yasukata / zpoline Goto Github PK

View Code? Open in Web Editor NEW

393.0 15.0 31.0 252 KB

system call hook for Linux

License: Apache License 2.0

Makefile 6.89% C 93.11%

syscall syscall-hook binary-rewriting tracing syscall-hooking system-call

zpoline's Introduction

zpoline: system call hook for Linux

zpoline is a novel system call hook mechanism that offers the following advantages.

100 times faster than ptrace.
100% coverage, namely, it can exhaustively hook system calls.
No need for the source code of user-space programs.
No need for the change to the OS kernel and no kernel module is necessary.

Therefore, zpoline is a quite good option if you think...

ptrace is too slow for your project.
the LD_PRELOAD trick is not enough because it cannot exhaustively hook system calls.
you cannot anticipate the availability of the source code of your hook target.
you do not want to modify the OS kernel or install a kernel module.

zpoline is categorized into binary rewriting, but you do not need to worry that your program binary files are overwritten. The setup procedure of zpoline rewrites the code binary loaded on the memory, just before the user-space program starts its main function. Therefore, it does not overwrite your program binary files.

The cool part of zpoline is that it does not fail to hook system calls, which is difficult for existing binary rewriting techniques.

The key ideas of zpoline are to exploit the calling convention and instantiate a special trampoline code. The overview is shown in the picture below.

In a nutshell, zpoline replaces the syscall and sysenter instructions with callq *%rax, and crafts a trampoline code at virtual address 0 (zero); this is why this technique is named zpoline.

For more technical details, please check the Further Information section.

Target Platform

Currently, this implementation assumes Linux on the x86-64 architecture.

Dependency

zpoline uses the disassembler in libopcodes that is part of binutils.

sudo apt install binutils-dev

Files

This example uses two shared libraries.

apps/basic/libzphook_basic.so only implements the hook function. (we call the hook function library).
libzpoline.so is loaded by LD_PRELOAD. This configures the trampoline code, conducts binary rewriting, and loads ./apps/basic/libzphook_basic.so using dlmopen.

Build

To build apps/basic/libzphook_basic.so, please type the following command.

make -C apps/basic

For libzpoline.so, please type the following command.

make

Setup

To use zpoline, please set 0 to /proc/sys/vm/mmap_min_addr.

sudo sh -c "echo 0 > /proc/sys/vm/mmap_min_addr"

How to Use

Pleae specify apps/basic/libzphook_basic.so for the LIBZPHOOK environment variable, and libzpoline.so for LD_PRELOAD. The example command is as follows.

$ LIBZPHOOK=./apps/basic/libzphook_basic.so LD_PRELOAD=./libzpoline.so [program you wish to run]

LIBZPHOOK is defined in main.c of libzpoline.so. libzpoline.so performs dlmopen for a shared library file specified by LIBZPHOOK.

Currently, the hook function in apps/basic/libzphook_basic.so prints the system call number using printf. The following is the example output.

$ LIBZPHOOK=./apps/basic/libzphook_basic.so LD_PRELOAD=./libzpoline.so /bin/ls
output from __hook_init: we can do some init work here
output from hook_function: syscall number 257
output from hook_function: syscall number 262
output from hook_function: syscall number 9
output from hook_function: syscall number 3
output from hook_function: syscall number 16
output from hook_function: syscall number 16
output from hook_function: syscall number 257
output from hook_function: syscall number 262
output from hook_function: syscall number 217
output from hook_function: syscall number 217
output from hook_function: syscall number 3
output from hook_function: syscall number 262
output from hook_function: syscall number 1
apps  Documentation  libzpoline.so  LICENSE  main.c  main.o  Makefile  README.md
output from hook_function: syscall number 3

How to implement my own system call hook

Currently, libzpoline.so is independent of the hook function library. So, you can build your own hook function library, and to activate it, you only need to specify it to the LIBZPHOOK environment variable.

In the hook function library, you should implement __hook_init. It will have the pointer to the hook function address as the argument, and by overwriting it, the hook function library can apply an arbitrary hook function.

For details, please check apps/basic/main.c.

Further Information

The following materials provide more information.

Paper

A paper about zpoline appears at USENIX ATC 2023 ( https://www.usenix.org/conference/atc23/presentation/yasukata ).

