设为首页收藏本站据说调试过游戏的人都能在0.67秒内记住本站域名:www.bpsend.net
开启辅助访问 切换到窄版

登录  | 立即注册

游客您好!登录后享受更多精彩

断点社区-专业的老牌游戏安全技术交流社区»论坛 技术交流 Windows内核技术 svc hook框架
返回列表
+ 发新帖
查看: 80|回复: 1

svc hook框架

[复制链接]
admin

102

主题

10

回帖

607

积分

管理员

积分
607
发表于 6 天前 | 显示全部楼层 |阅读模式
受看雪里所有svc hook思路启发
根据返回指针地址判断是否为劫持svc
仅支持aarch64
仿inlinehook框架结构
不依靠root
代码ai写的 自己优化
可以直接编译使用
seccomp bpf有意思的玩法:
后门
提前设置一个svc被劫持
,保存自己syscall的地址为instruction_pointer
BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, instruction_pointer)),
当执行该syscall时seccomp进入自己的函数
BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_TRAP)
或者触发
SECCOMP_RET_KILL
该kill只传递信号 不能被捕捉到svc 所以一切针对svc的hook无效
  1. #include <stdio.h>
  2. #include <stdlib.h>
  3. #include <unistd.h>
  4. #include <sys/syscall.h>
  5. #include <pthread.h>
  6. #include <signal.h>
  7. #include <string.h>
  8. #include <stdatomic.h>
  9. // http://aospxref.com/android-13.0.0_r3/s?path=asm/sigcontext.h&project=bionic
  10. #include <asm/sigcontext.h>
  11. #include <setjmp.h>
  12. #if defined(__aarch64__)
  13. #include "syscalls_aarch64.h"
  14. const char *const *syscall_table = &kSyscalls_Aarch64[0];
  15. #elif defined(__x86_64__)
  16. #include "syscalls_x86_64.h"
  17. const char *const *syscall_table = &kSyscalls_x86_64[0];
  18. #endif
  19. __inline__ __attribute__((always_inline))__attribute__ ((visibility ("hidden")))  long my_syscall(long __number, ...);
  20. typedef long (*hook_function_t)(unsigned long, unsigned long, unsigned long, unsigned long, unsigned long);

  22. #define MAX_SYSCALL_NO 1024

  24. void sigsys_handler(int sig, siginfo_t *info, void *secret);
  25. typedef struct RemoteCaller {
  26. pthread_rwlock_t rwlock_;
  27.     pthread_mutex_t caller_mutex_;
  28.     pthread_cond_t caller_cond_;
  29.     pthread_mutex_t callee_mutex_;
  30.     pthread_cond_t callee_cond_;
  31. atomic_long call_result_;
  32.     atomic_int syscall_no_;
  33.     atomic_bool start_loop_;
  34. _Atomic(struct sigcontext *) call_args_; // 修改为原子指针类型
  35.    atomic_bool signal_received_;
  36.    atomic_bool signal_received_1;
  37.    atomic_bool signal_received_2;
  38.     hook_function_t before_hook_func_;
  39.     hook_function_t after_hook_func_;
  40.     hook_function_t patch_func_;
  41. pthread_barrier_t barrier_;
  42. } RemoteCaller;

  44. _Atomic(RemoteCaller *)* g_remote_caller[MAX_SYSCALL_NO] = {0};

  46. void trace_sys_call(int sysno) {
  47.     printf("===== handle syscall no %d : %s\n", sysno, syscall_table[sysno]);
  48. }

  50. void RemoteCaller_handleSigsys();
  51. void RemoteCaller_start_remote_thread(_Atomic(RemoteCaller *) caller);
  52. /*void RemoteCaller_start_remote_thread(RemoteCaller *caller);*/
  53. long RemoteCaller_remote_syscall( _Atomic(RemoteCaller *) caller, struct sigcontext* sigctx);
  54. //l*long RemoteCaller_remote_syscall( RemoteCaller *caller, struct sigcontext* sigctx);*/
  55. RemoteCaller* RemoteCaller_create(int syscall_no, void *before_hook_func, void *after_hook_func, void *patch_func) {


