{"id":13452983,"url":"https://github.com/zardus/preeny","last_synced_at":"2025-05-14T10:06:21.718Z","repository":{"id":28767803,"uuid":"32290157","full_name":"zardus/preeny","owner":"zardus","description":"Some helpful preload libraries for pwning stuff.","archived":false,"fork":false,"pushed_at":"2025-01-17T00:14:06.000Z","size":103,"stargazers_count":1607,"open_issues_count":20,"forks_count":177,"subscribers_count":46,"default_branch":"master","last_synced_at":"2025-04-13T00:39:25.472Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"C","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"bsd-2-clause","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/zardus.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2015-03-15T23:32:45.000Z","updated_at":"2025-04-09T13:13:22.000Z","dependencies_parsed_at":"2025-02-08T02:00:33.821Z","dependency_job_id":"85454de2-36fc-4e19-9448-87d0eb66fefc","html_url":"https://github.com/zardus/preeny","commit_stats":null,"previous_names":[],"tags_count":1,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/zardus%2Fpreeny","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/zardus%2Fpreeny/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/zardus%2Fpreeny/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/zardus%2Fpreeny/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/zardus","download_url":"https://codeload.github.com/zardus/preeny/tar.gz/refs/heads/master","
host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":254119472,"owners_count":22017951,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-07-31T08:00:30.066Z","updated_at":"2025-05-14T10:06:21.667Z","avatar_url":"https://github.com/zardus.png","language":"C","funding_links":[],"categories":["C","\u003ca id=\"1233584261c0cd5224b6e90a98cc9a94\"\u003e\u003c/a\u003e渗透\u0026\u0026offensive\u0026\u0026渗透框架\u0026\u0026后渗透框架","\u003ca id=\"783f861b9f822127dba99acb55687cbb\"\u003e\u003c/a\u003e工具","General","Libraries","Pentesting","Programming/Comp Sci/SE Things","others"],"sub_categories":["\u003ca id=\"80301821d0f5d8ec2dd3754ebb1b4b10\"\u003e\u003c/a\u003ePayload\u0026\u0026远控\u0026\u0026RAT","\u003ca id=\"6602e118e0245c83b13ff0db872c3723\"\u003e\u003c/a\u003e未分类-payload","Exploits","Exploitation/PWN"],"readme":"# preeny\n\nPreeny helps you pwn noobs by making it easier to interact with services locally.\nIt disables `fork()`, `rand()`, and `alarm()` and, if you want, can convert a server application to a console one using clever/hackish tricks, and can even patch binaries!\n\nPreeny has the following modules:\n\n| Name | Summary |\n|------|---------|\n| dealarm | Disables alarm() |\n| defork | Disables fork() |\n| deptrace | Disables ptrace() |\n| derand | Disables rand() and random() |\n| desigact | Disables sigaction() |\n| desock | Channels socket communication to the console |\n| desock\\_dup | Channels socket communication to the console (simpler method) |\n| ensock | The opposite of desock -- like an LD\\_PRELOAD version 
of socat! |\n| desrand | Does tricky things with srand() to control randomness. |\n| detime | Makes time() always return the same value. |\n| desleep | Makes sleep() and usleep() do nothing. |\n| mallocwatch | When ltrace is inconvenient, mallocwatch provides info on heap operations. |\n| writeout | Some binaries write() to fd 0, expecting it to be a two-way socket. This makes that work (by redirecting to fd 1). |\n| patch | Patches programs at load time. |\n| startstop | Sends SIGSTOP to itself on startup, to suspend the process. |\n| crazyrealloc | Ensures that whatever is being reallocated is always moved to a new location in memory, thus free()ing the old one. |\n| deuid | Changes the UID and effective UID of a process. |\n| eofkiller | Exits on EOF in several read functions. |\n| getcanary | Dumps the canary on program startup (x86 and amd64 only at the moment). |\n| setcanary | Overwrites the canary with a user-provided one on program startup (amd64-only at the moment). |\n| setstdin | Supplies user-defined STDIN data instead of the real input, overriding `read`, `fread`, `fgetc`, `getc` and `getchar` calls. Read [here](#stdin-substitution) for more info. |\n| nowrite | Forces open() to open files in read-only mode. 