This paper includes a technical overview (Section 2) and comparison with other existing hook mechanisms (Section 1 and 3); for busy readers, the abstract of the paper summarises 1) advantages over the previous mechanisms, 2) the challenge that this work addresses, 3) the overview of the solution, and 4) rough numbers of the experiment results.

We would appreciate it if you cite this paper when you refer to zpoline in your work.

Supplemental documentation in this repository

Documentation/README.md is supplemental documentation.

Comments in the source code

The source code contains comments that explain how actually the system is implemented; these comments are the most detailed documentation currently we have.

The starting point of the program (main.c) is __zpoline_init, that is triggered by LD_PRELOAD, and this executes the following functions:

setup_trampoline instantiates the trampoline code.
rewrite_code performs binary rewriting.
load_hook_lib loads the core library function using dlmopen.

zpoline's People

Contributors

Stargazers

Watchers

zpoline's Issues

does this support arm64?

does this support arm64?thank you

Problems with SUD hooking

Hello, can I get the code of the Simple HTTP server mentioned in the paper? Because I encountered some problems in the process of reproducing the paper.
SUD can encounter problems when hooking multi-threaded programs, possibly because signals are modified when creating threads. I see that you handle this in your code, but it triggers a crash when I use it, so I'd like to get the procedure you evaluated to fix the problem.

why binary rewriting do not support clone3?

Why doesn't zpoline support clone3? Is it because of some special features of clone3?

I tried to call the clone3 syscall, but the call didn't happen (The print logs in hook_function() and strace logs are not displayed.), I observed that the code will directly return when encountering the clone3 syscall. The comment mentions that it will fall back to the clone system call. Why does the fallback solve the problem? Will it continue to evolve?

The code is in zpoline/main.c, line 240:

if (rax_on_stack == __NR_clone3)
		return -ENOSYS; /* workaround to trigger the fallback to clone */

Some bugs when using apps/basic hook

Environment

KERNEL: 5.4.0-148-generic (Ubuntu 20.04)
CPU: Intel(R) Xeon(R) CPU E7- 4807 @ 1.87GHz
LIBC: glibc 2.31
CC: gcc 9.4.0
LIBOPCODES: libopcodes 2.34

NO.1

Outputs of the hook does not match that of strace.
Here, a.out is a simple "hello, world" program:

#include <stdio.h>

int main() {
	printf("Hello, world!\n");
	return 0;
}

NO.2

Core dumped when running gcc.
Here, hello.c is the same "hello, world" program:

