patchelf
Program header editing features
I've been working on a feature for my software which lets me embed arbitrary files in ELF executables in such a way that they get loaded by the operating system automatically. A block of arbitrary data is concatenated to the ELF, a PT_LOAD segment is created for it and it becomes reachable via the auxiliary vector.
Getting the existing linkers to create these sections has been difficult. It is easier to patch the section in after the fact with tools such as patchelf.
Would you be interested in supporting the ELF file embedding use case directly? It could work like this:
patchelf --add-loadable-file-segment /my/file /my/elf
That would append /my/file to /my/elf and add a PT_LOAD segment covering it.
It would also be extremely useful to have options to add PT_NULL segments for further processing with custom tools:
patchelf --append-null-phdr /my/elf
patchelf --append-null-phdrs 2 /my/elf
Linker support for this is emerging. I recently suggested similar features to linkers and achieved mixed success. The mold maintainer responded by implementing a --spare-program-headers=N feature which will be included in the next release. ld maintainers do not seem to be interested.
Links:
Also lld/ELF.
A post-link tool implementing the feature is definitely the right direction. In a lot of cases, the user using a post-link tool has limited control over the link process, so a linker option isn't too useful.
@MaskRay I'd be happy to help add this feature to patchelf. Are you familiar with the codebase?
I'd like to voice my support for features enabling extra program headers. We've been working on the ability to add post-hoc targeted security micropatches (on possibly opaque binary blobs) and have not found a good solution for getting extra code into the binary after linking. This feature and ones like it could help a lot.

A common technique I've seen is to clobber a PT_NOTE section or modify an existing PT_LOAD segment header to get a bit more space. See for example:
https://ofrak.com/docs/reference/ofrak/core/elf/load_alignment_modifier.html
https://github.com/angr/patcherex/blob/a6c6a70c463a86415e2a571bbaef898336233bc9/patcherex/backends/detourbackends/_elf.py#L104
These techniques are also seen in the virus community (see for example https://tmpout.sh/3/03.html).

Having an off-the-shelf solution would be a big help. It'd also be nice if linkers could support this (legitimate) use case proactively. If there is interest in patchelf accepting functionality like this, I would be interested in working on it.
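The layout the issue describes (a blob concatenated after the linked file and covered by a new PT_LOAD, with spare PT_NULL entries as the room for its header) and the post-link patching techniques mentioned above leave a recognisable trace in the program header table, so a defender can check for them. The following is an added example, not code from patchelf or from either commenter: a small auditor that parses a little-endian ELF64 program header table, reports PT_NULL slots and any PT_LOAD whose file range lies past the section header table, and runs over a constructed image (the blob and all offsets are made up for the demonstration).

```python
import struct

PT_NULL, PT_LOAD = 0, 1
EHDR = "<16sHHIQQQIHHHHHH"   # Elf64_Ehdr, little-endian, 64 bytes
PHDR = "<IIQQQQQQ"          # Elf64_Phdr, 56 bytes
PH_FIELDS = ("type", "flags", "offset", "vaddr", "paddr", "filesz", "memsz", "align")

def read_phdrs(data):
    """Parse the ELF header and program header table of a little-endian ELF64 image."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("only little-endian ELF64 is handled here")
    e = struct.unpack_from(EHDR, data, 0)
    hdr = {"phoff": e[5], "shoff": e[6], "phentsize": e[9], "phnum": e[10],
           "shentsize": e[11], "shnum": e[12]}
    phdrs = [dict(zip(PH_FIELDS, struct.unpack_from(PHDR, data, hdr["phoff"] + i * hdr["phentsize"])))
             for i in range(hdr["phnum"])]
    return hdr, phdrs

def audit(data):
    """Report spare PT_NULL slots (room for a new segment without moving the PHT) and
    PT_LOAD segments whose file bytes lie past the section header table, the usual
    signature of data concatenated to an already linked ELF."""
    hdr, phdrs = read_phdrs(data)
    spare = [i for i, p in enumerate(phdrs) if p["type"] == PT_NULL]
    appended = []
    if hdr["shoff"]:   # without a section table the original file end is unknown
        sh_end = hdr["shoff"] + hdr["shnum"] * hdr["shentsize"]
        appended = [i for i, p in enumerate(phdrs)
                    if p["type"] == PT_LOAD and p["offset"] + p["filesz"] > sh_end]
    return {"spare_slots": spare, "appended_loads": appended}

def build_sample(blob=b"constructed embedded file\n"):
    """Constructed image (not a real binary): one ordinary PT_LOAD, one spare PT_NULL
    slot, and a blob appended after a one-entry section table, covered by a third PT_LOAD."""
    shoff, sh_end = 0x1000, 0x1000 + 64
    phdrs = [
        struct.pack(PHDR, PT_LOAD, 5, 0, 0x400000, 0x400000, 0x1000, 0x1000, 0x1000),
        struct.pack(PHDR, PT_NULL, 0, 0, 0, 0, 0, 0, 0),
        struct.pack(PHDR, PT_LOAD, 4, sh_end, 0x400000 + sh_end, 0x400000 + sh_end,
                    len(blob), len(blob), 0x1000),
    ]
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)   # ELFCLASS64, little-endian
    ehdr = struct.pack(EHDR, ident, 2, 62, 1, 0x400000, 64, shoff, 0, 64, 56, len(phdrs), 64, 1, 0)
    image = ehdr + b"".join(phdrs)
    return image + bytes(sh_end - len(image)) + blob   # zero padding stands in for code and the section table

if __name__ == "__main__":
    print(audit(build_sample()))   # {'spare_slots': [1], 'appended_loads': [2]}
```

Point `audit()` at `open(path, "rb").read()` to run it over a real binary; a PT_LOAD flagged as appended is worth comparing against the file's section headers before drawing conclusions, since packers and some toolchains also place data there.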
https://github.com/NixOS/patchelf/pull/544 I'll note that this pull request seems like it is one step towards segment header editing capabilities.
@philzook58 Absolutely. Moving the PHT to the end of the file is one way to implement this. I tried to do it myself but wasn't completely successful, hopefully a developer more familiar with the patchelf code will succeed.