{"id":13480604,"url":"https://github.com/ixty/mandibule","last_synced_at":"2025-03-27T11:30:39.384Z","repository":{"id":41557043,"uuid":"135158831","full_name":"ixty/mandibule","owner":"ixty","description":"linux elf injector for x86 x86_64 arm arm64","archived":false,"fork":false,"pushed_at":"2018-05-31T13:39:29.000Z","size":25,"stargazers_count":317,"open_issues_count":5,"forks_count":70,"subscribers_count":19,"default_branch":"master","last_synced_at":"2024-10-30T14:42:18.404Z","etag":null,"topics":["aarch64","arm","arm64","elf","injection","injector","manual-mapping","process","syscall","x86","x86-64"],"latest_commit_sha":null,"homepage":null,"language":"C","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/ixty.png","metadata":{"files":{"readme":"readme.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2018-05-28T12:36:03.000Z","updated_at":"2024-10-30T11:23:25.000Z","dependencies_parsed_at":"2022-08-19T06:22:27.382Z","dependency_job_id":null,"html_url":"https://github.com/ixty/mandibule","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ixty%2Fmandibule","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ixty%2Fmandibule/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ixty%2Fmandibule/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ixty%2Fmandibule/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/ixty","download_url":"https://codeload.github.com/ixty/mandibule/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github
.com","kind":"github","repositories_count":245835893,"owners_count":20680288,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["aarch64","arm","arm64","elf","injection","injector","manual-mapping","process","syscall","x86","x86-64"],"created_at":"2024-07-31T17:00:42.301Z","updated_at":"2025-03-27T11:30:38.959Z","avatar_url":"https://github.com/ixty.png","language":"C","readme":"# mandibule: linux elf injector\n\n## intro\nMandibule is a program that injects an ELF file into a remote process.\n\nBoth statically \u0026 dynamically linked programs can be targeted.\nSupported archs:\n\n- x86\n- x86_64\n- arm\n- aarch64\n\nExample usage: https://asciinema.org/a/KkOHP2Jef0E6wViPCglkXLRcV\n\n@ixty 2018\n\n\n## installation\n```shell\ngit clone https://github.com/ixty/mandibule\ncd mandibule\nmake\n```\n\n\n## usage\n```shell\nusage: ./mandibule \u003celf\u003e [-a arg]* [-e env]* [-m addr] \u003cpid\u003e\n\nloads an ELF binary into a remote process.\n\narguments:\n    - elf: path of binary to inject into \u003cpid\u003e\n    - pid: pid of process to inject into\n\noptions:\n    -a arg: argument to send to injected program - can be repeated\n    -e env: environment value sent to injected program - can be repeated\n    -m mem: base address at which program is loaded in remote process, default=AUTO\n\nNote: order of arguments must be respected (no getopt sry)\n```\n\n\n## example run\n```shell\n$ make x86_64\n\n# in shell 1\n$ ./target\n\u003e started.\n......\n\n# in shell 2\n$ ./mandibule ./toinject `pidof target`\n\u003e target pid: 6266\n\u003e arg[0]: ./toinject\n\u003e args size: 
51\n\u003e shellcode injection addr: 0x7f0f4719c000 size: 0x5000 (available: 0x195000)\n\u003e success attaching to pid 6266\n\u003e backed up mem \u0026 registers\n\u003e injected shellcode at 0x7f0f4719c000\n\u003e running shellcode..\n\u003e shellcode executed!\n\u003e restored memory \u0026 registers\n\u003e successfully injected shellcode into pid 6266\n\n# back to shell 1\n...\n\u003e target pid: 6266\n\u003e arg[0]: ./toinject\n\u003e args size: 51\n\u003e auxv len: 304\n\u003e auto-detected manual mapping address 0x55f6e1000000\n\u003e mapping './toinject' into memory at 0x55f6e1000000\n\u003e reading elf file './toinject'\n\u003e loading elf at: 0x55f6e1000000\n\u003e load segment addr 0x55f6e1000000 len 0x1000 =\u003e 0x55f6e1000000\n\u003e load segment addr 0x55f6e1200dd8 len 0x1000 =\u003e 0x55f6e1200000\n\u003e max vaddr 0x55f6e1212000\n\u003e loading interp '/lib64/ld-linux-x86-64.so.2'\n\u003e reading elf file '/lib64/ld-linux-x86-64.so.2'\n\u003e loading elf at: 0x55f6e1212000\n\u003e load segment addr 0x55f6e1212000 len 0x23000 =\u003e 0x55f6e1212000\n\u003e load segment addr 0x55f6e1435bc0 len 0x2000 =\u003e 0x55f6e1435000\n\u003e max vaddr 0x55f6e1448000\n\u003e eop 0x55f6e1212c20\n\u003e setting auxv\n\u003e set auxv[3] to 0x55f6e1000040\n\u003e set auxv[5] to 0x9\n\u003e set auxv[9] to 0x55f6e10006e0\n\u003e set auxv[7] to 0x55f6e1000000\n\u003e eop 0x55f6e1212c20\n\u003e starting ...\n\n# oh hai from pid 6266\n# arg[0]: ./toinject\n# :)\n# :)\n# :)\n# bye!\n...........\n\n\n```\n\n\n## injection process\nmandibule has no dependencies (not even libc) and is compiled with pie and fpie in order to make it fully relocatable.\n\nThis way we can copy mandibule's code into any process and it will be able to run as if it were fully independent shellcode.\n\nHere is how mandibule works:\n\n- find an executable section in target process with enough space (~5Kb)\n- attach to process with ptrace\n- backup register state\n- backup executable section\n- 
inject mandibule code into executable section\n- let the execution resume on our own injected code\n- wait until exit() is called by the remote process\n- restore registers \u0026 memory\n- detach from process\n\nIn the remote process, mandibule does the following:\n\n- read arguments, environment variables and other options from its own memory\n- find a suitable memory address to load the target elf file if needed\n- manually load \u0026 map the elf file into memory using only syscalls\n- load the ld-linux interpreter if needed\n- call the main function of the manually loaded binary\n\n\n## tested on\n\n- __x86__:      Linux debian 4.9.0-3-amd64 #1 SMP Debian 4.9.30-2+deb9u5 (2017-09-19) x86_64 GNU/Linux\n- __x86_64__:   Linux debian 4.9.0-3-amd64 #1 SMP Debian 4.9.30-2+deb9u5 (2017-09-19) x86_64 GNU/Linux\n- __arm64__:    Linux buildroot 4.13.6 #1 SMP Sat Mar 3 16:40:18 UTC 2018 aarch64 GNU/Linux\n- __arm__:      Linux buildroot 4.11.3 #1 SMP Sun Mar 4 02:36:56 UTC 2018 armv7l GNU/Linux\n\narm \u0026 arm64 were tested using [arm_now](https://github.com/nongiach/arm_now) by [@chaignc](https://twitter.com/chaignc) to easily spawn qemu vms with the desired arch.\n","funding_links":[],"categories":["C"],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fixty%2Fmandibule","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fixty%2Fmandibule","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fixty%2Fmandibule/lists"}