# LIBZPHOOK=./apps/basic/libzphook_basic.so LD_PRELOAD=./libzpoline.so gcc hello.c -o hello
output from __hook_init: we can do some init work here
output from hook_function: syscall number 16
output from hook_function: syscall number 16
output from hook_function: syscall number 12
output from hook_function: syscall number 257
output from hook_function: syscall number 5
output from hook_function: syscall number 9
output from hook_function: syscall number 3
output from hook_function: syscall number 257
output from hook_function: syscall number 5
output from hook_function: syscall number 0
output from hook_function: syscall number 0
output from hook_function: syscall number 3
output from hook_function: syscall number 257
output from hook_function: syscall number 257
output from hook_function: syscall number 257
output from hook_function: syscall number 257
output from hook_function: syscall number 257
output from hook_function: syscall number 257
output from hook_function: syscall number 257
output from hook_function: syscall number 257
output from hook_function: syscall number 257
output from hook_function: syscall number 257
output from hook_function: syscall number 257
output from hook_function: syscall number 257
output from hook_function: syscall number 16
output from hook_function: syscall number 16
output from hook_function: syscall number 16
output from hook_function: syscall number 13
output from hook_function: syscall number 13
output from hook_function: syscall number 13
output from hook_function: syscall number 13
output from hook_function: syscall number 13
output from hook_function: syscall number 13
output from hook_function: syscall number 13
output from hook_function: syscall number 13
output from hook_function: syscall number 13
output from hook_function: syscall number 302
output from hook_function: syscall number 302
output from hook_function: syscall number 21
output from hook_function: syscall number 21
output from hook_function: syscall number 21
output from hook_function: syscall number 21
output from hook_function: syscall number 21
output from hook_function: syscall number 4
output from hook_function: syscall number 6
output from hook_function: syscall number 6
output from hook_function: syscall number 6
output from hook_function: syscall number 89
output from hook_function: syscall number 6
output from hook_function: syscall number 89
output from hook_function: syscall number 6
output from hook_function: syscall number 21
output from hook_function: syscall number 21
output from hook_function: syscall number 21
output from hook_function: syscall number 21
output from hook_function: syscall number 21
output from hook_function: syscall number 4
output from hook_function: syscall number 6
output from hook_function: syscall number 6
output from hook_function: syscall number 6
output from hook_function: syscall number 89
output from hook_function: syscall number 6
output from hook_function: syscall number 89
output from hook_function: syscall number 6
output from hook_function: syscall number 21
output from hook_function: syscall number 79
output from hook_function: syscall number 6
output from hook_function: syscall number 79
output from hook_function: syscall number 6
output from hook_function: syscall number 21
output from hook_function: syscall number 21
output from hook_function: syscall number 21
output from hook_function: syscall number 21
output from hook_function: syscall number 21
output from hook_function: syscall number 21
output from hook_function: syscall number 21
output from hook_function: syscall number 4
output from hook_function: syscall number 21
output from hook_function: syscall number 21
output from hook_function: syscall number 39
output from hook_function: syscall number 257
output from hook_function: syscall number 3
output from hook_function: syscall number 4
output from hook_function: syscall number 21
output from hook_function: syscall number 293
output from hook_function: syscall number 58
output from hook_function: syscall number 3
output from hook_function: syscall number 59
output from hook_function: syscall number 257
output from hook_function: syscall number 257
output from hook_function: syscall number 257
output from hook_function: syscall number 257
output from hook_function: syscall number 257
output from hook_function: syscall number 257
output from hook_function: syscall number 257
output from hook_function: syscall number 257
output from hook_function: syscall number 257
output from hook_function: syscall number 257
output from hook_function: syscall number 257
output from hook_function: syscall number 257
output from hook_function: syscall number 1
gcc: main.c:108: is_replaced_instruction_addr: Assertion `addr < (1UL << 48)' failed.
output from hook_function: syscall number 9
output from hook_function: syscall number 14
output from hook_function: syscall number 14
output from hook_function: syscall number 39
output from hook_function: syscall number 186
output from hook_function: syscall number 234
output from hook_function: syscall number 14
[1]    2580381 abort (core dumped)  LIBZPHOOK=./apps/basic/libzphook_basic.so LD_PRELOAD=./libzpoline.so gcc  -o

NO.3

I compiled a.out (the same as above), libzphook_basic.so and libzpoline.so in the above envirionment (with glibc 2.38, however).

Then I made a try on another environment using QEMU:
KERNEL: Linux 6.6.4
GLIBC: glibc 2.38
LIBOPCODES: libopcodes 2.34

A segment fault occurs and the syscall numbers are wrong:

# LIBZPHOOK=./libzphook_basic.so LD_PRELOAD=./libzpoline.so ./a.out
output from __hook_init: we can do some init work here
output from hook_function: syscall number 262
output from hook_function: syscall number 16
[   56.789620] a.out[144]: segfault at 1400b7f02814 ip 00007fe99b26d913 sp 00007ffeb7f02808 error 6 in libc.so.6[7fe99b1ce000+105000] likely on CPU 0 (core 0, socket 0)
[   56.791876] Code: d0 48 3d 00 f0 ff ff 76 11 48 8b 15 0f 85 0b 00 f7 d8 64 89 02 83 ca ff eb 4c 89 c2 85 c0 75 46 48 8b 44 24 d4 0f 10 44 24 e5 <49> 89 00 48 8b 44 24 dc 41 0f 11 40 11 49 89 40 08 8a 44 24 e4 41
Segmentation fault

syscall trampoline without root access

readme says

Setup

To use zpoline, please set 0 to /proc/sys/vm/mmap_min_addr.
sudo sh -c "echo 0 > /proc/sys/vm/mmap_min_addr"

so zpoline fails when i have no root access to the machine

would be nice to remove this limitation
but then the name zpoline would be wrong
as the trampoline would no longer be at address zero

the challenge is to find a "code cave" for the trampoline ...

