Pthread introspection hook #263
Conversation
Force-pushed: f9b8626 to 7976e0d; 7976e0d to 0b7c2fe; 0b7c2fe to f2a4a1f; f1d6b40 to b983d2a; b983d2a to 1c9f1b1
Nice. Didn't know about this API. I would have done it using regular hooks, but this is better I think. Still needs to be wired up so that we start stalking on the new threads... Uh. Now I see it is Apple-only. Maybe it is better to use regular hooks, which will be more portable?
Well there are basically two things we could do:
I've tried to keep the external APIs of the module clean from any Apple pthread_introspection internals, so that it would be easy to make a drop-in replacement on other platforms.
I think the Frida Interceptor hooks are the way to go. I am using them successfully in ASAN. You can see what I did there. There is no need to decrease the trust level if you apply the hooks before you start stalking.
Why are those only aarch64 though?
Also, looking at different libcs and their pthread implementations, it isn't really clear to me where to hook for each of them, especially at places where the stack size and location is already known. I doubt function call hooks suffice there; ideally that would be the clone/clone3 syscall on Linux. But at least glibc's
FRIDA-ASAN is only aarch64. Why can we not hook
@@ -10,6 +10,10 @@ pub mod asan_errors; | |||
/// The frida address sanitizer runtime | |||
pub mod asan_rt; | |||
|
|||
/// Hooking thread lifecycle events. Seems like this is apple-only for now. | |||
#[cfg(any(target_os = "macos", target_os = "ios"))] |
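Review bot: the #[cfg(any(target_os = "macos", target_os = "ios"))] gate at the end of the hunk misses the other Apple targets that ship the same pthread_introspection API (tvOS, watchOS); #[cfg(target_vendor = "apple")] covers all of them with one predicate. The doc comment "Seems like this is apple-only for now" is a hedge inside rustdoc; state what the module does ("Thread lifecycle hooks via pthread_introspection") and record the platform requirement as a plain statement next to the cfg.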
Looks like target_vendor = "apple" is the thing to use here.
Hey @fabianfreyer, what's the state of this PR? libafl_frida is under refactor; you will get some conflicts once we merge the other PRs.
Instead of
Ping @fabianfreyer
What's the status @fabianfreyer
static PREVIOUS_HOOK: PreviousHook = PreviousHook(UnsafeCell::new(None)); | ||
|
||
lazy_static! { | ||
static ref CURRENT_HOOK: RwLock<Option<PthreadIntrospectionHook>> = RwLock::new(None); |
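Review bot: the lazy_static! block around CURRENT_HOOK is unnecessary: RwLock::new is a const fn, so `static CURRENT_HOOK: RwLock<Option<PthreadIntrospectionHook>> = RwLock::new(None);` works directly and avoids running first-use initialisation from inside a thread-lifecycle callback. Separately, PREVIOUS_HOOK wraps an UnsafeCell in a static, which only compiles with a hand-written unsafe impl Sync for PreviousHook; that impl and the invariant that makes it sound (written once at install time before any event can fire, read-only afterwards) are not visible in this hunk and should be documented beside the type.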
RwLock::new is const, so you can just remove lazy_static completely here.
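An added example, not code from this PR or from libafl_frida, illustrating two points raised above: the platform-neutral hook registry (a thread-lifecycle hook is installed, the hook that was there before is remembered, and events are chained to it, so a pthread_introspection backend on Apple platforms or an Interceptor-based one elsewhere only has to call one dispatch function), and the const-initialised static RwLock that makes lazy_static unnecessary. The ThreadEvent enum, the hook signature, the install/uninstall/dispatch names and the two recording hooks are assumptions of this example.

```rust
use std::sync::{Mutex, RwLock};

/// Thread lifecycle events. The variants mirror the four pthread_introspection
/// events on Apple platforms; the enum itself is an assumption of this example.
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum ThreadEvent {
    Create,
    Start,
    Terminate,
    Destroy,
}

/// Hook signature: (event, opaque thread id, stack address, stack size).
/// Plain `fn` pointers are `Copy` and `Sync`, which keeps the statics simple.
pub type ThreadHook = fn(ThreadEvent, u64, usize, usize);

/// `RwLock::new` is a `const fn` (stable since Rust 1.63), so these statics need
/// neither `lazy_static!` nor a OnceCell and are ready before any hook can fire.
static CURRENT_HOOK: RwLock<Option<ThreadHook>> = RwLock::new(None);
static PREVIOUS_HOOK: RwLock<Option<ThreadHook>> = RwLock::new(None);

/// Install `hook` and remember what was there before, so events can be chained
/// to it (the role of the value returned by pthread_introspection_hook_install).
pub fn install(hook: ThreadHook) -> Option<ThreadHook> {
    let mut current = CURRENT_HOOK.write().unwrap();
    let previous = current.replace(hook);
    *PREVIOUS_HOOK.write().unwrap() = previous;
    previous
}

/// Remove the current hook and put the previous one back in place.
pub fn uninstall() -> Option<ThreadHook> {
    let mut current = CURRENT_HOOK.write().unwrap();
    let removed = current.take();
    *current = PREVIOUS_HOOK.write().unwrap().take();
    removed
}

/// Entry point a platform backend (pthread_introspection on Apple targets, an
/// Interceptor hook on pthread_create/clone elsewhere) calls for every event.
pub fn dispatch(event: ThreadEvent, thread: u64, stack_addr: usize, stack_size: usize) {
    // Copy the fn pointers out and drop the read guards before calling, so a
    // hook body that itself calls `install`/`uninstall` cannot deadlock.
    let current = *CURRENT_HOOK.read().unwrap();
    let previous = *PREVIOUS_HOOK.read().unwrap();
    if let Some(hook) = current {
        hook(event, thread, stack_addr, stack_size);
    }
    if let Some(hook) = previous {
        hook(event, thread, stack_addr, stack_size);
    }
}

/// Constructed event log so the example can observe which hooks ran, in order.
static LOG: Mutex<Vec<(&'static str, ThreadEvent, u64)>> = Mutex::new(Vec::new());

fn log_as(name: &'static str, event: ThreadEvent, thread: u64) {
    LOG.lock().unwrap().push((name, event, thread));
}

/// Hypothetical hook standing in for "start stalking the new thread".
pub fn stalker_hook(event: ThreadEvent, thread: u64, _addr: usize, _size: usize) {
    log_as("stalker", event, thread);
}

/// Hypothetical hook standing in for the ASAN runtime's thread bookkeeping.
pub fn asan_hook(event: ThreadEvent, thread: u64, _addr: usize, _size: usize) {
    log_as("asan", event, thread);
}

/// Drain the log; used by the usage below and by tests.
pub fn take_log() -> Vec<(&'static str, ThreadEvent, u64)> {
    std::mem::take(&mut *LOG.lock().unwrap())
}

fn main() {
    install(asan_hook);
    install(stalker_hook); // previous (asan) is remembered and chained to
    dispatch(ThreadEvent::Start, 7, 0x7000_0000, 512 * 1024);
    println!("{:?}", take_log()); // stalker first, then asan
    uninstall(); // asan becomes current again
    dispatch(ThreadEvent::Terminate, 7, 0x7000_0000, 512 * 1024);
    println!("{:?}", take_log()); // only asan
}
```

Both statics hold a single slot, as the PR's CURRENT_HOOK and PREVIOUS_HOOK do, so chaining is one level deep: installing a third hook would drop the oldest one, which is exactly the behaviour a fuller design would need to decide on.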
Continuing this in #891
see #68