From c9048bd2b40b7edd604c4b7ad18617e96a987975 Mon Sep 17 00:00:00 2001
From: mykola2312 <49044616+mykola2312@users.noreply.github.com>
Date: Mon, 10 Apr 2017 01:53:45 +0300
Subject: [PATCH] Initial commit

---
 proc.c         |  89 +++++++++++++++++++++++++++
 proc.h         |  26 ++++++++
 sh2load        | Bin 0 -> 14501 bytes
 sh2load.c      | 162 +++++++++++++++++++++++++++++++++++++++++++++++++
 sh2load32      | Bin 0 -> 12870 bytes
 vm_shell32.bin | Bin 0 -> 40 bytes
 vm_shell32.s   |  14 +++++
 vm_shell64.bin | Bin 0 -> 42 bytes
 vm_shell64.s   |  16 +++++
 vmap.c         |  60 ++++++++++++++++++
 vmap.h         |  41 +++++++++++++
 11 files changed, 408 insertions(+)
 create mode 100644 proc.c
 create mode 100644 proc.h
 create mode 100644 sh2load
 create mode 100644 sh2load.c
 create mode 100644 sh2load32
 create mode 100644 vm_shell32.bin
 create mode 100644 vm_shell32.s
 create mode 100644 vm_shell64.bin
 create mode 100644 vm_shell64.s
 create mode 100644 vmap.c
 create mode 100644 vmap.h

diff --git a/proc.c b/proc.c
new file mode 100644
index 0000000..4411114
--- /dev/null
+++ b/proc.c
@@ -0,0 +1,89 @@
+#include "proc.h"
+
+int is_numeric(char* s)
+{
+	while(*s)
+	{
+		if(!isdigit(*s))
+			return 0;
+		s++;
+	}
+	return 1;
+}
+
+int walk_proc(walk_proc_callback func,void *data)
+{
+	struct dirent* dr;
+	DIR* d;
+	if(!(d = opendir("/proc")))
+		return -1;
+	while((dr = readdir(d)))
+	{
+		if(dr->d_type == DT_DIR)
+		{
+			if(is_numeric(dr->d_name))
+			{	
+				if(func(atoi(dr->d_name),data))
+					return 1;
+			}
+		}
+	}
+	closedir(d);
+	return 0;
+}
+
+int walk_thread(pid_t pid,walk_thread_callback func,void *data)
+{
+	struct dirent* dr;
+	DIR* d;
+	char path[256];
+	sprintf(path,"/proc/%d/task",pid);
+	if(!(d = opendir(path)))
+		return -1;
+	while((dr = readdir(d)))
+	{
+		if(dr->d_type == DT_DIR)
+		{
+			if(is_numeric(dr->d_name)==1)
+			{
+				if(func(atoi(dr->d_name),data))
+					return 1;
+			}
+		}
+	}
+	closedir(d);
+	return 0;
+}
+
+int suspend_proc_callback(pid_t tid,void *data)
+{
+	int status;
+	if(*(bool*)data == true)
+	{
+		ptrace(PTRACE_ATTACH,tid,0,0);
+		waitpid(tid,&status,0);
+	}
+	else
+	{
+		ptrace(PTRACE_DETACH,tid,0,0);
+		waitpid(tid,&status,0);
+	}
+	return 0;
+}
+
+int suspend_proc(pid_t pid,bool suspend)
+{
+	return walk_thread(pid,&suspend_proc_callback,(void*)&suspend);
+}
+
+int open_proc(pid_t pid)
+{
+	char path[256];
+	sprintf(path,"/proc/%d/mem",pid);
+	return open(path,O_RDWR);
+}
+
+void close_proc(int pd)
+{
+	close(pd);
+}
diff --git a/proc.h b/proc.h
new file mode 100644
index 0000000..4f6359d
--- /dev/null
+++ b/proc.h
@@ -0,0 +1,26 @@
+#ifndef __PROC_H
+#define __PROC_H
+
+#include <ctype.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <stdbool.h>
+#include <string.h>
+#include <sys/ptrace.h>
+#include <sys/wait.h>
+#include <unistd.h>
+#include <dirent.h>
+#include <fcntl.h>
+
+typedef int (*walk_proc_callback)(int pid,void *data);
+typedef int (*walk_thread_callback)(pid_t tid,void *data);
+
+int walk_proc(walk_proc_callback func,void *data);
+int walk_thread(pid_t pid,walk_thread_callback func,void *data);
+
+int suspend_proc(pid_t pid,bool suspend);
+
+int open_proc(pid_t pid);
+void close_proc(int pd);
+
+#endif
diff --git a/sh2load b/sh2load
new file mode 100644
index 0000000000000000000000000000000000000000..5e611f8875450ca05ddb212fa8995516ea9f8b60
GIT binary patch
literal 14501
zcmeHOeQ;D&mcQu^5QTKYrx6`!z|5jZ2p>k&Q9D53;RIwL!LPxWPP#*)opew4Ye<-4
z2P(v+CuC$-u_)KsiIz3v>{wgWmLkiJNe~Luu{1c2TDv%vavi4|(2XC%WE~{?JLlc|
z`n{%K%~WmG{<C|b-?`^^KJLdm_rBMsZ+=iyyV_GwAXM>)I|OmDNdbn;s}MztnU&ab
zafJwoS>hXFJdknt1Xx1UtSLGwT`O87^}L{k_$>FBz;aK3D~eug!a`BiL!#7PwghC=
zq?4q9qC)stPIlDS(Qhyd+Q1b>7f^>#?v+&8QTNEMbQVd8HaO_8?3kizd^9%t)XDMH
zc>>^w4-gTn_?o4pOJ&3Fj1bk&lrak$;EJM8nXph)*?k9g)X%@PluE^ovOTwXDU$tH
zR1Q}xinKOXEn5@`EsV6bCp#8)EU#KvwX7l$tyse2CjX?nW_>-kq~_5Nj`}<eADU{C
zKN&0g{nyw0%;@jBPahh6A^fuU&D%+THa_aUaYYF34dJ(Z-lIYT+~wtKKvOP<MVkx$
z6Bm4k3;ux%9&o|mbHPI{_&FEcaKR@5_v4dWo&b<<9`?H6H@o0-T<}L-@H!X#moE56
zF8Et6xaNYdalzNQ;IF&jce>z9T=3&A_%$y0ZWsJ#F8GVUCyT2^U`_*S*pK;&3)W#M
zVy-(~-`W;!*AqrCZs@uQMG~EDxJF~)c2a91ttt`jXf;GU91Mk8<027@x3(M2qM4Oq
z;dne67rNe>h&J7Fi=Id{1>2iNQzV)QllIoI5o-;JX3&I481V=kgW$ht3%51JIz?MB
z5{WjE`$#Nkv<Pxbmb%_#bjHGZqfX+45kgBMX2gR{VbQ!j-fDzJ(1^B*?ZH-Vf}14Y
zO)bzf6?B~jA&1u%Y;70K@o-qIsa?BbrM{$MNySZ8{bsASc$rmQN>k>^^N)6-Lg3@@
z8J|aPO1zNJenkK99KgqqPjY7K74$^%5QtI$PxC?5{(4nwYcV}Re2^3N_}@N(ZMsmD
zNq#EJy<(o^O@HX6^fxlQ0aoTS2n|_f)P_&AP+`RfJtJwKRHe+{z|{%3O4rQ$Z8&eP
zj0!Q|hI=JOq|%0~XAj}aZMgmU9I)Z`=aXi`sZXkGu;EsWLwK(ZFTPS~gErU%v<a%x
zV#9F<tP-=~J_{A1!-kjG@Le`s-Bc3qwc(R(`ulCTed9f7!>8Kx`)oKp6jgc7hEG=@
z=ph?E!-gNR;aA!4K^rdLDOmcd4Zqr^KV-va+VJ;nIBjaG4BK$~6FF_e<vSOfjM#Ab
zPQ|#^b-qaJ85f@J7h3nA;Tap!x=s`w7h^Xy0van1;aV~~fEw{FWRn>lLn*(Xc#7%F
z5c3;}r&!JmGJhBGUg8fizk+y*-Ao_zw-Qe=o7vC&65=UVGrO3-fq071OpN)t#8Yf$
z8knC+Jgv>l2Ii*_&oP<_Fi?CYA+$;}l?-@@r(n(ang41USrA{!{O80|aApMaXNjkv
z%#2(DQ2rtD6pWc+=Kqa&3c}0~^KTPR!Iv3i{&nIh=rV_xe}(vI#P>0Ol=$hy?`Qs>
ziKpPo>|*{OiKn2-#F&4EcnYRW1M^Q3PeGK~!2I74Pr;K3F#kj1DQGg4;1_?gHg)<z
zE%l++_0h<Ny0xbUH(V7E+Nop1Gl-m;<ilN_zIm!&d|5Jkl@Lc3;h9&jEu0Ucb&dM8
z)bF-ka|GTvP$q8~Ai>yhbII&I1d1)kDNdRz6yHzsdTsZo?BLiXFC1v85$#y|POadi
zcKVVr-SRe3c`KO>KX8fmcilb*{TIo}^)O7g;|6RwInD>D;0tbPplB9#>`sv!ckVIR
zS<XHqgR!A4nH{j9I%3?P+Idk+B}cSWeOl|O8PR%n9YmkC-VLM7ruH+-5?NiB?y0$$
zIypcg%D&TQzaAUIBIzu?a-aoMmtKHb-T&Hg)r6MXneL|rG0;KMUeZq0jA~swM@8}q
z?bILz)w!u!4|icyOTDY5PNl2hMEcl$zI3_}sh2OFCCe8_i1c(b=^Df;6{LR>Zc{ZE
zwcY~()X>F#v?w45U~Qmt^Rb#goZ^S>v7_@KF?+O^di1X_7$EKR)6}=#1OAJq2kJCD
zT*7LT9{QvQidNIZ^W>q^@}Q%Z{_0QY%Q3CDTcDz)USZADTj>|Gj_#3;C@f7!$H-Bo
z<!A<KGz!%R><~2Xr_xtr;xT<Rd!6$J&XCnn*<bjg{=N;}0kTV<h9Emtr8HH&2gEt*
z6i@PL>L0qv$f<NAv0Z}&xIKsje7XjwpiYsIraAtQhf_0*TQ@9{^9DYq#&35vUT-yC
z$BowvAEl+=UrNgbKHAAg4}A1$Q*g^itmaQ@n4t|UJ)mLm=r`R-4Waf4+A%|I_$!;>
z80^uv<Zw^TC_EdmP1T&~+IdEFmJD2=zC8^nb1SBzr{)a&d~NwT2tNZ?l|f}Qw^4)b
zedmx!mJHlLU@O_tI}ds~L_MeiYWCnkvj==<d+LX@>tE4QP^ozps;`pjdP{XFt8z54
zuz>W2l*<N7ZzAdS9vDHy;}&bF(?|J6o*bY(*=%*M>56uIt+&_Gd=tZ7%F}$HERU$n
zy!||lU4tGi)y)ogOx>nIo>pn+H(Q;8R&6V3hleL*m~P{Q{~{4h`#V5c-CFUbSn;Fh
zmZcx#P9y4SMoSJ0t)zcYE5QGul9xouOM~U~rJ;K;If0GOP1m|=Mhm3wp26g?BNV}w
zPe1J<*r|pGet>yPKQ~H|p*E3CM|cY{U_DZDI56c~g~<Tb5x-NZvmuD_5WmrmJ%IsW
zjrP<J1BK^zQ*Vt8L1_ZFdk)(Lyu<cQvnBZ2IU<rjR`7Pf_EGOXUy1&vUOtbTh&^hU
z$$|IjmL6cNx0~)-e>Zv$x90rLMISU%Ku!JnkM=>`Zw~7FXi*Jn4b|149)-KE(Sqa>
zJ2;4L(Wtm(tRS-=Ze#o0Y*3Ev2{_^*|2<&)*!VGVo+cj}!?=}u292ton)ClcVX9)4
zp8w{k&XCvMbr+$*LM=sM`Z3UR%W|#gEy1+<X<n;CmvyBSPps6)Ui7rLew2c9-_!tY
zdfPA^+2;k{i;Fz_bk(rOAqM&%v(Nss+@dK!3}<i4w;`|skJ>XgUgLuOvBp8pk4~Dk
z-q^J?d$qlRGM>fW4i0;4azzL+^I3{F%FXLi$JVAs`}^$ucnW^;a#^Y#nY+*LM|V;$
z@8g~6#a&Debb$06V63<M5XRJh-0tK(av}w%O+orG!mLH2neo&lcN!?~XV3f~_$%5y
zdU~l5$XU?SZMOWTmU_>=GUoDtWH{58HwxX3Kfn-+`I(%!QL7e{GR$4UB%KNr($c1R
z>Y)ulLoJP{F759y??U?Qm+Z}`ARVX!W_7J6fazS9KI-RY(X&(OS!mf@viF)EX-z1X
z*Y>|7=i-lM2md0Mze4k-%W*lwN$otJN@BC9$0H|gJ|xXy_12FdwEIs?=UBXn0<Y%F
z?B+I(=l(UkpRE$2`kv~|)v2-S`s%vc-tzGi{CFGeT}X7(+SG-$so&IIPp@W0+Oe;_
z>Fr<8RD5Fi7yr9@fvioPtxa861rKA>&S+i73$$B4NS>vyCl73?{%-Y_>IbX!<NLEO
zoL?Nr?2$kI0z==oDcX@!=X{4Ai#{9<1&yFBC&Oa#z``y54H2Y7{LRt0KhYA7M4F<Z
zu)jTO07<ro=HOceDb*qmk_U}81tWgSkvL_PgVAGg<XvQTraaQI5Fa>`nUx0?Z1Hch
znxkxs5pMUFhoB*oE@l=<Z$oz|3)Gx!Z$biz@;aQ8v5Ebr=V)_tB5X*;99}%!7B#|t
zSCd8DN4_p94=pl+iHC*7A-^PKzy0M2e|hEdkiYzf$|a#&`HDKggiSvfONe+Q&+$UE
zUvQ20wu7MbYINeWv9XUpAIGhJ0rZCmzex!2^Po3^Rw8t3L4S+AJp#G}PmO(`?|?oJ
zdI*o%H$ZR0OUrrC2GB{k#lHZ(5%f4{E$D2#4MafGp!+~y!eW0Ov=Gty2B-l#4PQ*@
z-Ihwhj*X(AqqN|fNfV0p7fdK6oW4@O|M}S10#cAAzrGOHLC*RkV`D?;m++OY_LbdL
zGI4v+E^+6~+iqBT-CS}(I#?EB8^+&AK((**5zorv@t!Sc*_4L>AAy|oEcp*u%=UW#
zpMm_J=!><o_x{{V8sz_3d>+EKUI%K)J$GCFPXPW0$e(e@e{9J=0`ABBpK-|Fv*fg+
zoq@c^A%Db@UkCXb+^=%Gyn)5$_#v-_{M&Z9XSHP?f_yvVWp??dto<IyqmX~sF8ADH
z**^>UFCc%-AwOZsPe5LWIHLS^c79&B<R3xqMI31k`AU|r0#=Clsf0XC@)f?)M?EWi
zWk2%P`24+vD}3|!jnjOUkBrxR%eyA5^9AC*<<-8*YTx`7K0oxJzrt6<aaRjJ_redz
z|Cj%xGY}{a@W}m=s%bz7a>=FhB~IU#sO&AiGQbs;XRX86J}N4&sD5Nsc|+_mTxLot
zkU*hA8wV97|HGxRDDek90V389zk}mUUL}+VJtogdH-WNHcA0W+RCpDGPG>HAq0Nhn
zzk!Kb1%0xjc3R5*QBjH2^n?KO3h$G=>bS;IfnUkZqT0uX&jYHI`gjRsUbTyjoB2=2
z2c+fyE>XX3=eBxS-Qkm}@~*0UtST2&W&A|5^D`v<rleJpu9kGOq|K6Ulk^cupOEyY
zk{*`yq@?dk`mv-JBpol0F3gbho03*Zx?0lBk~T}4J7~pgi!Yoj(zUUZW50gjcpA^V
zvHfdSuDsPhAHQ8+@2{#@TCv!_q;m1il}jtDl#Ltp;$?8TCvcgVeq5@{i+hEU7caC{
zh25DKYh*C5{&=BQjZ=Su$QNv0tU(o|PW>x{3U()swWn5vQ!p{RKR5-GM4t*7r=Zw6
zed5G@LTxNgyhJp}4abR>TBj$R_+-&>b-)gB-HUfawNcrHUV+TH+@PHJG(nl)+~UP9
zlW!e)#SEc-&9mEhX;+c^j}ynPF{i-}aoubC71%EH3Tr#HVA=)?#b;v{AS<*_<-;*j
z1nA}C@&osXV$qkgROU*2I0wH;;<-;0dfO^M|1~)-^<=r9@yq9VxAdc)P++<A;#!dB
zemxI7-?$FD;4i!2Zu3KLtp)fUzUbNjYT5EOs`=)PH1hT5w`_{<B02H%pX}%I_!*V@
zx$!xXC-Cw(p9Q=iPh2enJ_YxYesH0po;#};XUK8cEcJgfEx<Ux?V=WxcyqCdH?mZS
z^>FB?r>(rd5*81+`2TC*rO=<3qu=eK|0LtZ!Z*ci_Zis$y=~LDUX}f!H)JYzFn;;I
zamd9#y_J)nqmu({&);59d&@;XjTZ>|Mwwgw!$tps3qA?+me0=u7yJ&!iv^`WsJz8j
ze4_zQ^O-yU_ep(9-BIChO`uVU|4H88*H|h<Cvd;4+sR(wlRagkXikG276;gm17haq
zF8D9WkI3%Zh0^p_F8aeR_?L_q3;N}d3V#~{Ep)jrWiI$x*py;l+Aya9wQSia{j1ZE
z3#4eNi=Q>XCu9EUw-+k3pHle_aPprU=UZI-e2?*BK|h63;cwZX+a&%idB12srLs%n
zhvd58Z_U8>x%hv^1%KKFf58QRmGNTnn4Ew0-uoLD{olLb7hP~40wdqLm<ycZaDLAH
zs&LV-X1rKjCFiZ2XHAGpe1G%2p{#dt)aZhLA9%jwS&zzw|3)^9rD>Md_Ew{!Ni@Zc
zgpq7+Mpf7ETDeiLUAw7{&TfU{;jOI+BOKR_HXWy-+QSKGgrfS^NVG8+(L+Wwp3sBI
z4$%~Ci$%glI8;$}OI2llCA}H#>A`qB*r|uxjd&-HP6gY-dMMe})(I0Er&G@ys)?2*
zk!Uc4E>eOHWLsM>#vNY0v3gyNUbB7`dTe%I)g4YkLSJ>?`s#ISS3=7s;e%>`@E)z#
zXu9c5TeVT>YijRaQC+Lwy?XVgnmWC%dPQvwwZOT?rbLp5!>7Lj0sHYU>X;r2#uH%?
zZcFO1WTHi$S##>?X8u(kPIJn(2O|%g*;0F+(>(0v)ND=Y?a8)qyp;~L(Lpt*n2)gK
zfp8qoiOO-A$M)!4n^VlE?VJ$zk;Y1SSj-D$lg)E+B9TnckvkrNj(l*WG1&Al-!Yx6
zpzJs!2-`$dZwa=CB4O*)UbeBN@?2jQ!Ff7;?cHcB)Y`5maV$_BCCsYOK|C`d?8I#M
zkAgsEqjPl}M-Q{Yn`QPqi%>IGjvV7^OeEwSm|1P7CZ89~X2N*}jTSlvsm>fa_4z=g
z6EaUnIx&v8c=&taWWwMRj83sUUg-qs0HzZ$Pe3{`U9VfWQm!pN$>|i^@3TCE=~Qr>
zxXg-{%EOmggyxZB)r@*kfm5SKuo2XVo3usMa8xuLkBJKWAQ7&pUa@we5!@=dt?kK*
z#$+qbgX4f`1#vAwtiFm+XFHujWr|~>EZG*0Ct9QJ4n~J89*zV_QPyG+LsW32R2bn7
z)M*ogEXqHgRD@gPw$*~)AuP_cF!wLhLe(E?f*QOB+pu6OwnpI)mkMsh^oR%&71&PO
zutlnU`hQ3%<ArxV>qUFHCjc({XAdgl#UL)EYcKP_P?8DHDK2%MfTT<=dr8CN#!(i7
zv)db<0Lu;O@H*zQmt6Z*5aCBndQaqX&=Zi93IF6kwQ(kEW$q*^)}t~JA7wx234jyG
zQ7|$81^`vc<k8saix(C3oZO5$-VL($;{xDdFB?>eJ_d2goxcZxQIbtHr*a*i%G6;%
z8mj&)Jw+deoRW5mS2>YNnfZ%JdvZrQs{axeJ5ZrHRrV@((kJcJ3zKSJ*{kvIk@hR3
zLzQAlOZz_QnCvMznQQ+eU^FKxQ);DZQ2~siQko`b_Ey!2rtq<QuyQu2n0owElUd~}
z9ZaC2=;Nr{J*b!In9Lu4s2s7C%~0`A<~UGUpgP(2E0m(7xk20~?bS_C*`fw%zauAV
z)Fdjm&*j*wzr|61qw|zflr*>f!#VaU`_v)x<BzM3N&DRP2Z8(Wp@l$2WdYRR?Bwbz
zUePyTQ-Y7Ox3Uhi$XhmOOfJhS`}ZNBDN^<->s9n;?3KR{P@w=+_9{E3{-$bJ&c6y$
z)vgMlk6~+XUuDro<N<f3r`l8Yik{1{x3X=1(_&N^N~-J>{Svsnee2ux9MfQ4j(u)_
zzJi>5sqqKqG_b`yX`id_XKD6A={st_G7E7{+0V?uNtcS9=7bo_1G0U;T7dL4q9=wL
oxY~tifvL{3rMxsOFe^{yM7(NP=}tx^pZ!;hOpT%(gB(`;H-}{~Qvd(}

literal 0
HcmV?d00001

diff --git a/sh2load.c b/sh2load.c
new file mode 100644
index 0000000..b8b69f7
--- /dev/null
+++ b/sh2load.c
@@ -0,0 +1,162 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <malloc.h>
+#include <limits.h>
+#include <sys/ptrace.h>
+#include <sys/mman.h>
+#include <sys/stat.h>
+#include <sys/wait.h>
+#include <sys/user.h>
+#include <unistd.h>
+#include <dlfcn.h>
+#include "proc.h"
+#include "vmap.h"
+
+#ifdef __i386__
+
+char shellcode[] = {
+	0x6A,0x01,0xEB,0x07,0xFF,0xD3,0x83,0xC4,
+	0x08,0x5B,0xC3,0xE8,0xF4,0xFF,0xFF,0xFF,
+	0x90
+};
+
+#define STR_OFFSET 0x10
+#define SHELL_SIZE 0x10
+
+#elif __x86_64__
+
+char shellcode[] = {
+	0x48,0x31,0xF6,0xEB,0x08,0x5F,0x48,0xFF,
+	0xC6,0xFF,0xD3,0x5B,0xC3,0xE8,0xF3,0xFF,
+	0xFF,0xFF,0x90
+};
+
+#define STR_OFFSET 0x12
+#define SHELL_SIZE 0x12
+
+#endif
+
+void emu_push(pid_t pid,struct user_regs_struct *regs,
+	unsigned long value)
+{
+#ifdef __i386__
+	regs->esp -= sizeof(unsigned long);
+	if(ptrace(PTRACE_POKEDATA,pid,regs->esp,value) < 0)
+		perror("ptrace_pokedata");
+#elif __x86_64__
+	regs->rsp -= sizeof(unsigned long);
+	if(ptrace(PTRACE_POKEDATA,pid,regs->rsp,value) < 0)
+		perror("ptrace_pokedata");
+#endif
+}
+
+unsigned long getfuncaddr(const char* name)
+{
+	void* mod;
+	if(!(mod = dlopen("libc.so.6",RTLD_LAZY)))
+		return -1;
+	return (unsigned long)dlsym(mod,name);
+}
+
+int main(int argc,char** argv)
+{
+	pid_t pid = atoi(argv[1]);
+	struct user_regs_struct regs;
+	struct stat st;
+	vmap_t shell,libc,local_libc;
+	unsigned long dlpn_off,dlpn_addr;
+	char* local_shell;
+	size_t path_size,total_size;
+	int pd,wr;
+	char filename[PATH_MAX];
+	
+	
+	if(vmap_reqeust(pid,VMAP_WALK_SHELL,&shell) < 0)
+	{
+		fputs("[-] Place for shellcode not found!\n",stderr);
+		exit(0);
+	}
+	
+	if(vmap_reqeust(pid,VMAP_WALK_LIBC,&libc) < 0)
+	{
+		fputs("[-] Libc not found!\n",stderr);
+		exit(0);
+	}
+	
+	if(vmap_reqeust(getpid(),VMAP_WALK_LIBC,&local_libc) < 0)
+	{
+		fputs("[-] Local libc not found!\n",stderr);
+		exit(0);
+	}
+	
+	suspend_proc(pid,true);
+	
+	if((pd = open_proc(pid)) < 0)
+	{
+		perror("open_proc");
+		suspend_proc(pid,false);
+		exit(1);
+	}
+	
+	realpath(argv[2],filename);
+	path_size = strlen(filename) + 1;
+	total_size = path_size + SHELL_SIZE;
+	
+	local_shell = (char*)malloc(total_size);
+	if(!local_shell)
+	{
+		perror("malloc");
+		suspend_proc(pid,false);
+		exit(1);
+	}
+	
+	memcpy((void*)local_shell,shellcode,SHELL_SIZE);
+	memcpy((void*)(local_shell+STR_OFFSET),filename,path_size);
+	
+	printf("%lx-%lx\n",shell.vm_start,shell.vm_end);
+	
+	if((wr = pwrite(pd,(void*)local_shell,
+		total_size,(off_t)shell.vm_start)) < 0)
+	{
+		perror("pwrite");
+		goto ex;
+	}
+	else
+		printf("[+] Shellcode written %d\n",wr);
+	
+	if(!(dlpn_addr = getfuncaddr("__libc_dlopen_mode")))
+	{
+		perror("getfuncaddr");
+		goto ex;
+	}
+	
+	printf("__libc_dlopen_mode %lx\n",dlpn_addr);
+	dlpn_off = dlpn_addr - local_libc.vm_start;
+	printf("offset %lx\n",dlpn_off);
+	dlpn_addr = dlpn_off + libc.vm_start;
+	printf("remote __libc_dlopen_mode %lx\n",dlpn_addr);
+	
+	ptrace(PTRACE_GETREGS,pid,0,&regs);
+#ifdef __i386__
+	emu_push(pid,&regs,regs.eip);
+	emu_push(pid,&regs,regs.ebx);
+	
+	regs.eip = (unsigned long)shell.vm_start+2;
+	regs.ebx = (unsigned long)dlpn_addr;
+#elif __x86_64__
+	emu_push(pid,&regs,regs.rip);
+	emu_push(pid,&regs,regs.rbx);
+	
+	regs.rip = (unsigned long)shell.vm_start+2;
+	regs.rbx = (unsigned long)dlpn_addr;
+#endif
+
+	ptrace(PTRACE_SETREGS,pid,0,&regs);
+ex:
+	suspend_proc(pid,false);
+	
+	free((void*)local_shell);
+	close_proc(pd);
+	return 0;
+}
diff --git a/sh2load32 b/sh2load32
new file mode 100644
index 0000000000000000000000000000000000000000..b858dfa08cc2b743033e8eca70650d70ea4a1838
GIT binary patch
literal 12870
zcmeHOe{@t;e!r8Mz^EZVFuDk+vq}^dLIQ}Oc1=hIaE&-Zh;9*|LuSI8FqxU1c>@Ut
zPGQF&ahx_Hy6e%iW<7RGTdJN@tEq0+Xb|;iPbs<{cbB$l7q`O_cT>$;*0N4NpL^e%
zd3j=c`e)DKhCAQ;`F_9md++_;AMf7xE`Q{2Tjg@OgcZt!TM$j`^LUqn-nURmmI|LZ
zPs|sWi_63`uqa!)8#;(SWMC`@&x7bjYzJ=N<MA?H2+T+s*fN3$fxL`uUlW3n`9-xU
zzZ~i3AV+*0nGPbdT*}KpDj=_bjBx^(k#d&7s6$^z*^I5gjFv3$krA3(E5zIb9xvmQ
zkTF{FJ0S=BQlNblFV<0RtDn^<=4bmBMI)ORMMDdtkyyI7J{7NDtZXwc<*V0jz^`ft
zZTb+I7gdtJqx|Nl53Om;-k{I=eE-Jb%2$u=931+9?PjsGA${d5y8=ncTmDIQ?qA*Z
zixFab7_@<zNZ;YW6*OiB%D-y?P~waO-{Zi?9QdCd_)`bo>A>H2;0hb|A>C}ltk0i1
z@Ldi(?!W^M{J8^52bw(E?{vsJ9C(!juXW&`I`A9^e#e1->A)!me%66sbl}6lL(hA>
z96vQ;wpa{$XupLq;xHCNQ8frPZA(u)rlpKv($F*!ipCS+7)YwGhiaYFS|+qx?|@1u
z64TPDa7cuEBZf$ZgP~9)DN>1KBxZDpE}1hCPA20?p=ps+ymQ40EtTpF#=1mjG>(kW
z-V!zvk&x&DO^K9|jG{CU{1ZLlp3X#{=m|!n@lKkLCW3}8XqGuOt<&gBgtg5Y#i$KR
z5(y(2><o*p?a7D{7C|E(5!-_iS%fT-wmWs`DFsbqo6Oes1S2ugl?;c)>b6@~wrGp%
z8;hxiV(NxsY6;z3=J<0<OunZmDaWd#_+?^xkxRJ?fBaQzMgwR~Br-!ls|HN21=SLl
zi#g^TbiwX?Qy)ZpP0FW<I#d5bi9KSGiIqLK!(Lg@-WjZo(=eepKFYaXf=*{%QY<F5
zq*$zHkzxSNCB?$xBgMirk94{a^GUrzEFe8khz8Ob=i>pu#05eumkc3pCan~riL?rf
zE-6~NhO`EYJSk>bfD})Jc2cZ*cavTu#66@J<Do-}2SSK+78Y{SOE8v6XA6-a#mq8D
z=L*qFdZ`dQNiP#(eP-O7Z$S(9j9z(-5ZTO`LZQ$<VwC59jpk<#dpC~KzcLiA_aIlH
z&Wm3%3Uzdo&g984WGmFsT{>kak4j9p>FmFgBNEenI%+9SJ})udsQZYAB&Iv{`NV?~
z)2%wk!^zze)4lp~;)KL>v))8}pTu;xzJ@p;F}<z_h?^v)_w~Dp8zg2g==Tx(BxY~u
zY|zPSiP<Z9f>=n*-qCxBC%yoqj=iMsCLWWRy`}FXJ}NPLO&=s4k(j-we~<WiiP?+#
z5b==2>`nb3@u0-)RsDJ5-4e5R^<m<K#O!5#g!n#*+1vVC!~u!f>-tgRCW+bm`iH~~
z5_1&jW5hm*ISsm4Ul|%dzIWhXGbbhj?d$YGER=c!e(vnhw?63c<_pL$*)?eY%g&uQ
zYRAJ*!TiD}@sl|{ZQE?tTVQC_Y#8_`GhVAxP&k@7T>bW^qk}o)Dltrs)PL=C*}&_s
z{pxbp(SJN`%z0U6JZ8+48LI;-=P{L&8FN3nnku{h;29VY=?kTvH@_2Ibfla-7mDZ_
z9QLAl+3Nmd>GD&L<hBXR?kB23fr2!7GL3A?Le^iAZMr#=_YAy_<UrtN#VDk!1BJA=
zyF9-GPCzyKNBXKW;}!bz@K1i(?<H^W?NMoD7A9D?OCO==CZ#^$pUmu<6zS>198{-j
zpaFA*^kn{JmG|w@T-!VkJYV?s85miA=bmxycn03dws<llo~%G&f&4!yWm+5e<of5s
zc%WO*j2|nJs@B(kFofm@y01hP-enaIVtzve1KlEjihy}*VJgt=V&3z<l(!anCzv;C
z&-)xe{z3c<ye>@$Bw=D*{w*wrQwyIB1Lcpvz;$*5F#`IArS8I-s;WhFK%oKuL}u57
z=)0D__0ho3{>!YrS2c81F<ZAQe<=(~2YKlrZ|+esUMQ>!<S#0gn(HSkkY8eQMqC5_
z@vMJ5Gg3X^&!dz=I-ftH${6sU$m}{H(z5VtS@<SL;cw%4V7k(kAA+!|x_lqJo%Nrn
zsuB3j1>k2-Aw6!EyDtCv=d%9UM;D;8va-vdu`ZxDvVb3%Qq`5HOCf!tke<lbS~VKW
z>>3k&7ttLzGQ&G6!^txk{BjVD>CNP)6rXw<CALP&@yxE{A}tNXD0t8`@QP*NxW0q@
z#a2z&tJw|5uX%mo=z#x2S;mL@eyUWNDvxsPWc?qypm1C&9M^}a@ax~nw&wf?)Tr#P
z$ls<KlJy@(s{@p<w+B^kWc>&1+#M!YIccP9z<)UFKR)0;P%=2f@+XQ_<6#*dWY#b`
zk>9CmAp3P9->YPD70QKAe{18WT=0yVqux{X`QM;D+3Kv{TlJ!-`tgWs#C5dlB~kU#
zNS*L<*}`n)8guHxjNj{0YWI(%-x|hKQk158h5jnrzF#@Vn&|CnqHoXoC#qg-nsNTk
zp7ctjGb0zEZh?FsRslI<j0HAs!Kyu0hKc}6lxro{&*`$vQyiFd-%Co*oGj@lO}0=~
zkd>D8+cQ3kPjn7Qul@#Vnd_h6l9AtQ6;xqy-nUGub!vmEelIF#Rlmhn(O1-}mO1T8
z+w0$CnMM7pQU8jssQ>BHvh`N|pD^p+tg@HtpBbM8Bj}y`M~thx1v}i^U7i1(%8qt*
zi=2Ow3v>P_|0zwLs<YH;^2g4i_N-EK7O_t)sIaB?{RtjXF!*EDMAMJnk{{obempJx
zc#Bnpx4SIYuXul{iZBO=SGLWY-=H+rBcfwH`ZkxS<?r1bfVnkTLcF<v2ft`m$ND?5
zK#ZXvjD!4NNQ1sXjNpy;ZsPFWGp=)FtA2IkjGpU%LDuIvRW>GvUSnhTDz-H?n}+2>
z=pLx$`X`w&*FVI^L7rPGIhojjCiBbPc%>|PQs?&FG?1_R%pB0^KX*D8#b*7JZ#H>2
zZ;;AzYGE{aGb3oMx4Soxf56IZT&Gky@2J{Dcj&dqi9QMBpZl#WMa_l{(iX?yDru~i
z&8|hW1Npm@9%jz}Y)`Y>EB|uE$FqJsCgj7`KOWFmJgmk>pBfvO5T!+;TsjrKepko(
z{J*0;dq&^HrW@U#jn4Ds{@MfA<};IpLN3FN<uylM`=YG>Go!AtkdvoY`qY@WfN?|N
zz$?_ryy-$`toS1Ri_GDQjrVGsMzMqW6q|FogU`q^I#~v{?07QCBb7P_YKi#Pa42X5
zZAVujHZI)c3q)~D^mWCPzLXx0Mmyu7urC%jz)8nKU&pzHN^LkBo`oCl3`TuCH%^uD
zT&g9KIE$Jm*1Bl#LPQudPn#RB+vHncERH8oBOLS9g`i;`MAdOy>p^vRGVV&pI&rAx
zSy!G@ZDOCY9PjE%g$)x39FlwDM%ee2>WgIk<nN-o&>|z4+A4|&=WSuu*;kkH)io>+
z`RcB1SRA@h{vr)#%BCMoq(pMF^ex{2y5_iV`W`4>k(~IXP<R3KFuM9f(0{-X<7<~%
zbQfPI-2u7)bQp_Wh~pace$ek@@qPxBTaLq^BcLZhKLYh&wqJ&a<2=yoL0du7pi$6E
zF>xOP{Q&e3Xf4L(yPyW>EDQ?1He+z@SSMUNy{<VG9?w45^?`@Op_q^Qjsc5G@2bj*
zZ&qDkczVSxvv0a~@w_Xl!EQo4@oAxeC!!3@(~kIaw9ijYbEUVxY~_sdvgS8nTG}+o
zN4syb%ePChd^LIi{5g<EIA~kpmDSbdWogk`<xclbt9F;Ace>l%uYun@+WbZft*W}d
z3)+T-bTw$H+?Haw^m7XGr>4lCD9Y*oPauDFiu{$Loc;1J`lEA-Tr0}kAm@X!&Mps1
zv21q~@}EM!!Y)sj<PWiY$Z>ct)qlN`&jafa<R>9-vddTQb!R-iqs>Q3{(T>ME{qo*
z8%ut8rdZEO$Oj<*+bQzDDavaxKCZyH`i5P;L)BvqcuOH~f_zg^-dtJnfV;V}datLs
zvNlt`w$c}=oYz`8zqN8fb7jNrmA=)LwaufI)y+pLE1KV|^ftdyiB9AA*$rFmumy51
zob$jr51jMBIS-ukz&Q{6Kl8xIfX6$8$ZBJIQH=AEu0VW$ug8n;H{t+Z8{%Vx{5;Li
zd)&L>qlEC_MJ)G@#J~Nb5I=-Z&-j`m#xnQ}19}vgUrodcSjSfrxp}}>4;i>m6nM|Z
zO++4%n_7G^5!^_P_j|ld9|z?IoSP1OJ>e@Hfjw~i9`JFPiZky7=xksl|IdNn(ydGv
zKj86Rg}4lH6=DZs7veU=y@-z?{t)p+#3P6wApR2ZGsJ1QJ8&`LRfx+FS0Q#Fb|G#<
z+>7`a;tvsDL_C7{0isoQx9imO!h0E>`SRF<7Y0|iwA|>MkI&-Q_?Fc#sc-ZxZfLxr
zp|N3wIJ;y?!!pa3lkz?SdFqyfx+9>l+P>{8%4LrTcA}EATU942%&t|Pt1!D51HtsY
z8{hdD*f*qZ*;}d)6+Vwd_N~HlXsA)97#t!9a43mejzJV?I?63L7S%-!Qn$c|Hw2DO
zQn$bdID~^m%weN0J&@wFA&D5q>jYA_Jli2*4g$9vVro<?Ifo<$T~V%vt~F@f0w3-W
z__c-9Er%`=7}N^SA`!cbSk58&aZ<@Shf2XM=ExanaXjKbiYGMkh~*?O%X5i~gb(}%
za|V~eA6Ee1XT#S6TQi*U+koYl6i^rD@E?M57J~rSianrQ6^N;yW1=X(P#hvQ1M4GS
zbJ+0TSwhgW)&DT~YrbohH&Yw~w*1TX*aP$Pa)nhtE&;y*w*2pc|4%c6SwG4zz(T_d
zE@X2#xeVCq50{uFmICt|7>E8$w6B$NGjO5l0KRk3<84Bk@*waj_=Bfn;%;CcFsH`M
zGGG|8`qw8e5kFUR2vX`p2K^!QKlOQ8VLz}HD1X|4UvS_zfFC!<Pc`hn3q0qKJzk!M
zS)UJp8}J>Er*h(N09*56Cg#Jx0l%N~czL>}{9|A%u>67p*Qhl?s!-0i6ILMRn|Uh`
zuL0&8G@eRnzr!KtJ59?!tbZDqZ)15Hr+yarVfg!?i66D)_ks6}4YRx#fbTc`QB!t_
zc+DaIi35KGY`+{b>5xxz^cUZ*Sb^nT56sV{JT<eveuuonfxqp*ze2u)#r~TuVkn;%
z%~%HQeFyqnuhjUc76ZWi_{5c}2L5^kxYYl%#Z$oiZp*hU%>N9i3;tVS+ItrGWsDEL
z4WayHU@Ndae-Hc#`ipM~DF2y5{;>o9-hr!7QGVW~P5OTh@Nx7f-=5IkEzsw#f%2Jn
z<j-fr%)s(*bl}?@SaaZ{180G6M0>eOV0j`Eix~BtqBCivjC5BQlA89-mUUX&t?S!)
z<0qU9Z;7Oga8fgRG+dgAg;UT7#kDQb_~u|#3mNfbN(-iYMQ6Mx5e*yRQ2nyyD{eTu
zlGcUtv|utB?9;+ABiV-=Ho=~-7E1T@^dXB4X{^~4)s((C8V`n0MZUKL+13+G$O^Ao
z*L=HQ^RI11jaBun^b{i@p|yT%ZS(E7wm{1!k=L8R!gfLPuhEpXHLdG}wz}<(mCbG1
z9jjKY_qS{9%`4mdEJ410?M$U*bIc1$O-<H4p$1toEfGwn!Xn(0))MKIj$FOVm(}An
zu9oQ33_Ts&TEDs1yr^W)%PU8AtnNM8Ir4UtouR3>+S`NCt?HGt{bg|^rNz=c;ba7E
zlee$zIn~W5JIA~qWoN1P)g?}&c}=UtX~4BAl#TAt_>$Uu<!zT^$l%4hx>_Yt=@f5m
z$+~KIeIDH$?A)rHMmuoTlv`)KPv)?difei>7K(<87r{yjOXQuf5^iwbPg9q^><ZxE
zrkR~%_OZJ7#;agw5pn=<6sh}gQx&G%Z!3vzQ1{?Uj7Fh#B{Y4zD1LZA>o=!Trl;g3
zw9=;p>19Lb-8$=nUCER=?2_Schtny;x_D=o^8%b5s}Bez4l1Ly-`-+QBzrHJH|a{M
z4eHL`ml(K;XXlx>^X#lC7xhYlCCZ>0zoH%&42|GsP$Q|RZl!RWFq}+?dVHS=*Eg@c
zb)ga5Vxldvbp7UZ1ovohhp?VV4`Sxkhx%f?uqY{R5=zOoa55E%$EE-cvSc_)J(WmA
z4N)(<xE{&+Epb32+>2kXW6+7q&q?)R-CVhJe4QyGl~pZaDu<Qs?t~gj3HD%C(k#t`
z!*5gd=zUR-#k2<tq_y<_uau`sZbkTbmY1jjxYxCUwN1Ga3?4J6Coelg;6vI9*5jfP
z3`>s(9DW^{XDNYNdaX#~<BdE>^5Da__0&^G9i>OzwTL{Ouw0&Mk3z2+fJY!Cr9GZD
zIuQBDq#jSfV*ot-TER-*3x;)o<pF9o3S0@ERW9>0ZbjsQmuViX?t#K?q**R`tQ*4)
zL>{lm<DvOD^jIIu9`*Q8&LC26B_a>m<50*WO+B7gEWL-2W?fkhpXcu*LEl@!D)#{}
zEIoN{gVV>XMnc9qP<OvgkLS5DR7P$Rz-O@1PatjC<34Euf~VEFQR=A^oe)2;>2be%
z0GkVST9ax;zx<i0N562Nbr5<<Tm7tdJZICBm*ipWNo7j@T6#R+Fgxw>961cV0|aKU
z^xg#K>6BwZo=+|>^%YsvV|)*hr&j9moa6Zly?=q6<x-F5CGT1EAQC4K*=N+_If?&i
zV8Y~q$TI2c#}F-hJinefi#^uwW1F7fzRxGbZt$!?9mdZPEqmPW@Ae7oUQ2;G3}+Bo
zKI=CGy~ll}z6Yx~4*35wXs>}x1nMo7DfL5{6>aVpN1-<X2V4sIVnmk9F~cFmGOaLj
cHGE)I3QXE!;J(|g*Reo|8RuJ42(9FQ16~O}hX4Qo

literal 0
HcmV?d00001

diff --git a/vm_shell32.bin b/vm_shell32.bin
new file mode 100644
index 0000000000000000000000000000000000000000..03a0c4e7e1535e5ff5fa11a010a33902758108fd
GIT binary patch
literal 40
wcmc~|e9iv<a`O?6=)*6*{Qv)7zc@cPwIm}mFI_(;GpQ)Cs8YWmu_S{50J)13a{vGU

literal 0
