
@X-C3LL
Created December 28, 2022 15:28
Crappy script to generate signatures to be used on memdlopen
#!/usr/bin/env python3
# Author: Juan Manuel Fernandez (@TheXC3LL)
import sys
import r2pipe
import binascii
# radare2 flag names of the functions whose call sites get a signature.
# Edit this list to match the symbols present in the ld.so being analysed.
targets = [
    "sym.__GI___close_nocancel",
    "sym.__read_nocancel",
    "sym.__open_nocancel",
    "sym.__mmap",
    "sym.__GI___fstat64",
]
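def usage():
    """Print the expected command line and terminate the script.

    Exits with status 1 so that a wrong invocation is reported to the calling
    shell as a failure rather than as success.

    Raises:
        SystemExit: always.
    """
    print("python3 hookity.py <ld.so-with-symbols>")
    # sys.exit() instead of the exit() helper: the latter is injected by the
    # site module for interactive use and is missing under `python -S`.
    sys.exit(1)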
def location(r2, symbol):
    """Return radare2's cross-references to *symbol*.

    Sends ``axtj <symbol>`` through the r2pipe session and hands back the
    decoded JSON unchanged; the caller reads the ``"from"`` key of each entry.
    """
    query = "axtj " + symbol
    return r2.cmdj(query)
def verify(r2, sig):
    """Check that a byte sequence occurs exactly once in the opened binary.

    Args:
        r2: open r2pipe session.
        sig: iterable of byte values (0-255), as produced by ``pxj``.

    Returns:
        The sequence as a lowercase hex string when the ``/xj`` search
        reports exactly one hit, otherwise ``-1``.
    """
    pattern = bytes(sig).hex()
    matches = r2.cmdj("/xj " + pattern)
    # A usable signature must be unambiguous: no hit and several hits are
    # both rejected.
    return pattern if len(matches) == 1 else -1
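def signature(r2, addr):
    """Find the shortest unique byte signature that ends at *addr*.

    Reads windows of 6 to 29 bytes whose last byte is the byte at *addr* and
    returns the first one that ``verify`` reports as unique in the binary.

    Args:
        r2: open r2pipe session.
        addr: integer address of the cross-reference (the ``"from"`` value
            of an ``axtj`` entry).

    Returns:
        The hex string of the first unique window, or ``-1`` when no length
        in the range yields a unique match.
    """
    for length in range(6, 30):
        start = addr - length + 1
        window = r2.cmdj("pxj " + str(length) + " @ " + str(start))
        candidate = verify(r2, window)
        # Stop only on a unique hit. Returning unconditionally here would end
        # the search after the 6-byte attempt and never try longer windows.
        if candidate != -1:
            return candidate
    return -1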
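if __name__ == "__main__":
    # Script entry point: open the binary given on the command line, run
    # radare2's basic analysis and print one `symbol:hex:length` line for each
    # target that yields a unique signature.
    print("\t\t-=[ Hookity - @TheXC3LL ]=-\n\n")
    if len(sys.argv) != 2:
        usage()
    print("[*] Opening " + sys.argv[1])
    r2 = r2pipe.open(sys.argv[1])
    try:
        print("[*] Analyzing file...")
        r2.cmd("aa")
        print("-------[ Signatures ]-------")
        for symbol in targets:
            # cmdj() can return None when radare2 emits no parsable JSON
            # (presumably the case for a symbol absent from this build);
            # treat that as "no references" instead of failing on iteration.
            addrs = location(r2, symbol) or []
            for addr in addrs:
                found = signature(r2, addr["from"])
                if found != -1:
                    # Two hex digits per byte, so the byte count is half the
                    # length of the hex string.
                    print(symbol + ":" + found + ":" + str(len(found) // 2))
                    break
    finally:
        # Shut down the spawned radare2 process even if analysis fails.
        r2.quit()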
➜ research python3 hookity.py ef896a699bb1c2e4e231642b2e1688b2f1a61e.debug 2>/dev/null
-=[ Hookity - @TheXC3LL ]=-
[*] Opening ef896a699bb1c2e4e231642b2e1688b2f1a61e.debug
[*] Analyzing file...
-------[ Signatures ]-------
sym.__GI___close_nocancel:45e04489ffe8:6
sym.__open_nocancel:ec98000000e8:6
sym.__mmap:9d20ffffffe8:6
sym.__GI___fstat64:85f0feffffe8:6