Import upstream version 0.2+git20200110.fd2baf1
Kali Janitor
3 years ago
|
0 |
*.swp
|
|
1 |
build
|
|
2 |
tags
|
|
3 |
TAGS
|
|
4 |
TODO
|
|
5 |
todo
|
|
6 |
Debug
|
|
7 |
Release
|
|
8 |
*.tgz
|
|
9 |
*.tar.gz
|
30 | 30 |
|
31 | 31 |
option(DEBUG "In Debug mode" ON)
|
32 | 32 |
option(USE_ASM "Use Assembler" OFF)
|
|
33 |
option(BUILD_HOTPATCHER "Build hotpatcher" ON)
|
|
34 |
option(BUILD_TESTS "Build tests" ON)
|
33 | 35 |
if (NOT CMAKE_BUILD_TYPE STREQUAL "Debug")
|
34 | 36 |
set(DEBUG OFF)
|
35 | 37 |
endif (NOT CMAKE_BUILD_TYPE STREQUAL "Debug")
|
|
145 | 147 |
include_directories(${CMAKE_CURRENT_BINARY_DIR}/include)
|
146 | 148 |
add_subdirectory(include)
|
147 | 149 |
add_subdirectory(src)
|
148 | |
add_subdirectory(test)
|
|
150 |
if (BUILD_TESTS)
|
|
151 |
add_subdirectory(test)
|
|
152 |
endif (BUILD_TESTS)
|
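Review bot: `endif (BUILD_TESTS)` on the new last line repeats the condition, which is legacy noise; bare `endif()` is the current idiom. The new `BUILD_TESTS` and `BUILD_HOTPATCHER` options land in the global cache without a project prefix, so they collide with a parent project that defines the same names when this tree is pulled in via `add_subdirectory`; a prefixed spelling such as `HOTPATCH_BUILD_TESTS` avoids that, at the cost of changing the configure interface, so it may be better done in a follow-up. Each option would also benefit from a one-line comment above it naming what it gates, e.g. `# Build the test tree under test/` above `option(BUILD_TESTS ...)` and `# Build the hotpatcher command-line tool under src/` above `option(BUILD_HOTPATCHER ...)`.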
28 | 28 |
###
|
29 | 29 |
CMAKE=$(shell which cmake)
|
30 | 30 |
CTEST=$(shell which ctest)
|
31 | |
PREFIX?=/usr
|
|
31 |
PREFIX?=/usr/local
|
32 | 32 |
ARCH=$(shell uname -m)
|
33 | 33 |
|
34 | 34 |
default: release
|
53 | 53 |
Another limitation is that injection for a particular .so file can happen only
|
54 | 54 |
once in the target process. Each library that is injected can be injected only
|
55 | 55 |
once into the target process.
|
|
56 |
|
|
57 |
|
|
58 |
Ubuntu Ptrace()
|
|
59 |
===============
|
|
60 |
|
|
61 |
On Ubuntu, `ptrace()` of non-child processes has been blocked as a security
|
|
62 |
feature. To get around it you will need to set
|
|
63 |
`/proc/sys/kernel/yama/ptrace_scope` to 0 as below
|
|
64 |
|
|
65 |
|
|
66 |
bash> echo 0 | sudo tee /proc/sys/kernel/yama/ptrace_scope
|
|
67 |
|
|
68 |
|
56 | 69 |
|
57 | 70 |
Usage: API
|
58 | 71 |
===========
|
|
127 | 140 |
various options that are supported.
|
128 | 141 |
|
129 | 142 |
A sample execution of "hotpatcher" into the current running shell can be done as
|
130 | |
below:
|
|
143 |
below.
|
131 | 144 |
|
132 | |
Let's say the library libhotpatchtest.so is in the current directory.
|
|
145 |
We can compile a fresh one to make sure we are picking up the correct library.
|
133 | 146 |
|
134 | |
bash> ./hotpatcher -l ./libhotpatchtest.so -s mysym -v1 $$
|
|
147 |
|
|
148 |
bash> make release
|
|
149 |
bash> cd Release
|
|
150 |
bash> ./src/hotpatcher -vvvv -l $PWD/test/libhotpatchtest.so -s mysym $$
|
|
151 |
|
135 | 152 |
|
136 | 153 |
On success the "/tmp/hotpatchtest.log" file can be checked if it has the
|
137 | 154 |
timestamp of the injection.
|
65 | 65 |
install(TARGETS hotpatch LIBRARY DESTINATION lib)
|
66 | 66 |
install(TARGETS hotpatch_s ARCHIVE DESTINATION lib)
|
67 | 67 |
|
68 | |
add_executable(hotpatcher main.c)
|
69 | |
target_link_libraries(hotpatcher hotpatch_s)
|
70 | |
install(TARGETS hotpatcher RUNTIME DESTINATION bin)
|
|
68 |
if (BUILD_HOTPATCHER)
|
|
69 |
add_executable(hotpatcher main.c)
|
|
70 |
target_link_libraries(hotpatcher hotpatch_s)
|
|
71 |
install(TARGETS hotpatcher RUNTIME DESTINATION bin)
|
|
72 |
endif (BUILD_HOTPATCHER)
|
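Review bot: `target_link_libraries(hotpatcher hotpatch_s)` inside the new `if (BUILD_HOTPATCHER)` block uses the keyword-less signature, which has legacy semantics and cannot later be mixed with a keyword form on the same target; `target_link_libraries(hotpatcher PRIVATE hotpatch_s)` is the modern spelling. `endif (BUILD_HOTPATCHER)` repeats the condition and should be a bare `endif()`. A short comment above the block, `# The hotpatcher CLI is optional; the hotpatch/hotpatch_s library targets above are always built and installed`, would record why only the executable is gated while the two `install(TARGETS ...)` lines above it stay unconditional.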
668 | 668 |
A.regs.rip = FN; \
|
669 | 669 |
A.regs.rax = 0; \
|
670 | 670 |
} while (0)
|
|
671 |
#define HP_REDZONE 128
|
|
672 |
/* David Yeager pointed this out. http://en.wikipedia.org/wiki/Red_zone_(computing) */
|
671 | 673 |
#else /* __WORDSIZE == 64 */
|
672 | 674 |
#define HP_PASS_ARGS2FUNC(A,FN,ARG1,ARG2) \
|
673 | 675 |
do { \
|
|
686 | 688 |
A.regs.eip = FN; \
|
687 | 689 |
A.regs.eax = 0; \
|
688 | 690 |
} while (0)
|
|
691 |
#define HP_REDZONE 0
|
689 | 692 |
#endif /* __WORDSIZE == 64 */
|
690 | 693 |
/* Prepare the child for injection */
|
691 | 694 |
if (verbose > 1)
|
|
703 | 706 |
if ((rc = hp_get_regs(hp->pid, &oregs)) < 0)
|
704 | 707 |
break;
|
705 | 708 |
memcpy(&iregs, &oregs, sizeof(oregs));
|
|
709 |
HP_REG_SP(iregs) -= HP_REDZONE;
|
706 | 710 |
if (verbose > 1)
|
707 | 711 |
fprintf(stderr, "[%s:%d] Copying stack out.\n", __func__, __LINE__);
|
708 | 712 |
for (idx = 0; idx < sizeof(stack)/sizeof(uintptr_t); ++idx) {
|
|
795 | 799 |
fprintf(stderr, "[%s:%d] Copying stack back.\n",
|
796 | 800 |
__func__, __LINE__);
|
797 | 801 |
for (idx = 0; idx < sizeof(stack)/sizeof(uintptr_t); ++idx) {
|
798 | |
if ((rc = hp_pokedata(hp->pid, HP_REG_SP(oregs) +
|
799 | |
idx * sizeof(size_t), stack[idx], verbose)) < 0)
|
|
802 |
if ((rc = hp_pokedata(hp->pid, HP_REG_SP(oregs) - HP_REDZONE
|
|
803 |
+ idx * sizeof(size_t), stack[idx], verbose)) < 0)
|
800 | 804 |
break;
|
801 | 805 |
}
|
802 | 806 |
if (rc < 0)
|
|
827 | 831 |
#undef HP_REG_IP
|
828 | 832 |
#undef HP_REG_SP
|
829 | 833 |
#undef HP_REG_AX
|
|
834 |
#undef HP_REDZONE
|
830 | 835 |
return rc;
|
831 | 836 |
}
|
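Review bot: The red-zone offset is now applied when the stack is written back (`HP_REG_SP(oregs) - HP_REDZONE + idx * sizeof(size_t)` at new line 802), but the copy-out loop at line 712, whose body lies outside this hunk, must read from the same base; if it still reads relative to `HP_REG_SP(oregs)` without the offset, the saved words are written 128 bytes below where they were read, so the original stack above the red zone is never restored and the red zone is overwritten with stale data on x86-64. Defining the base once next to `HP_REDZONE`, e.g. `#define HP_STACK_BASE(R) (HP_REG_SP(R) - HP_REDZONE)`, and using it in both loops (and adding `#undef HP_STACK_BASE` beside the new `#undef HP_REDZONE`) would keep the two sides in step. The loop bound `sizeof(stack)/sizeof(uintptr_t)` against the `idx * sizeof(size_t)` stride is pre-existing but worth unifying while these lines are touched. The comment at new line 672 would be clearer as `/* x86-64 SysV ABI red zone: 128 bytes below the stack pointer that leaf code may use without moving %rsp, so injection must step below it */`. The enclosing function begins outside the hunk.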