sighook 0.10.0

An Apple/Linux/Android runtime instrumentation and inline hooking crate for aarch64 and x86_64.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143

//! Out-of-line execution stubs used when a displaced instruction cannot be replayed
//! directly from saved context.
//!
//! A trampoline copies the original bytes into fresh executable memory and then
//! transfers control back to the sequential original PC. This is the generic
//! execute-original fallback used when no direct replay plan is available.

#[cfg(target_arch = "aarch64")]
use crate::constants::{BR_X16, LDR_X16_LITERAL_8};
use crate::error::SigHookError;
use crate::memory::{flush_instruction_cache, last_errno};
use libc::c_void;
use std::ptr::null_mut;

pub(crate) fn create_original_trampoline(
    address: u64,
    original_bytes: &[u8],
    step_len: u8,
) -> Result<u64, SigHookError> {
    let page_size = unsafe { libc::sysconf(libc::_SC_PAGESIZE) };
    if page_size <= 0 {
        return Err(SigHookError::PageSizeUnavailable);
    }

    let page_size = page_size as usize;

    let memory = unsafe {
        libc::mmap(
            null_mut(),
            page_size,
            libc::PROT_READ | libc::PROT_WRITE,
            libc::MAP_PRIVATE | libc::MAP_ANON,
            -1,
            0,
        )
    };

    if memory == libc::MAP_FAILED {
        return Err(SigHookError::MmapFailed {
            errno: last_errno(),
        });
    }

    let base = memory as usize;
    let next_pc = address.wrapping_add(step_len as u64);

    #[cfg(target_arch = "aarch64")]
    {
        if original_bytes.len() != 4 {
            return Err(SigHookError::InvalidAddress);
        }

        // Layout:
        //   [0x00] original displaced instruction
        //   [0x04] ldr x16, #8
        //   [0x08] br  x16
        //   [0x0C] absolute 64-bit return address
        //
        // This is intentionally tiny and avoids any dependence on branch reach.
        let mut insn = [0u8; 4];
        insn.copy_from_slice(original_bytes);
        let original_opcode = u32::from_le_bytes(insn);

        unsafe {
            std::ptr::write_unaligned(base as *mut u32, original_opcode.to_le());
            std::ptr::write_unaligned((base + 4) as *mut u32, LDR_X16_LITERAL_8.to_le());
            std::ptr::write_unaligned((base + 8) as *mut u32, BR_X16.to_le());
            std::ptr::write_unaligned((base + 12) as *mut u64, next_pc.to_le());
        }

        flush_instruction_cache(memory, 20);
    }

    #[cfg(all(target_arch = "x86_64", any(target_os = "linux", target_os = "macos")))]
    {
        if original_bytes.is_empty() {
            return Err(SigHookError::InvalidAddress);
        }

        // Copy the displaced instruction bytes verbatim, then append whichever jump
        // form can reach `next_pc`.
        unsafe {
            std::ptr::copy_nonoverlapping(
                original_bytes.as_ptr(),
                base as *mut u8,
                original_bytes.len(),
            );
        }

        let jmp_site = base + original_bytes.len();
        if let Ok(rel_jmp) = crate::memory::encode_jmp_rel32(jmp_site as u64, next_pc) {
            unsafe {
                std::ptr::copy_nonoverlapping(rel_jmp.as_ptr(), jmp_site as *mut u8, rel_jmp.len());
            }
            flush_instruction_cache(memory, original_bytes.len() + rel_jmp.len());
        } else {
            let abs = encode_abs_jmp_indirect(next_pc);
            unsafe {
                std::ptr::copy_nonoverlapping(abs.as_ptr(), jmp_site as *mut u8, abs.len());
            }
            flush_instruction_cache(memory, original_bytes.len() + abs.len());
        }
    }

    unsafe {
        if libc::mprotect(memory, page_size, libc::PROT_READ | libc::PROT_EXEC) != 0 {
            return Err(SigHookError::TrampolineProtectFailed {
                errno: last_errno(),
            });
        }
    }

    Ok(base as u64)
}

pub(crate) unsafe fn free_original_trampoline(trampoline_pc: u64) {
    if trampoline_pc == 0 {
        return;
    }

    let page_size = unsafe { libc::sysconf(libc::_SC_PAGESIZE) };
    if page_size <= 0 {
        return;
    }

    unsafe {
        let _ = libc::munmap(trampoline_pc as *mut c_void, page_size as usize);
    }
}

#[cfg(all(target_arch = "x86_64", any(target_os = "linux", target_os = "macos")))]
fn encode_abs_jmp_indirect(to_address: u64) -> [u8; 14] {
    let mut bytes = [0u8; 14];
    // `jmp qword ptr [rip+0]` followed by the absolute destination literal.
    bytes[0] = 0xFF;
    bytes[1] = 0x25;
    bytes[2] = 0x00;
    bytes[3] = 0x00;
    bytes[4] = 0x00;
    bytes[5] = 0x00;
    bytes[6..14].copy_from_slice(&to_address.to_le_bytes());
    bytes
}