It downgrades read-write or write-only mode and also takes care of append, mktemp and other write-related flags. |\n\n## Building\n\npreeny's patch functionality uses `libini_config` to read `.ini` files.\n\n* On Debian-based distros, you can install `libini-config-dev`.\n* On Arch-based distros, you can install `ding-libs`.\n* On Fedora-based distros, you can install `libini_config-devel`.\n\nAlso, deexec uses `seccomp` to set up a filter that blacklists `execve`-like calls.\n\n* On Debian-based distros, you can install `libseccomp-dev`.\n* On Arch-based distros, you can install `libseccomp`.\n* On Fedora-based distros, you can install `libseccomp-devel`.\n\nIf you're not running a Debian, Arch, or Fedora based distro, you've brought the pain upon yourself.\n\nYou can build preeny by doing:\n\n    make\n\nIt'll create a directory named after the OS and architecture type, then put the libraries there.\n\n### Cross-compilation\n\nIf you need to build 32-bit x86 preeny libs on a 64-bit x86 host, you can do:\n\n    make ARCH=i386\n\nAlternatively, if you want to utilize a cross-compiler, pass the `CC` variable to `make`.  For example:\n\n    make -i CC=mips-malta-linux-gnu-gcc\n\nBecause some modules fail in cross-compilation, it's recommended to use `make -i` so that the build continues past those failures.\n\n### CMake\n\nYou can also build the project with cmake. Look at the cmake-build-*.sh scripts for examples of how.\n\n## Usage\n\nLet's say that you have an application that you want to interact with on the command line, but it a) forks, b) sets an alarm which makes it hard to take your time studying its behavior, and c) insists on being connected to over a socket even if you don't want that.\nYou can do:\n\n```bash\nLD_PRELOAD=x86_64-linux-gnu/desock.so:x86_64-linux-gnu/defork.so:x86_64-linux-gnu/dealarm.so \\\n  ~/code/security/codegate/2015/rodent/rodent\n```\n\nPretty awesome stuff!  
Of course, you can pick and choose which preloads you want:\n\n```bash\necho 'No fork or alarm for you, but I still want to netcat!'\nLD_PRELOAD=x86_64-linux-gnu/defork.so:x86_64-linux-gnu/dealarm.so ~/code/security/codegate/2015/rodent/rodent\n\necho 'Ok, go ahead and fork, but no alarm. Time to brute force that canary.'\nLD_PRELOAD=x86_64-linux-gnu/dealarm.so ~/code/security/codegate/2015/rodent/rodent\n```\n\nHave fun!\n\n## Simple Things\n\nThe simplest functionality in preeny is the disabling of fork and alarm.\n\nCTF services frequently use alarm to help mitigate hung connections from players, but this is frustrating when you're debugging the service.\n\nFork is sometimes frustrating because some tools are unable to follow fork on some platforms and, when they do follow fork, the parent is oftentimes abandoned in the background and needs to be terminated manually afterwards.\n\n`dealarm.so` replaces `alarm()` with a function that just does a `return 0`.\n`defork.so` does the same thing to `fork()`, which means that the program will think that the fork has succeeded and that it's the child.\n\n## Derandomization\n\nIt's often easiest to test your exploits without extra randomness, and then ease up on the cheating little by little.\nPreeny ships with two modules to help: `derand` and `desrand`.\n\n`derand.so` replaces `rand()` and `random()` and returns a configurable value. 
