#include "patch_current_avc_check.h"
#include "analyze/base_func.h"
#include "3rdparty/aarch64_asm_helper.h"
using namespace asmjit;
using namespace asmjit::a64;
using namespace asmjit::a64::Predicate;
// Builds this patcher from an existing PatchBase, copying its state verbatim;
// nothing specific to the avc-check patch is initialised here.
PatchCurrentAvcCheck::PatchCurrentAvcCheck(const PatchBase& patch_base)
    : PatchBase(patch_base) {
}
// Nothing is owned beyond what PatchBase manages, so the compiler-generated
// destructor is sufficient.
PatchCurrentAvcCheck::~PatchCurrentAvcCheck() = default;
// Assembles a small AArch64 stub that inspects the current task's credentials
// and reports the verdict in x10: 1 when the 32-bit euid is zero, the word at
// the start of the securebits region is zero and every one of cred_cnt
// capability words is >= cap_ability_max; 0 in every other case. The stub is
// encoded as a hex string and queued for writing at
// hook_func_start_region.offset. How the patched call site consumes x10 is
// decided elsewhere (the caller emits the surrounding hook).
//
// hook_func_start_region   - .offset is where the stub goes, .size is the room
//                            available there; the stub is refused if it does
//                            not fit, so the region is never overrun.
// task_struct_cred_offset  - offset of the cred pointer within task_struct.
//                            Taken on trust: a wrong value makes the stub read
//                            from the wrong kernel address.
// vec_out_patch_bytes_data - receives { hex bytes, target offset } on success.
//
// Returns the stub size in bytes, or 0 when the start offset is zero, when
// assembly produced no bytes, or when the stub exceeds the region size.
// The cred layout (atomic usage size, uid block, securebits size, capability
// count and expected value) comes from m_init_cred_searcher and is not
// validated here. The full disassembly is printed to stdout before encoding.
size_t PatchCurrentAvcCheck::patch_current_avc_check_bl_func(const SymbolRegion& hook_func_start_region, size_t task_struct_cred_offset, std::vector<patch_bytes_data>& vec_out_patch_bytes_data) {
    size_t hook_addr = hook_func_start_region.offset;
    if (hook_addr == 0) {
        return 0;
    }
    std::cout << "Start hooking addr: " << std::hex << hook_addr << std::endl << std::endl;
    if (is_huawei()) {
        update_huawei_kti_calc_base(hook_addr);
    }

    // Field positions inside struct cred as recovered by the init-cred searcher.
    InitCredResult cred_result = m_init_cred_searcher.get_init_cred_result();
    const int uid_block_size = sizeof(cred_uid_info);
    const int euid_pos = cred_result.atomic_usage_size + offsetof(cred_uid_info, euid);

    aarch64_asm_ctx asm_ctx = init_aarch64_asm();
    auto as = asm_ctx.assembler();

    // Labels are created in this order so their ids match the printed listing.
    Label deny = as->newLabel();        // common exit; x10 still holds the verdict
    Label allow = as->newLabel();       // bound but never branched to (fall-through)
    Label next_cap = as->newLabel();    // head of the capability loop

    // x10 := 0 (deny) until every check has passed.
    as->mov(x10, xzr);
    // x11 := current task, then x11 := task->cred.
    emit_get_current(as, x11);
    as->ldr(x11, ptr(x11, task_struct_cred_offset));
    // euid != 0 -> deny.
    as->ldr(w12, ptr(x11, euid_pos));
    as->cbnz(w12, deny);
    // Skip past the usage counter and the uid block to the securebits region;
    // the load post-increments x11 by securebits_size so it then points at the
    // first capability word.
    as->add(x11, x11, Imm(cred_result.atomic_usage_size + uid_block_size));
    as->ldr(w13, ptr(x11).post(cred_result.securebits_size));
    as->cbnz(w13, deny);
    // Every capability word must be >= cap_ability_max; x13 counts down.
    as->mov(x12, Imm(cred_result.cap_ability_max));
    as->mov(x13, Imm(cred_result.cap_cnt));
    as->bind(next_cap);
    as->ldr(x14, ptr(x11).post(8));
    as->cmp(x14, x12);
    as->b(CondCode::kLO, deny);
    as->subs(x13, x13, Imm(1));
    as->b(CondCode::kNE, next_cap);
    // All checks passed: x10 := 1.
    as->bind(allow);
    as->mov(x10, Imm(1));
    as->bind(deny);
    as->ret(x30);

    std::cout << print_aarch64_asm(as) << std::endl;
    std::vector<uint8_t> code_bytes = aarch64_asm_to_bytes(as);
    if (code_bytes.empty()) {
        return 0;
    }
    std::string hex = bytes2hex(reinterpret_cast<const unsigned char*>(code_bytes.data()), code_bytes.size());
    // Two hex digits per byte; the size check keeps the write inside the region.
    size_t stub_size = hex.length() / 2;
    if (stub_size > hook_func_start_region.size) {
        std::cout << "[发生错误] patch_current_avc_check_bl_func failed: not enough kernel space." << std::endl;
        return 0;
    }
    vec_out_patch_bytes_data.push_back({ hex, hook_addr });
    return stub_size;
}