  58. _Atomic(RemoteCaller *) caller = ATOMIC_VAR_INIT(malloc(sizeof(RemoteCaller)));
  59. if (caller == NULL) {
  60. }


  63.    /* RemoteCaller *caller = (RemoteCaller *) malloc(sizeof(RemoteCaller));
  64.    
  65.   /*  if (caller == NULL) {
  66.         return NULL;
  67.     }*/
  68.     caller->caller_mutex_ = (pthread_mutex_t) PTHREAD_MUTEX_INITIALIZER;
  69.     caller->caller_cond_ = (pthread_cond_t) PTHREAD_COND_INITIALIZER;
  70.    
  71.     caller->callee_mutex_ = (pthread_mutex_t) PTHREAD_MUTEX_INITIALIZER;
  72.     caller->callee_cond_ = (pthread_cond_t) PTHREAD_COND_INITIALIZER;
  73.     pthread_barrier_init(&caller->barrier_, NULL, 2);
  74.     atomic_init(&caller->call_result_, 0);
  75.     atomic_init(&caller->syscall_no_, syscall_no);
  76.    caller->start_loop_ = false;
  77.   //  caller->start_loop_ = true;
  78.     caller->before_hook_func_ = (hook_function_t) before_hook_func;
  79.     caller->after_hook_func_ = (hook_function_t) after_hook_func;
  80.     caller->patch_func_ = (hook_function_t) patch_func;
  81.     RemoteCaller_handleSigsys();
  82.     RemoteCaller_start_remote_thread(atomic_load(&caller));
  83.     return atomic_load(&caller);
  84. }




  89. RemoteCaller* RemoteCaller_getInstance(int syscall_no) {
  90.     if (syscall_no > MAX_SYSCALL_NO - 1 || syscall_no < 0) {
  91.         printf("syscall_no %d error\n", syscall_no);
  92.         abort();
  93.         return NULL;
  94.     }
  95.     _Atomic(RemoteCaller *) *atomic_caller = &g_remote_caller[syscall_no];
  96.     // 使用原子操作获取g_remote_caller[syscall_no]
  97.     _Atomic(RemoteCaller *) *caller = atomic_load(atomic_caller);
  98.     if (caller == NULL) {
  99.         // 如果不存在,调用RemoteCaller_create创建一个
  100.         caller = RemoteCaller_create(syscall_no, NULL, NULL, NULL);
  101.     }
  102.     return caller;
  103. }
  104. void RemoteCaller_registerSyscall(int syscall_no, void *before_hook_func, void *after_hook_func, void *patch_func) {
  105.     if (syscall_no > MAX_SYSCALL_NO - 1 || syscall_no < 0) {
  106.         printf("syscall_no %d error\n", syscall_no);
  107.         return;
  108.     }
  109. _Atomic(RemoteCaller *) *atomic_caller = &g_remote_caller[syscall_no];
  110.    _Atomic(RemoteCaller *) * old_val = NULL;
  111.     _Atomic(RemoteCaller *) new_val = RemoteCaller_create(syscall_no, before_hook_func, after_hook_func, patch_func);
  112.     atomic_compare_exchange_strong(atomic_caller, &old_val, new_val);

  114.     // If the atomic pointer to RemoteCaller was already set, free the new RemoteCaller object.
  115.     if (old_val != NULL) {
  116.         free(new_val);
  117.     }
  118. }


  121. _Atomic(bool) RemoteCaller_handle_sigsys_ = false;
  122. //bool RemoteCaller_handle_sigsys_ = false;

  124. jmp_buf env;
  125. void sigsys_handler1(int sig, siginfo_t *info, void *secret) {

  127.       


