Drow is a command-line utility that is used to inject code and hook the entrypoint of ELF executables (post-build). It takes unmodified ELF executables as input and exports a modified ELF containing an embedded user-supplied payload that executes at runtime.
sh_size
and program header’s p_memsz
/p_filesz
by the size of the user-supplied payloadsh_offset
‘s and program headers’ p_offset
‘s (move down sections and segments to make room for the payload and a small “stager stub”)e_shoff
, e_phoff
, etc..)e_entry
(ELF entrypoint offset) to point to the injected codeIn addition to injecting the user-supplied payload, drow injects a small code stub that is prepended to the beginning of the payload. This stub is designed to call into the payload. If the payload is written to return to the caller, after the payload returns the stager then tailcalls into _start
, restoring execution so the program can run as intended.
Building
Install gcc
and scons
. Then run scons
from the root of the directory.
Other Information
In addition to building drow, this project also builds a Linux x86-64 payload named rappers_delight.bin
that simply prints to stdout
. This can be used for testing. Currently, drow only works with ELF64 files targetting x86-64.
Other Work
There has been a lot of open source work done in this domain. I encourage you to also check out the following projects and associated publications:
Kali Linux 2024.4, the final release of 2024, brings a wide range of updates and…
This Go program applies a lifetime patch to PowerShell to disable ETW (Event Tracing for…
GPOHunter is a comprehensive tool designed to analyze and identify security misconfigurations in Active Directory…
Across small-to-medium enterprises (SMEs) and managed service providers (MSPs), the top priority for cybersecurity leaders…
The free and open-source security platform SecHub, provides a central API to test software with…
Don't worry if there are any bugs in the tool, we will try to fix…