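├── Makefile
├── Syscall_arm64.h
├── arm_seccomp.h
└── arm_seccomp_ptrace.cpp
/Makefile:
--------------------------------------------------------------------------------
# Builds the seccomp+ptrace openat-redirect demo for arm64 Android and pushes it
# to a connected device. Needs an NDK clang++ and adb on PATH.
#
# The binary is installed 0755, not 0777: /data/local/tmp is shared by every
# shell/app user on the device, and a world-writable executable there can be
# swapped out by any of them before it is run.
.PHONY: all
all:
	clang++ -target aarch64-linux-android21 -Wall -Wextra arm_seccomp_ptrace.cpp -o tuziseccomp -static-libstdc++
	adb push tuziseccomp /data/local/tmp
	adb shell chmod 755 /data/local/tmp/tuziseccomp
--------------------------------------------------------------------------------
/Syscall_arm64.h:
--------------------------------------------------------------------------------
/*
 * arm64 syscall numbers used with raw syscall(2) in arm_seccomp_ptrace.cpp.
 * The numbering appears to follow the kernel's asm-generic/unistd.h layout
 * (openat == 56, __NR_syscalls == 291); the values duplicate what
 * <sys/syscall.h> provides and must stay identical to it, since both headers
 * are included by the same translation unit.
 */
#define __NR_io_setup 0
#define __NR_io_destroy 1
#define __NR_io_submit 2
#define __NR_io_cancel 3
#define __NR_io_getevents 4
#define __NR_setxattr 5
#define __NR_lsetxattr 6
#define __NR_fsetxattr 7
#define __NR_getxattr 8
#define __NR_lgetxattr 9
#define __NR_fgetxattr 10
#define __NR_listxattr 11
#define __NR_llistxattr 12
#define __NR_flistxattr 13
#define __NR_removexattr 14
#define __NR_lremovexattr 15
#define __NR_fremovexattr 16
#define __NR_getcwd 17
#define __NR_lookup_dcookie 18
#define __NR_eventfd2 19
#define __NR_epoll_create1 20
#define __NR_epoll_ctl 21
#define __NR_epoll_pwait 22
#define __NR_dup 23
#define __NR_dup3 24
#define __NR3264_fcntl 25
#define __NR_inotify_init1 26
#define __NR_inotify_add_watch 27
#define __NR_inotify_rm_watch 28
#define __NR_ioctl 29
#define __NR_ioprio_set 30
#define __NR_ioprio_get 31
#define __NR_flock 32
#define __NR_mknodat 33
#define __NR_mkdirat 34
#define __NR_unlinkat 35
#define __NR_symlinkat 36
#define __NR_linkat 37
#ifdef __ARCH_WANT_RENAMEAT
#define __NR_renameat 38
#endif
#define __NR_umount2 39
#define __NR_mount 40
#define __NR_pivot_root 41
#define __NR_nfsservctl 42
#define __NR3264_statfs 43
#define __NR3264_fstatfs 44
#define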
__NR3264_truncate 45 49 | #define __NR3264_ftruncate 46 50 | #define __NR_fallocate 47 51 | #define __NR_faccessat 48 52 | #define __NR_chdir 49 53 | #define __NR_fchdir 50 54 | #define __NR_chroot 51 55 | #define __NR_fchmod 52 56 | #define __NR_fchmodat 53 57 | #define __NR_fchownat 54 58 | #define __NR_fchown 55 59 | #define __NR_openat 56 60 | #define __NR_close 57 61 | #define __NR_vhangup 58 62 | #define __NR_pipe2 59 63 | #define __NR_quotactl 60 64 | #define __NR_getdents64 61 65 | #define __ARCH_WANT_COMPAT_SYS_GETDENTS64 66 | #define __NR3264_lseek 62 67 | #define __NR_read 63 68 | #define __NR_write 64 69 | #define __NR_readv 65 70 | #define __NR_writev 66 71 | #define __NR_pread64 67 72 | #define __NR_pwrite64 68 73 | #define __NR_preadv 69 74 | #define __NR_pwritev 70 75 | #define __NR3264_sendfile 71 76 | #define __NR_pselect6 72 77 | #define __NR_ppoll 73 78 | #define __NR_signalfd4 74 79 | #define __NR_vmsplice 75 80 | #define __NR_splice 76 81 | #define __NR_tee 77 82 | #define __NR_readlinkat 78 83 | #define __NR3264_fstatat 79 84 | #define __NR3264_fstat 80 85 | #define __NR_sync 81 86 | #define __NR_fsync 82 87 | #define __NR_fdatasync 83 88 | #ifdef __ARCH_WANT_SYNC_FILE_RANGE2 89 | #define __NR_sync_file_range2 84 90 | #else 91 | #define __NR_sync_file_range 84 92 | #endif 93 | #define __NR_timerfd_create 85 94 | #define __NR_timerfd_settime 86 95 | #define __NR_timerfd_gettime 87 96 | #define __NR_utimensat 88 97 | #define __NR_acct 89 98 | #define __NR_capget 90 99 | #define __NR_capset 91 100 | #define __NR_personality 92 101 | #define __NR_exit 93 102 | #define __NR_exit_group 94 103 | #define __NR_waitid 95 104 | #define __NR_set_tid_address 96 105 | #define __NR_unshare 97 106 | #define __NR_futex 98 107 | #define __NR_set_robust_list 99 108 | #define __NR_get_robust_list 100 109 | #define __NR_nanosleep 101 110 | #define __NR_getitimer 102 111 | #define __NR_setitimer 103 112 | #define __NR_kexec_load 104 113 | #define __NR_init_module 
105 114 | #define __NR_delete_module 106 115 | #define __NR_timer_create 107 116 | #define __NR_timer_gettime 108 117 | #define __NR_timer_getoverrun 109 118 | #define __NR_timer_settime 110 119 | #define __NR_timer_delete 111 120 | #define __NR_clock_settime 112 121 | #define __NR_clock_gettime 113 122 | #define __NR_clock_getres 114 123 | #define __NR_clock_nanosleep 115 124 | #define __NR_syslog 116 125 | #define __NR_ptrace 117 126 | #define __NR_sched_setparam 118 127 | #define __NR_sched_setscheduler 119 128 | #define __NR_sched_getscheduler 120 129 | #define __NR_sched_getparam 121 130 | #define __NR_sched_setaffinity 122 131 | #define __NR_sched_getaffinity 123 132 | #define __NR_sched_yield 124 133 | #define __NR_sched_get_priority_max 125 134 | #define __NR_sched_get_priority_min 126 135 | #define __NR_sched_rr_get_interval 127 136 | #define __NR_restart_syscall 128 137 | #define __NR_kill 129 138 | #define __NR_tkill 130 139 | #define __NR_tgkill 131 140 | #define __NR_sigaltstack 132 141 | #define __NR_rt_sigsuspend 133 142 | #define __NR_rt_sigaction 134 143 | #define __NR_rt_sigprocmask 135 144 | #define __NR_rt_sigpending 136 145 | #define __NR_rt_sigtimedwait 137 146 | #define __NR_rt_sigqueueinfo 138 147 | #define __NR_rt_sigreturn 139 148 | #define __NR_setpriority 140 149 | #define __NR_getpriority 141 150 | #define __NR_reboot 142 151 | #define __NR_setregid 143 152 | #define __NR_setgid 144 153 | #define __NR_setreuid 145 154 | #define __NR_setuid 146 155 | #define __NR_setresuid 147 156 | #define __NR_getresuid 148 157 | #define __NR_setresgid 149 158 | #define __NR_getresgid 150 159 | #define __NR_setfsuid 151 160 | #define __NR_setfsgid 152 161 | #define __NR_times 153 162 | #define __NR_setpgid 154 163 | #define __NR_getpgid 155 164 | #define __NR_getsid 156 165 | #define __NR_setsid 157 166 | #define __NR_getgroups 158 167 | #define __NR_setgroups 159 168 | #define __NR_uname 160 169 | #define __NR_sethostname 161 170 | #define 
__NR_setdomainname 162 171 | #define __NR_getrlimit 163 172 | #define __NR_setrlimit 164 173 | #define __NR_getrusage 165 174 | #define __NR_umask 166 175 | #define __NR_prctl 167 176 | #define __NR_getcpu 168 177 | #define __NR_gettimeofday 169 178 | #define __NR_settimeofday 170 179 | #define __NR_adjtimex 171 180 | #define __NR_getpid 172 181 | #define __NR_getppid 173 182 | #define __NR_getuid 174 183 | #define __NR_geteuid 175 184 | #define __NR_getgid 176 185 | #define __NR_getegid 177 186 | #define __NR_gettid 178 187 | #define __NR_sysinfo 179 188 | #define __NR_mq_open 180 189 | #define __NR_mq_unlink 181 190 | #define __NR_mq_timedsend 182 191 | #define __NR_mq_timedreceive 183 192 | #define __NR_mq_notify 184 193 | #define __NR_mq_getsetattr 185 194 | #define __NR_msgget 186 195 | #define __NR_msgctl 187 196 | #define __NR_msgrcv 188 197 | #define __NR_msgsnd 189 198 | #define __NR_semget 190 199 | #define __NR_semctl 191 200 | #define __NR_semtimedop 192 201 | #define __NR_semop 193 202 | #define __NR_shmget 194 203 | #define __NR_shmctl 195 204 | #define __NR_shmat 196 205 | #define __NR_shmdt 197 206 | #define __NR_socket 198 207 | #define __NR_socketpair 199 208 | #define __NR_bind 200 209 | #define __NR_listen 201 210 | #define __NR_accept 202 211 | #define __NR_connect 203 212 | #define __NR_getsockname 204 213 | #define __NR_getpeername 205 214 | #define __NR_sendto 206 215 | #define __NR_recvfrom 207 216 | #define __NR_setsockopt 208 217 | #define __NR_getsockopt 209 218 | #define __NR_shutdown 210 219 | #define __NR_sendmsg 211 220 | #define __NR_recvmsg 212 221 | #define __NR_readahead 213 222 | #define __NR_brk 214 223 | #define __NR_munmap 215 224 | #define __NR_mremap 216 225 | #define __NR_add_key 217 226 | #define __NR_request_key 218 227 | #define __NR_keyctl 219 228 | #define __NR_clone 220 229 | #define __NR_execve 221 230 | #define __NR3264_mmap 222 231 | #define __NR3264_fadvise64 223 232 | #ifndef __ARCH_NOMMU 233 | #define 
__NR_swapon 224 234 | #define __NR_swapoff 225 235 | #define __NR_mprotect 226 236 | #define __NR_msync 227 237 | #define __NR_mlock 228 238 | #define __NR_munlock 229 239 | #define __NR_mlockall 230 240 | #define __NR_munlockall 231 241 | #define __NR_mincore 232 242 | #define __NR_madvise 233 243 | #define __NR_remap_file_pages 234 244 | #define __NR_mbind 235 245 | #define __NR_get_mempolicy 236 246 | #define __NR_set_mempolicy 237 247 | #define __NR_migrate_pages 238 248 | #define __NR_move_pages 239 249 | #endif 250 | #define __NR_rt_tgsigqueueinfo 240 251 | #define __NR_perf_event_open 241 252 | #define __NR_accept4 242 253 | #define __NR_recvmmsg 243 254 | #define __NR_arch_specific_syscall 244 255 | #define __NR_wait4 260 256 | #define __NR_prlimit64 261 257 | #define __NR_fanotify_init 262 258 | #define __NR_fanotify_mark 263 259 | #define __NR_name_to_handle_at 264 260 | #define __NR_open_by_handle_at 265 261 | #define __NR_clock_adjtime 266 262 | #define __NR_syncfs 267 263 | #define __NR_setns 268 264 | #define __NR_sendmmsg 269 265 | #define __NR_process_vm_readv 270 266 | #define __NR_process_vm_writev 271 267 | #define __NR_kcmp 272 268 | #define __NR_finit_module 273 269 | #define __NR_sched_setattr 274 270 | #define __NR_sched_getattr 275 271 | #define __NR_renameat2 276 272 | #define __NR_seccomp 277 273 | #define __NR_getrandom 278 274 | #define __NR_memfd_create 279 275 | #define __NR_bpf 280 276 | #define __NR_execveat 281 277 | #define __NR_userfaultfd 282 278 | #define __NR_membarrier 283 279 | #define __NR_mlock2 284 280 | #define __NR_copy_file_range 285 281 | #define __NR_preadv2 286 282 | #define __NR_pwritev2 287 283 | #define __NR_pkey_mprotect 288 284 | #define __NR_pkey_alloc 289 285 | #define __NR_pkey_free 290 286 | #undef __NR_syscalls 287 | #define __NR_syscalls 291 -------------------------------------------------------------------------------- /arm_seccomp.h: 
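--------------------------------------------------------------------------------
/*
 * arm_seccomp.h — shared declarations for the seccomp+ptrace openat
 * redirector in arm_seccomp_ptrace.cpp (arm64 only).
 */
#ifndef ARM_SECCOMP_H
#define ARM_SECCOMP_H

#include <stddef.h>
#include <stdint.h>
#include <sys/types.h>
#include <asm/ptrace.h>   /* struct user_pt_regs (arm64 uapi) */

/* Tracer loop: resumes the child and services its stops until it exits. */
static void process_signals(pid_t child);

/*
 * Copy the NUL-terminated string at regs.regs[1] (openat's pathname) out of
 * the tracee into file. Writes at most cap bytes and always NUL-terminates.
 */
static void read_file(pid_t child, char *file, size_t cap, user_pt_regs regs);

/*
 * Overwrite the tracee's pathname argument in place with file.
 * Returns 0 on success, -1 if the new path does not fit or ptrace fails.
 */
static int redirect_file(pid_t child, const char *file, user_pt_regs regs);

/*
 * Write sz bytes of str into the tracee at addr with PTRACE_POKEDATA.
 * Returns 0 on success, -1 (errno set by ptrace) on failure.
 */
int putdata(pid_t pid, uint64_t addr, const char *str, long sz);

#if defined(__aarch64__)
/* Field aliases for struct user_pt_regs, named after the arm64 registers. */
#define ARM_x0 regs[0]
#define ARM_x1 regs[1]
#define ARM_x2 regs[2]
#define ARM_x8 regs[8]    /* syscall number */
#define ARM_lr regs[30]
#define ARM_sp sp
#define ARM_pc pc
#define ARM_cpsr pstate
#ifndef NT_PRSTATUS
#define NT_PRSTATUS 1     /* regset id for PTRACE_GETREGSET; also in <elf.h> */
#endif
#endif

#endif /* ARM_SECCOMP_H */
--------------------------------------------------------------------------------
/arm_seccomp_ptrace.cpp:
--------------------------------------------------------------------------------
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <signal.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <sys/prctl.h>
#include <sys/ptrace.h>
#include <sys/syscall.h>
#include <sys/uio.h>
#include <sys/wait.h>

#include "Syscall_arm64.h"
#include "arm_seccomp.h"   /* was "arm64_seccomp.h", which does not exist in the tree */

/*
 * Demo of syscall-argument rewriting with seccomp + ptrace.
 *
 * The child installs a BPF filter that returns SECCOMP_RET_TRACE for openat()
 * and SECCOMP_RET_ALLOW for everything else, then stops itself. The parent
 * attaches as tracer, enables PTRACE_O_TRACESECCOMP and, on each seccomp
 * stop, reads the pathname out of the child and may overwrite it before the
 * kernel executes the call.
 *
 * Returns 0 when the tracer loop finishes normally, 1 on any setup failure.
 */
int main()
{
    pid_t pid = fork();
    if (pid < 0) {
        perror("fork");
        return 1;
    }

    if (pid == 0) {
        /* ---------------- tracee ---------------- */
        struct sock_filter filter[] = {
            /* Check the ABI before trusting nr: the __NR_* values in
             * Syscall_arm64.h are arm64 numbers, and a filter that only looks
             * at nr would misread a syscall from another ABI. A mismatch kills
             * the thread (SECCOMP_RET_KILL_PROCESS would be preferable where
             * the kernel supports it; the demo is single-threaded anyway). */
            BPF_STMT(BPF_LD + BPF_W + BPF_ABS, offsetof(struct seccomp_data, arch)),
            BPF_JUMP(BPF_JMP + BPF_JEQ + BPF_K, AUDIT_ARCH_AARCH64, 1, 0),
            BPF_STMT(BPF_RET + BPF_K, SECCOMP_RET_KILL),
            /* Hand openat to the tracer (PTRACE_EVENT_SECCOMP stop); allow the rest. */
            BPF_STMT(BPF_LD + BPF_W + BPF_ABS, offsetof(struct seccomp_data, nr)),
            BPF_JUMP(BPF_JMP + BPF_JEQ + BPF_K, __NR_openat, 0, 1),
            BPF_STMT(BPF_RET + BPF_K, SECCOMP_RET_TRACE),
            BPF_STMT(BPF_RET + BPF_K, SECCOMP_RET_ALLOW),
        };
        struct sock_fprog prog = {
            .len = (unsigned short)(sizeof(filter) / sizeof(filter[0])),
            .filter = filter,
        };

        if (ptrace(PTRACE_TRACEME, 0, 0, 0) == -1) {
            perror("ptrace(PTRACE_TRACEME)");
            return 1;
        }
        /* Required to install a filter without CAP_SYS_ADMIN; it also keeps
         * the filter from being shed through a setuid execve. */
        if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == -1) {
            perror("prctl(PR_SET_NO_NEW_PRIVS)");
            return 1;
        }
        if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) == -1) {
            perror("when setting seccomp filter");
            return 1;
        }
        /* Park until the parent has enabled PTRACE_O_TRACESECCOMP. Without a
         * tracer listening, a RET_TRACE syscall is not run and fails with ENOSYS. */
        kill(getpid(), SIGSTOP);

        /* Raw openat() so the filter sees the calls exactly as issued. The
         * paths are absolute, so dirfd is ignored — but pass AT_FDCWD rather
         * than the uninitialised int the original used. Only the first file
         * is read back; the others exist to generate tracer events and are
         * closed again instead of being leaked. */
        int fd = (int)syscall(__NR_openat, AT_FDCWD, "/data/local/tmp/tuzi1.txt", O_RDONLY);
        static const char *const probes[] = {
            "/data/local/tmp/asdss.txt",
            "/data/local/tmp/asda.txt",
            "/data/local/tmp/TsdsaWO.txt",
            "/data/local/tmp/sadas.txt",
            "/data/local/tmp/sad.txt",
            "/data/local/tmp/asda.txt",
        };
        for (size_t k = 0; k < sizeof(probes) / sizeof(probes[0]); ++k) {
            long pfd = syscall(__NR_openat, AT_FDCWD, probes[k], O_RDONLY);
            if (pfd >= 0) {
                syscall(__NR_close, pfd);
            }
        }
        if (fd == -1) {
            perror("open");
            return 1;
        }

        char buf[256];
        ssize_t count;
        while ((count = syscall(__NR_read, fd, buf, sizeof(buf))) > 0) {
            /* write(2) may be short; push the whole chunk out. */
            ssize_t done = 0;
            while (done < count) {
                ssize_t w = syscall(__NR_write, STDOUT_FILENO, buf + done, (size_t)(count - done));
                if (w <= 0) {
                    break;
                }
                done += w;
            }
            if (done < count) {
                break;
            }
        }
        syscall(__NR_close, fd);
        return 0;
    }

    /* ---------------- tracer ---------------- */
    int status = 0;
    if (waitpid(pid, &status, 0) == -1 || !WIFSTOPPED(status)) {
        fprintf(stderr, "child did not stop as expected\n");
        return 1;
    }
    long opts = PTRACE_O_TRACESECCOMP;
#ifdef PTRACE_O_EXITKILL
    /* If the tracer dies, take the child with it; otherwise it would be left
     * with a RET_TRACE filter and no tracer, and every openat would fail. */
    opts |= PTRACE_O_EXITKILL;
#endif
    if (ptrace(PTRACE_SETOPTIONS, pid, 0, opts) == -1) {
        perror("ptrace(PTRACE_SETOPTIONS)");
        kill(pid, SIGKILL);   /* child is still stopped; don't leave it hanging */
        return 1;
    }
    process_signals(pid);
    return 0;
}

/*
 * Tracer main loop. Resumes the child, waits for its next stop and, for a
 * PTRACE_EVENT_SECCOMP stop on openat, reads the pathname and rewrites it
 * when it equals file_to_avoid. Returns when the child exits or is killed,
 * or when ptrace/waitpid fail.
 *
 * NOTE(review): the child in main() opens tuzi1.txt and the probe names but
 * never /data/local/tmp/tuzi.txt, so the redirect branch is not exercised by
 * this demo as written.
 */
static void process_signals(pid_t child)
{
    const char *file_to_redirect = "/data/local/tmp/tuzi1.txt";
    const char *file_to_avoid = "/data/local/tmp/tuzi.txt";
    int status = 0;
    int sig = 0;   /* signal to deliver on the next PTRACE_CONT; 0 = none */

    for (;;) {
        if (ptrace(PTRACE_CONT, child, 0, sig) == -1) {
            perror("ptrace(PTRACE_CONT)");
            return;
        }
        sig = 0;

        pid_t w;
        do {
            w = waitpid(child, &status, 0);
        } while (w == -1 && errno == EINTR);
        if (w == -1) {
            perror("waitpid");
            return;
        }

        /* Check for termination before touching registers: the original
         * called GETREGSET on an exited child and printed garbage. */
        if (WIFEXITED(status) || WIFSIGNALED(status)) {
            break;
        }
        if (!WIFSTOPPED(status)) {
            continue;
        }

        if ((status >> 8) != (SIGTRAP | (PTRACE_EVENT_SECCOMP << 8))) {
            /* Ordinary signal-delivery stop. Re-inject the signal so the
             * tracee still sees it; the original silently swallowed all of
             * them. SIGTRAP is not forwarded (the kernel raises one after
             * execve under ptrace) and SIGSTOP is dropped as before. Group
             * stops are not handled specially here. */
            int s = WSTOPSIG(status);
            if (s != SIGTRAP && s != SIGSTOP) {
                sig = s;
            }
            continue;
        }

        struct user_pt_regs regs;
        struct iovec io;
        io.iov_base = &regs;
        io.iov_len = sizeof(regs);
        if (ptrace(PTRACE_GETREGSET, child, (void *)NT_PRSTATUS, &io) == -1) {
            perror("ptrace(PTRACE_GETREGSET)");
            continue;
        }
        printf("syscall num : %llu \n", (unsigned long long)regs.regs[8]);

        switch (regs.regs[8]) {
        case __NR_openat: {
            char orig_file[PATH_MAX];
            read_file(child, orig_file, sizeof(orig_file), regs);
            printf("[Openiat %s]\n", orig_file);
            if (strcmp(file_to_avoid, orig_file) == 0) {
                if (redirect_file(child, file_to_redirect, regs) != 0) {
                    fprintf(stderr, "redirect of %s skipped: %s\n", orig_file, strerror(errno));
                }
            }
            break;
        }
        default:
            break;
        }
    }
}

/*
 * Copy the string the tracee passed as openat()'s pathname (x1, i.e.
 * regs.regs[1]) into file, one word at a time with PTRACE_PEEKTEXT.
 *
 * At most cap bytes are written and the result is always NUL-terminated. The
 * original had no bound and walked tracee memory until it found a NUL, so a
 * tracee string without one (or longer than PATH_MAX) overran the tracer's
 * stack buffer. Tracee memory is untrusted input here; truncate instead.
 * Exits the tracer on a ptrace read error, as before.
 */
static void read_file(pid_t child, char *file, size_t cap, user_pt_regs regs)
{
    if (cap == 0) {
        return;
    }
    uint64_t addr = regs.regs[1];
    size_t n = 0;

    while (n + 1 < cap) {
        /* PEEKTEXT returns the word itself, so -1 can be genuine data; errno
         * is the only reliable error indicator. */
        errno = 0;
        long word = ptrace(PTRACE_PEEKTEXT, child, (void *)(uintptr_t)addr, NULL);
        if (word == -1 && errno != 0) {
            fprintf(stderr, "PTRACE_PEEKTEXT error: %s\n", strerror(errno));
            exit(1);
        }
        unsigned char bytes[sizeof word];
        memcpy(bytes, &word, sizeof word);
        for (size_t k = 0; k < sizeof word && n + 1 < cap; ++k) {
            file[n++] = (char)bytes[k];
            if (bytes[k] == '\0') {
                return;
            }
        }
        addr += sizeof word;
    }
    file[cap - 1] = '\0';   /* ran out of room before a NUL: truncate */
}

/*
 * Replace the tracee's pathname argument with file, in place.
 *
 * The tracer does not know how large the tracee's buffer is, so the only
 * write that is known to be safe is one no longer than the string already
 * there (including its NUL). A longer replacement would overwrite whatever
 * the tracee keeps after the string; the demo's "tuzi1.txt" is one byte
 * longer than "tuzi.txt" and is therefore refused. Writing longer paths
 * would need a tracer-owned scratch area inside the tracee, which this demo
 * does not implement. The original wrote strlen(file_to_avoid)+1 bytes of
 * the longer string, dropping its NUL and spilling one byte past the target.
 *
 * Returns 0 on success; -1 with errno = ENAMETOOLONG if it does not fit, or
 * errno from ptrace if the write fails.
 */
static int redirect_file(pid_t child, const char *file, user_pt_regs regs)
{
    char current[PATH_MAX];
    read_file(child, current, sizeof(current), regs);

    size_t new_len = strlen(file);
    if (new_len > strlen(current)) {
        errno = ENAMETOOLONG;
        return -1;
    }
    return putdata(child, regs.regs[1], file, (long)new_len + 1);
}

/*
 * Write sz bytes of str into the tracee at addr.
 *
 * PTRACE_POKEDATA moves whole words, so the trailing partial word is read
 * back with PEEKDATA and merged before being written: the original poked a
 * full word there, which both read past the end of str and clobbered up to
 * sizeof(long)-1 tracee bytes beyond addr+sz. str is copied with memcpy
 * because it need not be word-aligned.
 *
 * Returns 0 on success (sz <= 0 is a no-op), -1 with errno set otherwise.
 */
int putdata(pid_t pid, uint64_t addr, const char *str, long sz)
{
    if (str == NULL) {
        errno = EINVAL;
        return -1;
    }
    printf("pid : %d addr : %lx str : %s sz : %ld \n", (int)pid, (unsigned long)addr, str, sz);
    if (sz <= 0) {
        return 0;
    }

    const size_t word = sizeof(long);
    size_t remaining = (size_t)sz;
    size_t off = 0;

    while (remaining >= word) {
        long v;
        memcpy(&v, str + off, word);
        if (ptrace(PTRACE_POKEDATA, pid, (void *)(uintptr_t)(addr + off), v) == -1) {
            return -1;
        }
        off += word;
        remaining -= word;
    }

    if (remaining > 0) {
        errno = 0;
        long v = ptrace(PTRACE_PEEKDATA, pid, (void *)(uintptr_t)(addr + off), NULL);
        if (v == -1 && errno != 0) {
            return -1;
        }
        /* First `remaining` bytes of the word come from str; the rest keep
         * whatever the tracee had there. */
        memcpy(&v, str + off, remaining);
        if (ptrace(PTRACE_POKEDATA, pid, (void *)(uintptr_t)(addr + off), v) == -1) {
            return -1;
        }
    }
    return 0;
}
--------------------------------------------------------------------------------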