Merge pull request #3 from postmanlabs/elf

Reimplement ELF support

Author: robertgzr

README.markdown

@@ -65,53 +65,6 @@ The run-time lookup uses APIs from `<mach-o/getsect.h>`.
 
 ### Linux
 
-For ELF executables, the resources are added as sections. Unfortunately
-there is no guaranteed metadata about sections in the ELF format, the
-section header table (SHT) is optional and can be stripped after linking
-(`llvm-strip --strip-sections`). So while the resources are added as
-sections, the run-time lookup requires a bespoke implementation, which
-makes it the most complex and non-standard out of the platforms. There
-are N+1 sections used for the implementation, where the extra section
-serves as our own version of the SHT (which can't be stripped). Finding
-the SHT section at run-time is done via a static pointer in the code
-which is looked up by its symbol name and has its value updated after
-the sections are injected.
-
-The build-time equivalent is somewhat involved since our version of
-the SHT has to be manually constructed after adding the sections, and
-the section updated with the new content. There's also not a standard
-tool that can change the value of a static variable after linking, so
-instead the SHT is found by a symbol which is added via
-`objcopy --binary-architecture`. The following instructions show how
-to embed the binary data at build-time for ELF executables, with the
-section holding the data name "foobar":
+For ELF executables, the resources are added as notes.
 
-```sh
-# The binary data should be on disk in a file named foobar - the name
-# of the file is important as it is used in the added symbols
-$ objcopy --input binary --output elf64-x86-64 \
-  --binary-architecture i386:x86-64 \
-  --rename-section .data=foobar,CONTENTS,ALLOC,LOAD,READONLY,DATA \
-  foobar foobar.o
-# Also create an empty section for the SHT
-$ objcopy --input binary --output elf64-x86-64 \
-  --binary-architecture i386:x86-64 \
-  --rename-section .data=foobar,CONTENTS,ALLOC,LOAD,READONLY,DATA \
-  postject_sht postject_sht.o
-# Link the created .o files at build-time. Also define
-# `__POSTJECT_NO_SHT_PTR` so that the run-time code uses the
-# symbol added by `--binary-architecture` to find the SHT
-$ clang++ -D__POSTJECT_NO_SHT_PTR test.cpp foobar.o postject_sht.o
-# Dump the sections with readelf, and grab the virtual address and
-# size for the "foobar" section
-$ readelf -S a.out
-# Manually create the SHT - replace 0xAA with the virtual address
-# and 0xBB with the size from the readelf output
-$ python3 -c "import struct; print((struct.pack('<I', 1) + bytes('foobar', 'ascii') + bytes([0]) + struct.pack('<QI', 0xAA, 0xBB)).decode('ascii'), end='');" > postject_sht
-# Update the SHT section with the correct content
-$ objcopy --update-section postject_sht=postject_sht a.out
-```
-
-The run-time lookup finds our version of the SHT through the static
-pointer, and then parses the contents of our SHT to look for the
-section with the requested name.
+The build-time equivalent is to use a linker script.

examples/test.c

@@ -3,10 +3,6 @@
 
 #include "../postject-api.h"
 
-#if defined(__linux__) && !defined(__POSTJECT_NO_SHT_PTR)
-volatile void *_binary_postject_sht_start = (void *)POSTJECT_SHT_PTR_SENTINEL;
-#endif
-
 int main()
 {
 	size_t size;

examples/test.cpp

@@ -3,10 +3,6 @@
 
 #include "../postject-api.h"
 
-#if defined(__linux__) && !defined(__POSTJECT_NO_SHT_PTR)
-volatile void *_binary_postject_sht_start = (void *)POSTJECT_SHT_PTR_SENTINEL;
-#endif
-
 int main()
 {
 	size_t size;

postject-api.h

@@ -11,23 +11,14 @@
 #include <mach-o/dyld.h>
 #include <mach-o/getsect.h>
 #elif defined(__linux__)
+#include <elf.h>
 #include <link.h>
+#include <sys/param.h>
+#include <sys/auxv.h>
 #elif defined(_WIN32)
 #include <windows.h>
 #endif
 