  130.     ucontext_t *ctx = (ucontext_t *) secret;
  131.     struct sigcontext *sigctx = (struct sigcontext *) &ctx->uc_mcontext;
  132.     bool is_handle_syscall = false;
  133. #if defined(__aarch64__)
  134.     is_handle_syscall = *(((uint32_t *) info->si_call_addr) - 1) == 0xd4000001; //01 00 00 d4  svc     #0
  135.     int sysno = sigctx->regs[8];
  136.     unsigned long *presult = (unsigned long *) &sigctx->regs[0];
  137. #else
  138.     printf("unsupport arch\n");
  139. //    exit(0);
  140. #endif
  141.     if (is_handle_syscall) {
  142. _Atomic(RemoteCaller *) caller = RemoteCaller_getInstance(sysno);
  143.         if (caller == NULL) {
  144.             printf("remote caller for syscall %d not found\n", sysno);
  145.         }
  146.         long ret = RemoteCaller_remote_syscall(caller, sigctx);
  147.         *presult = ret;
  148.     }
  149. }


  152. int is_address_valid(void* ptr) {
  153. setjmp(env);
  154. printf("The pointer is invalid.\n");
  155. }
  156. void RemoteCaller_handleSigsys1() {
  157. /*   if (!atomic_load(&RemoteCaller_handle_sigsys_)) {*/
  158.         printf("register SIGSYS start\n");
  159.         struct sigaction act;
  160.         struct sigaction old_act;
  161.         sigemptyset(&act.sa_mask);
  162.         act.sa_flags = SA_NODEFER | SA_ONSTACK | SA_SIGINFO;
  163.         act.sa_sigaction = sigsys_handler;
  164.         sigaction(SIGSYS, &act, &old_act);
  165.         atomic_store(&RemoteCaller_handle_sigsys_, true);
  166.         printf("register SIGSYS end\n");
  167. /*   }*/
  168. }


  171. unsigned long *RemoteCaller_get_syscall_param(struct sigcontext *sigctx, int index) {
  172.     if (index < 0 || index >= 6) return 0;
  173.     unsigned long *regs = NULL;
  174.     unsigned long *sp = NULL;
  175.    
  176. #if defined(__aarch64__)
  177.     regs = (ucontext_t *) &(sigctx->regs[0]);
  178.     sp = (ucontext_t *) sigctx->sp;
  179.     if (index <= 7) {
  180.         // x0 - x7
  181.         return regs[index];
  182.     } else {
  183.         // stack
  184.         return sp[index - 3];
  185.     }
  186. #else
  187.     printf("unsupport arch");
  188. //    exit(0);
  189. #endif
  190. }

  192. void* RemoteCaller_remote_call_thread_function(void *args_ptr) {
  193. //printf(">>>>> handle signal not caused by ebpf\n");
  194. //    RemoteCaller *caller = (RemoteCaller *) args_ptr;
  195. _Atomic(RemoteCaller *) caller = atomic_load((_Atomic(RemoteCaller *) *) &args_ptr);

  197. // 发送信号
  198. atomic_store(&caller->signal_received_2, true);
  199. pthread_cond_signal(&caller->caller_cond_);
  200. pthread_mutex_lock(&caller->callee_mutex_);
  201.     while (atomic_load(&caller->start_loop_)) {
  202.         printf("## RemoteCaller wait call\n");
  203. while (!atomic_load(&caller->signal_received_1)) {
  204.     pthread_cond_wait(&caller->callee_cond_, &caller->callee_mutex_);
  205. }
  206. // 重置信号标志
  207. atomic_store(&caller->signal_received_1, false);
  208. pthread_mutex_unlock(&caller->callee_mutex_);
  209.         printf("## RemoteCaller wait call\n");
  210.     atomic_store(&caller->call_result_, syscall(caller->syscall_no_,
  211.                                RemoteCaller_get_syscall_param(atomic_load(&caller->call_args_), 0),
  212.                                RemoteCaller_get_syscall_param(atomic_load(&caller->call_args_), 1),
  213.                 //         0,
  214.                                RemoteCaller_get_syscall_param(atomic_load(&caller->call_args_), 2),
  215.                                RemoteCaller_get_syscall_param(atomic_load(&caller->call_args_), 3),
  216.                                RemoteCaller_get_syscall_param(atomic_load(&caller->call_args_), 4),
  217.                                RemoteCaller_get_syscall_param(atomic_load(&caller->call_args_), 5),
  218.                                RemoteCaller_get_syscall_param(atomic_load(&caller->call_args_), 6),
  219.                                RemoteCaller_get_syscall_param(atomic_load(&caller->call_args_), 7)
  220.                                ));

