
psyscall's Introduction

psyscall

Linux syscall() injection to external processes in a portable fashion using ptrace(2).

Tested on x86 (Arch Linux & Ubuntu), ARMv7 (Android 6 & 7), MIPS (Debian), PPC64 (Debian).

Requires echo 0 | sudo tee /proc/sys/kernel/yama/ptrace_scope (which disables Yama's restriction on attaching to non-descendant processes), or root privileges.

Yes, this is just a proof of concept and silly toy.
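The ptrace_scope knob above decides who may attach, and an attached tracer is visible to its target as the TracerPid field of /proc/<pid>/status. The following Python audit is an added example, not code from the psyscall project: it reports the current Yama level and lists processes that currently have a tracer attached. The status bodies, pids 123, 88 and 4242, and the process names in the samples are constructed for the example.

```python
"""Defender-side audit of the ptrace exposure that psyscall depends on.

Added example, not part of psyscall. It reads the Yama ptrace_scope setting
the README tells you to lower, and lists processes whose /proc/<pid>/status
shows a non-zero TracerPid, i.e. processes with a ptrace tracer attached
(a debugger, strace, or a syscall injector).
"""
from __future__ import annotations

import os
import re

# Yama levels as documented in the kernel's Documentation/admin-guide/LSM/Yama.rst.
PTRACE_SCOPE_MEANING = {
    0: "classic: any process may PTRACE_ATTACH to another process with the same uid",
    1: "restricted: only descendants (or processes opting in via PR_SET_PTRACER) can be traced",
    2: "admin-only: PTRACE_ATTACH requires CAP_SYS_PTRACE",
    3: "no attach: PTRACE_ATTACH is refused and the level cannot be lowered without a reboot",
}

YAMA_PATH = "/proc/sys/kernel/yama/ptrace_scope"

_TRACER_RE = re.compile(r"^TracerPid:\s*(\d+)\s*$", re.MULTILINE)
_NAME_RE = re.compile(r"^Name:\s*(.*?)\s*$", re.MULTILINE)


def describe_ptrace_scope(raw: str) -> tuple[int, str]:
    """Map the text of ptrace_scope (e.g. "1\\n") to (level, meaning)."""
    level = int(raw.strip())
    if level not in PTRACE_SCOPE_MEANING:
        raise ValueError(f"unexpected ptrace_scope value {level!r}")
    return level, PTRACE_SCOPE_MEANING[level]


def tracer_pid(status_text: str) -> int:
    """Return the TracerPid field of a /proc/<pid>/status body (0 = not traced)."""
    m = _TRACER_RE.search(status_text)
    if m is None:
        raise ValueError("no TracerPid line in status text")
    return int(m.group(1))


def process_name(status_text: str) -> str:
    """Return the Name field of a status body, or '?' if it is missing."""
    m = _NAME_RE.search(status_text)
    return m.group(1) if m else "?"


def find_traced(status_by_pid: dict[int, str]) -> list[tuple[int, str, int]]:
    """Pure logic: from {pid: status body} return (pid, name, tracer) for traced pids."""
    found = []
    for pid, text in sorted(status_by_pid.items()):
        try:
            tracer = tracer_pid(text)
        except ValueError:  # malformed or truncated status body: skip, do not abort
            continue
        if tracer != 0:
            found.append((pid, process_name(text), tracer))
    return found


def read_proc_statuses(proc_root: str = "/proc") -> dict[int, str]:
    """Collect status bodies for every numeric entry under proc_root.

    Processes that exit mid-scan or whose status we may not read are skipped.
    """
    statuses: dict[int, str] = {}
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        path = os.path.join(proc_root, entry, "status")
        try:
            with open(path, encoding="utf-8", errors="replace") as fh:
                statuses[int(entry)] = fh.read()
        except (FileNotFoundError, ProcessLookupError, PermissionError):
            continue
    return statuses


def traced_processes(proc_root: str = "/proc") -> list[tuple[int, str, int]]:
    """Live scan: which processes under proc_root have a tracer attached?"""
    return find_traced(read_proc_statuses(proc_root))


# Constructed sample status bodies (trimmed to the fields the audit reads).
SAMPLE_STATUS_TRACED = (
    "Name:\tsleep\nUmask:\t0022\nState:\tt (tracing stop)\n"
    "Tgid:\t123\nPid:\t123\nPPid:\t1\nTracerPid:\t4242\n"
)
SAMPLE_STATUS_FREE = (
    "Name:\tvim\nState:\tS (sleeping)\nTgid:\t88\nPid:\t88\nPPid:\t1\nTracerPid:\t0\n"
)


def main() -> None:
    try:
        with open(YAMA_PATH, encoding="utf-8") as fh:
            level, meaning = describe_ptrace_scope(fh.read())
        print(f"ptrace_scope = {level} ({meaning})")
    except FileNotFoundError:
        print("Yama is not enabled on this kernel: ptrace_scope file is absent")
    for pid, name, tracer in traced_processes():
        print(f"pid {pid} ({name}) is being traced by pid {tracer}")


if __name__ == "__main__":
    main()
```

Run it as any user to see the Yama level; run it as root to see status files of processes belonging to other users. The scan is split into read_proc_statuses (I/O, tolerant of processes vanishing mid-scan) and find_traced (pure logic over status bodies) so the decision logic can be exercised on captured status files without a live /proc.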

Examples

Kill emacs as vim

% ./psyscall `pidof vim` kill `pidof emacs` SIGTERM
[88] syscall(kill, 142, SIGTERM) = 0

j/k i don't have emacs installed.

Drop root privileges

% pidof wireshark
609
% sudo ./psyscall 609 getuid
[sudo] password for resilar:
[609] syscall(getuid) = 0
% sudo ./psyscall 609 setuid 1000
[609] syscall(setuid, 1000) = 0
% sudo ./psyscall 609 getuid
[609] syscall(getuid) = 1000

Make sleep speak and exit with the code 42

% sleep 60 &
[1] 123
% ./psyscall 123 write 1 \"foobar\" 6
foobar[123] syscall(write, 1, "foobar", 6) = 6
% ./psyscall 123 exit 42
[123] syscall(exit, 42) = 42
[1]  + exit 42    sleep 60
% wait 123; echo $?
42

Redirect stderr to /tmp/stderr.log and write getcwd() to it

% touch /tmp/stderr.log
% ./psyscall 666 open '"/tmp/stderr.log"' O_RDWR
[666] syscall(open, "/tmp/stderr.log", O_RDWR) = 3
% ./psyscall 666 dup2 3 2
[666] syscall(dup2, 3, 2) = 2
% ./psyscall 666 mmap 0 0x1000 'PROT_READ|PROT_WRITE' 'MAP_PRIVATE|MAP_ANONYMOUS' -1 0
[666] syscall(mmap, 0, 0x1000, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fd2f830b000
% ./psyscall 666 getcwd 0x7fd2f830b000 0x1000
[666] syscall(getcwd, 0x7fd2f830b000, 0x1000) = 24
% ./psyscall 666 write 2 0x7fd2f830b000 24
[666] syscall(write, 2, 0x7fd2f830b000, 24) = 24
% cat /tmp/stderr.log
/home/resilar/psyscall-target

psyscall's Issues

Stack of pid = xx missing

When I compile and run this code on ARM v7, for example:

./psyscall xxx getuid

Error:

Stack of pid = xx missing
[xxx] psyscall() errno=22 (Invalid argument)

The remote process is statically compiled so maybe this project can't find libc.

PTRACE_POKETEXT instead of syscall from libc?

I want to adapt your code to a statically linked executable.
I see why you want to use libc for your project (portability).
However, I was wondering if there is any major issue you see with just using
PTRACE_POKETEXT to write the syscall instruction to the current instruction?

ARM Thumb mode

Injection into ARM processes compiled with -mthumb seems buggy (stack corruption in the target process?)

Cannot build on AArch64

[[email protected]:[PL]:/mnt/storage/home/kmeaw/psyscall]$ make
cc -g -Wall -std=c89 -pedantic -c -o psyscall.o psyscall.c
psyscall.c:21:43: error: dereferencing pointer to incomplete type ‘struct user’
 #define PT_REGS (sizeof(((struct user *)0)->regs)/sizeof(unsigned long))
                                           ^
psyscall.c:29:12: note: in expansion of macro ‘PT_REGS’
     } regs[PT_REGS];
            ^~~~~~~
psyscall.c: In function ‘init_arch’:
psyscall.c:81:16: error: ‘PTRACE_GETREGS’ undeclared (first use in this function); did you mean ‘PTRACE_GETREGSET’?
     if (ptrace(PTRACE_GETREGS, child, NULL, &regs0) == -1) {
                ^~~~~~~~~~~~~~
                PTRACE_GETREGSET
psyscall.c:81:16: note: each undeclared identifier is reported only once for each function it appears in
psyscall.c:96:20: error: ‘PTRACE_SETREGS’ undeclared (first use in this function); did you mean ‘PTRACE_GETREGS’?
             ptrace(PTRACE_SETREGS, child, NULL, regs);
                    ^~~~~~~~~~~~~~
                    PTRACE_GETREGS
psyscall.c:58:42: warning: unused variable ‘regs’ [-Wunused-variable]
     long regs0[PT_REGS], regs1[PT_REGS], regs[PT_REGS];
                                          ^~~~
psyscall.c:58:26: warning: unused variable ‘regs1’ [-Wunused-variable]
     long regs0[PT_REGS], regs1[PT_REGS], regs[PT_REGS];
                          ^~~~~
psyscall.c:58:10: warning: unused variable ‘regs0’ [-Wunused-variable]
     long regs0[PT_REGS], regs1[PT_REGS], regs[PT_REGS];
          ^~~~~
psyscall.c: In function ‘psyscall’:
psyscall.c:343:12: error: ‘PTRACE_GETREGS’ undeclared (first use in this function); did you mean ‘PTRACE_GETREGSET’?
     ptrace(PTRACE_GETREGS, child, NULL, &regs);
            ^~~~~~~~~~~~~~
            PTRACE_GETREGSET
psyscall.c:375:12: error: ‘PTRACE_SETREGS’ undeclared (first use in this function); did you mean ‘PTRACE_GETREGS’?
     ptrace(PTRACE_SETREGS, pid, NULL, &regs);
            ^~~~~~~~~~~~~~
            PTRACE_GETREGS
psyscall.c:267:34: warning: unused variable ‘saved’ [-Wunused-variable]
     long argv[6], regs[PT_REGS], saved[PT_REGS], ret;
                                  ^~~~~
psyscall.c:267:19: warning: unused variable ‘regs’ [-Wunused-variable]
     long argv[6], regs[PT_REGS], saved[PT_REGS], ret;
                   ^~~~
Makefile:10: recipe for target 'psyscall.o' failed
make: *** [psyscall.o] Error 1
[[email protected]:[PL]:/mnt/storage/home/kmeaw/psyscall]$ gcc -v
Using built-in specs.
COLLECT_GCC=gcc
COLLECT_LTO_WRAPPER=/usr/lib/gcc/aarch64-linux-gnu/7/lto-wrapper
Target: aarch64-linux-gnu
Configured with: ../src/configure -v --with-pkgversion='Ubuntu/Linaro 7.5.0-3ubuntu1~18.04' --with-bugurl=file:///usr/share/doc/gcc-7/README.Bugs --enable-languages=c,ada,c++,go,d,fortran,objc,obj-c++ --prefix=/usr --with-gcc-major-version-only --program-suffix=-7 --program-prefix=aarch64-linux-gnu- --enable-shared --enable-linker-build-id --libexecdir=/usr/lib --without-included-gettext --enable-threads=posix --libdir=/usr/lib --enable-nls --enable-bootstrap --enable-clocale=gnu --enable-libstdcxx-debug --enable-libstdcxx-time=yes --with-default-libstdcxx-abi=new --enable-gnu-unique-object --disable-libquadmath --disable-libquadmath-support --enable-plugin --enable-default-pie --with-system-zlib --enable-multiarch --enable-fix-cortex-a53-843419 --disable-werror --enable-checking=release --build=aarch64-linux-gnu --host=aarch64-linux-gnu --target=aarch64-linux-gnu
Thread model: posix
gcc version 7.5.0 (Ubuntu/Linaro 7.5.0-3ubuntu1~18.04) 
[[email protected]:[PL]:/mnt/storage/home/kmeaw/psyscall]$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 18.04.5 LTS
Release:        18.04
Codename:       bionic