possible solution: shiva can insert instructions into binaries
maybe we can use shiva to insert the trampoline?
(but currently, shiva is limited to arm64, x86_64 is wip)

to improve performance for hot code
we can use relative jumps to multiple jump tables
to avoid adding a base address on every call

can i get a copy of your paper

hi, i'm interested in this hook and want to know the principle . But i can not find the paper in the site given. Can i get a copy of the your paper?
my email address is [email protected]

Red-zone Integrity

It was a pleasure chatting with the authors at OSDI/ATC! We are currently considering integrating zpoline into Gramine (formerly known as Graphene): https://github.com/gramineproject/gramine

Just wondering if you have any thought on replacing the syscall instruction with call when the red zone (128-byte region below the RSP) is used, likely in the leaf functions. Does this ever occur in your experiment? If so, how did you handle this case?

Thank you!

How are you hooking statically linked binaries?

Hey there, I've read the paper and see mentions to a zpoline_loader but can't find any code with that name, how does the loader work for statically linked binaries? Are you patching the ld.so loader itself to have this functionality?

2.3 Implementation
Our current prototype focuses on Linux.
...
We implement these in a shared library called libzpoline.so and a special loader named zpoline_loader; we assume a user uses either. They perform the setup procedure of zpoline (§ 2.3.1) before the main function of a user-space program starts.

relocation R_X86_64_PC32 against symbol `syscall_hook' can not be used when making a shared object; recompile with -fPIC

When I type make, the error is as follows:

gcc -O3 -pipe -Werror -Wall -Wunused-function -Wextra -shared -fPIC   -c -o main.o main.c
gcc -O3 -pipe -Werror -Wall -Wunused-function -Wextra -shared -fPIC -o libzpoline.so main.o -lopcodes -ldl
/usr/bin/ld: main.o: relocation R_X86_64_PC32 against symbol `syscall_hook' can not be used when making a shared object; recompile with -fPIC
/usr/bin/ld: final link failed: Bad value
collect2: error: ld returned 1 exit status
Makefile:30: recipe for target 'libzpoline.so' failed
make: *** [libzpoline.so] Error 1

The version of gcc I use is gcc version 7.5.0 (Ubuntu 7.5.0-3ubuntu1~18.04), May I know your operating system and software configuration?

Some questions about the code

This is a great job, I have some problems reading the code in main.c, can you help me:

In the initialization function, rewrite_code() is first executed; and then load_hook_lib() is executed; load_hook_lib will call many system calls. Have these system calls been hooked at this time? If so, will this cause any problems?
I am using libopcodes for the first time, can you provide some reference materials? In addition, what is the role of macro NEW_DIS_ASM?

/* discard pushed 0x90 for 0xeb 0x6a 0x90 if rax is n * 3 + 1 */
	"pushq %rdi \n\t"
	"pushq %rax \n\t"
	"movabs $0xaaaaaaaaaaaaaaab, %rdi \n\t"
	"imul %rdi, %rax \n\t"
	"cmp %rdi, %rax \n\t"
	"popq %rax \n\t"
	"popq %rdi \n\t"
	"jb skip_pop \n\t"
	"addq $8, %rsp \n\t"
	"skip_pop: \n\t"

	"cmpq $15, %rax \n\t" // rt_sigreturn
	"je do_rt_sigreturn \n\t"
	"pushq %rbp \n\t"
	"movq %rsp, %rbp \n\t"

What is the principle of distinguishing whether rax is 3n+1 in the above code? I don't understand the meaning of this code. In addition, why is the rt_sigreturn function filtered in the above code? Did I miss something?

if (rax_on_stack == __NR_clone3)
		return -ENOSYS; /* workaround to trigger the fallback to clone */

	if (rax_on_stack == __NR_clone) {
		if (rdi & CLONE_VM) { // pthread creation
			/* push return address to the stack */
			rsi -= sizeof(uint64_t);
			*((uint64_t *) rsi) = retptr;
		}
	}

Why should we distinguish clone system calls in the above code and make subsequent settings?
Thanks for your help!!

