Last active
July 6, 2019 16:15
-
-
Save integeruser/f34e8afa8bbca14c10f0703376cbc881 to your computer and use it in GitHub Desktop.
Use LIEF and ctypes to execute functions in executables from Python
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python3 | |
| import ctypes | |
| if __name__ == "__main__": | |
| # $ ./export.py ./playground 0x0000000000000778 f3 | |
| playground = ctypes.CDLL("./playground-f1") | |
| res = playground.f1(1, 2) | |
| print(res) | |
| print() | |
| # $ ./export.py ./playground 0x000000000000073e f2 | |
| playground = ctypes.CDLL("./playground-f2") | |
| playground.f2.argtypes = [ctypes.c_char_p] | |
| playground.f2.restype = ctypes.c_void_p | |
| buf = ctypes.create_string_buffer(b"Hello, World!") | |
| print(buf.value) | |
| res = playground.f2(buf) | |
| print(hex(res)) | |
| print(ctypes.cast(res, ctypes.c_char_p).value) | |
| print(buf.value) | |
| print() | |
| # $ ./export.py ./playground 0x000000000000071a f1 | |
| playground = ctypes.CDLL("./playground-f3") | |
| class s3(ctypes.Structure): | |
| _fields_ = [("a", ctypes.c_int), ("b", ctypes.c_char_p)] | |
| playground.f3(s3(10, b"Hello, World!")) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python2 | |
| # -*- coding: utf-8 -*- | |
| import argparse | |
| import lief | |
| if __name__ == "__main__": | |
| parser = argparse.ArgumentParser() | |
| parser.add_argument("executable", type=argparse.FileType()) | |
| parser.add_argument("func_address", type=lambda address: int(address, 0)) | |
| parser.add_argument("func_name") | |
| args = parser.parse_args() | |
| executable_filepath = args.executable.name | |
| executable = lief.parse(executable_filepath) | |
| executable.add_exported_function(args.func_address, args.func_name) | |
| new_executable_filepath = "{}-{}".format(executable_filepath, args.func_name) | |
| executable.write(new_executable_filepath) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include <stdio.h> | |
| #include <string.h> | |
| // gcc -o playground playground.c | |
| /* ************************************************************************** */ | |
| int f1(int a, int b) | |
| { | |
| printf("f1()\n"); | |
| return a + b; | |
| } | |
| /* ************************************************************************** */ | |
| void *f2(void *s) | |
| { | |
| printf("f2()\n"); | |
| return memset(s, 0x41, strlen(s)); | |
| } | |
| /* ************************************************************************** */ | |
| struct s3 | |
| { | |
| int a; | |
| char *b; | |
| }; | |
| void f3(struct s3 s) | |
| { | |
| printf("f3()\n"); | |
| printf("s.a: %d\n", s.a); | |
| printf("s.b: %s\n", s.b); | |
| } | |
| /* ************************************************************************** */ | |
| int main(int argc, char const *argv[]) | |
| { | |
| return 0; | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment