debug's People

Contributors

aclements, adg, ahhh, alexbrainman, awgh, bradfitz, c-sto, capnspacehook, cherrymui, dominikh, dsnet, heschi, hirochachacha, ianlancetaylor, jamichaels, jordanrh1, josharian, matloob, mdempsky, mundaym, mvdan, mwhudson, neelance, olgavlpetrova, randall77, rsc, stemar94, tklauser, uluyol, vyrus001

debug's Issues

Parse should take a func instead of a map to query object file paths

That is, instead of:

func Parse(objPath, pkgPath string, importCfg ImportCfg) (*Package, error)

just:

func Parse(objPath, pkgPath string, importMap func(importPath string) (objectPath string)) (*Package, error)

Reasons to do so:

  1. It can be implemented in more ways. For example, right now in garble we have a map[string]importedPkg which also contains the object path, but since it's not a map[string]ExportInfo, I can't reuse it. I'd need two maps with the same keys, which is not ideal.
  2. It doesn't require having all the paths in memory upfront in a map. For example, we could fill a map as we go, memoizing previous queries.

pe.export error

pe.export error when SentinelOne EDR is installed

panic: runtime error: slice bounds out of range [266362:208896]

goroutine 1 [running]:
github.com/Binject/debug/pe.(*File).Exports(0xc0000dbea8)
C:/Users/JohnDoe/go/pkg/mod/github.com/!binject/[email protected]/pe/exports.go:102 +0xa0d

importcfg parser does not support "importmap" directives

For example:

# import config
importmap golang.org/x/net/dns/dnsmessage=vendor/golang.org/x/net/dns/dnsmessage
packagefile context=$WORK/tmp/go-build068570326/b003/_pkg_.a
packagefile errors=$WORK/tmp/go-build068570326/b004/_pkg_.a
packagefile vendor/golang.org/x/net/dns/dnsmessage=$WORK/tmp/go-build068570326/b020/_pkg_.a
packagefile internal/bytealg=$WORK/tmp/go-build068570326/b009/_pkg_.a
packagefile internal/nettrace=$WORK/tmp/go-build068570326/b021/_pkg_.a
packagefile internal/poll=$WORK/tmp/go-build068570326/b022/_pkg_.a
packagefile internal/singleflight=$WORK/tmp/go-build068570326/b025/_pkg_.a
packagefile io=$WORK/tmp/go-build068570326/b024/_pkg_.a
packagefile math/rand=$WORK/tmp/go-build068570326/b026/_pkg_.a
packagefile os=$WORK/tmp/go-build068570326/b029/_pkg_.a
packagefile runtime=$WORK/tmp/go-build068570326/b008/_pkg_.a
packagefile sort=$WORK/tmp/go-build068570326/b032/_pkg_.a
packagefile sync=$WORK/tmp/go-build068570326/b014/_pkg_.a
packagefile sync/atomic=$WORK/tmp/go-build068570326/b016/_pkg_.a
packagefile syscall=$WORK/tmp/go-build068570326/b018/_pkg_.a
packagefile time=$WORK/tmp/go-build068570326/b017/_pkg_.a
packagefile runtime/cgo=$WORK/tmp/go-build068570326/b033/_pkg_.a

This is akin to the ImportMap field of go list -json. It essentially tells you that the package in question imports golang.org/x/net/dns/dnsmessage, but the actual package being imported there is vendor/golang.org/x/net/dns/dnsmessage, so you should look for packagefile vendor/golang.org/x/net/dns/dnsmessage=....

This happens in burrowers/garble#146, for example.
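The lookup described in this issue, combined with the resolver-function signature proposed in the first issue above, can be sketched as follows. This is an added example, not code from Binject/debug or garble; `parseImportCfg` and `sampleCfg` are hypothetical names, and the sample is a constructed, shortened copy of the importcfg quoted above.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// Constructed sample, shortened from the importcfg quoted in the issue.
const sampleCfg = `# import config
importmap golang.org/x/net/dns/dnsmessage=vendor/golang.org/x/net/dns/dnsmessage
packagefile errors=$WORK/tmp/go-build068570326/b004/_pkg_.a
packagefile vendor/golang.org/x/net/dns/dnsmessage=$WORK/tmp/go-build068570326/b020/_pkg_.a
`

// parseImportCfg (hypothetical name) returns a resolver: import path in, object file out ("" if unknown).
func parseImportCfg(cfg string) (func(importPath string) (objectPath string), error) {
	importMap := map[string]string{}   // import path as written -> actual package
	packageFile := map[string]string{} // actual package -> object file
	sc := bufio.NewScanner(strings.NewReader(cfg))
	for n := 1; sc.Scan(); n++ {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		verb, args, _ := strings.Cut(line, " ")
		key, val, ok := strings.Cut(strings.TrimSpace(args), "=")
		switch {
		case !ok || key == "" || val == "":
			return nil, fmt.Errorf("importcfg line %d: malformed %q", n, line)
		case verb == "importmap":
			importMap[key] = val
		case verb == "packagefile":
			packageFile[key] = val
		default:
			return nil, fmt.Errorf("importcfg line %d: unknown directive %q", n, verb)
		}
	}
	return func(importPath string) string {
		if actual, ok := importMap[importPath]; ok {
			importPath = actual // follow the importmap redirection first
		}
		return packageFile[importPath]
	}, sc.Err()
}

func main() {
	resolve, err := parseImportCfg(sampleCfg)
	fmt.Println(resolve("golang.org/x/net/dns/dnsmessage"), err)
}
```
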

Invalid object file

Code:

package main

import (
	// goobj2 parses and writes Go object files and archives.
	"github.com/Binject/debug/goobj2"
)

func main() {
	const magicHeaderName = "magic/example"

	magicData := []byte("{}")

	original, err := goobj2.Parse("a.obj", "main", nil)
	if err != nil {
		panic(err)
	}

	original.ArchiveMembers = append(original.ArchiveMembers, goobj2.ArchiveMember{
		ArchiveHeader: goobj2.ArchiveHeader{
			Name: magicHeaderName,
			Size: int64(len(magicData)),
			Data: magicData,
		},
		IsDataObj: true,
	})

	if err := original.Write("b.obj"); err != nil {
		panic(err)
	}

	_, err = goobj2.Parse("b.obj", "main", nil)
	if err != nil {
		panic(err)
	}
}

Output:

panic: EOF

goroutine 1 [running]:
main.main()
	main.go:33 +0x527

Error from here: https://github.com/Binject/debug/blob/master/goobj2/file.go#L550

Incorrect ArchiveHeader.Data size

After parsing an object file, I get an invalid ArchiveHeader.Data field with garbage at the end. The ArchiveHeader.Size field is also set incorrectly.

Code:

package main

import (
	"fmt"
	"github.com/Binject/debug/goobj2"
)

func main() {
	const magicHeaderName = "magic/example"

	magicData := make([]byte, 256)

	original, err := goobj2.Parse("a.obj", "main", nil)
	if err != nil {
		panic(err)
	}

	original.ArchiveMembers = append(original.ArchiveMembers, goobj2.ArchiveMember{
		ArchiveHeader: goobj2.ArchiveHeader{
			Name: magicHeaderName,
			Size: int64(len(magicData)),
			Data: magicData,
		},
	})

	if err := original.Write("b.obj"); err != nil {
		panic(err)
	}

	patched, err := goobj2.Parse("b.obj", "main", nil)
	if err != nil {
		panic(err)
	}

	var magicArchive goobj2.ArchiveMember
	for _, member := range patched.ArchiveMembers {
		if member.ArchiveHeader.Name == magicHeaderName {
			magicArchive = member
			break
		}
	}

	if magicArchive.ArchiveHeader.Size != int64(len(magicData)) {
		panic(fmt.Sprintf("real size %d != parsed size %d", magicArchive.ArchiveHeader.Size, len(magicData)))
	}
}

Output:

panic: real size 348 != parsed size 256

DOS Stub incorrectly marked as not present

if dosHeaderSize > int(f.DosHeader.AddressOfNewExeHeader) {

I noticed binject was nulling out the DOSStub when doing some static patching and narrowed it down to this branch - I believe the greater than check is just flipped (or maybe should be !=) but in either case, changing to

if dosHeaderSize < int(f.DosHeader.AddressOfNewExeHeader) {

at least results in a PE generated with the stub properly.

Documentation request(?): goobj2 folder

I am currently in the process of making a pull-request after my merges, and I am updating the debug library to upstream's state while trying to preserve the changes that you guys did in relation to shellcode injection, the internal flags on the structs etc.

Can you explain how you created the goobj2 folder or where those files/packages came from?

The upstream golang codebase only has a cmd/internal/goobj folder, but it's not made for file parsing, and the debug folder doesn't contain the goobj2 subfolder.

Was that something that you implemented by yourself for debugging purposes?

It's a little unclear to me, any help or pointers appreciated.

(Tagging for notification @capnspacehook @awgh )