How to use ld_preload and ptrace to hook the program so that the program can use lwip API

Hello, I used the code of glue-lwip-dpdk-zpoline and successfully used zpoline to improve the efficiency of a program.
Then I want to test the efficiency improvement of the program after applying lwip API compared with other hook mechanisms.
I can test SUD and int3 signaling successfully, but when I tested ld_preload, it crashed. Can I know the source code of your program using ld_preload to use lwip API?

This is the hook code I wrote for LD_PRELOAD, it is compiled into libpreload.so and then loaded via LD_PRELOAD.

#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif

#include <stdio.h>
#include <stdint.h>
#include <stdlib.h>
#include <assert.h>
#include <signal.h>
#include <sched.h>
#include <sys/syscall.h>
#include <sys/prctl.h>
#include <errno.h>
#include <dlfcn.h>
#include <elf.h>
#include <unistd.h>
#include <stdbool.h>
#include <string.h>
#include <sys/mman.h>
#include <inttypes.h>

#include <fcntl.h>
#include <syscall.h>
#include <sys/epoll.h>
#include <linux/net.h>
#include <arpa/inet.h>

#include <sys/types.h>
#include <sys/ioctl.h>
#include <stdarg.h>

typedef long (*syscall_fn_t)(long, long, long, long, long, long, long);

static syscall_fn_t hook_function = NULL;

int socket(int domain, int type, int protocol)
{
    return hook_function(__NR_socket,(long)domain, (long)type, (long)protocol,0,0,0);
}
int close(int fd)
{
	return hook_function(__NR_close,(long)fd, 0, 0,0,0,0);
}
int fcntl(int fd, int cmd, ...  )
{
	va_list args;
	va_start(args, cmd);
	switch (cmd) {
	case F_DUPFD:
	case F_DUPFD_CLOEXEC:
	case F_SETFD:
	case F_SETFL:
	case F_SETOWN:
	case F_SETSIG:
	case F_SETLEASE:
	case F_NOTIFY:
		return hook_function(__NR_fcntl,(long)fd, (long)cmd, (long)(va_arg(args, int)),0,0,0);	
	case F_GETLK:
	case F_SETLK:
	case F_SETLKW:
	case F_GETOWN_EX:
	case F_SETOWN_EX:
	case F_GETSIG:
	case F_GETLEASE:
		return hook_function(__NR_fcntl,(long)fd, (long)cmd, (long)(va_arg(args, void *)),0,0,0);
		
	default:
		 return hook_function(__NR_fcntl,(long)fd, (long)cmd, 0,0,0,0);	
	}
	va_end(args);

}
ssize_t read(int fd, void *buf, size_t count)
{
	return  hook_function(__NR_read,(long)fd, (long)buf, (long)count,0,0,0);
}
ssize_t write(int fd, const void *buf, size_t count)
{
	return hook_function(__NR_write,(long)fd, (long)buf, (long)count,0,0,0);
}
int ioctl(int fd, unsigned long request, ...)
{
    va_list args;
    va_start(args, request);
    void *arg = va_arg(args, void *);
    va_end(args);
    return hook_function(__NR_ioctl,(long)fd, (long)request, (long)arg,0,0,0);
}
int bind(int sockfd, const struct sockaddr *addr,socklen_t addrlen)
{
    return hook_function(__NR_bind,(long)sockfd, (long)addr, (long)addrlen,0,0,0);
}
int listen(int sockfd, int backlog)
{	
    return hook_function(__NR_listen,(long)sockfd, (long)backlog, 0,0,0,0);
}
int accept(int sockfd, struct sockaddr *addr, socklen_t *addrlen)
{
    return hook_function(__NR_accept4,(long)sockfd, (long)addr, (long)addrlen,0,0,0);
}
int getsockopt(int sockfd, int level, int optname, void *optval, socklen_t *optlen)
{
	return hook_function(__NR_getsockopt,(long)sockfd, (long)level, (long)optname, (long)optval, (long)optlen,0);
}
int setsockopt(int sockfd, int level, int optname,const void *optval, socklen_t optlen)
{
	return hook_function(__NR_setsockopt,(long)sockfd, (long)level, (long)optname, (long)optval, (long)optlen,0);
}
int epoll_create(int size)
{
	return hook_function(__NR_epoll_create,(long)size, 0, 0, 0, 0,0);		
}
int epoll_create1(int flags)
{
	return hook_function(__NR_epoll_create1,(long)flags, 0, 0, 0, 0,0);
}
int epoll_wait(int epfd, struct epoll_event *events,int maxevents, int timeout)
{
	return hook_function(__NR_epoll_wait,(long)epfd, (long)events, (long)maxevents,(long)timeout, 0,0);
}
int epoll_ctl(int epfd, int op, int fd, struct epoll_event *event)
{
	return hook_function(__NR_epoll_ctl,(long)epfd, (long)op, (long)fd,(long)event, 0,0);
}
__attribute__((constructor(0xffff))) static void __preload_init(void)
{
	void *handle;
	{
		const char *filename;
		filename = getenv("LIBZPHOOK");
		if (!filename) {
			printf("env LIBZPHOOK is empty, so skip to load a hook library\n");
			return;
		}

