060 6GB
Command:
$ ./injector -p [PID] [.DLL name here]
Error:
targeting process with pid [PID]
Could not find libc
It would be great to add support for the RISC-V architecture.
Hi, @kubo
I found your tool very useful. Frankly, I have started developing a project where I want to use injector as a dependency for injecting shared libraries into processes. So, I am just curious whether you will implement MIPS support for it. It will be great to have the ability to do injection on embedded devices with this architecture.
Thanks,
Ivan Nikolsky (@enty8080)
Hi,
can you add an option to run an app with an injected shared library on start?
For example, we start the app in freeze mode (as fork() + ptrace(PTRACE_TRACEME, 0, 0, 0) + execv),
after waiting for SIGTRAP, inject the shared library and continue executing the app?
(as for Windows, like CreateProcess suspended and inject)
I think this will be a very helpful option too. Thanks
Hey @kubo, I was wondering if we could implement safe injection on Linux (without the deadlock risk, etc.). One solution that comes to mind is modifying the shellcode to first fork, and then dlopen in the new thread as done here and written here. This will also make injection behavior on Linux more similar to Windows and Mac, in which injector loads the shared library in a new thread.
What do you think?
I have a Linux 3.10.79 embedded system with glibc-2.18 running on an armv7l processor. When I use the injector on any process, the process crashes with a segfault.
Running the target process with LD_DEBUG=all only yields:
7198: file=/path/to/my/lib.so [0]; dynamically loaded by /lib/libc.so.6 [0]
7198: file=/path/to/my/lib.so [0]; generating link map
The fault address is this line in _dl_map_object_from_fd, more specifically in the STR instruction for the statement. At the time of the crash, the stack pointer points to about -0x800 bytes from the top of the stack that was mmaped by the injector, so that seems alright at least.
The variable it tries to store to is in this mapped area:
b6f15000-b6f16000 r-xp 0001e000 fe:01 281 /lib/ld-2.18.so
Does /proc/pid/maps accurately reflect the access rights at runtime (even if they were changed after the initial mapping)? Then it would explain the segfault, since it's not writable. It seems to be the .data.rel.ro segment. A test program I compiled can call dlopen on the same library just fine though, so it doesn't seem to be a general issue with the system.
failed to open /usr/lib/x86_64-linux-gnu/libc-2.31.so.(error: No such file or directory).
sudo snap install libreoffice
env:
NAME="Ubuntu"
VERSION="20.04.1 LTS (Focal Fossa)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 20.04.1 LTS"
VERSION_ID="20.04"
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
VERSION_CODENAME=focal
UBUNTU_CODENAME=focal
x86_64
cc (Ubuntu 9.4.0-1ubuntu1~20.04.1) 9.4.0
injector_uninject succeeds even though it doesn't unload libraries when the libc is musl. That's because musl's dlclose is a no-op. See https://wiki.musl-libc.org/functional-differences-from-glibc.html#Unloading_libraries
Same code does not work on a VM running Win10 2016 Enterprise Edition. Any possible reason I should check?
C:\Users\alex\CLionProjects\SDScriptHook\vendor\dllinjector\src\windows\injector.c: In function 'funcaddr':
C:\Users\alex\CLionProjects\SDScriptHook\vendor\dllinjector\src\windows\injector.c:395:12: warning: implicit declaration of function 'bsearch_s'; did you mean 'bsearch'? [-Wimplicit-function-declaration]
395 | name = bsearch_s((void*)"LoadLibraryW", names, exp->NumberOfNames, sizeof(DWORD), cmp_func, (void*)rva_to_va);
| ^~~~~~~~~
| bsearch
C:\Users\alex\CLionProjects\SDScriptHook\vendor\dllinjector\src\windows\injector.c:395:10: warning: assignment to 'const DWORD *' {aka 'const long unsigned int *'} from 'int' makes pointer from integer without a cast [-Wint-conversion]
395 | name = bsearch_s((void*)"LoadLibraryW", names, exp->NumberOfNames, sizeof(DWORD), cmp_func, (void*)rva_to_va);
| ^
C:\Users\alex\CLionProjects\SDScriptHook\vendor\dllinjector\src\windows\injector.c:403:10: warning: assignment to 'const DWORD *' {aka 'const long unsigned int *'} from 'int' makes pointer from integer without a cast [-Wint-conversion]
403 | name = bsearch_s((void*)"FreeLibrary", names, exp->NumberOfNames, sizeof(DWORD), cmp_func, (void*)rva_to_va);
| ^
C:\Users\alex\CLionProjects\SDScriptHook\vendor\dllinjector\src\windows\injector.c:411:10: warning: assignment to 'const DWORD *' {aka 'const long unsigned int *'} from 'int' makes pointer from integer without a cast [-Wint-conversion]
411 | name = bsearch_s((void*)"GetLastError", names, exp->NumberOfNames, sizeof(DWORD), cmp_func, (void*)rva_to_va);
| ^
Could this be used to inject DLLs into a Wine process?
Same code on two PCs: one works and one does not.
The error msg from injector_error() is:
LoadLibrary in the target process failed: Invalid access to memory location.
What might be the reason?
Currently injector only supports injecting a library into an existing process.
So, is it possible to create a new (suspended) process and inject?
Also, support setting parameters and environment from the command line.
Thanks for your great job! It works perfectly.
However, I'm new to the Windows API, and I now want to uninject the successfully injected lib. Can I do this, and how? Thanks.
Support macOS too.
It would be great to add support for the PowerPC architecture.
Hi, @kubo
May I ask you if it is possible to inject a shared object library from a buffer instead of from the disk? It might be useful when you don't have access to the file system. Moreover, it would be useful if you don't want to write the object to disk in order to inject it.
Is it hard to achieve? How can it be done?
Thanks in advance,
Ivan Nikolskiy (@enty8080)