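/*
 * 0x4553 - ElectronicSouls - 0x4553
 * search in a binary or core dump for a user supplied string and get the
 * exact location in memory.
 * idea is based on sectorx's segment.c which is much better, but this was
 * made for fun and works well so wtf :)
 */

/*
 * NOTE(review): the header names after each #include were lost from this
 * listing; the set below is reconstructed from the identifiers the code uses.
 */
#include <elf.h>
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/*
 * Read up to len bytes from fd into buf, retrying after short reads and
 * EINTR.  Returns the number of bytes actually read (less than len only at
 * end of file) or -1 on a read error.
 */
static ssize_t read_full(int fd, void *buf, size_t len)
{
    size_t got = 0;

    while (got < len) {
        ssize_t n = read(fd, (char *)buf + got, len - got);

        if (n < 0) {
            if (errno == EINTR) {
                continue;
            }
            return -1;
        }
        if (n == 0) {
            break; /* end of file */
        }
        got += (size_t)n;
    }
    return (ssize_t)got;
}

/*
 * Print the ELF identification bytes and the file type of the file open on
 * fd to stderr.  Exits with status 1 when the header cannot be read or the
 * type is neither an executable nor a core file.
 */
void Header(int fd)
{
    Elf32_Ehdr ehdr;

    /* A failed or short read would otherwise leave ehdr uninitialised. */
    if (lseek(fd, 0, SEEK_SET) == (off_t)-1 ||
        read_full(fd, &ehdr, sizeof ehdr) != (ssize_t)sizeof ehdr) {
        fprintf(stderr, "error! read() failed..\n");
        exit(1);
    }

    fprintf(stderr, "ELF Binary Header:\n");
    /* e_ident is a fixed EI_NIDENT-byte array taken from the file and need
     * not contain a NUL, so the print is bounded instead of using bare %s. */
    fprintf(stderr, "ident..: %.*s\n", EI_NIDENT, (const char *)ehdr.e_ident);
    fprintf(stderr, "type...: ");

    /* All diagnostics go to stderr; the type name used to go to stdout. */
    switch (ehdr.e_type) {
    case ET_EXEC:
        fprintf(stderr, "Executable\n");
        break;
    case ET_CORE:
        fprintf(stderr, "Core\n");
        break;
    default:
        fprintf(stderr, "Invalid File!\n");
        exit(1);
    }
    fprintf(stderr, "\n");
}

/*
 * Usage: prog [core] [string]
 *
 * Loads a 32-bit ELF executable or core file, walks its program headers and
 * reports the virtual address of every occurrence of the string inside the
 * file-backed part of each segment.
 *
 * The input file is treated as untrusted: every offset and size taken from
 * it is checked against the number of bytes actually read before it is used
 * to index the buffer, so a truncated or malformed file cannot cause an
 * out-of-bounds read.
 *
 * Returns 0 on success and -1 on a usage, I/O or format error.
 */
int main(int argc, char *argv[])
{
    const char *prog = (argc > 0 && argv[0] != NULL) ? argv[0] : "memlocate";
    const char *needle;
    size_t needle_len;
    struct stat st;
    Elf32_Ehdr ehdr;
    char *file_buf = NULL;
    size_t file_size;
    ssize_t got;
    int fd;
    int rc = -1;

    fprintf(stderr, "\n[MemLocate]\n");

    /* An empty search string would match at every offset, so it is treated
     * as a usage error. */
    if (argc < 3 || argv[2][0] == '\0') {
        fprintf(stderr, "%s [core] [string]\n", prog);
        return -1;
    }
    needle = argv[2];
    needle_len = strlen(needle);

    fd = open(argv[1], O_RDONLY);
    if (fd < 0) {
        fprintf(stderr, "Unable to open file!\n");
        return -1;
    }

    if (fstat(fd, &st) < 0) {
        fprintf(stderr, "error! fstat() failed..\n");
        goto out;
    }
    /* st_size is only meaningful for regular files, and Elf32 offsets are
     * 32 bits wide, so anything smaller than a header or larger than 4 GiB
     * cannot be a usable input. */
    if (!S_ISREG(st.st_mode) ||
        st.st_size < (off_t)sizeof(Elf32_Ehdr) ||
        (uintmax_t)st.st_size > UINT32_MAX) {
        fprintf(stderr, "Invalid File!\n");
        goto out;
    }
    file_size = (size_t)st.st_size;

    file_buf = malloc(file_size);
    if (file_buf == NULL) {
        fprintf(stderr, "error! malloc() failed..\n");
        goto out;
    }

    got = read_full(fd, file_buf, file_size);
    if (got < 0) {
        fprintf(stderr, "error! read() failed..\n");
        goto out;
    }
    /* Trust the byte count that was read, not the earlier fstat() result. */
    file_size = (size_t)got;
    if (file_size < sizeof ehdr) {
        fprintf(stderr, "Invalid File!\n");
        goto out;
    }

    /* Copy instead of casting so the header is read from aligned storage. */
    memcpy(&ehdr, file_buf, sizeof ehdr);

    /* Only claim a valid format after checking the magic and the class;
     * an ELF64 file parsed through Elf32 structures yields garbage.
     * NOTE(review): EI_DATA is not checked, so the file's byte order is
     * assumed to match the host's. */
    if (memcmp(ehdr.e_ident, ELFMAG, SELFMAG) != 0 ||
        ehdr.e_ident[EI_CLASS] != ELFCLASS32) {
        fprintf(stderr, "Invalid File!\n");
        goto out;
    }
    if (ehdr.e_phnum > 0 && ehdr.e_phentsize < sizeof(Elf32_Phdr)) {
        fprintf(stderr, "Invalid File!\n");
        goto out;
    }

    fprintf(stderr, "%s has a valid format!\n", argv[1]);
    fprintf(stderr, "trying to locate string: %s\n\n", needle);

    Header(fd);

    for (size_t i = 0; i < ehdr.e_phnum; i++) {
        /* 64-bit arithmetic so attacker-chosen 32-bit fields cannot wrap. */
        uint64_t ph_off = (uint64_t)ehdr.e_phoff +
                          (uint64_t)i * ehdr.e_phentsize;
        uint64_t seg_start;
        uint64_t seg_end;
        Elf32_Phdr phdr;

        /* Stop once the program header table runs past the end of file. */
        if (ph_off > file_size || file_size - ph_off < sizeof phdr) {
            break;
        }
        memcpy(&phdr, file_buf + (size_t)ph_off, sizeof phdr);

        /* Clamp the segment to the bytes that are really in the file;
         * truncated cores routinely declare more than they contain. */
        seg_start = phdr.p_offset;
        seg_end = seg_start + phdr.p_filesz;
        if (seg_end > file_size) {
            seg_end = file_size;
        }

        /* A match must start inside the segment and fit inside the file.
         * memcmp with an explicit bound replaces strncmp, which could read
         * past the end of the buffer near the end of the file. */
        for (uint64_t e = seg_start;
             e < seg_end && file_size - e >= needle_len; e++) {
            if (memcmp(file_buf + (size_t)e, needle, needle_len) == 0) {
                fprintf(stderr, "[String found at: 0x%08x]\n",
                        (unsigned int)(phdr.p_vaddr +
                                       (Elf32_Addr)(e - seg_start)));
            }
        }
    }

    fprintf(stderr, "\n");
    rc = 0;

out:
    free(file_buf);
    close(fd);
    return rc;
}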