ARM BE testing #7

Open
thedeadliestcatch opened this issue Nov 18, 2024 · 6 comments
Labels
bug Something isn't working

Comments

@thedeadliestcatch

After reviewing many projects here on Github, I came across your crate. Pretty clean.

Currently testing for ARM BE (tier 3 target, sadly):

rustup +nightly component add rust-src
cargo +nightly build -Z build-std --target aarch64-apple-ios-sim
cargo +nightly build -Z build-std --target=armeb-unknown-linux-gnueabi --verbose --example get_pid

Still figuring out the issues with linking executables.

@ohchase
Owner

ohchase commented Nov 18, 2024

I don't think the aarch64-apple-ios-sim target will ever work because we need the ptrace syscall, so it has to be a Linux target. Unless I am misunderstanding what the simulator target is?

For armeb-unknown-linux-gnueabi I think the issue is with this function. It unconditionally writes as little-endian bytes; it will need to check endianness.
https://github.com/ohchase/ptrace-do/blob/0f57db54aeb0adb8c68148f3794a6274bf1db013/src/lib.rs#L7C1-L14C2
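The endianness point ohchase raises above, as an added example in Rust that is not ptrace-do's own code: packing a byte buffer into native-endian words for word-by-word writes, with the little-endian-only variant beside it for comparison. `usize` is an assumed stand-in for the target's ptrace word type.

```rust
// Added example, not ptrace-do's code. The tracer runs on the same machine
// as the tracee, so its native byte order is the tracee's byte order.
// `usize` is assumed here as a stand-in for the target's ptrace word size.
const WORD: usize = std::mem::size_of::<usize>();

/// Pack `data` into native-endian words, zero-padding the final partial word.
pub fn bytes_to_words(data: &[u8]) -> Vec<usize> {
    data.chunks(WORD)
        .map(|chunk| {
            let mut buf = [0u8; WORD];
            buf[..chunk.len()].copy_from_slice(chunk);
            usize::from_ne_bytes(buf)
        })
        .collect()
}

/// Inverse of `bytes_to_words`; `len` drops the zero padding again.
pub fn words_to_bytes(words: &[usize], len: usize) -> Vec<u8> {
    let mut out = Vec::with_capacity(words.len() * WORD);
    for w in words {
        out.extend_from_slice(&w.to_ne_bytes());
    }
    out.truncate(len);
    out
}

/// The defect discussed in the issue: decoding unconditionally as little
/// endian. It coincides with the native path on LE hosts and silently
/// byte-swaps every word on a big-endian target such as armeb.
pub fn bytes_to_words_le_only(data: &[u8]) -> Vec<usize> {
    data.chunks(WORD)
        .map(|chunk| {
            let mut buf = [0u8; WORD];
            buf[..chunk.len()].copy_from_slice(chunk);
            usize::from_le_bytes(buf)
        })
        .collect()
}

/// Whether the little-endian-only path would corrupt writes on this host.
pub fn le_only_corrupts_here() -> bool {
    cfg!(target_endian = "big")
}

fn main() {
    let payload = b"constructed sample payload"; // constructed sample input
    let words = bytes_to_words(payload);
    assert_eq!(words_to_bytes(&words, payload.len()), payload);
}
```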

@ohchase ohchase added the bug Something isn't working label Nov 18, 2024
@thedeadliestcatch
Author

My bad, I copied the wrong line :-)

armeb-unknown-linux-gnueabi is the target.

@thedeadliestcatch
Author

BTW, have a look at https://github.com/vfsfitvnm/intruducer (which also has issues on ARM BE for the actual injection)

The bootstrapping payloads might serve as inspiration for you, there aren't so many ways to map+dlopen after all.

I was able to successfully call functions from the target with ptrace-do, so for now the codebase can work on ARM BE, but I have not ported or written any injection capabilities yet.

You can also add some helper functions to directly call into mprotect() and mmap() via ptrace single stepping, BTW, which eliminates the need for shellcode for those specific stages (allocation and mapping). TL;DR: you getreg/setreg/single step/setreg (restore), directly calling system calls.

@ohchase
Owner

ohchase commented Nov 19, 2024

Re the injection capabilities, my other project might work out of the box for injecting a shared object on the ARM BE target.
But I think you're gonna run into issues with the LE byte writing I linked above:
https://github.com/ohchase/yaui

@ohchase
Owner

ohchase commented Nov 23, 2024

@thedeadliestcatch I yolo'd a change, #8. If you got to the point of invoking functions with a parameter count over the stack limit, this should fix those invocations.

@thedeadliestcatch
Author

YOLO is how Fortune 10 IT vendors roll, son. Will test and report. I did write a working remote injection test case with my BE changes. There are some quirks with the mmap size parameter.
