Drow : Injects Code Into ELF Executables Post-Build

Drow is a command-line utility that is used to inject code and hook the entrypoint of ELF executables (post-build). It takes unmodified ELF executables as input and exports a modified ELF containing an embedded user-supplied payload that executes at runtime.

  • Drow takes the following steps to create the new patched ELF:
    • Map in the umodified target ELF executable and the user-supplied payload, a position-independent blob
    • Locate the first executable segment by parsing program headers
    • Locate the last section in the executable segment by parsing section headers
    • Expand the last section (in the segment) section header’s sh_size and program header’s p_memsz/p_filesz by the size of the user-supplied payload
    • Fixup section headers’ sh_offset‘s and program headers’ p_offset‘s (move down sections and segments to make room for the payload and a small “stager stub”)
    • Fix offsets in the ELF header (e_shoff, e_phoff, etc..)
    • Modify the ELF header e_entry (ELF entrypoint offset) to point to the injected code
    • Create a new ELF containing the injected code and modified ELF headers

In addition to injecting the user-supplied payload, drow injects a small code stub that is prepended to the beginning of the payload. This stub is designed to call into the payload. If the payload is written to return to the caller, after the payload returns the stager then tailcalls into _start, restoring execution so the program can run as intended.

Building

Install gcc and scons. Then run scons from the root of the directory.

Other Information

In addition to building drow, this project also builds a Linux x86-64 payload named rappers_delight.bin that simply prints to stdout. This can be used for testing. Currently, drow only works with ELF64 files targetting x86-64.

Other Work

There has been a lot of open source work done in this domain. I encourage you to also check out the following projects and associated publications:

R K

Recent Posts

2025-03-04 (Tuesday) : Group Claiming To Be BianLian Sends Paper-Based Extortion Letters via Postal Service

On March 4, 2025, a group claiming to be the notorious threat actor BianLian began…

19 hours ago

Blindsight : Advanced Techniques In Red Teaming And LSASS Memory Exploitation

Blindsight is a red teaming tool designed to dump LSASS (Local Security Authority Subsystem Service)…

19 hours ago

Hiphp : Mastering Remote Management Of PHP Websites

Hiphp, developed by Yasserbdj96, is an open-source tool designed to create a backdoor for controlling…

19 hours ago

PowerShell-Hunter : A Comprehensive Toolset For Threat Hunting

PowerShell-Hunter is a robust collection of PowerShell-based tools designed to aid security analysts in detecting…

19 hours ago

DE-TH-Aura : Detection Engineering And Threat Hunting By SecurityAura

DE-TH-Aura, an initiative by SecurityAura, focuses on enhancing detection engineering and threat hunting capabilities using…

20 hours ago

MassVulScan : A Comprehensive Network Scanning Tool

MassVulScan is a powerful network scanning tool designed for pentesters and system administrators to identify…

22 hours ago