New upstream snapshot.
Kali Janitor
2 years ago
|
0 |
*.swp
|
|
1 |
build
|
|
2 |
tags
|
|
3 |
TAGS
|
|
4 |
TODO
|
|
5 |
todo
|
|
6 |
Debug
|
|
7 |
Release
|
|
8 |
*.tgz
|
|
9 |
*.tar.gz
|
| 30 | 30 |
|
| 31 | 31 |
option(DEBUG "In Debug mode" ON)
|
| 32 | 32 |
option(USE_ASM "Use Assembler" OFF)
|
|
33 |
option(BUILD_HOTPATCHER "Build hotpatcher" ON)
|
|
34 |
option(BUILD_TESTS "Build tests" ON)
|
| 33 | 35 |
if (NOT CMAKE_BUILD_TYPE STREQUAL "Debug")
|
| 34 | 36 |
set(DEBUG OFF)
|
| 35 | 37 |
endif (NOT CMAKE_BUILD_TYPE STREQUAL "Debug")
|
|
| 145 | 147 |
include_directories(${CMAKE_CURRENT_BINARY_DIR}/include)
|
| 146 | 148 |
add_subdirectory(include)
|
| 147 | 149 |
add_subdirectory(src)
|
| 148 | |
add_subdirectory(test)
|
|
150 |
if (BUILD_TESTS)
|
|
151 |
add_subdirectory(test)
|
|
152 |
endif (BUILD_TESTS)
|
| 28 | 28 |
###
|
| 29 | 29 |
CMAKE=$(shell which cmake)
|
| 30 | 30 |
CTEST=$(shell which ctest)
|
| 31 | |
PREFIX?=/usr
|
|
31 |
PREFIX?=/usr/local
|
| 32 | 32 |
ARCH=$(shell uname -m)
|
| 33 | 33 |
|
| 34 | 34 |
default: release
|
| 53 | 53 |
Another limitation is that injection for a particular .so file can happen only
|
| 54 | 54 |
once in the target process. Each library that is injected can be injected only
|
| 55 | 55 |
once into the target process.
|
|
56 |
|
|
57 |
|
|
58 |
Ubuntu Ptrace()
|
|
59 |
===============
|
|
60 |
|
|
61 |
On Ubuntu, `ptrace()` of non-child processes has been blocked as a security
|
|
62 |
feature. To get around it you will need to set
|
|
63 |
`/proc/sys/kernel/yama/ptrace_scope` to 0 as below
|
|
64 |
|
|
65 |
|
|
66 |
bash> echo 0 | sudo tee /proc/sys/kernel/yama/ptrace_scope
|
|
67 |
|
|
68 |
|
| 56 | 69 |
|
| 57 | 70 |
Usage: API
|
| 58 | 71 |
===========
|
|
| 127 | 140 |
various options that are supported.
|
| 128 | 141 |
|
| 129 | 142 |
A sample execution of "hotpatcher" into the current running shell can be done as
|
| 130 | |
below:
|
|
143 |
below.
|
| 131 | 144 |
|
| 132 | |
Let's say the library libhotpatchtest.so is in the current directory.
|
|
145 |
We can compile a fresh one to make sure we are picking up the correct library.
|
| 133 | 146 |
|
| 134 | |
bash> ./hotpatcher -l ./libhotpatchtest.so -s mysym -v1 $$
|
|
147 |
|
|
148 |
bash> make release
|
|
149 |
bash> cd Release
|
|
150 |
bash> ./src/hotpatcher -vvvv -l $PWD/test/libhotpatchtest.so -s mysym $$
|
|
151 |
|
| 135 | 152 |
|
| 136 | 153 |
On success the "/tmp/hotpatchtest.log" file can be checked if it has the
|
| 137 | 154 |
timestamp of the injection.
|
|
0 |
hotpatch (0.2+git20200110.1.fd2baf1-0kali1) UNRELEASED; urgency=low
|
|
1 |
|
|
2 |
* New upstream snapshot.
