An efficient and versatile system call hook mechanism

Overview

Zpoline: hooking system calls without pain

Zpoline is a novel system call hook mechanism that offers the following advantages.

  • 100 times faster than ptrace.
  • 100% coverage, namely, it can exhaustively hook system calls.
  • No need for the source code of user-space programs.
  • No need for the change to the OS kernel and no kernel module is necessary.

Therefore, Zpoline is a quite good option if you think...

  • ptrace is too slow for your project.
  • the LD_PRELOAD trick is not enough because it cannot exhaustively hook system calls.
  • you cannot anticipate the availability of the source code of your hook target.
  • you do not want to modify the OS kernel or install a kernel module.

Zpoline is categorized into binary rewriting, but you do not need to worry that your program binary files are overwritten. The setup procedure of Zpoline rewrites the code binary loaded on the memory, just before the user-space program starts its main function. Therefore, it does not overwrite your program binary files.

The cool part of Zpoline is that it does not fail to hook system calls, which is difficult for existing binary rewriting techniques.

The key ideas of Zpoline are to exploit the calling convention and instantiate a special trampoline code. The overview is shown in the picture below.

In a nutshell, Zpoline replaces the syscall and sysenter instructions with callq *%rax, and crafts a trampoline code at virtual address 0 (Zero). That is why this technique is named Zpoline.

For more technical details, please check Documentation/README.md.

Target Platform

Currently, this implementation assumes Linux on the x86-64 architecture.

Dependency

Zpoline uses the disassembler in libopcodes that is part of binutils.

$ sudo apt install binutils-dev

Build

Please simply type make in this directory, and it will generate a file named libzpoline.so.

Setup

To use Zpoline, please set 0 to /proc/sys/vm/mmap_min_addr.

$ sudo sh -c "echo 0 > /proc/sys/vm/mmap_min_addr"

How to Use

Please specify libzpoline.so for the LD_PRELOAD variable so that Zpoline's initialization procedure can perform binary rewriting before the main function of your program starts.

$ LD_PRELOAD=./libzpoline.so [program you wish to run]

The following is the example output.

$ LD_PRELOAD=./libzpoline.so ls
Initializing Zpoline ...
-- Setting up trampoline code
-- Rewriting the code
syscall hook: read system call
syscall hook: read system call
syscall hook: read system call
syscall hook: read system call
syscall hook: close system call
syscall hook: write system call
Zpoline initialization OK
syscall hook: write system call
Start main program
syscall hook: close system call
syscall hook: close system call
syscall hook: close system call
syscall hook: write system call
.  ..  .git  libzpoline.so  LICENSE  main.c  main.o  Makefile  _moge  README.md
syscall hook: close system call

The messages syscall hook: XXX system call are printed by the Zpoline-based system call hook.

How to Develop A Zpoline-based System Call Hook

In this repository, the function named syscall_hook in main.c is the system call hook. So, it is the part that you should change for implementing your own hook function.

Firstable, if you remove the line #define DEMO 1 or the corresponding ifdef part in main.c, you can eliminate the output of the demo.

Note

Similar to other system call hook mechanisms such as the existing binary rewriting techniques and Syscall User Dispatch (SUD), users of the Zpoline technique should pay attention to the use of functions called by the primary user-space program, otherwise, the system call hook may cause a deadlock.

Let's say, we have a function named function_A which first acquires a lock, then invokes a system call, and finally releases the lock. When a user-space program calls function_A, the system call in it will be hooked by Zpoline. The problem occurs when the system call hook also calls function_A. It will result in a deadlock because the lock is not released in the first call of function_A.

Therefore, users of the Zpoline technique should assign dedicated in-memory assets to Zpoline-based system call hooks. For example, the demo program uses a self-implemented function enter_syscall rather than the syscall wrapper function in libc.

Further Information

You may be able to have a better understanding by checking the comments in the source code and Documentation/README.md.

You might also like...
Investigate kernel error call stacks

retsnoop retsnoop is BPF-based tool that is meant to help debugging kernel issues. It allows to capture call stacks of kernel functions that return er

A fork of Wraith Cyborg, the Call of Duty: Online Asset Exporter

NOTE: No support is provided for this, it was updated for a friend who works on a CoD OL Mod and it working for him was all that mattered, it is provi

Xmodelconverter - A converter for xmodel & xanim files for Call of Duty

xmodelconverter A converter for xmodel & xanim files for Call of Duty. It converts xmodel & xanim files back into xmodel_export and xanim_export text

Macro magic for declaring/calling Objective-C APIs from C11 or C++. Preloads selectors, chooses the correct objc_msgSend to call per method/platform.

