- 01
- 02
- 03
- 04
- 05
- 06
- 07
- 08
- 09
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
- 23
- 24
- 25
- 26
- 27
- 28
- 29
- 30
- 31
- 32
- 33
- 34
- 35
- 36
- 37
- 38
- 39
- 40
- 41
- 42
- 43
- 44
- 45
- 46
- 47
- 48
- 49
- 50
- 51
- 52
- 53
- 54
- 55
- 56
- 57
- 58
- 59
- 60
- 61
- 62
- 63
- 64
- 65
- 66
- 67
- 68
- 69
- 70
- 71
- 72
- 73
- 74
- 75
- 76
- 77
- 78
- 79
- 80
- 81
- 82
- 83
- 84
- 85
- 86
- 87
- 88
- 89
- 90
- 91
- 92
- 93
- 94
- 95
- 96
- 97
- 98
thread_local bool nuke_nanosleep;
#include <syscall.h>
#include <sys/mman.h>
#include <dlfcn.h>
#ifndef PAGE_SIZE
#define PAGE_SIZE 4096UL
#define PAGE_MASK (~(PAGE_SIZE-1))
#endif
#define PAGE_ALIGN(addr) ((((size_t)addr)+PAGE_SIZE-1)&PAGE_MASK)
static int fun_rewrite( void *dst, const void *src, const size_t bytes, void *srcBackup )
{
void *start_page;
size_t size_of_page;
if( !( dst && src && bytes ) )
{
return -1;
}
// At first, backup original src bytes
if( srcBackup )
{
memcpy( srcBackup, src, bytes );
}
// Calculate page for mprotect
start_page = (void*)(PAGE_ALIGN( dst ) - PAGE_SIZE);
if( (size_t)((char*)dst + bytes) > PAGE_ALIGN( dst ) )
{
// bytes are located on two pages
size_of_page = PAGE_SIZE*2;
}
else
{
// bytes are located entirely on one page.
size_of_page = PAGE_SIZE;
}
// Call mprotect, so dst memory will be writable
if( mprotect( start_page, size_of_page, PROT_READ | PROT_WRITE | PROT_EXEC ) ) // This will succeeded only if dst was allocated by mmap().
{
return -1;
}
// rewrite function
memcpy( dst, src, bytes );
// just in case
if( mprotect( start_page, size_of_page, PROT_READ | PROT_EXEC ) )
{
return -1;
}
// clear instruction caches
__clear_cache( (char*)start_page, (char*)start_page + size_of_page );
return 0;
}
static int my_nanosleep(const struct timespec *req, struct timespec *rem)
{
if(nuke_nanosleep)
return 0;
return syscall(__NR_nanosleep, req, rem);
}
static void patch_nanosleep()
{
void *libc = dlopen("libc.so", RTLD_NOW);
void *pnanosleep = dlsym(libc, "nanosleep");
uint64_t my_nanosleep_addr = (uint64_t)&my_nanosleep;
#ifdef __aarch64__
uint32_t shellcode[] =
{
0x58000042,
0x14000003,
(uint32_t)(my_nanosleep_addr & 0xFFFFFFFF),
(uint32_t)(my_nanosleep_addr >> 32),
0xD61F0040
//0xd65f03c0
};
fun_rewrite(pnanosleep, shellcode, sizeof(shellcode), NULL);
#elif defined(__x86_64__)
uint8_t shellcode[] =
{
0x48, 0x8b, 0x15, 0x02, 0x00, 0x00, 0x00, 0xff,
0xe2,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
};
memcpy(&shellcode[0] + 9, &my_nanosleep_addr, 8);
fun_rewrite(pnanosleep, shellcode, sizeof(shellcode), NULL);
#endif
}
...
nuke_nanosleep = 1;
xrWaitFrame(session, NULL, &frameState);
nuke_nanosleep = 0;
Исправляем принудительно блокирующий по спекам xrWaitFrame без костылей с вызовом в отдельном потоке
Follow us!
Комментарии (0) RSS
Добавить комментарий