Change to use ptrace for memory writes to prevent SELinux

sterrasec · Jan 6, 2021 · e55d6f1 · e55d6f1
1 parent f7774af
commit e55d6f1
Show file tree

Hide file tree

Showing 2 changed files with 37 additions and 4 deletions.
diff --git a/cmd/cmd.go b/cmd/cmd.go
@@ -276,7 +276,7 @@ func Filter(pid string, targetVal string, prevFounds []Found) ([]Found, error) {
 	return founds, nil
 }
 
-func Patch(pid string, targetVal string, targetAddrs []Found) error {
+func PatchWithoutPtrace(pid string, targetVal string, targetAddrs []Found) error {
 	memPath := fmt.Sprintf("/proc/%s/mem", pid)
 	f, err := os.OpenFile(memPath, os.O_WRONLY, 0600)
 	if err != nil {
@@ -297,6 +297,27 @@ func Patch(pid string, targetVal string, targetAddrs []Found) error {
 	return nil
 }
 
+func PatchWithPtrace(pid string, targetVal string, targetAddrs []Found) error {
+	if !isAttached {
+		if err := Attach(pid); err != nil {
+			fmt.Println(err)
+		}
+	}
+	for _, found := range targetAddrs {
+		targetBytes, _ := found.converter(targetVal)
+		for _, targetAddr := range found.addrs {
+			tid_int, _ := strconv.Atoi(pid)
+			_, err := sys.PtracePokeData(tid_int, uintptr(targetAddr), targetBytes)
+			if err != nil {
+				return err
+			}
+		}
+	}
+	Detach()
+	fmt.Println("Successfully patched!")
+	return nil
+}
+
 func Detach() error {
 	if !isAttached {
 		fmt.Println("Already detached.")

diff --git a/main.go b/main.go
@@ -1,6 +1,7 @@
 package main
 
 import (
+	"flag"
 	"fmt"
 	"log"
 	"os"
@@ -15,6 +16,7 @@ import (
 
 var appPID string
 var addrCache []cmd.Found
+var withoutPtrace bool
 
 func executor(in string) {
 	if in == "ps" {
@@ -74,9 +76,16 @@ func executor(in string) {
 			fmt.Println("Target value cannot be specified.")
 			return
 		}
-		err := cmd.Patch(appPID, slice[1], addrCache)
-		if err != nil {
-			fmt.Println(err)
+		if withoutPtrace {
+			err := cmd.PatchWithoutPtrace(appPID, slice[1], addrCache)
+			if err != nil {
+				fmt.Println(err)
+			}
+		} else {
+			err := cmd.PatchWithPtrace(appPID, slice[1], addrCache)
+			if err != nil {
+				fmt.Println(err)
+			}
 		}
 
 	} else if in == "detach" {
@@ -143,6 +152,9 @@ func completer(t prompt.Document) []prompt.Suggest {
 }
 
 func main() {
+	flag.BoolVar(&withoutPtrace, "without-ptrace", false, "Memory modification without ptrace, which is not available in Android 10 and later")
+	flag.Parse()
+
 	// for ptrace attach
 	runtime.LockOSThread()
 	defer runtime.UnlockOSThread()