  222.                                  
  223.                                        
  224.                                              trace_sys_call(caller->syscall_no_);
  225.         printf("## RemoteCaller wake call thread\n");
  226. // 发送信号
  227. atomic_store(&caller->signal_received_, true);

  229. pthread_cond_signal(&caller->caller_cond_);

  231.     }
  232.     return NULL;
  233. }



  237. // 使用barrier同步线程

  239. void RemoteCaller_start_remote_thread(_Atomic(RemoteCaller *) caller_atomic) {
  240.     _Atomic(RemoteCaller *) caller = atomic_load(&caller_atomic);
  241.     if (!atomic_load(&caller->start_loop_)) {
  242.         atomic_store(&caller->start_loop_, true);
  243.         printf("start remote thread for syscall no %d\n", caller->syscall_no_);

  245.         pthread_t td;
  246.         int rc = pthread_create(&td, NULL, RemoteCaller_remote_call_thread_function, caller);
  247.         if (rc != 0) {
  248.             printf("Failed to create remote call thread for syscall no %d\n", caller->syscall_no_);
  249.             return;
  250.         }
  251.         pthread_detach(td);
  252. pthread_mutex_lock(&caller->caller_mutex_);
  253.         while (!atomic_load(&caller->signal_received_2)) {
  254.             pthread_cond_wait(&caller->caller_cond_, &caller->caller_mutex_);
  255.             break;
  256.         }

  258.         // 重置信号标志
  259.         atomic_store(&caller->signal_received_2, false);
  260.         pthread_spin_unlock(&caller->caller_mutex_);
  261.         printf("start remote thread for syscall no %d finished\n", caller->syscall_no_);
  262.     }
  263. }

  265. /*void RemoteCaller_start_remote_thread(_Atomic(RemoteCaller *) caller) {

  267.         if (!atomic_load(&caller->start_loop_)) {
  268.         atomic_store(&caller->start_loop_, true);
  269.         printf("start remote thread for syscall no %d\n", caller->syscall_no_);
  270.         
  271.         pthread_t td;
  272.        int rc =
  273.      pthread_create(&td, NULL, RemoteCaller_remote_call_thread_function, caller);
  274.         if (rc != 0) {
  275.             printf("Failed to create remote call thread for syscall no %d\n", caller->syscall_no_);
  276.             return;
  277.         }
  278.         pthread_detach(td);

  280.      
  281.      while (!atomic_load(&caller->signal_received_2)) {
  282.     pthread_cond_wait(&caller->caller_cond_, &caller->caller_mutex_);
  283.     break;
  284. }

  286. // 重置信号标志
  287. atomic_store(&caller->signal_received_2, false);


  290.         printf("start remote thread for syscall no %d finished\n", caller->syscall_no_);
  291.     }
  292. }*/

  294. void RemoteCaller_stop_remote_thread(RemoteCaller *caller) {
  295.     caller->start_loop_ = false;
  296. }

  298. long RemoteCaller_remote_syscall1(_Atomic(RemoteCaller *) caller_atomic, struct sigcontext *sigctx) {
  299. _Atomic(RemoteCaller *) caller = atomic_load(&caller_atomic);
  300.     printf("locked exec remote_syscall\n");
  301.     atomic_store(&caller->call_args_, sigctx);
  302.     printf("wake up remote thread\n");