OC - Easily Declare/Invoke Objective-C APIs from C11 or C++11 Usage // Call class and instance methods: NSWindow* const nswindow = oc_cls(NSWindow,new

🎮 Plants vs. Zombies multiplayer battle, developed via reverse engineering, inline hook and dynamic-link library injection. Two online players defend and attack as the plant side and zombie side respectively.
🎮 Plants vs. Zombies multiplayer battle, developed via reverse engineering, inline hook and dynamic-link library injection. Two online players defend and attack as the plant side and zombie side respectively.

Plants vs. Zombies Online Battle This project has two original repositories: https://github.com/czs108/Plants-vs.-Zombies-Online-Battle https://github

A demo of the relevant blog post: Hook Heaps and Live Free
A demo of the relevant blog post: Hook Heaps and Live Free

LockdExeDemo A demo of the relevant blog post: Hook Heaps and Live Free DEMO Explanation There are 2 compile types. The first is an EXE. The EXE requi

BokutachiHook - Hook for Lunatic Rave 2 to parse score data and send it to an HTTP server, made specifically for Bokutachi IR.

BokutachiHook Hook for Lunatic Rave 2 to parse score data and send it to an HTTP server, made specifically for Bokutachi IR (https://bokutachi.xyz). T

MiniDumpWriteDump behavior modification hook

MiniDumpWriteDumpPoC MiniDumpWriteDump behavior modification hook Read the full article in our blog: Adepts Of 0xCC: Hooks On Hoot Off This is a funct

External warzone cheat with manual mapped driver (function hook), overlay (nvidia hijack), simple esp, no recoil

external_warzone_cheat External warzone cheat with manual mapped driver (function hook), overlay (nvidia hijack), simple esp, no recoil Offsests are N

Owner
null
Take Damage hook hook made to increase weapon damage, the game I made is Free Fire in version 1.65

Take-Damage Simple Take Damage hook hook made to increase weapon damage, the game I made is Free Fire in version 1.65 Bool bool isTakeDemageBool = fal

Master Games 3 Jan 1, 2022
android analysis tools, jni trace by native hook, libc hook, write log with caller's addr in file or AndroidLog

编译方法 unix like mkdir "build" cd build cmake .. -DNDK=your_ndk_path/Android/sdk/ndk/22.0.7026061 -DANDROID_ABI=armeabi-v7a make -j8 或者使用andriod studio编

pony 63 Dec 1, 2022
Vireo is a lightweight and versatile video processing library written in C++11

Overview Vireo is a lightweight and versatile video processing library that powers our video transcoding service, deep learning recognition systems an

Twitter 874 Dec 27, 2022
Arbitrary Precision provides C++ long integer types that behave as basic integer types. This library aims to be intuitive and versatile in usage, rather than fast.

Arbitrary Precision (AP) Cross-platform and cross-standard header-only arbitrary precision arithmetic library. Currently it offers integer types that

null 17 Sep 28, 2022
Code accompanying our SIGGRAPH 2021 Technical Communications paper "Transition Motion Tensor: A Data-Driven Approach for Versatile and Controllable Agents in Physically Simulated Environments"

SIGGRAPH ASIA 2021 Technical Communications Transition Motion Tensor: A Data-Driven Framework for Versatile and Controllable Agents in Physically Simu

null 10 Apr 21, 2022
An unidentifiable mechanism that helps you bypass GFW.

trojan An unidentifiable mechanism that helps you bypass GFW. Trojan features multiple protocols over TLS to avoid both active/passive detections and

Trojan-GFW 17k Dec 30, 2022
Implementation of mmap system call in xv6

NOTE: we have stopped maintaining the x86 version of xv6, and switched our efforts to the RISC-V version (https://github.com/mit-pdos/xv6-riscv.git)

Rohit Chaudhari 6 May 18, 2021
Phantom Attack: Evading System Call Monitoring

Phantom attack is a collection of attacks that evade Linux system call monitoring. A user mode program does not need any special privileges or capabilities to reliably evade system call monitoring using Phantom attack by exploiting insecure tracing implementations.

Rex Guo 62 Dec 7, 2022
Add a new system call.

Linux kernel ============ There are several guides for kernel developers and users. These guides can be rendered in a number of formats, like HTML an

SamFu1113 2 Nov 19, 2022
A tool to convert Call of Duty XBIN/EXPORT files to and from each other.

exportxbin exportxbin is an enhanced version of export2bin included in the Call of Duty: Black Ops III Mod Tools. Its main goal is to provide users wi

Philip 3 Jan 22, 2022