HcmV?d00001

diff --git a/vm_shell32.s b/vm_shell32.s
new file mode 100644
index 0000000..08c4b8b
--- /dev/null
+++ b/vm_shell32.s
@@ -0,0 +1,14 @@
+use32
+
+push 1
+jmp _text
+_code:
+
+call ebx
+add esp,8
+pop ebx
+ret
+
+_text:
+call _code
+db "/something/library/path",0 ;offset 0x10
diff --git a/vm_shell64.bin b/vm_shell64.bin
new file mode 100644
index 0000000000000000000000000000000000000000..36f69da85de3ecfbc08361859335ecd869f50ead
GIT binary patch
literal 42
ycmeY;{Pvn7-sAtV|Cgf=zxe$B|9}1B{M^)%jLf`r{hZ9CqQs&~{er}j3<dxP-W8Mp

literal 0
HcmV?d00001

diff --git a/vm_shell64.s b/vm_shell64.s
new file mode 100644
index 0000000..af76d65
--- /dev/null
+++ b/vm_shell64.s
@@ -0,0 +1,16 @@
+use64
+
+xor rsi,rsi
+jmp _text
+_code:
+
+pop rdi
+inc rsi
+call rbx
+
+pop rbx
+ret
+
+_text:
+call _code
+db "/something/library/path",0
diff --git a/vmap.c b/vmap.c
new file mode 100644
index 0000000..2fb085c
--- /dev/null
+++ b/vmap.c
@@ -0,0 +1,60 @@
+#include "vmap.h"
+
+void vmap_parse(vmap_t* map,const char* str)
+{
+	sscanf(str,"%lx-%lx %s %08d %*02d:%*02d %*s %s",
+		&map->vm_start,&map->vm_end,map->perms,
+		&map->magic_num,map->path);
+}
+
+int vmap_walk(pid_t pid,walk_map_callback func,void *arg)
+{
+	char buf[256];
+	char path[64];
+	vmap_t map;
+	FILE* fmap;
+	
+	sprintf(path,"/proc/%d/maps",pid);
+	if(!(fmap = fopen(path,"rb")))
+		return -1;
+		
+	while(fgets(buf,256,fmap) != NULL)
+	{
+		vmap_parse(&map,buf);
+		if(func(&map,arg))
+			return 1;
+	}
+	return 0;
+}
+
+int walk_map_func(vmap_t *map,void *arg)
+{
+	vmap_request_t *vreq = (vmap_request_t*)arg;
+	vreq->status = VMAP_NOTFOUND;
+	if(vreq->type == VMAP_WALK_SHELL && strchr(map->perms,'x'))
+	{
+		vreq->status = VMAP_OK;
+		memcpy(vreq->map,map,sizeof(vmap_t));
+		return 1;
+	}
+	else if(vreq->type == VMAP_WALK_LIBC && strstr(map->path,"libc-"))
+	{
+		vreq->status = VMAP_OK;
+		memcpy(vreq->map,map,sizeof(vmap_t));
+		return 1;
+	}
+	return 0;
+}
+
+int vmap_reqeust(pid_t pid,request_t what,vmap_t *map)
+{
+	vmap_request_t vreq;
+	
+	vreq.type = what;
+	vreq.map = map;
+	vmap_walk(pid,&walk_map_func,(void*)&vreq);
+	if(vreq.status == VMAP_OK)
+		return 0;
+	
+	return -1;
+}
diff --git a/vmap.h b/vmap.h
new file mode 100644
index 0000000..f6e89f6
--- /dev/null
+++ b/vmap.h
@@ -0,0 +1,41 @@
+#ifndef __VMAP_H
+#define __VMAP_H
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <stdint.h>
+#include <string.h>
+#include <unistd.h>
+#include <fcntl.h>
+
+typedef enum {
+	VMAP_WALK_SHELL,
+	VMAP_WALK_LIBC,
+} request_t;
+
+typedef enum {
+	VMAP_OK,
+	VMAP_NOTFOUND,
+} status_t;
+
+typedef struct {
+	uintptr_t vm_start;
+	uintptr_t vm_end;
+	char perms[5];
+	uint32_t magic_num;
+	char path[256];
+} vmap_t;
+
+typedef struct {
+	request_t type;
+	status_t status;
+	vmap_t *map;
+} vmap_request_t;
+
+typedef int (*walk_map_callback)(vmap_t *map,void *arg);
+
+void vmap_parse(vmap_t* map,const char* str);
+int vmap_walk(pid_t pid,walk_map_callback func,void *arg);
+int vmap_reqeust(pid_t pid,request_t what,vmap_t *map);
+
+#endif