Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Pthread introspection hook #263

Closed
wants to merge 2 commits into from
Closed

Pthread introspection hook #263

wants to merge 2 commits into from

Conversation

fabianfreyer
Copy link
Collaborator

@fabianfreyer fabianfreyer commented Aug 14, 2021
edited
Loading

see #68

@fabianfreyer fabianfreyer marked this pull request as draft August 14, 2021 21:50
domenukk
domenukk reviewed Aug 14, 2021
View reviewed changes
libafl_frida/src/lib.rs Outdated Show resolved Hide resolved
@fabianfreyer fabianfreyer force-pushed the pthread-introspection-hook branch 2 times, most recently from f1d6b40 to b983d2a Compare August 14, 2021 22:28
@s1341
Copy link
Collaborator

s1341 commented Aug 15, 2021
edited
Loading

Nice. Didn't know about this api. I would have done it using regular hooks, but this is better I think. Still needs to be wired up so that we start stalking on the new threads...

Uh. Now I see it is apple-only. Maybe it is better to use regular hooks which will be more portable?

@fabianfreyer
Copy link
Collaborator Author

Well there are basically two things we could do:

  • use Frida Interceptor hooks. These work across threads, as they patch the function prologue. It's a bit of a hassle to make these work once a Stalker is active, and decreasing the trustlevel comes at a performance cost.
  • use Frida Stalker to emit code on the pthread functions. However, that could end up being a chicken-egg problem, as the stalker needs to be active on the thread that starts the new thread first. When attaching to a multithreaded target, this may be a problem.

I've tried to keep the external API's of the module clean from any apple pthread_introspection internals, so that it would be easy to make a drop-in replacement on other platforms.

@s1341
Copy link
Collaborator

s1341 commented Aug 16, 2021

I think the frida Interceptor hooks are the way to go. I am using them successfully in ASAN. You can see what I did there. There is no need to decrease the trustlevel if you apply the hooks before you start stalking.

@fabianfreyer
Copy link
Collaborator Author

Why are those only aarch64 though?

@fabianfreyer
Copy link
Collaborator Author

Also, looking at different libc's and their pthread implementations, it isn't really clear to me where to hook for each of them, especially at places where the stack size and location is already known. I doubt function call hooks suffice there; ideally that would be the clone/clone3 syscall on linux. But at least glibc's __clone_internal which is called from pthread_create doesn't seem to have symbols.

@s1341
Copy link
Collaborator

s1341 commented Aug 16, 2021

FRIDA-ASAN is only aarch64.

Why can we not hook pthread_create itself?

domenukk
domenukk reviewed Aug 26, 2021
View reviewed changes
libafl_frida/src/lib.rs
@@ -10,6 +10,10 @@ pub mod asan_errors;
/// The frida address sanitizer runtime
pub mod asan_rt;

/// Hooking thread lifecycle events. Seems like this is apple-only for now.
#[cfg(any(target_os = "macos", target_os = "ios"))]
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks like target_vendor = "apple" is the thing to use here

@andreafioraldi
Copy link
Member

Hey @fabianfreyer , what's the state of this PR? libafl_frida is under refactor, you will get some conflicts once we merge the other PRs

@domenukk
Copy link
Member

domenukk commented Jan 3, 2022

Instead of lazy_static, maybe take a look at https://crates.io/crates/static_init

@domenukk
Copy link
Member

Ping @fabianfreyer

@domenukk
Copy link
Member

What's the status @fabianfreyer

domenukk
domenukk reviewed Nov 12, 2022
View reviewed changes
libafl_frida/src/pthread_hook.rs
static PREVIOUS_HOOK: PreviousHook = PreviousHook(UnsafeCell::new(None));

lazy_static! {
static ref CURRENT_HOOK: RwLock<Option<PthreadIntrospectionHook>> = RwLock::new(None);
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

RwLock::new is const, so you can just remove lazy_static completely, here

@domenukk domenukk mentioned this pull request Nov 12, 2022
Merged
@domenukk
Copy link
Member

Continuing this in #891

@domenukk domenukk closed this Nov 12, 2022
domenukk added a commit that referenced this pull request Nov 15, 2022
@domenukk @fabianfreyer
Pthread introspection hook (extends #263) (#891)
2011ed2 
* Add pthread_introspection_hook support on macos

See-also: #68

* Remove lazy_static

* all of apple are created equal

Co-authored-by: Fabian Freyer <fabian.freyer@physik.tu-berlin.de>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@domenukk domenukk domenukk approved these changes

@s1341 s1341 Awaiting requested review from s1341

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
4 participants
@fabianfreyer @s1341 @andreafioraldi @domenukk