Just specify it in the `RAND` environment variable (or go with the default of 42):\n\n```bash\n# this will return 42 on each rand() call\nLD_PRELOAD=x86_64-linux-gnu/derand.so tests/rand\n\n# this will return 1337 on each rand() call\nRAND=1337 LD_PRELOAD=x86_64-linux-gnu/derand.so tests/rand\n```\n\nFor slightly more complex things, `desrand.so` lets you override the `srand` function to your liking.\n\n```bash\n# this simply sets the seed to 42\nLD_PRELOAD=x86_64-linux-gnu/desrand.so tests/rand\n\n# this sets the seed to 1337\nSEED=1337 LD_PRELOAD=x86_64-linux-gnu/desrand.so tests/rand\n\n# this sets the seed such that the first \"rand() % 128\" will be 10\nWANT=10 MOD=128 LD_PRELOAD=x86_64-linux-gnu/desrand.so tests/rand\n\n# finally, this makes the *third* \"rand() % 128\" be 10\nSKIP=2 WANT=10 MOD=128 LD_PRELOAD=x86_64-linux-gnu/desrand.so tests/rand\n```\n\n`desrand` does all this by brute-forcing the seed value, so keep in mind that startup will get considerably slower as `MOD` increases.\n\n## De-socketing\n\nCertain tools (American Fuzzy Lop, for example) are unable to handle network binaries.\nPreeny includes two \"de-socketing\" modules.\n`desock.so` neuters `socket()`, `bind()`, `listen()`, and `accept()`, making them return sockets that are, through hackish ways, synchronized to `stdin` and `stdout`.\n`desock_dup.so` is a simpler version for programs that dup accepted sockets over file descriptors 0, 1, and 2.\n\nA discussion of the different ways to de-socket a program, and why Preeny does it the way it does, can be found [here](https://github.com/zardus/preeny/issues/10).\n\n## En-socketing\n\nYou can also use preeny to turn a normal binary into a socket binary! 
Just set the `PORT` environment variable (default is 1337) and preload `ensock.so`!\n\n## Preload patching\n\n`patch.so` patches binaries!\nThis is done before the program starts, by triggering the patcher from a constructor function in `patch.so`.\nPatches are specified in a `.ini` format, and applied by including `patch.so` in `LD_PRELOAD` and providing a patch file specified by the `PATCH` environment variable.\nFor example:\n\n```ShellSession\n# tests/hello\nHello world!\n# cat hello.p\n[hello]\naddress=0x4005c4\ncontent='4141414141'\n\n[world]\naddress=0x4005ca\ncontent='6161616161'\n# PATCH=\"hello.p\" LD_PRELOAD=x86_64-linux-gnu/patch.so tests/hello\n--- section hello in file hello.p specifies 5-byte patch at 0x4005c4\n--- section world in file hello.p specifies 5-byte patch at 0x4005ca\nAAAAA aaaaa!\n\n```\n\nHaving different patch files and just enabling/disabling them via preload is oftentimes easier than modifying the underlying binary.\n\n## STDIN substitution\n\n`setstdin.so` allows you to replace `STDIN` with user-defined data. It overrides `read`, `fread`, `fgetc`, `getc` and `getchar` calls, and\nreturns the user-defined data when the binary asks for some `STDIN`.\n\n`setstdin` first tries to get the user-defined data from the `PREENY_STDIN` environment variable; if this variable is not defined, it tries to read the data\nfrom the file named by the `PREENY_STDIN_FILENAME` environment variable. If neither is defined, `setstdin` uses a default value.\n\n```ShellSession\n$ PREENY_STDIN=New_message LD_PRELOAD=src/setstdin.so test/setstdin_read\nN|ew|_me|ssag|e|\n\n$ echo \"Some other message\" \u003e tmp_file\n$ PREENY_STDIN_FILENAME=tmp_file LD_PRELOAD=src/setstdin.so test/setstdin_getc\nS|o|m|e| |o|t|h|e|r| |m|e|s|s|a|g|e|\n\n$ LD_PRELOAD=src/setstdin.so test/setstdin_fread\nD|ef|aul|t se|tstdi|n valu|e. 
Plea|se set P|REENY_STD|IN or PREE|NY_STDIN_FI|LENAME envir|onment variab|les to set you|r own value\n\n```\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fzardus%2Fpreeny","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fzardus%2Fpreeny","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fzardus%2Fpreeny/lists"}