  • arm svc

    思路: 用 svc 直接发起系统调用, 不经过 libc 的 exit / ptrace 等封装函数, 使这些调用不出现在导入表 / PLT / GOT 中(即"隐藏" exit、ptrace 等), 从而避开用户态的 GOT Hook / LD_PRELOAD。注意这只防库层 Hook, 对 PTRACE_SYSCALL、seccomp 等内核侧的系统调用拦截无效。

    C示例

    #include <errno.h>
    #include <stdio.h>
    #include <string.h>
    #include <sys/ptrace.h>
    
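    /*
     * Issue PTRACE_TRACEME directly through the ARM EABI syscall interface,
     * bypassing the libc `ptrace` wrapper.  Because there is no BL to a PLT
     * stub, there is no GOT entry for a hook (or an LD_PRELOAD'ed library)
     * to replace.
     *
     * ARM EABI convention used here: syscall number in r7, arguments in
     * r0-r3, `svc #0` traps into the kernel, result returned in r0.
     * __NR_ptrace is 26 on 32-bit ARM; this does not assemble elsewhere.
     * The raw kernel return is 0 on success or -errno on failure -- the
     * libc wrapper is what normally converts that into -1 + errno.
     *
     * Caveat for anti-debugging use: this only defeats user-space library
     * hooks.  A tracer using PTRACE_SYSCALL, a seccomp filter or a kernel
     * hook still observes the syscall, and a debugger can simply patch the
     * svc instruction or the result check.
     *
     * Returns 0 (never reached: the process spins in `while (1)` so it can
     * be inspected with ps / /proc/<pid>/status).
     */
    int main(void)
    {
      void test(void);   /* defined below; avoids an implicit declaration */
      int r;

      asm volatile (
        "mov r0, #0\n\t"          /* request = PTRACE_TRACEME */
        "mov r1, #0\n\t"          /* pid   (ignored for TRACEME) */
        "mov r2, #0\n\t"          /* addr */
        "mov r3, #0\n\t"          /* data */
        "mov r7, #26\n\t"         /* __NR_ptrace on ARM EABI */
        "svc #0x00000000\n\t"
        "mov %[result], r0"
        : [result] "=r" (r)
        :
        /* r0-r3 and r7 are overwritten above; without listing them the
           compiler may keep live values there across the asm and the
           syscall would silently corrupt them.  "memory" makes the
           syscall a compiler barrier. */
        : "r0", "r1", "r2", "r3", "r7", "memory"
      );

      printf("Ptrace result : %d\n", r);   /* 0 = now traced; <0 = -errno */
      if (r < 0)
        fprintf(stderr, "svc ptrace failed: %s\n", strerror(-r));

      test();

      /* Stay alive so the tracer relationship can be inspected externally. */
      while (1);
      return 0;
    }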
    
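    /*
     * The same request through the libc wrapper.  The call is compiled as
     * `BL ptrace` -> PLT -> GOT, so rewriting the GOT entry (or preloading
     * a library that defines `ptrace`) is enough to intercept it.
     *
     * When called after main()'s direct syscall succeeded, the process
     * already has a tracer, so this second PTRACE_TRACEME is expected to
     * fail with -1 (typically EPERM); errno is printed to make that visible.
     */
    void test(void)
    {
      int r = ptrace(PTRACE_TRACEME, 0, 0, 0);

      printf("ptrace ret : %d\n", r);
      if (r == -1)
        fprintf(stderr, "libc ptrace failed: %s\n", strerror(errno));
    }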
    
    

    运行结果

    root@hammerhead:/data/local/tmp # ./a.out
    Ptrace result : 0       #asm执行成功
    ptrace ret : -1         #libc ptrace失败: 进程已处于被跟踪状态(上面的 svc PTRACE_TRACEME 已让父进程成为 tracer, 见下方 TracerPid), 再次 PTRACE_TRACEME 返回 -1/EPERM
    
    root@hammerhead:/ # ps |grep a.out
    ps |grep a.out
    groot      17282 17273 732    72    00000000 000083cc R ./a.out
    
    
    root@hammerhead:/ # cat /proc/17282/status
    cat /proc/17282/status
    Name:   a.out
    State:  R (running)
    Tgid:   17282
    Pid:    17282
    PPid:   17273
    TracerPid:      17273   # PTRACE_TRACEME,被父进程跟踪,17282 <- 17273
    Uid:    0       0       0       0
    Gid:    0       0       0       0
    

    汇编代码比对

    .text:0000838C        EXPORT test
    .text:0000838C test
    .text:0000838C
    .text:0000838C var_8           = -8
    .text:0000838C
    .text:0000838C        STMFD   SP!, {R11,LR}
    .text:00008390        ADD     R11, SP, #4
    .text:00008394        SUB     SP, SP, #8
    .text:00008398        MOV     R0, #0          ; request
    .text:0000839C        MOV     R1, #0
    .text:000083A0        MOV     R2, #0
    .text:000083A4        MOV     R3, #0
    .text:000083A8        BL      ptrace   @ 经 PLT/GOT 间接跳转: 改写 ELF GOT 表项或 LD_PRELOAD 即可替换 ptrace
    .text:000083AC        STR     R0, [R11,#var_8]
    .text:000083B0        LDR     R3, =(aPtraceRetD - 0x83BC)
    .text:000083B4        ADD     R3, PC, R3      ; "ptrace ret : %d\n"
    .text:000083B8        MOV     R0, R3          ; format
    .text:000083BC        LDR     R1, [R11,#var_8]
    .text:000083C0        BL      printf
    .text:000083C4        SUB     SP, R11, #4
    .text:000083C8        LDMFD   SP!, {R11,PC}
    .text:000083C8 ; End of function test
    

    main 中没有对 libc ptrace 的调用(无 PLT/GOT 间接跳转), 因此 GOT Hook / LD_PRELOAD 无法拦截。注意这只对用户态库层 Hook 有效: PTRACE_SYSCALL、seccomp 或内核侧的系统调用拦截仍能看到这次 svc, 攻击者也可以直接 patch svc 指令或其后的返回值判断。

    .text:00008344 main         ; DATA XREF: _start+50
    .text:00008344              ; .got:main_ptr
    .text:00008344
    .text:00008344 var_8           = -8
    .text:00008344
    .text:00008344        STMFD   SP!, {R11,LR}
    .text:00008348        ADD     R11, SP, #4
    .text:0000834C        SUB     SP, SP, #8
    .text:00008350        MOV     R0, #0
    .text:00008354        MOV     R1, #0
    .text:00008358        MOV     R2, #0
    .text:0000835C        MOV     R3, #0
    .text:00008360        MOV     R7, #0x1A
    .text:00008364        SVC     0       @ 直接 svc 进入内核, 没有 PLT/GOT 间接跳转, 用户态 GOT Hook/LD_PRELOAD 无法拦截(PTRACE_SYSCALL、seccomp 等内核侧拦截仍然有效)
    .text:00008368        MOV     R3, R0
    .text:0000836C        STR     R3, [R11,#var_8]
    .text:00008370        LDR     R3, =(aPtraceResultD - 0x837C)
    .text:00008374        ADD     R3, PC, R3   ; "Ptrace result : %d\n"
    .text:00008378        MOV     R0, R3     ; format
    .text:0000837C        LDR     R1, [R11,#var_8]
    .text:00008380        BL      printf
    .text:00008384
    .text:00008384 loc_8384              ; CODE XREF: main:loc_8384
    .text:00008384        B       loc_8384
    .text:00008384 ; End of function main
  • 原文地址:https://www.cnblogs.com/gm-201705/p/9863954.html