arm svc

作者：酷酷是懒虫 | 2024-08-21 20:27:16

踩

arm svc #0x0

隐藏exit,ptrace etc.

C示例


#include <sys/ptrace.h>
#include <stdio.h>
 
int main()
{
  int r;
  asm volatile (
    "mov r0, #0\n\t" /* PTRACE_TRACEME */
    "mov r1, #0\n\t"
    "mov r2, #0\n\t"
    "mov r3, #0\n\t"
    "mov r7, #26\n\t"
    "svc #0x00000000\n\t"
    "mov %[result], r0"
    : [result] "=r" (r) 
    :   
    :   
  );  
  printf ("Ptrace result : %d\n", r); 
  test();
 
  while (1);
  return 0;
}
 
void test()
{
  int r = ptrace (PTRACE_TRACEME, 0, 0, 0); 
  printf ("ptrace ret : %d\n", r); 
}

运行结果


root@hammerhead:/data/local/tmp # ./a.out
Ptrace result : 0       #asm执行成功
ptrace ret : -1         #ptrace失败，因为已经被attach


root@hammerhead:/ # ps |grep a.out
ps |grep a.out
groot      17282 17273 732    72    00000000 000083cc R ./a.out
 
 
root@hammerhead:/ # cat /proc/17282/status
cat /proc/17282/status
Name:   a.out
State:  R (running)
Tgid:   17282
Pid:    17282
PPid:   17273
TracerPid:      17273   # PTRACE_TRACEME，被父进程跟踪，17282 <- 17273
Uid:    0       0       0       0
Gid:    0       0       0       0

汇编代码比对


.text:0000838C        EXPORT test
.text:0000838C test
.text:0000838C
.text:0000838C var_8           = -8
.text:0000838C
.text:0000838C        STMFD   SP!, {R11,LR}
.text:00008390        ADD     R11, SP, #4
.text:00008394        SUB     SP, SP, #8
.text:00008398        MOV     R0, #0          ; request
.text:0000839C        MOV     R1, #0
.text:000083A0        MOV     R2, #0
.text:000083A4        MOV     R3, #0
.text:000083A8        BL      ptrace   @ 可进行elf GOT Hook
.text:000083AC        STR     R0, [R11,#var_8]
.text:000083B0        LDR     R3, =(aPtraceRetD - 0x83BC)
.text:000083B4        ADD     R3, PC, R3      ; "ptrace ret : %d\n"
.text:000083B8        MOV     R0, R3          ; format
.text:000083BC        LDR     R1, [R11,#var_8]
.text:000083C0        BL      printf
.text:000083C4        SUB     SP, R11, #4
.text:000083C8        LDMFD   SP!, {R11,PC}
.text:000083C8 ; End of function test

没有ptrace调用, anti - GOT hook


.text:00008344 main         ; DATA XREF: _start+50
.text:00008344              ; .got:main_ptr
.text:00008344
.text:00008344 var_8           = -8
.text:00008344
.text:00008344        STMFD   SP!, {R11,LR}
.text:00008348        ADD     R11, SP, #4
.text:0000834C        SUB     SP, SP, #8
.text:00008350        MOV     R0, #0
.text:00008354        MOV     R1, #0
.text:00008358        MOV     R2, #0
.text:0000835C        MOV     R3, #0
.text:00008360        MOV     R7, #0x1A
.text:00008364        SVC     0       @ 通过svc中断调用，无法Hook
.text:00008368        MOV     R3, R0
.text:0000836C        STR     R3, [R11,#var_8]
.text:00008370        LDR     R3, =(aPtraceResultD - 0x837C)
.text:00008374        ADD     R3, PC, R3   ; "Ptrace result : %d\n"
.text:00008378        MOV     R0, R3     ; format
.text:0000837C        LDR     R1, [R11,#var_8]
.text:00008380        BL      printf
.text:00008384
.text:00008384 loc_8384              ; CODE XREF: main:loc_8384
.text:00008384        B       loc_8384
.text:00008384 ; End of function main

转载于:https://www.cnblogs.com/gm-201705/p/9863954.html

声明：本文内容由网友自发贡献，不代表【wpsshop博客】立场，版权归原作者所有，本站不承担相应法律责任。如您发现有侵权的内容，请联系我们。转载请注明出处：https://www.wpsshop.cn/w/酷酷是懒虫/article/detail/1013225