|
|
3 |
|
|
4 |
-- Kali Janitor <[email protected]> Fri, 04 Jun 2021 17:20:21 -0000
|
|
5 |
|
| 0 | 6 |
hotpatch (0.2-1kali2) kali-dev; urgency=medium
|
| 1 | 7 |
|
| 2 | 8 |
[ Raphaƫl Hertzog ]
|
| 65 | 65 |
install(TARGETS hotpatch LIBRARY DESTINATION lib)
|
| 66 | 66 |
install(TARGETS hotpatch_s ARCHIVE DESTINATION lib)
|
| 67 | 67 |
|
| 68 | |
add_executable(hotpatcher main.c)
|
| 69 | |
target_link_libraries(hotpatcher hotpatch_s)
|
| 70 | |
install(TARGETS hotpatcher RUNTIME DESTINATION bin)
|
|
68 |
if (BUILD_HOTPATCHER)
|
|
69 |
add_executable(hotpatcher main.c)
|
|
70 |
target_link_libraries(hotpatcher hotpatch_s)
|
|
71 |
install(TARGETS hotpatcher RUNTIME DESTINATION bin)
|
|
72 |
endif (BUILD_HOTPATCHER)
|
| 668 | 668 |
A.regs.rip = FN; \
|
| 669 | 669 |
A.regs.rax = 0; \
|
| 670 | 670 |
} while (0)
|
|
671 |
#define HP_REDZONE 128
|
|
672 |
/* David Yeager pointed this out. http://en.wikipedia.org/wiki/Red_zone_(computing) */
|
| 671 | 673 |
#else /* __WORDSIZE == 64 */
|
| 672 | 674 |
#define HP_PASS_ARGS2FUNC(A,FN,ARG1,ARG2) \
|
| 673 | 675 |
do { \
|
|
| 686 | 688 |
A.regs.eip = FN; \
|
| 687 | 689 |
A.regs.eax = 0; \
|
| 688 | 690 |
} while (0)
|
|
691 |
#define HP_REDZONE 0
|
| 689 | 692 |
#endif /* __WORDSIZE == 64 */
|
| 690 | 693 |
/* Prepare the child for injection */
|
| 691 | 694 |
if (verbose > 1)
|
|
| 703 | 706 |
if ((rc = hp_get_regs(hp->pid, &oregs)) < 0)
|
| 704 | 707 |
break;
|
| 705 | 708 |
memcpy(&iregs, &oregs, sizeof(oregs));
|
|
709 |
HP_REG_SP(iregs) -= HP_REDZONE;
|
| 706 | 710 |
if (verbose > 1)
|
| 707 | 711 |
fprintf(stderr, "[%s:%d] Copying stack out.\n", __func__, __LINE__);
|
| 708 | 712 |
for (idx = 0; idx < sizeof(stack)/sizeof(uintptr_t); ++idx) {
|
|
| 795 | 799 |
fprintf(stderr, "[%s:%d] Copying stack back.\n",
|
| 796 | 800 |
__func__, __LINE__);
|
| 797 | 801 |
for (idx = 0; idx < sizeof(stack)/sizeof(uintptr_t); ++idx) {
|
| 798 | |
if ((rc = hp_pokedata(hp->pid, HP_REG_SP(oregs) +
|
| 799 | |
idx * sizeof(size_t), stack[idx], verbose)) < 0)
|
|
802 |
if ((rc = hp_pokedata(hp->pid, HP_REG_SP(oregs) - HP_REDZONE
|
|
803 |
+ idx * sizeof(size_t), stack[idx], verbose)) < 0)
|
| 800 | 804 |
break;
|
| 801 | 805 |
}
|
| 802 | 806 |
if (rc < 0)
|
|
| 827 | 831 |
#undef HP_REG_IP
|
| 828 | 832 |
#undef HP_REG_SP
|
| 829 | 833 |
#undef HP_REG_AX
|
|
834 |
#undef HP_REDZONE
|
| 830 | 835 |
return rc;
|
| 831 | 836 |
}
|