  304. // 发送信号

  306. atomic_store(&caller->signal_received_1, true);
  307. pthread_cond_signal(&caller->callee_cond_);


  310.     printf("wait remote thread...\n");

  312. pthread_spin_lock(&caller->caller_mutex_);
  313. /*  atomic_init(&caller->signal_received_, false);*/
  314. while (!atomic_load(&caller->signal_received_)) {
  315.     pthread_cond_wait(&caller->caller_cond_, &caller->caller_mutex_);
  316.     break;
  317. }

  319. // 重置信号标志
  320. atomic_store(&caller->signal_received_, false);
  321. pthread_spin_unlock(&caller->caller_mutex_);
  322. // 读取 call_result_
  323. unsigned long ret = atomic_load(&caller->call_result_);

  325. // 写入 call_result_
  326. atomic_store(&caller->call_result_, ret);
  327.     printf("unlocked exec remote_syscall\n");
  328.     return ret;
  329. }

  331. long RemoteCaller_remote_syscall(_Atomic(RemoteCaller *) caller_atomic, struct sigcontext *sigctx) {
  332. _Atomic(RemoteCaller *) caller = atomic_load(&caller_atomic);
  333.     printf("locked exec remote_syscall\n");
  334.     atomic_store(&caller->call_args_, sigctx);
  335.     printf("wake up remote thread\n");

  337. // 发送信号

  339. atomic_store(&caller->signal_received_1, true);
  340. pthread_cond_signal(&caller->callee_cond_);


  343.     printf("wait remote thread...\n");

  345. pthread_spin_lock(&caller->caller_mutex_);
  346. /*  atomic_init(&caller->signal_received_, false);*/
  347. while (!atomic_load(&caller->signal_received_)) {
  348.     pthread_cond_wait(&caller->caller_cond_, &caller->caller_mutex_);
  349.     break;
  350. }

  352. // 重置信号标志
  353. atomic_store(&caller->signal_received_, false);
  354. pthread_spin_unlock(&caller->caller_mutex_);
  355. // 读取 call_result_
  356. unsigned long ret = atomic_load(&caller->call_result_);

  358. // 写入 call_result_
  359. atomic_store(&caller->call_result_, ret);
  360.     printf("unlocked exec remote_syscall\n");
  361.     return ret;
  362. }

  364. #define SECMAGIC 0xdeadbeef

  366. void sigsys_handler(int sig, siginfo_t *info, void *secret) {

  368.       


  371.     ucontext_t *ctx = (ucontext_t *) secret;
  372.     struct sigcontext *sigctx = (struct sigcontext *) &ctx->uc_mcontext;
  373.     bool is_handle_syscall = false;
  374. #if defined(__aarch64__)
  375.     is_handle_syscall = *(((uint32_t *) info->si_call_addr) - 1) == 0xd4000001; //01 00 00 d4  svc     #0
  376.     int sysno = sigctx->regs[8];
  377.     unsigned long *presult = (unsigned long *) &sigctx->regs[0];
  378. #else
  379.     printf("unsupport arch\n");
  380. //    exit(0);
  381. #endif
  382.     if (is_handle_syscall) {
  383.    
  384.         long ret = my_syscall(sysno,
  385.                                        RemoteCaller_get_syscall_param(sigctx, 0),
  386.                                        RemoteCaller_get_syscall_param(sigctx, 1),
  387.                                        RemoteCaller_get_syscall_param(sigctx, 2),
  388.                                        RemoteCaller_get_syscall_param(sigctx, 3),
  389.                                        RemoteCaller_get_syscall_param(sigctx, 4),
  390.                                        RemoteCaller_get_syscall_param(sigctx, 5),
  391.                                        RemoteCaller_get_syscall_param(sigctx, 6),
  392.                                        RemoteCaller_get_syscall_param(sigctx, 7)
  393.                                        );;
  394.         *presult = ret;
  395.     }
  396. }
  397. void RemoteCaller_handleSigsys() {
  398.         printf("register SIGSYS start\n");
  399.         struct sigaction act;
  400.         struct sigaction old_act;
  401.         sigemptyset(&act.sa_mask);
  402.         act.sa_flags = SA_NODEFER | SA_ONSTACK | SA_SIGINFO;
  403.         act.sa_sigaction = sigsys_handler;
  404.         sigaction(SIGSYS, &act, &old_act);
  405.         printf("register SIGSYS end\n");
  406. }



