Added developer tools; nullhook.so and noophook.so.

Author: rsundahl

Dockerfile

@@ -1,15 +1,6 @@
-#FROM	alpine:3.7
-#RUN	apk update
-#RUN	apk del musl-dev
-#RUN	apk add bash curl gcc git libc-dev
-
 FROM	centos:7.4.1708
 RUN	yum update -y
-RUN	yum install -y bash curl gcc git libc6-dev
-
-#FROM	ubuntu:xenial-20180123
-#RUN	apt-get update -y
-#RUN	apt-get install -y curl gcc git libc6-dev
+RUN	yum install -y bash curl gcc libc6-dev
 
 WORKDIR	/readhook
 COPY	src src
@@ -26,6 +17,8 @@ RUN	ar -cvq lib/utilhook.a obj/*.o
 RUN	mkdir ./dll
 RUN	gcc -std=gnu99 -fstack-protector-all -fPIC -Fpie -pie src/basehook.c -Wl,-z,relro,-z,now -shared -lc -ldl lib/utilhook.a -o dll/basehook.so
 RUN	gcc -std=gnu99 -fstack-protector-all -fPIC -Fpie -pie src/fullhook.c -Wl,-z,relro,-z,now -shared -lc -ldl lib/utilhook.a -o dll/fullhook.so
+RUN	gcc -std=gnu99 -fstack-protector-all -fPIC -Fpie -pie src/noophook.c -Wl,-z,relro,-z,now -shared -lc -ldl lib/utilhook.a -o dll/noophook.so
+RUN	gcc -std=gnu99 -fstack-protector-all -fPIC -Fpie -pie src/nullhook.c -Wl,-z,relro,-z,now -shared -lc -ldl lib/utilhook.a -o dll/nullhook.so
 
 RUN	mkdir ./app
 RUN	gcc -std=gnu99 -fPIC -Fpie -pie -DFULLHOOK_MAIN=1 src/fullhook.c lib/utilhook.a -Wl,-z,relro,-z,now -lc -ldl -o app/fullhook

README.md

@@ -2,7 +2,7 @@
 Red-team tool to hook libc read syscall with a buffer overflow vulnerability.
 
 ## Building
-Readhook is a set of two "hook" routines that can be injected into an application to create an intentional buffer overflow vulnerability. The two "hook" routines can be injected individually or as a chain using LD_PRELOAD. Both "hooks" insert themselves in front of the libc->read() system call and watch for magic strings to pass. Basehook.so contains the overflow enpoint alone, while fullhook.so adds helpful endpoints that assist in generating valid shellcode that can then be turned around and used in basehook.so for the actual overflow (fullhook.so also contains . Use the following command line in the context of the OS in which you would like to hook the read syscall:
+Readhook consists of a set of shared libraries that can be injected into an application to create an intentional buffer overflow vulnerability. The hook routines basehook.so and fullhook.so can be injected individually or as a chain using LD_PRELOAD. Both hooks insert themselves in front of the libc->read() system call and watch for magic strings to pass. Basehook.so contains the overflow endpoint alone, while fullhook.so adds helpful endpoints that assist in generating valid shellcode that can then be turned around and used by basehook.so for the actual overflow (fullhook.so also contains an overflow endpoint for convenience). (Additionally, there are two helper hooks for developers; nullhook.so which does nothing, and noophook.so which injects itself before the libc->read() function and simply passes the request through.)
 ```
 ./build.sh
 ```

assets.sh

@@ -1,6 +1,6 @@
 #!/bin/bash
 declare -r      repository=polyverse/readhook
-declare -r -a   assets=(basehook.so fullhook.so)
+declare -r -a   assets=(dll/basehook.so dll/fullhook.so dll/noophook.so dll/nullhook.so)
 declare         tag=$1
 
 # If no tag is given, use the jenkins release assets

build.sh

@@ -1,8 +1,16 @@
 #!/bin/bash
+# Delete the old artifacts
+rm -r app dll
+
+# Build readhook
 docker build --no-cache -t readhook .
 
-# Extract the library from the container
-docker run -d --rm --name readhook readhook sleep 10
-docker cp readhook:/readhook/dll/basehook.so $PWD/basehook.so
-docker cp readhook:/readhook/dll/fullhook.so $PWD/fullhook.so
+# Run readhook and just sleep while we copy the build artifacts
+docker run -d --rm --name readhook readhook sleep 60
+
+# Extract the buld artifacts
+docker cp readhook:/readhook/dll/ $PWD/dll/
+docker cp readhook:/readhook/app/ $PWD/app/
+
+# We're done so kill it since it's just sleeping
 docker kill readhook