syscall trampoline without root access

[milahu]

readme says

Setup

To use zpoline, please set 0 to /proc/sys/vm/mmap_min_addr.

sudo sh -c "echo 0 > /proc/sys/vm/mmap_min_addr"

so zpoline fails when i have no root access to the machine

would be nice to remove this limitation
but then the name zpoline would be wrong
as the trampoline would no longer be at address zero

the challenge is to find a "code cave" for the trampoline ...

possible solution: shiva can insert instructions into binaries
maybe we can use shiva to insert the trampoline?
(but currently, shiva is limited to arm64, x86_64 is wip)

to improve performance for hot code
we can use relative jumps to multiple jump tables
to avoid adding a base address on every call

[yasukata]

Thank you for your message.

the challenge is to find a "code cave" for the trampoline ...

I would note that the restriction of zpoline, which requires the memory mapping at virtual address 0, comes from its approach replacing syscall with callq *%rax that jumps to around virtual address 0~500; therefore, for zpoline, the trampoline code has to be at around virtual address 0, and it cannot employ a trampoline located on a different virtual address.

possible solution: shiva can insert instructions into binaries
maybe we can use shiva to insert the trampoline?

I have looked through the documentation of shiva. While I do not fully understand its details yet, I think shiva can insert trampolines into existing binaries (although zpoline cannot use the trampolines made by shiva because of the restriction above).

Anyway, I believe shiva is a good option to apply hooks to existing programs when it fits a user's targeting use cases.

Thank you very much for providing me with the information.