How SVC hooking is implemented

[ghost]

How is SVC / syscall hooking is implemented?

If someone tries to bypass Frida by using syscalls directly without libc wrapper will we detect them? For example some packers do that

[FrenchYeti]

Interrutor use only instruction level hooking. There is only two features temporary based on function hooking : followingThread depending on libc, and startOnLoad depending on linker64.

Interruptor uses following strategy :

• syscall name are translated to a list of syscall number to intercept
• Stalker is used to "break" on every SVC + next instructions
• if at runtime, on SVC/SWI/... instruction, the value of the register which holds the syscall number match one from hook list, then execution jump inside hook.