
System call tampering

FrenchYeti edited this page Oct 3, 2022 · 2 revisions

This page describes the Interruptor API for reading and tampering with system call arguments and return values without having to use raw numeric values.

Perhaps the most interesting feature is that you can tamper with system calls with zero knowledge of the underlying numeric values. Interruptor knows most of the constants and flags used by system calls and exposes them through a rich API. That means you can replace an error code simply by writing: ctx.x0=Interruptor.KAPI.ERR.ENOENT

Using kernel constants

this.x1 = Interruptor.KAPI.CONST.PR_.OPT.PR_SET_DUMPABLE;

this.x2 = Interruptor.KAPI.CONST.PTRACE_.PTRACE_DETACH;

Tampering with the permissions of a memory range on mmap: add READ permission for each mmap() call

var Interruptor = require('./android-aarch64-strace.min.js').target.LinuxAarch64();

const PERM = Interruptor.KAPI.CONST.PROT_;

Interruptor.newAgentTracer({
    svc: {
        mmap: {
            // mmap(void *addr, size_t length, int prot, int flags, int fd, off_t offset);
            // AArch64 syscall ABI: arguments are passed in x0..x5, so prot is x2 (x3 holds flags)
            onEnter: function(ctx){
                // int prot: force the READ bit on, keep the other permission bits as they were
                ctx.x2 = PERM.PROT_READ | ctx.x2;
            }
        }
    }
}).start();
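The two ideas on this page, replacing a return value by a symbolic error name and editing one argument by its name rather than its register number, are modelled below as an added, stand-alone example. It is not Interruptor's code and does not need Frida: the register layout (arguments in x0..x5, result in x0 as a negative errno) and the PROT_/errno values are the real AArch64 Linux ABI, while `argRegister`, `SyscallCtx`-style plain objects and the `PROTOTYPES` table are assumptions standing in for what Interruptor's KAPI provides. The sample register context is constructed.

```javascript
// Added example, not part of Interruptor: a minimal model of symbolic
// syscall tampering on AArch64 Linux.

// asm-generic values shared by AArch64 Linux (real kernel constants)
const PROT = { PROT_NONE: 0, PROT_READ: 1, PROT_WRITE: 2, PROT_EXEC: 4 };
const ERR = { EPERM: 1, ENOENT: 2, EACCES: 13 };

// Argument order per syscall (assumed table; Interruptor derives this itself).
// AArch64 syscall ABI: argument i lives in register x<i>, i = 0..5.
const PROTOTYPES = {
  mmap:   ["addr", "length", "prot", "flags", "fd", "offset"],
  openat: ["dirfd", "pathname", "flags", "mode"],
};

// Map (syscall, argument name) -> register name, so hooks never hard-code "x3".
function argRegister(syscall, argName) {
  const proto = PROTOTYPES[syscall];
  if (!proto) throw new Error("unknown syscall " + syscall);
  const idx = proto.indexOf(argName);
  if (idx < 0) throw new Error(syscall + " has no argument " + argName);
  return "x" + idx;
}

// Turn a bitmask back into symbolic names; unknown leftover bits are kept as hex.
function decodeFlags(value, table) {
  const names = [];
  let rest = value;
  for (const [name, bit] of Object.entries(table)) {
    if (bit !== 0 && (value & bit) === bit) {
      names.push(name);
      rest &= ~bit;
    }
  }
  if (rest !== 0) names.push("0x" + rest.toString(16));
  if (names.length === 0) {
    const zero = Object.keys(table).find((k) => table[k] === 0);
    names.push(zero || "0");
  }
  return names;
}

// onEnter-style tamper: OR PROT_READ into mmap's prot, located by name.
function addReadPermission(ctx) {
  const reg = argRegister("mmap", "prot");
  ctx[reg] = ctx[reg] | PROT.PROT_READ;
  return ctx;
}

// Defender-side check on the same argument: flag writable+executable mappings.
function isWritableExecutable(ctx) {
  const prot = ctx[argRegister("mmap", "prot")];
  return (prot & (PROT.PROT_WRITE | PROT.PROT_EXEC)) === (PROT.PROT_WRITE | PROT.PROT_EXEC);
}

// onLeave-style tamper: make the call fail with a named errno.
// The raw syscall convention is a negative errno in x0.
function failWith(ctx, errName) {
  if (!(errName in ERR)) throw new Error("unknown errno " + errName);
  ctx.x0 = -ERR[errName];
  return ctx;
}

// Decode a return value the way strace would print it.
function describeResult(ctx) {
  if (ctx.x0 < 0) {
    const name = Object.keys(ERR).find((k) => ERR[k] === -ctx.x0);
    return "error " + (name || "errno " + -ctx.x0);
  }
  return "ok " + ctx.x0;
}

// Constructed sample: mmap(NULL, 4096, PROT_WRITE|PROT_EXEC, 0x22, -1, 0)
const sampleMmapEnter = { x0: 0, x1: 4096, x2: PROT.PROT_WRITE | PROT.PROT_EXEC, x3: 0x22, x4: -1, x5: 0 };

// Stand-alone walk-through
const enter = Object.assign({}, sampleMmapEnter);
console.log("prot before:", decodeFlags(enter.x2, PROT).join("|"), "W^X violation:", isWritableExecutable(enter));
addReadPermission(enter);
console.log("prot after: ", decodeFlags(enter.x2, PROT).join("|"));
console.log("forced result:", describeResult(failWith({ x0: 0 }, "ENOENT")));
```

The point of `argRegister` is the same as Interruptor's KAPI: the hook author writes `prot` and `PROT_READ`, and the mapping to `x2` and to the bit value is done by a table that can be checked once rather than in every hook. The `isWritableExecutable` check shows that the same symbolic lookup serves monitoring as well as tampering.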