		handle = dlmopen(LM_ID_NEWLM, filename, RTLD_NOW | RTLD_LOCAL);
		if (!handle) {
			printf("\n");
			printf("dlmopen failed: %s\n", dlerror());
			printf("\n");
			printf("NOTE: this may occur when the compilation of your hook function library misses some specifications in LDFLAGS. or if you are using a C++ compiler, dlmopen may fail to find a symbol, and adding 'extern \"C\"' to the definition may resolve the issue.\n");
			exit(1);
		}
	}
	{
		int (*hook_init)(void);
		hook_init = dlsym(handle, "__hook_init");
		assert(hook_init);
		assert(hook_init() == 0);
	}

	if(!hook_function)
	{
		hook_function = dlsym(handle, "__hook_function");
		assert(hook_function);
	}
}

I basically did not modify main.c in glue-lwip-dpdk-zpoline
, but replaced the places where next_sys_call appeared with the corresponding original system call name.

This is the source code of main.c after I modified it: main.c

This is the command I use to start the program:

sudo NET_ADDR=10.100.0.20 NET_MASK=255.255.255.0 NET_GATE=10.100.0.1 DPDK_ARGS="-l 0 --vdev=net_tap,iface=tap001 --no-pci" LD_LIBRARY_PATH=./dpdk/install/lib/x86_64-linux-gnu LIBZPHOOK=./libzphook_lwip.so LD_PRELOAD=./ld_preload/libpreload.so PATH_TO/redis-server --protected-mode no

When the hooked object is redis-server, the following error occurs:
Accepting client connection: accept: Socket operation on non-socket

When the hooked object is a simple server program, the program crashes after connecting. After debugging it, I found that the accept return value is often 0xfffffff5.
The source code of the simple server program is at server program

In addition, I would like to know how you use ptrace to let the program apply lwip's API.
As we discussed before, ptrace cannot jump over the original system call #10(comment). How do you avoid this problem?

Looking forward to your reply.

question: handling arbitrary %rax values

One question I have after reading your very interesting atc23_slides_yasukata.pdf slide deck: do you have any safeguards in place / planned for detecting syscall() invocations with invalid (arbitrarily large) system call numbers in %rax? If I understand correctly a zpoline-patched program could call into any arbitrary 64-bit address, where (prior to patching) syscall() would have simply returned an error.

dereferencing pointer to incomplete type ‘struct clone_args’

For libzpoline.so, i type the following command.
make
I get the following error: main.c:242:9: error: dereferencing pointer to incomplete type ‘struct clone_args’
if (ca->flags & CLONE_VM)

segmentfault

kernel: traps: ls[6598] general protection ip:7fc701007c85 sp:7ffc7f0f5248 error:0 in libc-2.17.so[7fc700f1a000+1b6000]

(gdb) bt
#0 0x00007f7b40633c85 in tcgetattr () from /lib64/libc.so.6
#1 0x00007f7b406301fc in isatty () from /lib64/libc.so.6
#2 0x0000000000402a8f in ?? ()
#3 0x00007f7b4118a8f0 in __frame_dummy_init_array_entry () from ./libzpoline.so
#4 0x00007f7b40f680fe in asm_syscall_hook () from ./libzpoline.so
#5 0x0000000000000000 in ?? ()
(gdb) f 3
#3 0x00007f7b4118a8f0 in __frame_dummy_init_array_entry () from ./libzpoline.so
(gdb) disas
Dump of assembler code for function __frame_dummy_init_array_entry:
0x00007f7b4118a8e8: (bad)
0x00007f7b4118a8e9: jg 0x7f7b4118a8e1
0x00007f7b4118a8eb: rex jnp 0x7f7b4118a96d <rexes.11457+77>
0x00007f7b4118a8ee: add %al,(%rax)
=> 0x00007f7b4118a8f0: mov $0x7b,%al
0x00007f7b4118a8f2: testb $0x7f,0x7b(%rax)
0x00007f7b4118a8f6: add %al,(%rax)
End of assembler dump.
(gdb) f 4
#4 0x00007f7b40f680fe in asm_syscall_hook () from ./libzpoline.so
(gdb) disas
Dump of assembler code for function asm_syscall_hook:
0x00007f7b40f680da <+0>: pop %rax
0x00007f7b40f680db <+1>: cmp $0xf,%rax
0x00007f7b40f680df <+5>: je 0x7f7b40f68110 <do_rt_sigreturn>
0x00007f7b40f680e1 <+7>: push %rbp
0x00007f7b40f680e2 <+8>: mov %rsp,%rbp
0x00007f7b40f680e5 <+11>: and $0xfffffffffffffff0,%rsp
0x00007f7b40f680e9 <+15>: push %r11
0x00007f7b40f680eb <+17>: push %r9
0x00007f7b40f680ed <+19>: push %r8
0x00007f7b40f680ef <+21>: push %rdi
0x00007f7b40f680f0 <+22>: push %rsi
0x00007f7b40f680f1 <+23>: push %rdx
0x00007f7b40f680f2 <+24>: push %rcx
0x00007f7b40f680f3 <+25>: pushq 0x8(%rbp)
0x00007f7b40f680f6 <+28>: push %rax
0x00007f7b40f680f7 <+29>: push %r10
0x00007f7b40f680f9 <+31>: callq 0x7f7b40f67620 syscall_hook@plt
=> 0x00007f7b40f680fe <+36>: pop %r10
0x00007f7b40f68100 <+38>: add $0x10,%rsp
0x00007f7b40f68104 <+42>: pop %rcx
0x00007f7b40f68105 <+43>: pop %rdx
0x00007f7b40f68106 <+44>: pop %rsi
0x00007f7b40f68107 <+45>: pop %rdi
0x00007f7b40f68108 <+46>: pop %r8
0x00007f7b40f6810a <+48>: pop %r9
0x00007f7b40f6810c <+50>: pop %r11
0x00007f7b40f6810e <+52>: leaveq
0x00007f7b40f6810f <+53>: retq
End of assembler dump.
(gdb) info registers
rax 0x0 0
rbx 0x0 0
rcx 0x8a3b 35387
rdx 0x500 1280
rsi 0x10004157f1c03 281492517231619
rdi 0x500000500 21474837760
rbp 0x2 0x2
rsp 0x7ffd658780e0 0x7ffd658780e0
r8 0x8a3b000000bf 151986007703743
r9 0x10004157f1c0300 72062084411294464
r10 0x0 0
r11 0x170f12001a131100 1661566579169759488
r12 0x7ffd65878248 140726306832968
r13 0x7ffd65878240 140726306832960
r14 0x0 0
r15 0x0 0
rip 0x7f7b40f680fe 0x7f7b40f680fe <asm_syscall_hook+36>
eflags 0x10246 [ PF ZF IF RF ]
cs 0x33 51
ss 0x2b 43
ds 0x0 0
es 0x0 0
fs 0x0 0
gs 0x0 0

yasukata / zpoline Goto Github PK

zpoline's Introduction

zpoline: system call hook for Linux

Target Platform

Dependency

Files

Build

Setup

How to Use

How to implement my own system call hook

Further Information

Paper

Supplemental documentation in this repository

Comments in the source code

zpoline's People

Contributors

Stargazers

Watchers

Forkers

zpoline's Issues

Environment

NO.1

NO.2

NO.3

Setup

Recommend Projects

Recommend Topics

Recommend Org