You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Since 2018, compilers started placing ENDBR instructions at the beginning of functions/branch, making it impossible for subhook to make a trampoline.
At my environment, whole glibc is compiled with such instructions, making it impossible for me to hook & trampoline any standard function.
Moreover, with modern processors, absence of ENDBR prevents indirect jumping at arbitrary address, and thus, requires small redesign of subhook's trampoline construction.
Proposed fix
A quick fix (for old processors)
Detect a single, 4-bytes long ENDBR32 or ENDBR64 instruction. As ENDBR are equal to NOP for processors with old ISA, prior to circa. 2019, we can carry on with copying / discarding the instruction.
A proper fix
I presume that a proper fix would require you to change both JMPs to include No-track prefix, and put the jump to trampoline AFTER ENDBR instruction of original function.
This can be, however, problematic, as I noticed that you use RET for AMD64 architecture, which will probably cause troubles with so-called Shadow stack, requiring you to work around with special Intel's instructions to for changing the stack.
In either case, with Indirect Branch Tracking enabled by both CPU and binary file, subhook will not work, because in such case, every function starts with ENDBR.
- see issue Zeex#49 for more details
(Zeex#49)
- fixed by hardcoded both instructions into disassembler
- will not work on modern CPUs (2018+) AND with IAT enabled
Intel® Control-Flow Enforcement Technology (Intel CET)
Problem
Since 2018, compilers started placing ENDBR instructions at the beginning of functions/branch, making it impossible for subhook to make a trampoline.
At my environment, whole glibc is compiled with such instructions, making it impossible for me to hook & trampoline any standard function.
Moreover, with modern processors, absence of ENDBR prevents indirect jumping at arbitrary address, and thus, requires small redesign of subhook's trampoline construction.
Proposed fix
A quick fix (for old processors)
Detect a single, 4-bytes long ENDBR32 or ENDBR64 instruction. As ENDBR are equal to NOP for processors with old ISA, prior to circa. 2019, we can carry on with copying / discarding the instruction.
A proper fix
I presume that a proper fix would require you to change both JMPs to include No-track prefix, and put the jump to trampoline AFTER ENDBR instruction of original function.
This can be, however, problematic, as I noticed that you use RET for AMD64 architecture, which will probably cause troubles with so-called Shadow stack, requiring you to work around with special Intel's instructions to for changing the stack.
In either case, with Indirect Branch Tracking enabled by both CPU and binary file, subhook will not work, because in such case, every function starts with ENDBR.
To get familiar, see Black Hat's PDF file
The text was updated successfully, but these errors were encountered: