PS4 kernel hooking library / payload.

PS4 KHook

Overview

PS4 KHook is a minimalist kernel hooking payload. It targets firmware 5.05, but it can be used with any firmware (or even non-PS4 systems) with modifications. Its primary intent is exploit development and debugging, though it can be used anywhere hooking is needed (Mira is recommended for long-term hooks for things like homebrew). It doesn't require a daemon running for state tracking, as it uses a code cave and a dispatch table instead.

Warning: the implementation is pretty hacky and it's not yet complete. Feel free to fork and pull request any improvements or TODO items.

Building and running

To build this payload you'll need the PS4 Payload SDK from Scene Collective. Once installed, build the payload and send it to the console's payload listener like so (nc takes the host and the port as separate arguments):

$ make clean
$ make
$ cat PS4-KHook.bin | nc [ps4ip] [payloadport]

Important caveats

This hooking payload does have some caveats you need to be aware of before writing and installing hooks.

  • Hooks must have exactly one return path, and it must return 0x1337. Additionally, the payload must be compiled without optimization (-O0). The hook's size is calculated at runtime from its machine code, which relies on a single, recognizable return sequence; multiple returns or an optimized epilogue make that calculation fail or stop early, so an incomplete hook body gets installed.
  • Trampolines must be a minimum size of 10 bytes (0xA bytes), rounded up to a whole-instruction boundary at the hook location.
  • Trampolines cannot contain any instructions that use RIP-relative addressing (including calls, jumps, or RIP-relative data reads/writes). The original instructions displaced by the trampoline are executed from the code cave, at a different address than they were assembled for, and they are not relocated, so any RIP-relative operand would resolve against the wrong address (fixing these up is on the TODO list).
  • Kernel offsets and the code cave are for 5.05 firmware. To use this on other firmwares you'll need to port these offsets.

Adding your own hooks

Hooks should be defined in hooks.c with prototypes in hooks.h. These files already contain two example hooks I wrote for debugging the IP6_EXTHDR_CHECK UAF from theflow. Use the following template for hook functions:

int my_hook()
{
    SAVE_REGISTERS;
    
    // [hook code]

    RESTORE_REGISTERS;
    return 0x1337;    // the only return: its value is the sentinel the size calculation looks for
}

For installing hooks, see main.c. Here's an example of installing my_hook on the sys_dynlib_prepare_dlclose syscall with hook ID 1:

#define HOOK_DYNLIB_PREPARE_DLCLOSE     0x239380    // 5.05 kernel offset of the hook target

// ...

// The argument buffer must land at the address the kernel side expects. Without
// MAP_FIXED the address is only a hint, so check that the kernel honored it.
char *kexecArgsBuffer = mmap(KEXEC_ARGS_BUFFER, 0x4000, PROT_READ | PROT_WRITE, MAP_ANONYMOUS | MAP_PRIVATE, -1, 0);

if(kexecArgsBuffer != KEXEC_ARGS_BUFFER)
    return -1;

struct install_hook_args *installHookArgs = (struct install_hook_args *)kexecArgsBuffer;

installHookArgs->id = 1;                                                      // hook ID
installHookArgs->targetOffset = (uint64_t *)HOOK_DYNLIB_PREPARE_DLCLOSE;     // kernel offset to patch
installHookArgs->trampolineSize = 0xA;                                         // >= 0xA and covering whole instructions at the target
installHookArgs->hookFunctionAddr = (uint64_t *)&my_hook;
installHookArgs->hookFunctionSize = get_function_size((uint8_t *)&my_hook);   // runtime scan of the hook's code, see caveats

The one argument that requires manual work to figure out and set properly is the trampoline size. It cannot be calculated automatically, because it depends on where you hook: x86 has variable-length instructions, so the trampoline must overwrite whole instructions only. Disassemble the bytes at the target offset and sum instruction lengths until the total is at least 0xA; that sum is your trampoline size, so it is at least 0xA and possibly larger depending on the instructions at the hook location. If it is wrong, execution resumes in the middle of an instruction and a crash will follow from executing invalid instructions (or valid instructions with unintended behavior).
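As an added example (not code from PS4-KHook; the project's own get_function_size lives in main.c and may work differently), here is a C scanner that illustrates why hooks need one return path, the 0x1337 sentinel and -O0. It assumes the hook size is found by locating the `mov eax, 0x1337` sentinel and the `ret` that follows it, and runs that scan over three hand-assembled byte strings constructed for this example: a -O0 hook of the template shape, one with an early return in a branch, and one without the sentinel.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* x86-64 byte patterns the scanner keys on (an assumption for this example):
 *   B8 37 13 00 00   mov eax, 0x1337   -- the sentinel return value
 *   C3               ret
 * A -O0 epilogue puts the ret within a few bytes of the mov
 * (leave / pop rbp / add rsp, imm8 in between). */
#define SENTINEL_LEN  5
#define MAX_EPILOGUE  16    /* assumed bound on bytes between the mov and its ret */

static const uint8_t mov_eax_1337[SENTINEL_LEN] = { 0xB8, 0x37, 0x13, 0x00, 0x00 };

/* Size of the hook body: bytes from `code` up to and including the first
 * ret that follows a `mov eax, 0x1337`. Returns 0 when no such epilogue is
 * found within `limit` bytes, so the caller never copies an unbounded blob. */
size_t hook_function_size(const uint8_t *code, size_t limit)
{
    for (size_t i = 0; i + SENTINEL_LEN <= limit; i++) {
        if (memcmp(code + i, mov_eax_1337, SENTINEL_LEN) != 0)
            continue;
        size_t end = i + SENTINEL_LEN + MAX_EPILOGUE;
        for (size_t j = i + SENTINEL_LEN; j < limit && j < end; j++)
            if (code[j] == 0xC3)
                return j + 1;
        return 0;   /* sentinel with no ret nearby: not the epilogue shape we expect */
    }
    return 0;
}

/* Constructed machine code, hand-assembled for this example. */

/* What -O0 emits for the template hook: one prologue, one sentinel, one ret. */
const uint8_t hook_o0[] = {
    0x55,                                     /* push rbp              */
    0x48, 0x89, 0xE5,                         /* mov  rbp, rsp         */
    0x48, 0x83, 0xEC, 0x10,                   /* sub  rsp, 0x10        */
    0xC7, 0x45, 0xFC, 0x01, 0x00, 0x00, 0x00, /* mov  dword [rbp-4], 1 */
    0xB8, 0x37, 0x13, 0x00, 0x00,             /* mov  eax, 0x1337      */
    0xC9,                                     /* leave                 */
    0xC3,                                     /* ret                   */
};
const size_t hook_o0_len = sizeof(hook_o0);

/* A hook that violates the one-return-path rule: an early `return 0x1337`
 * inside a branch. The scan stops at the first epilogue, so only the first
 * 15 of 29 bytes would be copied and the second path is lost. */
const uint8_t hook_two_rets[] = {
    0x55,                                     /* push rbp              */
    0x48, 0x89, 0xE5,                         /* mov  rbp, rsp         */
    0x85, 0xFF,                               /* test edi, edi         */
    0x74, 0x07,                               /* jz   +7 (skip early return) */
    0xB8, 0x37, 0x13, 0x00, 0x00,             /* mov  eax, 0x1337      */
    0x5D,                                     /* pop  rbp              */
    0xC3,                                     /* ret  <- scan stops here */
    0xC7, 0x45, 0xFC, 0x02, 0x00, 0x00, 0x00, /* mov  dword [rbp-4], 2 */
    0xB8, 0x37, 0x13, 0x00, 0x00,             /* mov  eax, 0x1337      */
    0x5D,                                     /* pop  rbp              */
    0xC3,                                     /* ret                   */
};
const size_t hook_two_rets_len = sizeof(hook_two_rets);

/* A hook that returns something other than 0x1337: no sentinel, size 0. */
const uint8_t hook_no_sentinel[] = {
    0x55,                                     /* push rbp              */
    0x48, 0x89, 0xE5,                         /* mov  rbp, rsp         */
    0x31, 0xC0,                               /* xor  eax, eax         */
    0x5D,                                     /* pop  rbp              */
    0xC3,                                     /* ret                   */
};
const size_t hook_no_sentinel_len = sizeof(hook_no_sentinel);

int main(void)
{
    printf("single return path : %zu of %zu bytes\n",
           hook_function_size(hook_o0, hook_o0_len), hook_o0_len);
    printf("two return paths   : %zu of %zu bytes (truncated copy)\n",
           hook_function_size(hook_two_rets, hook_two_rets_len), hook_two_rets_len);
    printf("no 0x1337 sentinel : %zu bytes (rejected)\n",
           hook_function_size(hook_no_sentinel, hook_no_sentinel_len));
    return 0;
}
```

The second byte string is the failure mode the caveats warn about: a second `return 0x1337` in a branch makes the scan stop 14 bytes early, and the installed copy would run off its end the first time the other branch is taken. An optimizing compiler can produce the same shape on its own (a shared or duplicated epilogue), which is why -O0 is required.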

TODO

  • Rework dispatch table to allow for a smaller code cave by pivoting to a heap-allocated dispatch table
  • Fix up RIP-relative instructions to allow them inside trampolines
  • Possibly do more robust function size calculation (size directives?)

License

Specter (Cryptogenic) - @SpecterDev

This project is licensed under the WTFPL license - see the LICENSE.md file for details.

Thanks
