Intercepting Return Values on SVC Interrupt Hooks #2835

Open
kyuds opened this issue Apr 25, 2024 · 0 comments
kyuds commented Apr 25, 2024

Hello, I have a question about the Frida interceptor in the context of an ARM64 machine.

Normally, the Frida Interceptor allows a programmer to examine both the input values and return values of a function call, which is simply done by:

Interceptor.attach(Module.findExportByName(null, "open"), {
    onEnter: function(args) {},
    onLeave: function(retval) {}
})

However, some programs deliberately make it hard to reverse engineer (e.g. obfuscation), calling Linux system calls manually instead of using the libc wrappers:

MOV W8, #0x38
...
SVC 0

(btw this is calling openat in ARM64)

I understand that it is possible to hook the code location above using the Interceptor to examine the arguments, but I don't know any way to examine the return value (i.e. I want to examine whether openat returned a valid file descriptor).

How could I do this?
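
One way to observe the result, as an added example that is not part of the original post or the Frida project's own code: attach an instruction-level probe to the instruction immediately after `SVC 0` and read `x0` there. `TARGET_MODULE` and `SVC_OFFSET` are hypothetical placeholders, and the sketch assumes Linux on ARM64 leaves `x1` and `x8` unchanged across the syscall and that the instruction after the SVC can be relocated by the Interceptor.

```javascript
// Added example. The two values below are hypothetical placeholders.
const TARGET_MODULE = 'libtarget.so'; // placeholder: module containing the SVC
const SVC_OFFSET = 0x1234;            // placeholder: offset of the `SVC 0` instruction
const SYS_OPENAT = 0x38;              // syscall number loaded into W8 in the snippet above

// Linux reports syscall failure as -errno in x0, i.e. a value in [-4095, -1].
// Anything else is a successful result (for openat: the file descriptor).
function decodeSyscallReturn(x0Hex) {
  const signed = BigInt.asIntN(64, BigInt(x0Hex));
  if (signed < 0n && signed >= -4095n) {
    return { ok: false, errno: Number(-signed) };
  }
  return { ok: true, value: Number(signed) };
}

function hookAfterSvc(moduleName, svcOffset) {
  const svc = Process.getModuleByName(moduleName).base.add(svcOffset);
  // A64 instructions are 4 bytes wide, so svc + 4 is the first instruction
  // executed after the kernel returns. Passing a plain function (instead of
  // an onEnter/onLeave object) attaches to an arbitrary instruction.
  Interceptor.attach(svc.add(4), function () {
    const ctx = this.context;
    // Assumption: x8 still holds the syscall number at this point.
    if (ctx.x8.toInt32() !== SYS_OPENAT) return;
    // Assumption: x1 still points at the pathname passed to openat.
    const path = ctx.x1.readCString();
    const r = decodeSyscallReturn(ctx.x0.toString());
    if (r.ok) {
      console.log('[tid ' + this.threadId + '] openat("' + path + '") -> fd ' + r.value);
    } else {
      console.log('[tid ' + this.threadId + '] openat("' + path + '") failed, errno ' + r.errno);
    }
  });
}

// Install the hook only inside the Frida runtime, so the decoding helper
// can also be loaded and checked on its own.
if (typeof Interceptor !== 'undefined') {
  hookAfterSvc(TARGET_MODULE, SVC_OFFSET);
}
```

Hooking only the post-SVC instruction avoids placing two inline patches on adjacent instructions; the original `x0` argument (the directory fd) is no longer available at that point.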