-#if defined(__linux__)
-// NOTE - This needs to be a sentinel value, if it's initialized to
-//        NULL then it won't have a spot in the executable to change
-#define POSTJECT_SHT_PTR_SENTINEL 0000000001
-extern volatile void* _binary_postject_sht_start;
-
-struct postject_elf_section {
-  uint64_t virtual_address;  // Don't use a pointer here, standardize size
-  uint32_t size;
-};
-#endif
-
 struct postject_options {
   const char* elf_section_name;
   const char* macho_framework_name;
@@ -101,49 +92,53 @@ static const void* postject_find_resource(const char* name,
 
   return ptr;
 #elif defined(__linux__)
-  void* ptr = NULL;
-
-  // This executable might be a Position Independent Executable (PIE), so
-  // the virtual address values need to be added to the relocation address
-  uintptr_t relocation_addr = _r_debug.r_map->l_addr;
-
-  if (_binary_postject_sht_start != (void*)POSTJECT_SHT_PTR_SENTINEL) {
-#if defined(__POSTJECT_NO_SHT_PTR)
-    void* sht_ptr = (void*)&_binary_postject_sht_start;
-#else
-    void* sht_ptr =
-        (void*)(relocation_addr + (uintptr_t)_binary_postject_sht_start);
-#endif
+	void *ptr = NULL;
+
+	if (options != NULL && options->elf_section_name != NULL) {
+		name = options->elf_section_name;
+	}
+
+	uintptr_t p = getauxval(AT_PHDR);
+	size_t n = getauxval(AT_PHNUM);
+	uintptr_t base_addr = p - sizeof(ElfW(Ehdr));
+
+	// iterate program header
+	for (; n > 0; n--, p += sizeof(ElfW(Phdr))) {
+		ElfW(Phdr) *phdr = (ElfW(Phdr) *)p;
+
+		// skip everything but notes
+		if (phdr->p_type != PT_NOTE) {
+			continue;
+		}
+
+		// note segment starts at base address + segment virtual address
+		uintptr_t pos = (base_addr + phdr->p_vaddr);
+		uintptr_t end = (pos + phdr->p_memsz);
+
+		// iterate through segment until we reach the end
+		while (pos < end) {
+			if (pos + sizeof(ElfW(Nhdr)) > end) {
+				break; // invalid
+			}
+
+			ElfW(Nhdr) *note = (ElfW(Nhdr) *)(uintptr_t)pos;
+			if (note->n_namesz != 0 && note->n_descsz != 0 &&
+			    strncmp((char *)(pos + sizeof(ElfW(Nhdr))),
+				    (char *)name, sizeof(name)) == 0) {
+				*size = note->n_descsz;
+				// advance past note header and aligned name
+				// to get to description data
+				return (void *)((uintptr_t)note +
+						sizeof(ElfW(Nhdr)) +
+						roundup(note->n_namesz, 4));
+			}
+
+			pos += (sizeof(ElfW(Nhdr)) + roundup(note->n_namesz, 4) +
+				roundup(note->n_descsz, 4));
+		}
+	}
+	return NULL;
 
-    // First read the section count
-    uint32_t section_count = *((uint32_t*)sht_ptr);
-    sht_ptr = (uint32_t*)sht_ptr + 1;
-
-    uint32_t i;
-    for (i = 0; i < section_count; i++) {
-      // Read the section name as a null-terminated string
-      const char* section_name = (const char*)sht_ptr;
-      sht_ptr = (char*)sht_ptr + strlen(section_name) + 1;
-
-      // Then read the virtual_address (8 bytes)
-      uint64_t virtual_address = *((uint64_t*)sht_ptr);
-      sht_ptr = (uint64_t*)sht_ptr + 1;
-
-      // Finally read the section size (4 bytes)
-      uint32_t section_size = *((uint32_t*)sht_ptr);
-      sht_ptr = (uint32_t*)sht_ptr + 1;
-
-      if (strcmp(section_name, name) == 0) {
-        if (size != NULL) {
-          *size = (size_t)section_size;
-        }
-        ptr = (void*)(relocation_addr + (uintptr_t)virtual_address);
-        break;
-      }
-    }
-  }
-
-  return ptr;
 #elif defined(_WIN32)
   void* ptr = NULL;
   char* resource_name = NULL;

