Hide strings
Stack strings
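Without stack strings:
#include <stdio.h>
#include <unistd.h>
int main() {
    /* The path is a string literal, so it is stored as contiguous bytes in the binary and `strings` finds it. */
    execve("/bin/sh", NULL, NULL);
    return 0;
}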
$ gcc main.c -o main
$ strings main | grep "/bin/sh"
/bin/sh
$ gdb ./main
gef➤ disass main
Dump of assembler code for function main:
0x0000000000001139 <+0>: push rbp
0x000000000000113a <+1>: mov rbp,rsp
0x000000000000113d <+4>: mov edx,0x0
0x0000000000001142 <+9>: mov esi,0x0
0x0000000000001147 <+14>: lea rax,[rip+0xeb6] # 0x2004
0x000000000000114e <+21>: mov rdi,rax
0x0000000000001151 <+24>: call 0x1030 <execve@plt>
0x0000000000001156 <+29>: mov eax,0x0
0x000000000000115b <+34>: pop rbp
0x000000000000115c <+35>: ret
End of assembler dump.
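With stack strings:
$ cat main.c
#include <stdio.h>
#include <unistd.h>
int main(){
    char slash = '/';
    /* Each byte is written to the stack by its own instruction (see the disassembly), so no contiguous "/bin/sh" literal is emitted. */
    char bin_sh[] = { slash, 'b', 'i', 'n', slash, 's', 'h', 0 };
    execve(bin_sh, NULL, NULL);
    return 0;
}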
$ gcc main.c -o main
$ strings main | grep "/bin/sh"
$ gdb ./main
gef➤ disass main
Dump of assembler code for function main:
[...]
0x0000000000001160 <+23>: mov BYTE PTR [rbp-0x11],0x2f
0x0000000000001164 <+27>: movzx eax,BYTE PTR [rbp-0x11]
0x0000000000001168 <+31>: mov BYTE PTR [rbp-0x10],al
0x000000000000116b <+34>: mov BYTE PTR [rbp-0xf],0x62
0x000000000000116f <+38>: mov BYTE PTR [rbp-0xe],0x69
0x0000000000001173 <+42>: mov BYTE PTR [rbp-0xd],0x6e
0x0000000000001177 <+46>: movzx eax,BYTE PTR [rbp-0x11]
0x000000000000117b <+50>: mov BYTE PTR [rbp-0xc],al
0x000000000000117e <+53>: mov BYTE PTR [rbp-0xb],0x73
0x0000000000001182 <+57>: mov BYTE PTR [rbp-0xa],0x68
0x0000000000001186 <+61>: mov BYTE PTR [rbp-0x9],0x0
[...]
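For analysis, the byte stores in the listing above can be replayed to rebuild the string that `strings` misses. This is an added example, not part of the original notes: a heuristic Python scanner that recognises only the three rbp-relative encodings shown in the listing. `SAMPLE` is constructed by hand-encoding those listed instructions, and the function names are hypothetical.

```python
"""Recover stack strings from x86-64 code bytes (added example, heuristic)."""
import re

# Constructed sample: the instructions at main+23..main+61 in the listing above,
# encoded by hand (C6 45 = mov [rbp+d],imm8; 0F B6 45 = movzx eax,[rbp+d];
# 88 45 = mov [rbp+d],al).
SAMPLE = bytes.fromhex(
    "c645ef2f" "0fb645ef" "8845f0" "c645f162" "c645f269" "c645f36e"
    "0fb645ef" "8845f4" "c645f573" "c645f668" "c645f700"
)

def ascii_strings(data: bytes, min_len: int = 4) -> list[str]:
    """What `strings` does: contiguous printable runs in the raw bytes."""
    return [m.decode() for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]

def s8(b: int) -> int:
    """Interpret one byte as a signed 8-bit displacement."""
    return b - 256 if b > 127 else b

def recover_stack_strings(code: bytes, min_len: int = 4) -> list[str]:
    """Replay byte stores to [rbp+disp8] and return printable runs by address."""
    stack, al, i = {}, None, 0
    while i < len(code):
        if code[i:i+2] == b"\xc6\x45" and i + 4 <= len(code):
            stack[s8(code[i+2])] = code[i+3]          # store immediate byte
            i += 4
        elif code[i:i+3] == b"\x0f\xb6\x45" and i + 4 <= len(code):
            al = stack.get(s8(code[i+3]))             # load tracked byte into AL
            i += 4
        elif code[i:i+2] == b"\x88\x45" and i + 3 <= len(code):
            if al is not None:
                stack[s8(code[i+2])] = al             # store AL
            i += 3
        else:
            i += 1                                    # not a tracked pattern; resync
    found, run = [], ""
    for disp in range(-128, 129):                     # 128 is a sentinel flush
        b = stack.get(disp)
        if b is not None and 0x20 <= b <= 0x7e:
            run += chr(b)
        else:
            if len(run) >= min_len:
                found.append(run)
            run = ""
    return found

if __name__ == "__main__":
    print(ascii_strings(SAMPLE))          # nothing for `strings` to find
    print(recover_stack_strings(SAMPLE))  # adjacent `slash` local gives a leading '/'
```

The recovered run is `//bin/sh` rather than `/bin/sh` because the `slash` local at rbp-0x11 sits directly below the array that starts at rbp-0x10, so match on substrings when triaging recovered strings.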
Function Encryption
- Determine the function's size by using a linker script.
Default linker script: gcc main.c -Wl,-verbose
-Wl,option: Pass option as an option to the linker.
Use cipher
- XOR
- RC4