  410. int svc_register_hook1(int signo){
  411.     struct sock_filter filter[] = {
  412.         BPF_STMT(BPF_LD + BPF_W + BPF_ABS,
  413.                 (offsetof(struct seccomp_data, nr))),
  414.         BPF_JUMP(BPF_JMP + BPF_JEQ + BPF_K, signo, 0, 1),
  415.         BPF_STMT(BPF_RET + BPF_K, SECCOMP_RET_TRAP),
  416.         BPF_STMT(BPF_RET + BPF_K, SECCOMP_RET_ALLOW),
  417.     };
  418.     struct sock_fprog prog = {
  419.         .len = (unsigned short)(sizeof(filter)/sizeof(filter[0])),
  420.         .filter = filter,
  421.     };

  423.     if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) {
  424.         printf("prctl(NO_NEW_PRIVS)");
  425.         goto failed;
  426.     }
  427.     if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog)) {
  428.         printf("prctl(SECCOMP)");
  429.         goto failed;
  430.     }
  431.     return 0;

  433. failed:
  434.     if (errno == EINVAL)
  435.         printf("SECCOMP_FILTER is not available. :(n\n");
  436.     return -1;
  437. }

  439. int svc_register_hook(int signo){
  440.     struct sock_filter filter[] = {
  441.         BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
  442.         BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, signo, 0, 2),
  443.      /*   BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, args[6])),
  444.         BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SECMAGIC, 0, 1),*/
  445.         BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, instruction_pointer)),
  446.     BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (uint64_t)&my_syscall+0x20, 0, 1),
  447.         BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
  448.         BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_TRAP)
  449.    
  450.     };
  451.     struct sock_fprog prog = {
  452.         .len = (unsigned short)(sizeof(filter)/sizeof(filter[0])),
  453.         .filter = filter,
  454.     };

  456.     if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) {
  457.         printf("prctl(NO_NEW_PRIVS)");
  458.         goto failed;
  459.     }
  460.     if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog)) {
  461.         printf("prctl(SECCOMP)");
  462.         goto failed;
  463.     }
  464.     return 0;

  466. failed:
  467.     if (errno == EINVAL)
  468.         printf("SECCOMP_FILTER is not available. :(n\n");
  469.     return -1;
  470. }
  471. int svc_hook(int sysno, void *before_hook_func, void *after_hook_func, void *patch_func){
  472. // svc_register_hook(sysno);
  473. /*    RemoteCaller_registerSyscall(sysno, before_hook_func, after_hook_func, patch_func);*/
  474.     RemoteCaller_handleSigsys();
  475.    return svc_register_hook(sysno);
  476. }
复制代码


回复

使用道具 举报

AO1199

0

主题

67

回帖

99

积分

注册会员

积分
99
发表于 5 天前 | 显示全部楼层
慢慢学习中!
回复

使用道具 举报

返回列表
+ 发新帖
高级模式
B Color Image Link Quote Code Smilies
您需要登录后才可以回帖 登录 | 立即注册

本版积分规则

QQ|Archiver|手机版|小黑屋|断点社区 |网站地图

GMT+8, 2025-2-22 16:42 , Processed in 0.116947 second(s), 26 queries .

Powered by XiunoBBS

Copyright © 2001-2025, 断点社区.

快速回复 返回顶部 返回列表