postject.py

@@ -59,103 +59,21 @@ def get_executable_format(filename):
 def inject_into_elf(filename, section_name, data, overwrite=False):
     app = lief.ELF.parse(filename)
 
-    struct_endian_char = ">"
-
-    if app.header.identity_data == lief.ELF.ELF_DATA.LSB:
-        struct_endian_char = "<"
-
-    existing_section = app.get_section(section_name)
+    existing_section = None
+    for note in app.notes:
+        if note.name == section_name:
+            existing_section = note
 
     if existing_section:
         if not overwrite:
             return False
 
-        app.remove_section(section_name, clear=True)
-
-    # Create the new section we're injecting
-    section = lief.ELF.Section()
-    section.name = section_name
-    section.content = data
-    section.add(lief.ELF.SECTION_FLAGS.ALLOC)  # Ensure it's loaded into memory
-
-    # Important to use the return value to get the updated
-    # information like the virtual address, LIEF is returning
-    # a separate object instead of updating the existing one
-    section = app.add(section)
-
-    sections = [section]
-
-    # The contents of our SHT section are laid out as:
-    # * section count (uint32)
-    # * N sections:
-    #   * name as a null-terminated string
-    #   * virtual address (uint64)
-    #   * section size (uint32)
-    postject_sht = app.get_section("postject_sht")
-
-    if postject_sht:
-        contents = postject_sht.content
-
-        section_count = struct.unpack(f"{struct_endian_char}I", contents[:4])[0]
-        idx = 4
-
-        for _ in range(section_count):
-            name = ""
-
-            while True:
-                ch = contents[idx]
-                idx += 1
-
-                if ch != 0:
-                    name += chr(ch)
-                else:
-                    break
-
-            # We're already overwriting this section
-            if name == section_name:
-                continue
+        app.remove(note)
 
-            section = app.get_section(name)
-
-            if not section:
-                raise RuntimeError("Couldn't find section listed in our SHT")
-            else:
-                sections.append(section)
-
-            idx += 12  # Skip over the other info
-
-        app.remove_section("postject_sht", clear=True)
-
-    section_count = struct.pack(f"{struct_endian_char}I", len(sections))
-    content_bytes = section_count
-
-    for section in sections:
-        content_bytes += bytes(section.name, "ascii") + bytes([0])
-        content_bytes += struct.pack(f"{struct_endian_char}QI", section.virtual_address, section.size)
-
-    postject_sht = lief.ELF.Section()
-    postject_sht.name = "postject_sht"
-    postject_sht.add(lief.ELF.SECTION_FLAGS.ALLOC)  # Ensure it's loaded into memory
-    postject_sht.content = list(content_bytes)
-
-    postject_sht = app.add(postject_sht)
-
-    # TODO - How do we determine the size of void* from the ELF?
-    # TODO - Why does it appear to only be 4 bytes when sizeof(void*) is showing 8?
-    # TODO - Do we need to care or just let LIEF patch the address and assume it's fine?
-
-    symbol_found = False
-
-    # Find the symbol for our SHT pointer and update the value
-    for symbol in app.symbols:
-        if symbol.demangled_name == "_binary_postject_sht_start":
-            symbol_found = True
-            app.patch_address(symbol.value, postject_sht.virtual_address)
-            break
-
-    if not symbol_found:
-        print("ERROR: Couldn't find symbol")
-        sys.exit(1)
+    note = lief.ELF.Note()
+    note.name = section_name
+    note.description = data
+    note = app.add(note)
 
     app.write(filename)