64 Hijacked ARMs

As discussed in A Hijack Revival, libhijack is under active development again. Today, I'm announcing version 0.8.0, which breaks both API and ABI from 0.7.0. The breakage is worth it, though. With version 0.8.0, libhijack now works on arm64. This marks a milestone achievement in libhijack: the first port to a non-x86 architecture.

It's interesting to note that during development, a local kernel DoS on arm64 was found, reported upstream, and subsequently fixed.

Download the source from GitHub here.

Here are the highlights of libhijack 0.8.0:

  • New architecture supported: arm64
  • Add ERROR_NOTSUPPORTED error code
  • Make the memory mapping code architecture-dependent
  • Add API for getting/setting various registers in an architecture-agnostic fashion
  • Add API for querying instruction alignment
  • Detect the base address better
  • Switch from ptrace(PT_READ_D) to ptrace(PT_IO) for reading data
  • Add sample exit(55) shellcode for arm64
  • Add various sanity checks and clean up a bit of code

Next item to knock off the TODO list: anonymous injection of shared objects.

 Makefile.inc                                 |   1 +
 README.md                                    |  17 +++++++---
 hijack/Makefile                              |   6 ++--
 hijack/hijack.c                              |  18 +++++++++--
 include/hijack.h                             |  24 +++++++-------
 libhijack/Makefile                           |  13 +++++---
 libhijack/arch/aarch64/hijack_machdep.h      |  37 ++++++++++++++++++++++
 libhijack/arch/aarch64/inst.c                |  46 +++++++++++++++++++++++++++
 libhijack/arch/aarch64/md_map.c              | 136 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 libhijack/arch/aarch64/regs.c                | 135 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 libhijack/arch/amd64/hijack_machdep.h        |  37 ++++++++++++++++++++++
 libhijack/arch/amd64/inst.c                  |  46 +++++++++++++++++++++++++++
 libhijack/arch/amd64/md_map.c                | 108 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 libhijack/arch/amd64/regs.c                  | 129 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 libhijack/elf.c                              |  61 +++++++++++++++++++++++++++++++-----
 libhijack/libhijack.c                        |  49 +++++++++++++++++++++++------
 libhijack/map.c                              |  87 +++------------------------------------------------
 libhijack/ptrace.c                           |  56 ++++++++++++++++-----------------
 shellcode/{ => aarch64}/.gitignore           |   0
 shellcode/aarch64/exit.asm                   |  36 +++++++++++++++++++++
 shellcode/amd64/.gitignore                   |   3 ++
 shellcode/{ => amd64}/dlopen_base_hijack.asm |   0
 shellcode/{ => amd64}/exit.asm               |   0
 23 files changed, 892 insertions(+), 153 deletions(-)

Here's libhijack on arm64 in action: