2009-03-29 07:30:54 +00:00
|
|
|
#!/usr/bin/ruby
|
|
|
|
|
|
|
|
# This file is part of Metasm, the Ruby assembly manipulation suite
|
2010-09-09 18:19:35 +00:00
|
|
|
# Copyright (C) 2006-2009 Yoann GUILLOT
|
2009-03-29 07:30:54 +00:00
|
|
|
#
|
|
|
|
# Licence is LGPL, see LICENCE in the top-level directory
|
|
|
|
|
|
|
|
#
|
2010-09-09 18:19:35 +00:00
|
|
|
# this exemple illustrates the use of the PTrace class to hijack a syscall in a running process
|
2009-03-29 07:30:54 +00:00
|
|
|
# the next syscall made is patched to run the syscall with the arguments of our choice, then
|
|
|
|
# run the original intended syscall
|
|
|
|
# Works on linux/x86
|
|
|
|
#
|
|
|
|
|
|
|
|
|
|
|
|
require 'metasm'
|
|
|
|
|
2010-09-09 18:19:35 +00:00
|
|
|
class SyscallHooker < Metasm::PTrace
|
2009-03-29 07:30:54 +00:00
|
|
|
CTX = ['EBX', 'ECX', 'EDX', 'ESI', 'EDI', 'EAX', 'ESP', 'EBP', 'EIP', 'ORIG_EAX']
|
|
|
|
|
|
|
|
def inject(sysnr, *args)
|
|
|
|
sysnr = SYSCALLNR[sysnr] || sysnr
|
|
|
|
|
|
|
|
syscall
|
|
|
|
puts '[*] waiting syscall'
|
|
|
|
Process.waitpid(@pid)
|
|
|
|
|
|
|
|
savedctx = CTX.inject({}) { |ctx, reg| ctx.update reg => peekusr(REGS_I386[reg]) }
|
|
|
|
|
2010-09-09 18:19:35 +00:00
|
|
|
eip = (savedctx['EIP'] - 2) & 0xffffffff
|
|
|
|
fu = readmem(eip, 2)
|
|
|
|
if fu == "\xcd\x80"
|
|
|
|
mode = :int80
|
|
|
|
elsif fu == "\xeb\xf3" and readmem(eip-14, 7).unpack('H*').first == "51525589e50f34" # aoenthuasn
|
|
|
|
mode = :sysenter
|
|
|
|
elsif fu == "\x0f\x05"
|
|
|
|
mode = :syscall
|
|
|
|
else
|
|
|
|
puts 'unhandled syscall convention, aborting, code = ' + readmem(eip-4, 8).unpack('H*').first
|
|
|
|
cont
|
|
|
|
return self
|
|
|
|
end
|
|
|
|
|
|
|
|
if args.length > 5
|
2009-03-29 07:30:54 +00:00
|
|
|
puts 'too may arguments, unsupported, aborting'
|
|
|
|
else
|
|
|
|
puts "[*] hooking #{SYSCALLNR.index(savedctx['ORIG_EAX'])}"
|
|
|
|
|
|
|
|
# stack pointer to store buffers to
|
|
|
|
esp_ptr = savedctx['ESP']
|
2010-09-09 18:19:35 +00:00
|
|
|
write_string = lambda { |s|
|
|
|
|
esp_ptr -= s.length
|
|
|
|
esp_ptr &= 0xffff_fff0
|
|
|
|
writemem(esp_ptr, s)
|
|
|
|
[esp_ptr].pack('L').unpack('l').first
|
|
|
|
}
|
|
|
|
set_arg = lambda { |a|
|
|
|
|
case a
|
|
|
|
when String; write_string[a + 0.chr]
|
|
|
|
when Array; write_string[a.map { |aa| set_arg[aa] }.pack('L*')]
|
|
|
|
else a
|
|
|
|
end
|
|
|
|
}
|
2009-03-29 07:30:54 +00:00
|
|
|
args.zip(CTX).map { |arg, reg|
|
|
|
|
# set syscall args, put buffers on the stack as needed
|
2010-09-09 18:19:35 +00:00
|
|
|
pokeusr(REGS_I386[reg], set_arg[arg])
|
2009-03-29 07:30:54 +00:00
|
|
|
}
|
|
|
|
# patch syscall number
|
|
|
|
pokeusr(REGS_I386['ORIG_EAX'], sysnr)
|
2010-09-09 18:19:35 +00:00
|
|
|
|
|
|
|
|
2009-03-29 07:30:54 +00:00
|
|
|
# run hooked syscall
|
|
|
|
syscall
|
|
|
|
Process.waitpid(@pid)
|
2010-09-09 18:19:35 +00:00
|
|
|
retval = peekusr(REGS_I386['EAX'])
|
|
|
|
puts "[*] retval: #{'%X' % retval}#{" (Errno::#{ERRNO.index(-retval)})" if retval < 0}"
|
|
|
|
|
|
|
|
if SYSCALLNR.index(sysnr) == 'execve' and retval >= 0
|
|
|
|
cont
|
|
|
|
return self
|
|
|
|
end
|
2009-03-29 07:30:54 +00:00
|
|
|
|
|
|
|
# restore eax & eip to run the orig syscall
|
|
|
|
savedctx['EIP'] -= 2
|
|
|
|
savedctx['EAX'] = savedctx['ORIG_EAX']
|
|
|
|
savedctx.each { |reg, val| pokeusr(REGS_I386[reg], val) }
|
|
|
|
end
|
2010-09-09 18:19:35 +00:00
|
|
|
|
|
|
|
self
|
2009-03-29 07:30:54 +00:00
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
if $0 == __FILE__
|
2010-09-09 18:19:35 +00:00
|
|
|
SyscallHooker.new(ARGV.shift.to_i).inject('write', 2, "testic\n", 7).detach
|
2009-03-29 07:30:54 +00:00
|
|
|
end
|