yasukata / zpoline

system call hook for Linux
Apache License 2.0
495 stars 37 forks

syscall trampoline without root access #16

Open milahu opened 6 months ago

milahu commented 6 months ago

The readme says:

> ## Setup
> To use zpoline, please set 0 to `/proc/sys/vm/mmap_min_addr`.
> ```
> sudo sh -c "echo 0 > /proc/sys/vm/mmap_min_addr"
> ```

So zpoline fails when I have no root access to the machine.

It would be nice to remove this limitation, but then the name zpoline would be wrong, as the trampoline would no longer be at address zero.

The challenge is to find a "code cave" for the trampoline ...

Possible solution: shiva can insert instructions into binaries. Maybe we can use shiva to insert the trampoline? (But currently, shiva is limited to arm64; x86_64 is WIP.)

To improve performance for hot code, we can use relative jumps to multiple jump tables to avoid adding a base address on every call.

yasukata commented 6 months ago

Thank you for your message.

> the challenge is to find a "code cave" for the trampoline ...

I would note that the restriction of zpoline, which requires the memory mapping at virtual address 0, comes from its approach of replacing `syscall` with `callq *%rax`, which jumps to around virtual address 0~500; therefore, for zpoline, the trampoline code has to be at around virtual address 0, and it cannot employ a trampoline located at a different virtual address.

> possible solution: shiva can insert instructions into binaries maybe we can use shiva to insert the trampoline?

I have looked through the documentation of shiva. While I do not fully understand its details yet, I think shiva can insert trampolines into existing binaries (although zpoline cannot use the trampolines made by shiva because of the restriction above).

Anyway, I believe shiva is a good option to apply hooks to existing programs when it fits a user's targeting use cases.

Thank you very much for providing me with the information.
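As an added illustration of the mechanism yasukata describes above (this is not part of the thread and not zpoline's own code): `syscall` (`0f 05`) and `call *%rax` (`ff d0`) are both two bytes, so the substitution is size-preserving, and after it the "call" lands at the absolute address held in `%rax`, which under the syscall ABI is the syscall number itself, i.e. somewhere in the first few hundred bytes of the address space. That is why the trampoline must sit at virtual address 0 and why the README asks for `mmap_min_addr=0`. The nop-sled-plus-jmp trampoline layout, the `SLED_LEN` value, and the helper names are assumptions made for this example; zpoline's real trampoline and rewriter differ in detail (in particular, a real rewriter must walk instruction boundaries with a disassembler rather than scan bytes).

```c
// Added example, not zpoline's code: byte-level view of the
// "syscall -> call *%rax" trick and of the address-0 requirement.
#define _GNU_SOURCE
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>

#ifndef MAP_FIXED_NOREPLACE
#define MAP_FIXED_NOREPLACE 0x100000 /* Linux >= 4.17 */
#endif

/* x86-64 encodings: both are two bytes, so the rewrite keeps code size. */
static const uint8_t SYSCALL_OP[2] = {0x0f, 0x05}; /* syscall    */
static const uint8_t CALL_RAX[2]   = {0xff, 0xd0}; /* call *%rax */

/* Assumption for this example: the nop sled covers every syscall number. */
#define SLED_LEN 512

/* Replace every "syscall" in code[] with "call *%rax"; returns the count.
 * Caveat: a linear byte scan can also match 0f 05 inside an immediate or
 * displacement of some other instruction. A real rewriter must disassemble
 * and only patch at instruction boundaries; this shows the substitution only. */
size_t rewrite_syscalls(uint8_t *code, size_t len)
{
    size_t n = 0;
    for (size_t i = 0; i + 1 < len; i++) {
        if (memcmp(code + i, SYSCALL_OP, 2) == 0) {
            memcpy(code + i, CALL_RAX, 2);
            n++;
            i++; /* skip the second byte we just wrote */
        }
    }
    return n;
}

/* "call *%rax" jumps to the absolute address in %rax, which by the syscall
 * ABI is the syscall number, so the landing address is simply nr. */
uintptr_t call_target(long syscall_nr)
{
    return (uintptr_t)syscall_nr;
}

/* Build a simplified trampoline image meant to be mapped at address 0:
 * SLED_LEN one-byte nops, then "jmp rel32" to hook_addr. A call landing
 * anywhere in [0, SLED_LEN) slides into the jmp. Returns the image size,
 * or 0 if the buffer is too small. (Layout is an assumption, not zpoline's.) */
size_t build_trampoline(uint8_t *img, size_t cap, uintptr_t hook_addr)
{
    const size_t size = SLED_LEN + 5;
    if (cap < size) return 0;
    memset(img, 0x90, SLED_LEN);                     /* nop sled        */
    img[SLED_LEN] = 0xe9;                            /* jmp rel32       */
    int32_t rel = (int32_t)(hook_addr - (uintptr_t)size); /* from end of jmp */
    memcpy(img + SLED_LEN + 1, &rel, 4);
    return size;
}

/* Try to map the page at virtual address 0 (what mmap_min_addr=0 permits).
 * Returns 0 on success, EPERM when the sysctl forbids it for an unprivileged
 * process, ENOTSUP if the kernel ignored MAP_FIXED_NOREPLACE, else errno. */
int probe_zero_page(void)
{
    void *p = mmap((void *)0, 4096, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED_NOREPLACE, -1, 0);
    if (p == MAP_FAILED) return errno;
    int rc = (p == (void *)0) ? 0 : ENOTSUP;
    munmap(p, 4096);
    return rc;
}

int main(void)
{
    /* Constructed sample: mov $60,%eax ; syscall  (exit(0) on x86-64). */
    uint8_t code[] = {0xb8, 0x3c, 0x00, 0x00, 0x00, 0x0f, 0x05};
    size_t n = rewrite_syscalls(code, sizeof code);
    printf("rewrote %zu syscall(s); the exit(60) now calls address %#lx\n",
           n, (unsigned long)call_target(60));
    int rc = probe_zero_page();
    printf("mmap at address 0: %s\n", rc == 0 ? "allowed" : strerror(rc));
    return 0;
}
```

On a default Linux box `probe_zero_page()` returns `EPERM` for a non-root user, which is the failure milahu hits; after `echo 0 > /proc/sys/vm/mmap_min_addr` it returns 0. The byte rewrite itself needs no privilege, which is exactly why the trampoline location, not the patching, is the blocking constraint.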